diff --git a/refpolicy/Makefile b/refpolicy/Makefile
index 4beb272..b14be0a 100644
--- a/refpolicy/Makefile
+++ b/refpolicy/Makefile
@@ -238,9 +238,9 @@ tmp/generated_definitions.conf: $(ALL_LAYERS) $(ALL_TE_FILES)
 done
 $(QUIET) $(SETTUN) $(TUNABLES) >> $@
-tmp/all_interfaces.conf: $(ALL_INTERFACES)
+tmp/all_interfaces.conf: $(M4SUPPORT) $(ALL_INTERFACES)
 @test -d tmp || mkdir -p tmp
- $(QUIET) cat $^ > $@
+ $(QUIET) m4 $^ | sed -e s/dollarsstar/\$$\*/g > $@
 tmp/all_te_files.conf: $(ALL_TE_FILES)
 @test -d tmp || mkdir -p tmp
diff --git a/refpolicy/policy/modules/admin/consoletype.if b/refpolicy/policy/modules/admin/consoletype.if
index afb9df7..c4499cd 100644
--- a/refpolicy/policy/modules/admin/consoletype.if
+++ b/refpolicy/policy/modules/admin/consoletype.if
@@ -3,7 +3,7 @@
 #
 # consoletype_domtrans(domain)
 #
-define(`consoletype_domtrans',`
+interface(`consoletype_domtrans',`
 gen_require(`
 type consoletype_t, consoletype_exec_t;
 class process sigchld;
@@ -24,7 +24,7 @@ define(`consoletype_domtrans',`
 #
 # consoletype_exec(domain)
 #
-define(`consoletype_exec',`
+interface(`consoletype_exec',`
 gen_require(`
 type consoletype_exec_t;
 ')
diff --git a/refpolicy/policy/modules/admin/dmesg.if b/refpolicy/policy/modules/admin/dmesg.if
index 3e55cac..189fc5e 100644
--- a/refpolicy/policy/modules/admin/dmesg.if
+++ b/refpolicy/policy/modules/admin/dmesg.if
@@ -11,7 +11,7 @@
 ##
 ##
 #
-define(`dmesg_domtrans',`
+interface(`dmesg_domtrans',`
 gen_require(`
 type dmesg_t, dmesg_exec_t;
 class process sigchld;
@@ -38,7 +38,7 @@ define(`dmesg_domtrans',`
 ##
 ##
 #
-define(`dmesg_exec',`
+interface(`dmesg_exec',`
 gen_require(`
 type dmesg_exec_t;
 ')
diff --git a/refpolicy/policy/modules/admin/netutils.if b/refpolicy/policy/modules/admin/netutils.if
index dd833fa..a6ba8dd 100644
--- a/refpolicy/policy/modules/admin/netutils.if
+++ b/refpolicy/policy/modules/admin/netutils.if
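Review bot: In the refpolicy/Makefile hunk, the new recipe `$(QUIET) m4 $^ | sed -e s/dollarsstar/\$$\*/g > $@` only reports sed's exit status, so an m4 failure (for example an unbalanced m4 quote in one of $(ALL_INTERFACES)) still leaves a truncated tmp/all_interfaces.conf that is newer than its prerequisites and is treated as up to date on the next run, silently dropping interfaces from the generated policy. Stage the output so a failed m4 cannot produce the target, e.g. `$(QUIET) m4 $^ > $@.tmp && sed -e 's/dollarsstar/$$*/g' $@.tmp > $@ && rm -f $@.tmp`, and consider a file-level `.DELETE_ON_ERROR:` so any failing recipe removes its partial target. The single-quoted sed script also stops relying on the shell to unescape `\$$\*`, which is harder to read than it needs to be. The tmp/generated_definitions.conf rule whose tail opens the hunk starts outside it.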
@@ -3,7 +3,7 @@ # # netutils_domtrans(domain) # -define(`netutils_domtrans',` +interface(`netutils_domtrans',` gen_require(` type netutils_t, netutils_exec_t; class process sigchld; @@ -23,7 +23,7 @@ define(`netutils_domtrans',` # # netutils_exec(domain) # -define(`netutils_exec',` +interface(`netutils_exec',` gen_require(` type netutils_exec_t; ') diff --git a/refpolicy/policy/modules/admin/rpm.if b/refpolicy/policy/modules/admin/rpm.if index c0d2e30..b7791a7 100644 --- a/refpolicy/policy/modules/admin/rpm.if +++ b/refpolicy/policy/modules/admin/rpm.if @@ -11,7 +11,7 @@ ## ## # -define(`rpm_domtrans',` +interface(`rpm_domtrans',` gen_require(` type rpm_t, rpm_exec_t; class process sigchld; @@ -45,7 +45,7 @@ define(`rpm_domtrans',` ## ## # -define(`rpm_run',` +interface(`rpm_run',` gen_require(` type rpm_t, rpm_script_t; class chr_file rw_term_perms; @@ -67,7 +67,7 @@ define(`rpm_run',` ## ## # -define(`rpm_use_fd',` +interface(`rpm_use_fd',` gen_require(` type rpm_t; class fd use; @@ -86,7 +86,7 @@ define(`rpm_use_fd',` ## ## # -define(`rpm_read_pipe',` +interface(`rpm_read_pipe',` gen_require(` type rpm_t; class fifo_file r_file_perms; @@ -105,7 +105,7 @@ define(`rpm_read_pipe',` ## ## # -define(`rpm_read_db',` +interface(`rpm_read_db',` gen_require(` type rpm_var_lib_t_t; class dir r_dir_perms; @@ -122,7 +122,7 @@ define(`rpm_read_db',` # # rpm_manage_db(domain) # -define(`rpm_manage_db',` +interface(`rpm_manage_db',` gen_require(` type rpm_var_lib_t_t; class dir rw_dir_perms; diff --git a/refpolicy/policy/modules/admin/usermanage.if b/refpolicy/policy/modules/admin/usermanage.if index 625aaff..34131a4 100644 --- a/refpolicy/policy/modules/admin/usermanage.if +++ b/refpolicy/policy/modules/admin/usermanage.if @@ -11,7 +11,7 @@ ## ## # -define(`usermanage_domtrans_chfn',` +interface(`usermanage_domtrans_chfn',` gen_require(` type chfn_t, chfn_exec_t; class process sigchld; 
@@ -46,7 +46,7 @@ define(`usermanage_domtrans_chfn',` ## ## # -define(`usermanage_run_chfn',` +interface(`usermanage_run_chfn',` gen_require(` type chfn_t; class chr_file rw_term_perms; @@ -67,7 +67,7 @@ define(`usermanage_run_chfn',` ## ## # -define(`usermanage_domtrans_groupadd',` +interface(`usermanage_domtrans_groupadd',` gen_require(` type groupadd_t, groupadd_exec_t; class process sigchld; @@ -102,7 +102,7 @@ define(`usermanage_domtrans_groupadd',` ## ## # -define(`usermanage_run_groupadd',` +interface(`usermanage_run_groupadd',` gen_require(` type groupadd_t; class chr_file rw_term_perms; @@ -123,7 +123,7 @@ define(`usermanage_run_groupadd',` ## ## # -define(`usermanage_domtrans_passwd',` +interface(`usermanage_domtrans_passwd',` gen_require(` type passwd_t, passwd_exec_t; class process sigchld; @@ -158,7 +158,7 @@ define(`usermanage_domtrans_passwd',` ## ## # -define(`usermanage_run_passwd',` +interface(`usermanage_run_passwd',` gen_require(` type passwd_t; class chr_file rw_term_perms; @@ -179,7 +179,7 @@ define(`usermanage_run_passwd',` ## ## # -define(`usermanage_domtrans_useradd',` +interface(`usermanage_domtrans_useradd',` gen_require(` type useradd_t, useradd_exec_t; class process sigchld; @@ -214,7 +214,7 @@ define(`usermanage_domtrans_useradd',` ## ## # -define(`usermanage_run_useradd',` +interface(`usermanage_run_useradd',` gen_require(` type useradd_t; class chr_file rw_term_perms; diff --git a/refpolicy/policy/modules/apps/gpg.if b/refpolicy/policy/modules/apps/gpg.if index 9f42521..7ccb56f 100644 --- a/refpolicy/policy/modules/apps/gpg.if +++ b/refpolicy/policy/modules/apps/gpg.if @@ -24,7 +24,7 @@ ## is the prefix for user_t). ## # -define(`gpg_per_userdomain_template',` +template(`gpg_per_userdomain_template',` gen_require(`$0'_depend) ######################################## diff --git a/refpolicy/policy/modules/kernel/bootloader.if b/refpolicy/policy/modules/kernel/bootloader.if index ee0b515..6e1597f 100644 
--- a/refpolicy/policy/modules/kernel/bootloader.if +++ b/refpolicy/policy/modules/kernel/bootloader.if @@ -11,7 +11,7 @@ ## ## # -define(`bootloader_domtrans',` +interface(`bootloader_domtrans',` gen_require(` type bootloader_t; class process sigchld; @@ -44,7 +44,7 @@ define(`bootloader_domtrans',` ## ## # -define(`bootloader_run',` +interface(`bootloader_run',` gen_require(` type bootloader_t; class chr_file rw_file_perms; @@ -66,7 +66,7 @@ define(`bootloader_run',` ## ## # -define(`bootloader_search_boot_dir',` +interface(`bootloader_search_boot_dir',` gen_require(` type boot_t; class dir search; @@ -85,7 +85,7 @@ define(`bootloader_search_boot_dir',` ## ## # -define(`bootloader_dontaudit_search_boot',` +interface(`bootloader_dontaudit_search_boot',` gen_require(` type boot_t; class dir search; @@ -105,7 +105,7 @@ define(`bootloader_dontaudit_search_boot',` ## ## # -define(`bootloader_rw_boot_symlinks',` +interface(`bootloader_rw_boot_symlinks',` gen_require(` type boot_t; class dir r_dir_perms; @@ -126,7 +126,7 @@ define(`bootloader_rw_boot_symlinks',` ## ## # -define(`bootloader_create_kernel',` +interface(`bootloader_create_kernel',` gen_require(` type boot_t; class dir ra_dir_perms; @@ -149,7 +149,7 @@ define(`bootloader_create_kernel',` ## ## # -define(`bootloader_create_kernel_symbol_table',` +interface(`bootloader_create_kernel_symbol_table',` gen_require(` type boot_t, system_map_t; class dir ra_dir_perms; @@ -170,7 +170,7 @@ define(`bootloader_create_kernel_symbol_table',` ## ## # -define(`bootloader_read_kernel_symbol_table',` +interface(`bootloader_read_kernel_symbol_table',` gen_require(` type boot_t, system_map_t; class dir r_dir_perms; @@ -191,7 +191,7 @@ define(`bootloader_read_kernel_symbol_table',` ## ## # -define(`bootloader_delete_kernel',` +interface(`bootloader_delete_kernel',` gen_require(` type boot_t; class dir { r_dir_perms write remove_name }; 
@@ -212,7 +212,7 @@ define(`bootloader_delete_kernel',` ## ## # -define(`bootloader_delete_kernel_symbol_table',` +interface(`bootloader_delete_kernel_symbol_table',` gen_require(` type boot_t, system_map_t; class dir { r_dir_perms write remove_name }; @@ -233,7 +233,7 @@ define(`bootloader_delete_kernel_symbol_table',` ## ## # -define(`bootloader_read_config',` +interface(`bootloader_read_config',` gen_require(` type bootloader_etc_t; class file r_file_perms; @@ -253,7 +253,7 @@ define(`bootloader_read_config',` ## ## # -define(`bootloader_rw_config',` +interface(`bootloader_rw_config',` gen_require(` type bootloader_etc_t; class file rw_file_perms; @@ -273,7 +273,7 @@ define(`bootloader_rw_config',` ## ## # -define(`bootloader_rw_tmp_file',` +interface(`bootloader_rw_tmp_file',` gen_require(` type bootloader_tmp_t; class file rw_file_perms; @@ -294,7 +294,7 @@ define(`bootloader_rw_tmp_file',` ## ## # -define(`bootloader_create_runtime_file',` +interface(`bootloader_create_runtime_file',` gen_require(` type boot_t, boot_runtime_t; class dir rw_dir_perms; @@ -316,7 +316,7 @@ define(`bootloader_create_runtime_file',` ## ## # -define(`bootloader_list_kernel_modules',` +interface(`bootloader_list_kernel_modules',` gen_require(` type modules_object_t; class dir r_dir_perms; @@ -335,7 +335,7 @@ define(`bootloader_list_kernel_modules',` ## ## # -define(`bootloader_read_kernel_modules',` +interface(`bootloader_read_kernel_modules',` gen_require(` type modules_object_t; class dir r_dir_perms; @@ -358,7 +358,7 @@ define(`bootloader_read_kernel_modules',` ## ## # -define(`bootloader_write_kernel_modules',` +interface(`bootloader_write_kernel_modules',` gen_require(` attribute rw_kern_modules; type modules_object_t; @@ -383,7 +383,7 @@ define(`bootloader_write_kernel_modules',` ## ## # -define(`bootloader_manage_kernel_modules',` +interface(`bootloader_manage_kernel_modules',` gen_require(` attribute rw_kern_modules; type modules_object_t; 
@@ -401,7 +401,7 @@ define(`bootloader_manage_kernel_modules',` # # bootloader_create_private_module_dir_entry(domain,privatetype,[class(es)]) # -define(`bootloader_create_private_module_dir_entry',` +interface(`bootloader_create_private_module_dir_entry',` gen_require(` type modules_object_t; class dir rw_dir_perms; diff --git a/refpolicy/policy/modules/kernel/corenetwork.if.in b/refpolicy/policy/modules/kernel/corenetwork.if.in index 9430836..9f3ab47 100644 --- a/refpolicy/policy/modules/kernel/corenetwork.if.in +++ b/refpolicy/policy/modules/kernel/corenetwork.if.in @@ -12,7 +12,7 @@ ## ## # -define(`corenet_tcp_sendrecv_generic_if',` +interface(`corenet_tcp_sendrecv_generic_if',` gen_require(` type netif_t; class netif { tcp_send tcp_recv }; @@ -25,7 +25,7 @@ define(`corenet_tcp_sendrecv_generic_if',` # # corenet_udp_send_generic_if(domain) # -define(`corenet_udp_send_generic_if',` +interface(`corenet_udp_send_generic_if',` gen_require(` type netif_t; class netif udp_send; @@ -38,7 +38,7 @@ define(`corenet_udp_send_generic_if',` # # corenet_udp_receive_generic_if(domain) # -define(`corenet_udp_receive_generic_if',` +interface(`corenet_udp_receive_generic_if',` gen_require(` type netif_t; class netif udp_recv; @@ -51,7 +51,7 @@ define(`corenet_udp_receive_generic_if',` # # corenet_udp_sendrecv_generic_if(domain) # -define(`corenet_udp_sendrecv_generic_if',` +interface(`corenet_udp_sendrecv_generic_if',` corenet_udp_send_generic_if($1) corenet_udp_receive_generic_if($1) ') @@ -60,7 +60,7 @@ define(`corenet_udp_sendrecv_generic_if',` # # corenet_raw_send_generic_if(domain) # -define(`corenet_raw_send_generic_if',` +interface(`corenet_raw_send_generic_if',` gen_require(` type netif_t; class netif rawip_send; @@ -75,7 +75,7 @@ define(`corenet_raw_send_generic_if',` # # corenet_raw_receive_generic_if(domain) # -define(`corenet_raw_receive_generic_if',` +interface(`corenet_raw_receive_generic_if',` gen_require(` type netif_t; class netif rawip_recv; 
@@ -88,7 +88,7 @@ define(`corenet_raw_receive_generic_if',` # # corenet_raw_sendrecv_generic_if(domain) # -define(`corenet_raw_sendrecv_generic_if',` +interface(`corenet_raw_sendrecv_generic_if',` corenet_raw_send_generic_if($1) corenet_raw_receive_generic_if($1) ') @@ -97,7 +97,7 @@ define(`corenet_raw_sendrecv_generic_if',` # # corenet_tcp_sendrecv_all_if(domain) # -define(`corenet_tcp_sendrecv_all_if',` +interface(`corenet_tcp_sendrecv_all_if',` gen_require(` attribute netif_type; class netif { tcp_send tcp_recv }; @@ -110,7 +110,7 @@ define(`corenet_tcp_sendrecv_all_if',` # # corenet_udp_send_all_if(domain) # -define(`corenet_udp_send_all_if',` +interface(`corenet_udp_send_all_if',` gen_require(` attribute netif_type; class netif udp_send; @@ -123,7 +123,7 @@ define(`corenet_udp_send_all_if',` # # corenet_udp_receive_all_if(domain) # -define(`corenet_udp_receive_all_if',` +interface(`corenet_udp_receive_all_if',` gen_require(` attribute netif_type; class netif udp_recv; @@ -136,7 +136,7 @@ define(`corenet_udp_receive_all_if',` # # corenet_udp_sendrecv_all_if(domain) # -define(`corenet_udp_sendrecv_all_if',` +interface(`corenet_udp_sendrecv_all_if',` corenet_udp_send_all_if($1) corenet_udp_receive_all_if($1) ') @@ -145,7 +145,7 @@ define(`corenet_udp_sendrecv_all_if',` # # corenet_raw_send_all_if(domain) # -define(`corenet_raw_send_all_if',` +interface(`corenet_raw_send_all_if',` gen_require(` attribute netif_type; class netif rawip_send; @@ -160,7 +160,7 @@ define(`corenet_raw_send_all_if',` # # corenet_raw_receive_all_if(domain) # -define(`corenet_raw_receive_all_if',` +interface(`corenet_raw_receive_all_if',` gen_require(` attribute netif_type; class netif rawip_recv; @@ -173,7 +173,7 @@ define(`corenet_raw_receive_all_if',` # # corenet_raw_sendrecv_all_if(domain) # -define(`corenet_raw_sendrecv_all_if',` +interface(`corenet_raw_sendrecv_all_if',` corenet_raw_send_all_if($1) corenet_raw_receive_all_if($1) ') 
@@ -182,7 +182,7 @@ define(`corenet_raw_sendrecv_all_if',` # # corenet_tcp_sendrecv_generic_node(domain) # -define(`corenet_tcp_sendrecv_generic_node',` +interface(`corenet_tcp_sendrecv_generic_node',` gen_require(` type node_t; class node { tcp_send tcp_recv }; @@ -195,7 +195,7 @@ define(`corenet_tcp_sendrecv_generic_node',` # # corenet_udp_send_generic_node(domain) # -define(`corenet_udp_send_generic_node',` +interface(`corenet_udp_send_generic_node',` gen_require(` type node_t; class node udp_send; @@ -208,7 +208,7 @@ define(`corenet_udp_send_generic_node',` # # corenet_udp_receive_generic_node(domain) # -define(`corenet_udp_receive_generic_node',` +interface(`corenet_udp_receive_generic_node',` gen_require(` type node_t; class node udp_recv; @@ -221,7 +221,7 @@ define(`corenet_udp_receive_generic_node',` # # corenet_udp_sendrecv_generic_node(domain) # -define(`corenet_udp_sendrecv_generic_node',` +interface(`corenet_udp_sendrecv_generic_node',` corenet_udp_send_generic_node($1) corenet_udp_receive_generic_node($1) ') @@ -230,7 +230,7 @@ define(`corenet_udp_sendrecv_generic_node',` # # corenet_raw_send_generic_node(domain) # -define(`corenet_raw_send_generic_node',` +interface(`corenet_raw_send_generic_node',` gen_require(` type node_t; class node rawip_send; @@ -243,7 +243,7 @@ define(`corenet_raw_send_generic_node',` # # corenet_raw_receive_generic_node(domain) # -define(`corenet_raw_receive_generic_node',` +interface(`corenet_raw_receive_generic_node',` gen_require(` type node_t; class node rawip_recv; @@ -256,7 +256,7 @@ define(`corenet_raw_receive_generic_node',` # # corenet_raw_sendrecv_generic_node(domain) # -define(`corenet_raw_sendrecv_generic_node',` +interface(`corenet_raw_sendrecv_generic_node',` corenet_raw_send_generic_node($1) corenet_raw_receive_generic_node($1) ') 
@@ -265,7 +265,7 @@ define(`corenet_raw_sendrecv_generic_node',` # # corenet_tcp_bind_generic_node(domain) # -define(`corenet_tcp_bind_generic_node',` +interface(`corenet_tcp_bind_generic_node',` gen_require(` type node_t; class tcp_socket node_bind; @@ -278,7 +278,7 @@ define(`corenet_tcp_bind_generic_node',` # # corenet_udp_bind_generic_node(domain) # -define(`corenet_udp_bind_generic_node',` +interface(`corenet_udp_bind_generic_node',` gen_require(` type node_t; class udp_socket node_bind; @@ -291,7 +291,7 @@ define(`corenet_udp_bind_generic_node',` # # corenet_tcp_sendrecv_all_nodes(domain) # -define(`corenet_tcp_sendrecv_all_nodes',` +interface(`corenet_tcp_sendrecv_all_nodes',` gen_require(` attribute node_type; class node { tcp_send tcp_recv }; @@ -304,7 +304,7 @@ define(`corenet_tcp_sendrecv_all_nodes',` # # corenet_udp_send_all_nodes(domain) # -define(`corenet_udp_send_all_nodes',` +interface(`corenet_udp_send_all_nodes',` gen_require(` attribute node_type; class node udp_send; @@ -317,7 +317,7 @@ define(`corenet_udp_send_all_nodes',` # # corenet_udp_receive_all_nodes(domain) # -define(`corenet_udp_receive_all_nodes',` +interface(`corenet_udp_receive_all_nodes',` gen_require(` attribute node_type; class node udp_recv; @@ -330,7 +330,7 @@ define(`corenet_udp_receive_all_nodes',` # # corenet_udp_sendrecv_all_nodes(domain) # -define(`corenet_udp_sendrecv_all_nodes',` +interface(`corenet_udp_sendrecv_all_nodes',` corenet_udp_send_all_nodes($1) corenet_udp_receive_all_nodes($1) ') @@ -339,7 +339,7 @@ define(`corenet_udp_sendrecv_all_nodes',` # # corenet_raw_send_all_nodes(domain) # -define(`corenet_raw_send_all_nodes',` +interface(`corenet_raw_send_all_nodes',` gen_require(` attribute node_type; class node rawip_send; @@ -352,7 +352,7 @@ define(`corenet_raw_send_all_nodes',` # # corenet_raw_receive_all_nodes(domain) # -define(`corenet_raw_receive_all_nodes',` +interface(`corenet_raw_receive_all_nodes',` gen_require(` attribute node_type; class node rawip_recv; 
@@ -365,7 +365,7 @@ define(`corenet_raw_receive_all_nodes',` # # corenet_raw_sendrecv_all_nodes(domain) # -define(`corenet_raw_sendrecv_all_nodes',` +interface(`corenet_raw_sendrecv_all_nodes',` corenet_raw_send_all_nodes($1) corenet_raw_receive_all_nodes($1) ') @@ -374,7 +374,7 @@ define(`corenet_raw_sendrecv_all_nodes',` # # corenet_tcp_bind_all_nodes(domain) # -define(`corenet_tcp_bind_all_nodes',` +interface(`corenet_tcp_bind_all_nodes',` gen_require(` attribute node_type; class tcp_socket node_bind; @@ -387,7 +387,7 @@ define(`corenet_tcp_bind_all_nodes',` # # corenet_udp_bind_all_nodes(domain) # -define(`corenet_udp_bind_all_nodes',` +interface(`corenet_udp_bind_all_nodes',` gen_require(` attribute node_type; class udp_socket node_bind; @@ -400,7 +400,7 @@ define(`corenet_udp_bind_all_nodes',` # # corenet_tcp_sendrecv_generic_port(domain) # -define(`corenet_tcp_sendrecv_generic_port',` +interface(`corenet_tcp_sendrecv_generic_port',` gen_require(` type port_t; class tcp_socket { send_msg recv_msg }; @@ -413,7 +413,7 @@ define(`corenet_tcp_sendrecv_generic_port',` # # corenet_udp_send_generic_port(domain) # -define(`corenet_udp_send_generic_port',` +interface(`corenet_udp_send_generic_port',` gen_require(` type port_t; class udp_socket send_msg; @@ -426,7 +426,7 @@ define(`corenet_udp_send_generic_port',` # # corenet_udp_receive_generic_port(domain) # -define(`corenet_udp_receive_generic_port',` +interface(`corenet_udp_receive_generic_port',` gen_require(` type port_t; class udp_socket recv_msg; @@ -439,7 +439,7 @@ define(`corenet_udp_receive_generic_port',` # # corenet_udp_sendrecv_generic_port(domain) # -define(`corenet_udp_sendrecv_generic_port',` +interface(`corenet_udp_sendrecv_generic_port',` corenet_udp_send_generic_port($1) corenet_udp_receive_generic_port($1) ') 
@@ -448,7 +448,7 @@ define(`corenet_udp_sendrecv_generic_port',` # # corenet_tcp_bind_generic_port(domain) # -define(`corenet_tcp_bind_generic_port',` +interface(`corenet_tcp_bind_generic_port',` gen_require(` type port_t; class tcp_socket name_bind; @@ -461,7 +461,7 @@ define(`corenet_tcp_bind_generic_port',` # # corenet_udp_bind_generic_port(domain) # -define(`corenet_udp_bind_generic_port',` +interface(`corenet_udp_bind_generic_port',` gen_require(` type port_t; class udp_socket name_bind; @@ -474,7 +474,7 @@ define(`corenet_udp_bind_generic_port',` # # corenet_tcp_sendrecv_all_ports(domain) # -define(`corenet_tcp_sendrecv_all_ports',` +interface(`corenet_tcp_sendrecv_all_ports',` gen_require(` attribute port_type; class tcp_socket { send_msg recv_msg }; @@ -487,7 +487,7 @@ define(`corenet_tcp_sendrecv_all_ports',` # # corenet_udp_send_all_ports(domain) # -define(`corenet_udp_send_all_ports',` +interface(`corenet_udp_send_all_ports',` gen_require(` attribute port_type; class udp_socket send_msg; @@ -500,7 +500,7 @@ define(`corenet_udp_send_all_ports',` # # corenet_udp_receive_all_ports(domain) # -define(`corenet_udp_receive_all_ports',` +interface(`corenet_udp_receive_all_ports',` gen_require(` attribute port_type; class udp_socket recv_msg; @@ -513,7 +513,7 @@ define(`corenet_udp_receive_all_ports',` # # corenet_udp_sendrecv_all_ports(domain) # -define(`corenet_udp_sendrecv_all_ports',` +interface(`corenet_udp_sendrecv_all_ports',` corenet_udp_send_all_ports($1) corenet_udp_receive_all_ports($1) ') @@ -522,7 +522,7 @@ define(`corenet_udp_sendrecv_all_ports',` # # corenet_tcp_bind_all_ports(domain) # -define(`corenet_tcp_bind_all_ports',` +interface(`corenet_tcp_bind_all_ports',` gen_require(` attribute port_type; class tcp_socket name_bind; 
@@ -535,7 +535,7 @@ define(`corenet_tcp_bind_all_ports',` # # corenet_udp_bind_all_ports(domain) # -define(`corenet_udp_bind_all_ports',` +interface(`corenet_udp_bind_all_ports',` gen_require(` attribute port_type; class udp_socket name_bind; @@ -548,7 +548,7 @@ define(`corenet_udp_bind_all_ports',` # # corenet_tcp_sendrecv_reserved_port(domain) # -define(`corenet_tcp_sendrecv_reserved_port',` +interface(`corenet_tcp_sendrecv_reserved_port',` gen_require(` type reserved_port_t; class tcp_socket { send_msg recv_msg }; @@ -561,7 +561,7 @@ define(`corenet_tcp_sendrecv_reserved_port',` # # corenet_udp_send_reserved_port(domain) # -define(`corenet_udp_send_reserved_port',` +interface(`corenet_udp_send_reserved_port',` gen_require(` type reserved_port_t; class udp_socket send_msg; @@ -574,7 +574,7 @@ define(`corenet_udp_send_reserved_port',` # # corenet_udp_receive_reserved_port(domain) # -define(`corenet_udp_receive_reserved_port',` +interface(`corenet_udp_receive_reserved_port',` gen_require(` type reserved_port_t; class udp_socket recv_msg; @@ -587,7 +587,7 @@ define(`corenet_udp_receive_reserved_port',` # # corenet_udp_sendrecv_reserved_port(domain) # -define(`corenet_udp_sendrecv_reserved_port',` +interface(`corenet_udp_sendrecv_reserved_port',` corenet_udp_send_reserved_port($1) corenet_udp_receive_reserved_port($1) ') @@ -596,7 +596,7 @@ define(`corenet_udp_sendrecv_reserved_port',` # # corenet_tcp_bind_reserved_port(domain) # -define(`corenet_tcp_bind_reserved_port',` +interface(`corenet_tcp_bind_reserved_port',` gen_require(` type reserved_port_t; class tcp_socket name_bind; @@ -611,7 +611,7 @@ define(`corenet_tcp_bind_reserved_port',` # # corenet_udp_bind_reserved_port(domain) # -define(`corenet_udp_bind_reserved_port',` +interface(`corenet_udp_bind_reserved_port',` gen_require(` type reserved_port_t; class udp_socket name_bind; 
@@ -626,7 +626,7 @@ define(`corenet_udp_bind_reserved_port',` # # corenet_tcp_sendrecv_all_reserved_ports(domain) # -define(`corenet_tcp_sendrecv_all_reserved_ports',` +interface(`corenet_tcp_sendrecv_all_reserved_ports',` gen_require(` attribute reserved_port_type; class tcp_socket { send_msg recv_msg }; @@ -639,7 +639,7 @@ define(`corenet_tcp_sendrecv_all_reserved_ports',` # # corenet_udp_send_all_reserved_ports(domain) # -define(`corenet_udp_send_all_reserved_ports',` +interface(`corenet_udp_send_all_reserved_ports',` gen_require(` attribute reserved_port_type; class udp_socket send_msg; @@ -652,7 +652,7 @@ define(`corenet_udp_send_all_reserved_ports',` # # corenet_udp_receive_all_reserved_ports(domain) # -define(`corenet_udp_receive_all_reserved_ports',` +interface(`corenet_udp_receive_all_reserved_ports',` gen_require(` attribute reserved_port_type; class udp_socket recv_msg; @@ -665,7 +665,7 @@ define(`corenet_udp_receive_all_reserved_ports',` # # corenet_udp_sendrecv_all_reserved_ports(domain) # -define(`corenet_udp_sendrecv_all_reserved_ports',` +interface(`corenet_udp_sendrecv_all_reserved_ports',` corenet_udp_send_all_reserved_ports($1) corenet_udp_receive_all_reserved_ports($1) ') @@ -674,7 +674,7 @@ define(`corenet_udp_sendrecv_all_reserved_ports',` # # corenet_tcp_bind_all_reserved_ports(domain) # -define(`corenet_tcp_bind_all_reserved_ports',` +interface(`corenet_tcp_bind_all_reserved_ports',` gen_require(` attribute reserved_port_type; class tcp_socket name_bind; @@ -689,7 +689,7 @@ define(`corenet_tcp_bind_all_reserved_ports',` # # corenet_dontaudit_tcp_bind_all_reserved_ports(domain) # -define(`corenet_dontaudit_tcp_bind_all_reserved_ports',` +interface(`corenet_dontaudit_tcp_bind_all_reserved_ports',` gen_require(` attribute reserved_port_type; class tcp_socket name_bind; 
@@ -702,7 +702,7 @@ define(`corenet_dontaudit_tcp_bind_all_reserved_ports',` # # corenet_udp_bind_all_reserved_ports(domain) # -define(`corenet_udp_bind_all_reserved_ports',` +interface(`corenet_udp_bind_all_reserved_ports',` gen_require(` attribute reserved_port_type; class udp_socket name_bind; @@ -717,7 +717,7 @@ define(`corenet_udp_bind_all_reserved_ports',` # # corenet_dontaudit_udp_bind_all_reserved_ports(domain) # -define(`corenet_dontaudit_udp_bind_all_reserved_ports',` +interface(`corenet_dontaudit_udp_bind_all_reserved_ports',` gen_require(` attribute reserved_port_type; class udp_socket name_bind; diff --git a/refpolicy/policy/modules/kernel/corenetwork.if.m4 b/refpolicy/policy/modules/kernel/corenetwork.if.m4 index 682f22c..fea2b84 100644 --- a/refpolicy/policy/modules/kernel/corenetwork.if.m4 +++ b/refpolicy/policy/modules/kernel/corenetwork.if.m4 @@ -16,7 +16,7 @@ define(`create_netif_interfaces',`` ## ## # -define(`corenet_tcp_sendrecv_$1',` +interface(`corenet_tcp_sendrecv_$1',` gen_require(` type $1_netif_t; class netif { tcp_send tcp_recv }; @@ -36,7 +36,7 @@ define(`corenet_tcp_sendrecv_$1',` ## ## # -define(`corenet_udp_send_$1',` +interface(`corenet_udp_send_$1',` gen_require(` type $1_netif_t; class netif udp_send; @@ -56,7 +56,7 @@ define(`corenet_udp_send_$1',` ## ## # -define(`corenet_udp_receive_$1',` +interface(`corenet_udp_receive_$1',` gen_require(` type $1_netif_t; class netif udp_recv; @@ -76,7 +76,7 @@ define(`corenet_udp_receive_$1',` ## ## # -define(`corenet_udp_sendrecv_$1',` +interface(`corenet_udp_sendrecv_$1',` corenet_udp_send_$1(dollarsone) corenet_udp_receive_$1(dollarsone) ') @@ -92,7 +92,7 @@ define(`corenet_udp_sendrecv_$1',` ## ## # -define(`corenet_raw_send_$1',` +interface(`corenet_raw_send_$1',` gen_require(` type $1_netif_t; class netif rawip_send; 
@@ -114,7 +114,7 @@ define(`corenet_raw_send_$1',` ## ## # -define(`corenet_raw_receive_$1',` +interface(`corenet_raw_receive_$1',` gen_require(` type $1_netif_t; class netif rawip_recv; @@ -134,7 +134,7 @@ define(`corenet_raw_receive_$1',` ## ## # -define(`corenet_raw_sendrecv_$1',` +interface(`corenet_raw_sendrecv_$1',` corenet_raw_send_$1(dollarsone) corenet_raw_receive_$1(dollarsone) ') @@ -158,7 +158,7 @@ define(`create_node_interfaces',`` ## ## # -define(`corenet_tcp_sendrecv_$1_node',` +interface(`corenet_tcp_sendrecv_$1_node',` gen_require(` type $1_node_t; class node { tcp_send tcp_recv }; @@ -178,7 +178,7 @@ define(`corenet_tcp_sendrecv_$1_node',` ## ## # -define(`corenet_udp_send_$1_node',` +interface(`corenet_udp_send_$1_node',` gen_require(` type $1_node_t; class node udp_send; @@ -198,7 +198,7 @@ define(`corenet_udp_send_$1_node',` ## ## # -define(`corenet_udp_receive_$1_node',` +interface(`corenet_udp_receive_$1_node',` gen_require(` type $1_node_t; class node udp_recv; @@ -218,7 +218,7 @@ define(`corenet_udp_receive_$1_node',` ## ## # -define(`corenet_udp_sendrecv_$1_node',` +interface(`corenet_udp_sendrecv_$1_node',` corenet_udp_send_$1_node(dollarsone) corenet_udp_receive_$1_node(dollarsone) ') @@ -234,7 +234,7 @@ define(`corenet_udp_sendrecv_$1_node',` ## ## # -define(`corenet_raw_send_$1_node',` +interface(`corenet_raw_send_$1_node',` gen_require(` type $1_node_t; class node rawip_send; @@ -254,7 +254,7 @@ define(`corenet_raw_send_$1_node',` ## ## # -define(`corenet_raw_receive_$1_node',` +interface(`corenet_raw_receive_$1_node',` gen_require(` type $1_node_t; class node rawip_recv; @@ -274,7 +274,7 @@ define(`corenet_raw_receive_$1_node',` ## ## # -define(`corenet_raw_sendrecv_$1_node',` +interface(`corenet_raw_sendrecv_$1_node',` corenet_raw_send_$1_node(dollarsone) corenet_raw_receive_$1_node(dollarsone) ') 
@@ -290,7 +290,7 @@ define(`corenet_raw_sendrecv_$1_node',` ## ## # -define(`corenet_tcp_bind_$1_node',` +interface(`corenet_tcp_bind_$1_node',` gen_require(` type $1_node_t; class tcp_socket node_bind; @@ -310,7 +310,7 @@ define(`corenet_tcp_bind_$1_node',` ## ## # -define(`corenet_udp_bind_$1_node',` +interface(`corenet_udp_bind_$1_node',` gen_require(` type $1_node_t; class udp_socket node_bind; @@ -338,7 +338,7 @@ define(`create_port_interfaces',`` ## ## # -define(`corenet_tcp_sendrecv_$1_port',` +interface(`corenet_tcp_sendrecv_$1_port',` gen_require(` type $1_port_t; class tcp_socket { send_msg recv_msg }; @@ -358,7 +358,7 @@ define(`corenet_tcp_sendrecv_$1_port',` ## ## # -define(`corenet_udp_send_$1_port',` +interface(`corenet_udp_send_$1_port',` gen_require(` type $1_port_t; class udp_socket send_msg; @@ -378,7 +378,7 @@ define(`corenet_udp_send_$1_port',` ## ## # -define(`corenet_udp_receive_$1_port',` +interface(`corenet_udp_receive_$1_port',` gen_require(` type $1_port_t; class udp_socket recv_msg; @@ -398,7 +398,7 @@ define(`corenet_udp_receive_$1_port',` ## ## # -define(`corenet_udp_sendrecv_$1_port',` +interface(`corenet_udp_sendrecv_$1_port',` corenet_udp_send_$1_port(dollarsone) corenet_udp_receive_$1_port(dollarsone) ') @@ -414,7 +414,7 @@ define(`corenet_udp_sendrecv_$1_port',` ## ## # -define(`corenet_tcp_bind_$1_port',` +interface(`corenet_tcp_bind_$1_port',` gen_require(` type $1_port_t; class tcp_socket name_bind; @@ -435,7 +435,7 @@ define(`corenet_tcp_bind_$1_port',` ## ## # -define(`corenet_udp_bind_$1_port',` +interface(`corenet_udp_bind_$1_port',` gen_require(` type $1_port_t; class udp_socket name_bind; diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if index 326c70c..8d7e753 100644 --- a/refpolicy/policy/modules/kernel/devices.if +++ b/refpolicy/policy/modules/kernel/devices.if @@ -36,7 +36,7 @@ ## ## # -define(`dev_node',` +interface(`dev_node',` gen_require(` attribute device_node; ') 
@@ -60,7 +60,7 @@ define(`dev_node',` ## ## # -define(`dev_relabel_all_dev_nodes',` +interface(`dev_relabel_all_dev_nodes',` gen_require(` attribute device_node; type device_t; @@ -92,7 +92,7 @@ define(`dev_relabel_all_dev_nodes',` ## ## # -define(`dev_list_all_dev_nodes',` +interface(`dev_list_all_dev_nodes',` gen_require(` type device_t; class dir r_dir_perms; @@ -113,7 +113,7 @@ define(`dev_list_all_dev_nodes',` ## ## # -define(`dev_dontaudit_list_all_dev_nodes',` +interface(`dev_dontaudit_list_all_dev_nodes',` gen_require(` type device_t; class dir r_dir_perms; @@ -132,7 +132,7 @@ define(`dev_dontaudit_list_all_dev_nodes',` ## ## # -define(`dev_create_dir',` +interface(`dev_create_dir',` gen_require(` type device_t; class dir { ra_dir_perms create }; @@ -151,7 +151,7 @@ define(`dev_create_dir',` ## ## # -define(`dev_relabel_dev_dirs',` +interface(`dev_relabel_dev_dirs',` gen_require(` type device_t; class dir { r_dir_perms relabelfrom relabelto }; @@ -170,7 +170,7 @@ define(`dev_relabel_dev_dirs',` ## ## # -define(`dev_dontaudit_getattr_generic_pipe',` +interface(`dev_dontaudit_getattr_generic_pipe',` gen_require(` type device_t; class fifo_file getattr; @@ -189,7 +189,7 @@ define(`dev_dontaudit_getattr_generic_pipe',` ## ## # -define(`dev_getattr_generic_blk_file',` +interface(`dev_getattr_generic_blk_file',` gen_require(` type device_t; class dir r_dir_perms; @@ -210,7 +210,7 @@ define(`dev_getattr_generic_blk_file',` ## ## # -define(`dev_dontaudit_getattr_generic_blk_file',` +interface(`dev_dontaudit_getattr_generic_blk_file',` gen_require(` type device_t; class blk_file getattr; @@ -229,7 +229,7 @@ define(`dev_dontaudit_getattr_generic_blk_file',` ## ## # -define(`dev_dontaudit_setattr_generic_blk_file',` +interface(`dev_dontaudit_setattr_generic_blk_file',` gen_require(` type device_t; class blk_file setattr; 
@@ -249,7 +249,7 @@ define(`dev_dontaudit_setattr_generic_blk_file',`
 ##
 ##
 #
-define(`dev_manage_generic_blk_file',`
+interface(`dev_manage_generic_blk_file',`
 gen_require(`
 type device_t;
 class blk_file create_file_perms;
@@ -269,7 +269,7 @@ define(`dev_manage_generic_blk_file',`
 ##
 ##
 #
-define(`dev_create_generic_chr_file',`
+interface(`dev_create_generic_chr_file',`
 gen_require(`
 type device_t;
 class dir ra_dir_perms;
@@ -293,7 +293,7 @@ define(`dev_create_generic_chr_file',`
 ##
 ##
 #
-define(`dev_getattr_generic_chr_file',`
+interface(`dev_getattr_generic_chr_file',`
 gen_require(`
 type device_t;
 class dir r_dir_perms;
@@ -314,7 +314,7 @@ define(`dev_getattr_generic_chr_file',`
 ##
 ##
 #
-define(`dev_dontaudit_getattr_generic_chr_file',`
+interface(`dev_dontaudit_getattr_generic_chr_file',`
 gen_require(`
 type device_t;
 class chr_file getattr;
@@ -333,7 +333,7 @@ define(`dev_dontaudit_getattr_generic_chr_file',`
 ##
 ##
 #
-define(`dev_dontaudit_setattr_generic_chr_file',`
+interface(`dev_dontaudit_setattr_generic_chr_file',`
 gen_require(`
 type device_t;
 class chr_file setattr;
@@ -352,7 +352,7 @@ define(`dev_dontaudit_setattr_generic_chr_file',`
 ##
 ##
 #
-define(`dev_del_generic_symlinks',`
+interface(`dev_del_generic_symlinks',`
 gen_require(`
 type device_t;
 class dir { getattr read write remove_name };
@@ -373,7 +373,7 @@ define(`dev_del_generic_symlinks',`
 ##
 ##
 #
-define(`dev_manage_generic_symlinks',`
+interface(`dev_manage_generic_symlinks',`
 gen_require(`
 type device_t;
 class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto };
@@ -394,7 +394,7 @@ define(`dev_manage_generic_symlinks',`
 ##
 ##
 #
-define(`dev_manage_dev_nodes',`
+interface(`dev_manage_dev_nodes',`
 gen_require(`
 attribute device_node, memory_raw_read, memory_raw_write;
 type device_t;
@@ -432,7 +432,7 @@ define(`dev_manage_dev_nodes',`
 ##
 ##
 #
-define(`dev_dontaudit_rw_generic_dev_nodes',`
+interface(`dev_dontaudit_rw_generic_dev_nodes',`
 gen_require(`
 type device_t;
 class chr_file { getattr read write ioctl };
@@ -452,7 +452,7 @@ define(`dev_dontaudit_rw_generic_dev_nodes',`
 ##
 ##
 #
-define(`dev_manage_generic_blk_file',`
+interface(`dev_manage_generic_blk_file',`
 gen_require(`
 type device_t;
 class dir rw_dir_perms;
@@ -473,7 +473,7 @@ define(`dev_manage_generic_blk_file',`
 ##
 ##
 #
-define(`dev_manage_generic_chr_file',`
+interface(`dev_manage_generic_chr_file',`
 gen_require(`
 type device_t;
 class dir rw_dir_perms;
@@ -502,7 +502,7 @@ define(`dev_manage_generic_chr_file',`
 ##
 ##
 #
-define(`dev_create_dev_node',`
+interface(`dev_create_dev_node',`
 gen_require(`
 type device_t;
 class dir rw_dir_perms;
@@ -526,7 +526,7 @@ define(`dev_create_dev_node',`
 ##
 ##
 #
-define(`dev_getattr_all_blk_files',`
+interface(`dev_getattr_all_blk_files',`
 gen_require(`
 attribute device_node;
 class blk_file getattr;
@@ -547,7 +547,7 @@ define(`dev_getattr_all_blk_files',`
 ##
 ##
 #
-define(`dev_dontaudit_getattr_all_blk_files',`
+interface(`dev_dontaudit_getattr_all_blk_files',`
 gen_require(`
 attribute device_node;
 class blk_file getattr;
@@ -566,7 +566,7 @@ define(`dev_dontaudit_getattr_all_blk_files',`
 ##
 ##
 #
-define(`dev_getattr_all_chr_files',`
+interface(`dev_getattr_all_chr_files',`
 gen_require(`
 attribute device_node;
 class chr_file getattr;
@@ -587,7 +587,7 @@ define(`dev_getattr_all_chr_files',`
 ##
 ##
 #
-define(`dev_dontaudit_getattr_all_chr_files',`
+interface(`dev_dontaudit_getattr_all_chr_files',`
 gen_require(`
 attribute device_node;
 class chr_file getattr;
@@ -606,7 +606,7 @@ define(`dev_dontaudit_getattr_all_chr_files',`
 ##
 ##
 #
-define(`dev_setattr_all_blk_files',`
+interface(`dev_setattr_all_blk_files',`
 gen_require(`
 attribute device_node;
 class dir r_dir_perms;
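Review bot: The hunk at old line 452 turns a second definition of `dev_manage_generic_blk_file` into `interface(`dev_manage_generic_blk_file',`` while the hunk at old line 249 (previous physical line) already introduces an interface of that name with a different require block (`class blk_file create_file_perms` there, `class dir rw_dir_perms` here). With plain m4 `define` the later body silently replaced the earlier one; whether `interface` does the same or errors out depends on its definition in the M4 support files, which is not in this diff. Either way one of the two permission sets is unreachable under that name, so the second block should be renamed to match its actual contents or merged into the first before the conversion lands. Both interface bodies continue outside the visible hunk lines.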
@@ -627,7 +627,7 @@ define(`dev_setattr_all_blk_files',`
 ##
 ##
 #
-define(`dev_setattr_all_chr_files',`
+interface(`dev_setattr_all_chr_files',`
 gen_require(`
 attribute device_node;
 class dir r_dir_perms;
@@ -648,7 +648,7 @@ define(`dev_setattr_all_chr_files',`
 ##
 ##
 #
-define(`dev_manage_all_blk_files',`
+interface(`dev_manage_all_blk_files',`
 gen_require(`
 attribute device_node;
 class dir rw_dir_perms;
@@ -675,7 +675,7 @@ define(`dev_manage_all_blk_files',`
 ##
 ##
 #
-define(`dev_manage_all_chr_files',`
+interface(`dev_manage_all_chr_files',`
 gen_require(`
 attribute device_node, memory_raw_read, memory_raw_write;
 class dir rw_dir_perms;
@@ -698,7 +698,7 @@ define(`dev_manage_all_chr_files',`
 ##
 ##
 #
-define(`dev_read_raw_memory',`
+interface(`dev_read_raw_memory',`
 gen_require(`
 type device_t, memory_device_t;
 attribute memory_raw_read;
@@ -724,7 +724,7 @@ define(`dev_read_raw_memory',`
 ##
 ##
 #
-define(`dev_write_raw_memory',`
+interface(`dev_write_raw_memory',`
 gen_require(`
 type device_t, memory_device_t;
 attribute memory_raw_write;
@@ -750,7 +750,7 @@ define(`dev_write_raw_memory',`
 ##
 ##
 #
-define(`dev_rx_raw_memory',`
+interface(`dev_rx_raw_memory',`
 gen_require(`
 type device_t, memory_device_t;
 class chr_file execute;
@@ -770,7 +770,7 @@ define(`dev_rx_raw_memory',`
 ##
 ##
 #
-define(`dev_wx_raw_memory',`
+interface(`dev_wx_raw_memory',`
 gen_require(`
 type device_t, memory_device_t;
 class chr_file execute;
@@ -790,7 +790,7 @@ define(`dev_wx_raw_memory',`
 ##
 ##
 #
-define(`dev_read_rand',`
+interface(`dev_read_rand',`
 gen_require(`
 type device_t, random_device_t;
 class dir r_dir_perms;
@@ -811,7 +811,7 @@ define(`dev_read_rand',`
 ##
 ##
 #
-define(`dev_read_urand',`
+interface(`dev_read_urand',`
 gen_require(`
 type device_t, urandom_device_t;
 class dir r_dir_perms;
@@ -834,7 +834,7 @@ define(`dev_read_urand',`
 ##
 ##
 #
-define(`dev_write_rand',`
+interface(`dev_write_rand',`
 gen_require(`
 type device_t, random_device_t;
 class dir r_dir_perms;
@@ -856,7 +856,7 @@ define(`dev_write_rand',`
 ##
 ##
 #
-define(`dev_write_urand',`
+interface(`dev_write_urand',`
 gen_require(`
 type device_t, urandom_device_t;
 class dir r_dir_perms;
@@ -877,7 +877,7 @@ define(`dev_write_urand',`
 ##
 ##
 #
-define(`dev_rw_null_dev',`
+interface(`dev_rw_null_dev',`
 gen_require(`
 type device_t, null_device_t;
 class device_t:dir r_dir_perms;
@@ -898,7 +898,7 @@ define(`dev_rw_null_dev',`
 ##
 ##
 #
-define(`dev_rw_zero_dev',`
+interface(`dev_rw_zero_dev',`
 gen_require(`
 type device_t, zero_device_t;
 class device_t:dir r_dir_perms;
@@ -919,7 +919,7 @@ define(`dev_rw_zero_dev',`
 ##
 ##
 #
-define(`dev_rwx_zero_dev',`
+interface(`dev_rwx_zero_dev',`
 gen_require(`
 type zero_device_t;
 class chr_file execute;
@@ -939,7 +939,7 @@ define(`dev_rwx_zero_dev',`
 ##
 ##
 #
-define(`dev_read_realtime_clock',`
+interface(`dev_read_realtime_clock',`
 gen_require(`
 type device_t, clock_device_t;
 class dir r_dir_perms;
@@ -960,7 +960,7 @@ define(`dev_read_realtime_clock',`
 ##
 ##
 #
-define(`dev_write_realtime_clock',`
+interface(`dev_write_realtime_clock',`
 gen_require(`
 type device_t, clock_device_t;
 class dir r_dir_perms;
@@ -981,7 +981,7 @@ define(`dev_write_realtime_clock',`
 ##
 ##
 #
-define(`dev_rw_realtime_clock',`
+interface(`dev_rw_realtime_clock',`
 dev_read_realtime_clock($1)
 dev_write_realtime_clock($1)
 ')
@@ -996,7 +996,7 @@ define(`dev_rw_realtime_clock',`
 ##
 ##
 #
-define(`dev_getattr_snd_dev',`
+interface(`dev_getattr_snd_dev',`
 gen_require(`
 type device_t, sound_device_t;
 class dir r_dir_perms;
@@ -1017,7 +1017,7 @@ define(`dev_getattr_snd_dev',`
 ##
 ##
 #
-define(`dev_setattr_snd_dev',`
+interface(`dev_setattr_snd_dev',`
 gen_require(`
 type device_t, sound_device_t;
 class dir r_dir_perms;
@@ -1038,7 +1038,7 @@ define(`dev_setattr_snd_dev',`
 ##
 ##
 #
-define(`dev_read_snd_dev',`
+interface(`dev_read_snd_dev',`
 gen_require(`
 type device_t, sound_device_t;
 class dir r_dir_perms;
@@ -1059,7 +1059,7 @@ define(`dev_read_snd_dev',`
 ##
 ##
 #
-define(`dev_write_snd_dev',`
+interface(`dev_write_snd_dev',`
 gen_require(`
 type device_t, sound_device_t;
 class dir r_dir_perms;
@@ -1080,7 +1080,7 @@ define(`dev_write_snd_dev',`
 ##
 ##
 #
-define(`dev_read_snd_mixer_dev',`
+interface(`dev_read_snd_mixer_dev',`
 gen_require(`
 type device_t, sound_device_t;
 class dir r_dir_perms;
@@ -1101,7 +1101,7 @@ define(`dev_read_snd_mixer_dev',`
 ##
 ##
 #
-define(`dev_write_snd_mixer_dev',`
+interface(`dev_write_snd_mixer_dev',`
 gen_require(`
 type device_t, sound_device_t;
 class dir r_dir_perms;
@@ -1122,7 +1122,7 @@ define(`dev_write_snd_mixer_dev',`
 ##
 ##
 #
-define(`dev_rw_agp_dev',`
+interface(`dev_rw_agp_dev',`
 gen_require(`
 type device_t, agp_device_t;
 class dir r_dir_perms;
@@ -1143,7 +1143,7 @@ define(`dev_rw_agp_dev',`
 ##
 ##
 #
-define(`dev_getattr_agp_dev',`
+interface(`dev_getattr_agp_dev',`
 gen_require(`
 type device_t, dri_device_t;
 class dir r_dir_perms;
@@ -1164,7 +1164,7 @@ define(`dev_getattr_agp_dev',`
 ##
 ##
 #
-define(`dev_rw_dri_dev',`
+interface(`dev_rw_dri_dev',`
 gen_require(`
 type device_t, dri_device_t;
 class dir r_dir_perms;
@@ -1185,7 +1185,7 @@ define(`dev_rw_dri_dev',`
 ##
 ##
 #
-define(`dev_dontaudit_rw_dri_dev',`
+interface(`dev_dontaudit_rw_dri_dev',`
 gen_require(`
 type dri_device_t;
 class chr_file { getattr read write ioctl };
@@ -1204,7 +1204,7 @@ define(`dev_dontaudit_rw_dri_dev',`
 ##
 ##
 #
-define(`dev_read_mtrr',`
+interface(`dev_read_mtrr',`
 gen_require(`
 type device_t, mtrr_device_t;
 class dir r_dir_perms;
@@ -1225,7 +1225,7 @@ define(`dev_read_mtrr',`
 ##
 ##
 #
-define(`dev_write_mtrr',`
+interface(`dev_write_mtrr',`
 gen_require(`
 type device_t, mtrr_device_t;
 class dir r_dir_perms;
@@ -1246,7 +1246,7 @@ define(`dev_write_mtrr',`
 ##
 ##
 #
-define(`dev_getattr_framebuffer',`
+interface(`dev_getattr_framebuffer',`
 gen_require(`
 type framebuf_device_t;
 class dir r_dir_perms;
@@ -1267,7 +1267,7 @@ define(`dev_getattr_framebuffer',`
 ##
 ##
 #
-define(`dev_setattr_framebuffer',`
+interface(`dev_setattr_framebuffer',`
 gen_require(`
 type framebuf_device_t;
 class dir r_dir_perms;
@@ -1288,7 +1288,7 @@ define(`dev_setattr_framebuffer',`
 ##
 ##
 #
-define(`dev_read_framebuffer',`
+interface(`dev_read_framebuffer',`
 gen_require(`
 type framebuf_device_t;
 class dir r_dir_perms;
@@ -1309,7 +1309,7 @@ define(`dev_read_framebuffer',`
 ##
 ##
 #
-define(`dev_write_framebuffer',`
+interface(`dev_write_framebuffer',`
 gen_require(`
 type device_t, framebuf_device_t;
 class dir r_dir_perms;
@@ -1330,7 +1330,7 @@ define(`dev_write_framebuffer',`
 ##
 ##
 #
-define(`dev_read_lvm_control',`
+interface(`dev_read_lvm_control',`
 gen_require(`
 type device_t, lvm_control_t;
 class dir r_dir_perms;
@@ -1351,7 +1351,7 @@ define(`dev_read_lvm_control',`
 ##
 ##
 #
-define(`dev_rw_lvm_control',`
+interface(`dev_rw_lvm_control',`
 gen_require(`
 type device_t, lvm_control_t;
 class dir r_dir_perms;
@@ -1372,7 +1372,7 @@ define(`dev_rw_lvm_control',`
 ##
 ##
 #
-define(`dev_delete_lvm_control',`
+interface(`dev_delete_lvm_control',`
 gen_require(`
 type device_t, lvm_control_t;
 class dir { getattr search read write remove_name };
@@ -1393,7 +1393,7 @@ define(`dev_delete_lvm_control',`
 ##
 ##
 #
-define(`dev_getattr_misc',`
+interface(`dev_getattr_misc',`
 gen_require(`
 type device_t, misc_device_t;
 class dir r_dir_perms;
@@ -1415,7 +1415,7 @@ define(`dev_getattr_misc',`
 ##
 ##
 #
-define(`dev_dontaudit_getattr_misc',`
+interface(`dev_dontaudit_getattr_misc',`
 gen_require(`
 type misc_device_t;
 class chr_file getattr;
@@ -1434,7 +1434,7 @@ define(`dev_dontaudit_getattr_misc',`
 ##
 ##
 #
-define(`dev_setattr_misc',`
+interface(`dev_setattr_misc',`
 gen_require(`
 type device_t, misc_device_t;
 class dir r_dir_perms;
@@ -1456,7 +1456,7 @@ define(`dev_setattr_misc',`
 ##
 ##
 #
-define(`dev_dontaudit_setattr_misc',`
+interface(`dev_dontaudit_setattr_misc',`
 gen_require(`
 type misc_device_t;
 class chr_file setattr;
@@ -1475,7 +1475,7 @@ define(`dev_dontaudit_setattr_misc',`
 ##
 ##
 #
-define(`dev_read_misc',`
+interface(`dev_read_misc',`
 gen_require(`
 type device_t, misc_device_t;
 class dir r_dir_perms;
@@ -1496,7 +1496,7 @@ define(`dev_read_misc',`
 ##
 ##
 #
-define(`dev_write_misc',`
+interface(`dev_write_misc',`
 gen_require(`
 type device_t, misc_device_t;
 class dir r_dir_perms;
@@ -1517,7 +1517,7 @@ define(`dev_write_misc',`
 ##
 ##
 #
-define(`dev_getattr_mouse',`
+interface(`dev_getattr_mouse',`
 gen_require(`
 type device_t, mouse_device_t;
 class dir r_dir_perms;
@@ -1538,7 +1538,7 @@ define(`dev_getattr_mouse',`
 ##
 ##
 #
-define(`dev_setattr_mouse',`
+interface(`dev_setattr_mouse',`
 gen_require(`
 type device_t, mouse_device_t;
 class dir r_dir_perms;
@@ -1559,7 +1559,7 @@ define(`dev_setattr_mouse',`
 ##
 ##
 #
-define(`dev_read_mouse',`
+interface(`dev_read_mouse',`
 gen_require(`
 type device_t, mouse_device_t;
 class dir r_dir_perms;
@@ -1580,7 +1580,7 @@ define(`dev_read_mouse',`
 ##
 ##
 #
-define(`dev_read_input',`
+interface(`dev_read_input',`
 gen_require(`
 type device_t, event_device_t;
 class dir r_dir_perms;
@@ -1601,7 +1601,7 @@ define(`dev_read_input',`
 ##
 ##
 #
-define(`dev_read_cpuid',`
+interface(`dev_read_cpuid',`
 gen_require(`
 type device_t, cpu_device_t;
 class dir r_dir_perms;
@@ -1623,7 +1623,7 @@ define(`dev_read_cpuid',`
 ##
 ##
 #
-define(`dev_rw_cpu_microcode',`
+interface(`dev_rw_cpu_microcode',`
 gen_require(`
 type device_t, cpu_device_t;
 class dir r_dir_perms;
@@ -1644,7 +1644,7 @@ define(`dev_rw_cpu_microcode',`
 ##
 ##
 #
-define(`dev_getattr_scanner',`
+interface(`dev_getattr_scanner',`
 gen_require(`
 type device_t, scanner_device_t;
 class dir r_dir_perms;
@@ -1666,7 +1666,7 @@ define(`dev_getattr_scanner',`
 ##
 ##
 #
-define(`dev_dontaudit_getattr_scanner',`
+interface(`dev_dontaudit_getattr_scanner',`
 gen_require(`
 type scanner_device_t;
 class chr_file getattr;
@@ -1685,7 +1685,7 @@ define(`dev_dontaudit_getattr_scanner',`
 ##
 ##
 #
-define(`dev_setattr_scanner',`
+interface(`dev_setattr_scanner',`
 gen_require(`
 type device_t, scanner_device_t;
 class dir r_dir_perms;
@@ -1707,7 +1707,7 @@ define(`dev_setattr_scanner',`
 ##
 ##
 #
-define(`dev_dontaudit_setattr_scanner',`
+interface(`dev_dontaudit_setattr_scanner',`
 gen_require(`
 type scanner_device_t;
 class chr_file getattr;
@@ -1726,7 +1726,7 @@ define(`dev_dontaudit_setattr_scanner',`
 ##
 ##
 #
-define(`dev_rw_scanner',`
+interface(`dev_rw_scanner',`
 gen_require(`
 type device_t, scanner_device_t;
 class dir r_dir_perms;
@@ -1747,7 +1747,7 @@ define(`dev_rw_scanner',`
 ##
 ##
 #
-define(`dev_getattr_power_management',`
+interface(`dev_getattr_power_management',`
 gen_require(`
 type device_t, power_device_t;
 class dir r_dir_perms;
@@ -1768,7 +1768,7 @@ define(`dev_getattr_power_management',`
 ##
 ##
 #
-define(`dev_setattr_power_management',`
+interface(`dev_setattr_power_management',`
 gen_require(`
 type device_t, power_device_t;
 class dir r_dir_perms;
@@ -1789,7 +1789,7 @@ define(`dev_setattr_power_management',`
 ##
 ##
 #
-define(`dev_rw_power_management',`
+interface(`dev_rw_power_management',`
 gen_require(`
 type device_t, power_device_t;
 class dir r_dir_perms;
@@ -1810,7 +1810,7 @@ define(`dev_rw_power_management',`
 ##
 ##
 #
-define(`dev_getattr_sysfs_dir',`
+interface(`dev_getattr_sysfs_dir',`
 gen_require(`
 type sysfs_t;
 class dir getattr;
@@ -1829,7 +1829,7 @@ define(`dev_getattr_sysfs_dir',`
 ##
 ##
 #
-define(`dev_search_sysfs',`
+interface(`dev_search_sysfs',`
 gen_require(`
 type sysfs_t;
 class dir search;
@@ -1848,7 +1848,7 @@ define(`dev_search_sysfs',`
 ##
 ##
 #
-define(`dev_read_sysfs',`
+interface(`dev_read_sysfs',`
 gen_require(`
 type sysfs_t;
 class dir r_dir_perms;
@@ -1870,7 +1870,7 @@ define(`dev_read_sysfs',`
 ##
 ##
 #
-define(`dev_rw_sysfs',`
+interface(`dev_rw_sysfs',`
 gen_require(`
 type sysfs_t;
 class dir r_dir_perms;
@@ -1893,7 +1893,7 @@ define(`dev_rw_sysfs',`
 ##
 ##
 #
-define(`dev_search_usbfs',`
+interface(`dev_search_usbfs',`
 gen_require(`
 type usbfs_t;
 class dir search;
@@ -1912,7 +1912,7 @@ define(`dev_search_usbfs',`
 ##
 ##
 #
-define(`dev_list_usbfs',`
+interface(`dev_list_usbfs',`
 gen_require(`
 type usbfs_t;
 class dir r_dir_perms;
@@ -1936,7 +1936,7 @@ define(`dev_list_usbfs',`
 ##
 ##
 #
-define(`dev_read_usbfs',`
+interface(`dev_read_usbfs',`
 gen_require(`
 type usbfs_t;
 class dir r_dir_perms;
@@ -1958,7 +1958,7 @@ define(`dev_read_usbfs',`
 ##
 ##
 #
-define(`dev_rw_usbfs',`
+interface(`dev_rw_usbfs',`
 gen_require(`
 type usbfs_t;
 class dir r_dir_perms;
@@ -1981,7 +1981,7 @@ define(`dev_rw_usbfs',`
 ##
 ##
 #
-define(`dev_getattr_video_dev',`
+interface(`dev_getattr_video_dev',`
 gen_require(`
 type device_t, v4l_device_t;
 class dir r_dir_perms;
@@ -2002,7 +2002,7 @@ define(`dev_getattr_video_dev',`
 ##
 ##
 #
-define(`dev_setattr_video_dev',`
+interface(`dev_setattr_video_dev',`
 gen_require(`
 type device_t, v4l_device_t;
 class dir r_dir_perms;
diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if
index 8bdc175..e3e5442 100644
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@@ -11,7 +11,7 @@
 ##
 ##
 #
-define(`fs_make_fs',`
+interface(`fs_make_fs',`
 gen_require(`
 attribute fs_type;
 ')
@@ -31,7 +31,7 @@ define(`fs_make_fs',`
 ##
 ##
 #
-define(`fs_make_noxattr_fs',`
+interface(`fs_make_noxattr_fs',`
 gen_require(`
 attribute noxattrfs;
 ')
@@ -54,7 +54,7 @@ define(`fs_make_noxattr_fs',`
 ##
 ##
 #
-define(`fs_associate',`
+interface(`fs_associate',`
 gen_require(`
 type fs_t;
 class filesystem associate;
@@ -77,7 +77,7 @@ define(`fs_associate',`
 ##
 ##
 #
-define(`fs_associate_noxattr',`
+interface(`fs_associate_noxattr',`
 gen_require(`
 attribute noxattrfs;
 class filesystem associate;
@@ -98,7 +98,7 @@ define(`fs_associate_noxattr',`
 ##
 ##
 #
-define(`fs_mount_xattr_fs',`
+interface(`fs_mount_xattr_fs',`
 gen_require(`
 type fs_t;
 class filesystem mount;
@@ -120,7 +120,7 @@ define(`fs_mount_xattr_fs',`
 ##
 ##
 #
-define(`fs_remount_xattr_fs',`
+interface(`fs_remount_xattr_fs',`
 gen_require(`
 type fs_t;
 class filesystem remount;
@@ -141,7 +141,7 @@ define(`fs_remount_xattr_fs',`
 ##
 ##
 #
-define(`fs_unmount_xattr_fs',`
+interface(`fs_unmount_xattr_fs',`
 gen_require(`
 type fs_t;
 class filesystem unmount;
@@ -163,7 +163,7 @@ define(`fs_unmount_xattr_fs',`
 ##
 ##
 #
-define(`fs_getattr_xattr_fs',`
+interface(`fs_getattr_xattr_fs',`
 gen_require(`
 type fs_t;
 class filesystem getattr;
@@ -185,7 +185,7 @@ define(`fs_getattr_xattr_fs',`
 ##
 ##
 #
-define(`fs_dontaudit_getattr_xattr_fs',`
+interface(`fs_dontaudit_getattr_xattr_fs',`
 gen_require(`
 type fs_t;
 class filesystem getattr;
@@ -206,7 +206,7 @@ define(`fs_dontaudit_getattr_xattr_fs',`
 ##
 ##
 #
-define(`fs_relabelfrom_xattr_fs',`
+interface(`fs_relabelfrom_xattr_fs',`
 gen_require(`
 type fs_t;
 class filesystem relabelfrom;
@@ -225,7 +225,7 @@ define(`fs_relabelfrom_xattr_fs',`
 ##
 ##
 #
-define(`fs_mount_autofs',`
+interface(`fs_mount_autofs',`
 gen_require(`
 type autofs_t;
 class filesystem mount;
@@ -246,7 +246,7 @@ define(`fs_mount_autofs',`
 ##
 ##
 #
-define(`fs_remount_autofs',`
+interface(`fs_remount_autofs',`
 gen_require(`
 type autofs_t;
 class filesystem remount;
@@ -265,7 +265,7 @@ define(`fs_remount_autofs',`
 ##
 ##
 #
-define(`fs_unmount_autofs',`
+interface(`fs_unmount_autofs',`
 gen_require(`
 type autofs_t;
 class filesystem unmount;
@@ -286,7 +286,7 @@ define(`fs_unmount_autofs',`
 ##
 ##
 #
-define(`fs_getattr_autofs',`
+interface(`fs_getattr_autofs',`
 gen_require(`
 type autofs_t;
 class filesystem getattr;
@@ -312,7 +312,7 @@ define(`fs_getattr_autofs',`
 ##
 ##
 #
-define(`fs_register_binary_executable_type',`
+interface(`fs_register_binary_executable_type',`
 gen_require(`
 type binfmt_misc_fs_t;
 class dir { getattr search };
@@ -333,7 +333,7 @@ define(`fs_register_binary_executable_type',`
 ##
 ##
 #
-define(`fs_mount_cifs',`
+interface(`fs_mount_cifs',`
 gen_require(`
 type cifs_t;
 class filesystem mount;
@@ -353,7 +353,7 @@ define(`fs_mount_cifs',`
 ##
 ##
 #
-define(`fs_remount_cifs',`
+interface(`fs_remount_cifs',`
 gen_require(`
 type cifs_t;
 class filesystem remount;
@@ -372,7 +372,7 @@ define(`fs_remount_cifs',`
 ##
 ##
 #
-define(`fs_unmount_cifs',`
+interface(`fs_unmount_cifs',`
 gen_require(`
 type cifs_t;
 class filesystem unmount;
@@ -393,7 +393,7 @@ define(`fs_unmount_cifs',`
 ##
 ##
 #
-define(`fs_getattr_cifs',`
+interface(`fs_getattr_cifs',`
 gen_require(`
 type cifs_t;
 class filesystem getattr;
@@ -412,7 +412,7 @@ define(`fs_getattr_cifs',`
 ##
 ##
 #
-define(`fs_read_cifs_files',`
+interface(`fs_read_cifs_files',`
 gen_require(`
 type cifs_t;
 class dir r_dir_perms;
@@ -434,7 +434,7 @@ define(`fs_read_cifs_files',`
 ##
 ##
 #
-define(`fs_dontaudit_rw_cifs_files',`
+interface(`fs_dontaudit_rw_cifs_files',`
 gen_require(`
 type cifs_t;
 class file { read write };
@@ -453,7 +453,7 @@ define(`fs_dontaudit_rw_cifs_files',`
 ##
 ##
 #
-define(`fs_read_cifs_symlinks',`
+interface(`fs_read_cifs_symlinks',`
 gen_require(`
 type cifs_t;
 class dir r_dir_perms;
@@ -476,7 +476,7 @@ define(`fs_read_cifs_symlinks',`
 ##
 ##
 #
-define(`fs_execute_cifs_files',`
+interface(`fs_execute_cifs_files',`
 gen_require(`
 type cifs_t;
 class dir r_dir_perms;
@@ -497,7 +497,7 @@ define(`fs_execute_cifs_files',`
 ##
 ##
 #
-define(`fs_read_cifs_files',`
+interface(`fs_read_cifs_files',`
 gen_require(`
 type cifs_t;
 class file { read write };
@@ -517,7 +517,7 @@ define(`fs_read_cifs_files',`
 ##
 ##
 #
-define(`fs_manage_cifs_dirs',`
+interface(`fs_manage_cifs_dirs',`
 gen_require(`
 type cifs_t;
 class dir create_dir_perms;
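Review bot: The hunk at old line 497 converts a second `fs_read_cifs_files` to `interface(`fs_read_cifs_files',`` although the hunk at old line 412 in this same physical line already defines an interface of that name. The second body requires `class file { read write }`, the same require block as `fs_dontaudit_rw_cifs_files` at old line 434, which suggests it was meant to be a read-write interface (a name such as `fs_rw_cifs_files`) and the duplicate name is a copy-paste error rather than an intentional override. Under plain m4 `define` the later definition silently won; how the new `interface` macro handles a redefinition is not visible in this diff, so it is worth confirming before the conversion lands, since a silently dropped or replaced allow set is the kind of policy drift that is hard to notice later. Both interface bodies continue outside the visible hunk lines.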
@@ -537,7 +537,7 @@ define(`fs_manage_cifs_dirs',`
 ##
 ##
 #
-define(`fs_manage_cifs_files',`
+interface(`fs_manage_cifs_files',`
 gen_require(`
 type cifs_t;
 class dir rw_dir_perms;
@@ -559,7 +559,7 @@ define(`fs_manage_cifs_files',`
 ##
 ##
 #
-define(`fs_manage_cifs_symlinks',`
+interface(`fs_manage_cifs_symlinks',`
 gen_require(`
 type cifs_t;
 class dir rw_dir_perms;
@@ -581,7 +581,7 @@ define(`fs_manage_cifs_symlinks',`
 ##
 ##
 #
-define(`fs_manage_cifs_named_pipes',`
+interface(`fs_manage_cifs_named_pipes',`
 gen_require(`
 type cifs_t;
 class dir rw_dir_perms;
@@ -603,7 +603,7 @@ define(`fs_manage_cifs_named_pipes',`
 ##
 ##
 #
-define(`fs_manage_cifs_named_sockets',`
+interface(`fs_manage_cifs_named_sockets',`
 gen_require(`
 type cifs_t;
 class dir rw_dir_perms;
@@ -625,7 +625,7 @@ define(`fs_manage_cifs_named_sockets',`
 ##
 ##
 #
-define(`fs_mount_dos_fs',`
+interface(`fs_mount_dos_fs',`
 gen_require(`
 type dosfs_t;
 class filesystem mount;
@@ -646,7 +646,7 @@ define(`fs_mount_dos_fs',`
 ##
 ##
 #
-define(`fs_remount_dos_fs',`
+interface(`fs_remount_dos_fs',`
 gen_require(`
 type dosfs_t;
 class filesystem remount;
@@ -666,7 +666,7 @@ define(`fs_remount_dos_fs',`
 ##
 ##
 #
-define(`fs_unmount_dos_fs',`
+interface(`fs_unmount_dos_fs',`
 gen_require(`
 type dosfs_t;
 class filesystem unmount;
@@ -687,7 +687,7 @@ define(`fs_unmount_dos_fs',`
 ##
 ##
 #
-define(`fs_getattr_dos_fs',`
+interface(`fs_getattr_dos_fs',`
 gen_require(`
 type dosfs_t;
 class filesystem getattr;
@@ -707,7 +707,7 @@ define(`fs_getattr_dos_fs',`
 ##
 ##
 #
-define(`fs_relabelfrom_dos_fs',`
+interface(`fs_relabelfrom_dos_fs',`
 gen_require(`
 type dosfs_t;
 class filesystem relabelfrom;
@@ -727,7 +727,7 @@ define(`fs_relabelfrom_dos_fs',`
 ##
 ##
 #
-define(`fs_mount_iso9660_fs',`
+interface(`fs_mount_iso9660_fs',`
 gen_require(`
 type iso9660_t;
 class filesystem mount;
@@ -748,7 +748,7 @@ define(`fs_mount_iso9660_fs',`
 ##
 ##
 #
-define(`fs_remount_iso9660_fs',`
+interface(`fs_remount_iso9660_fs',`
 gen_require(`
 type iso9660_t;
 class filesystem remount;
@@ -768,7 +768,7 @@ define(`fs_remount_iso9660_fs',`
 ##
 ##
 #
-define(`fs_unmount_iso9660_fs',`
+interface(`fs_unmount_iso9660_fs',`
 gen_require(`
 type iso9660_t;
 class filesystem unmount;
@@ -789,7 +789,7 @@ define(`fs_unmount_iso9660_fs',`
 ##
 ##
 #
-define(`fs_getattr_iso9660_fs',`
+interface(`fs_getattr_iso9660_fs',`
 gen_require(`
 type iso9660_t;
 class filesystem getattr;
@@ -808,7 +808,7 @@ define(`fs_getattr_iso9660_fs',`
 ##
 ##
 #
-define(`fs_mount_nfs',`
+interface(`fs_mount_nfs',`
 gen_require(`
 type nfs_t;
 class filesystem mount;
@@ -828,7 +828,7 @@ define(`fs_mount_nfs',`
 ##
 ##
 #
-define(`fs_remount_nfs',`
+interface(`fs_remount_nfs',`
 gen_require(`
 type nfs_t;
 class filesystem remount;
@@ -847,7 +847,7 @@ define(`fs_remount_nfs',`
 ##
 ##
 #
-define(`fs_unmount_nfs',`
+interface(`fs_unmount_nfs',`
 gen_require(`
 type nfs_t;
 class filesystem unmount;
@@ -867,7 +867,7 @@ define(`fs_unmount_nfs',`
 ##
 ##
 #
-define(`fs_getattr_nfs',`
+interface(`fs_getattr_nfs',`
 gen_require(`
 type nfs_t;
 class filesystem getattr;
@@ -886,7 +886,7 @@ define(`fs_getattr_nfs',`
 ##
 ##
 #
-define(`fs_read_nfs_files',`
+interface(`fs_read_nfs_files',`
 gen_require(`
 type nfs_t;
 class dir r_dir_perms;
@@ -907,7 +907,7 @@ define(`fs_read_nfs_files',`
 ##
 ##
 #
-define(`fs_execute_nfs_files',`
+interface(`fs_execute_nfs_files',`
 gen_require(`
 type nfs_t;
 class dir r_dir_perms;
@@ -928,7 +928,7 @@ define(`fs_execute_nfs_files',`
 ##
 ##
 #
-define(`fs_dontaudit_rw_nfs_files',`
+interface(`fs_dontaudit_rw_nfs_files',`
 gen_require(`
 type nfs_t;
 class file { read write };
@@ -947,7 +947,7 @@ define(`fs_dontaudit_rw_nfs_files',`
 ##
 ##
 #
-define(`fs_read_nfs_symlinks',`
+interface(`fs_read_nfs_symlinks',`
 gen_require(`
 type nfs_t;
 class dir r_dir_perms;
@@ -969,7 +969,7 @@ define(`fs_read_nfs_symlinks',`
 ##
 ##
 #
-define(`fs_manage_nfs_dirs',`
+interface(`fs_manage_nfs_dirs',`
 gen_require(`
 type nfs_t;
 class dir create_dir_perms;
@@ -989,7 +989,7 @@ define(`fs_manage_nfs_dirs',`
 ##
 ##
 #
-define(`fs_manage_nfs_files',`
+interface(`fs_manage_nfs_files',`
 gen_require(`
 type nfs_t;
 class dir rw_dir_perms;
@@ -1011,7 +1011,7 @@ define(`fs_manage_nfs_files',`
 ##
 ##
 #
-define(`fs_manage_nfs_symlinks',`
+interface(`fs_manage_nfs_symlinks',`
 gen_require(`
 type nfs_t;
 class dir r_dir_perms;
@@ -1033,7 +1033,7 @@ define(`fs_manage_nfs_symlinks',`
 ##
 ##
 #
-define(`fs_manage_nfs_named_pipes',`
+interface(`fs_manage_nfs_named_pipes',`
 gen_require(`
 type nfs_t;
 class dir rw_dir_perms;
@@ -1055,7 +1055,7 @@ define(`fs_manage_nfs_named_pipes',`
 ##
 ##
 #
-define(`fs_manage_nfs_named_sockets',`
+interface(`fs_manage_nfs_named_sockets',`
 gen_require(`
 type nfs_t;
 class dir rw_dir_perms;
@@ -1076,7 +1076,7 @@ define(`fs_manage_nfs_named_sockets',`
 ##
 ##
 #
-define(`fs_mount_nfsd_fs',`
+interface(`fs_mount_nfsd_fs',`
 gen_require(`
 type nfsd_fs_t;
 class filesystem mount;
@@ -1096,7 +1096,7 @@ define(`fs_mount_nfsd_fs',`
 ##
 ##
 #
-define(`fs_remount_nfsd_fs',`
+interface(`fs_remount_nfsd_fs',`
 gen_require(`
 type nfsd_fs_t;
 class filesystem remount;
@@ -1115,7 +1115,7 @@ define(`fs_remount_nfsd_fs',`
 ##
 ##
 #
-define(`fs_unmount_nfsd_fs',`
+interface(`fs_unmount_nfsd_fs',`
 gen_require(`
 type nfsd_fs_t;
 class filesystem unmount;
@@ -1136,7 +1136,7 @@ define(`fs_unmount_nfsd_fs',`
 ##
 ##
 #
-define(`fs_getattr_nfsd_fs',`
+interface(`fs_getattr_nfsd_fs',`
 gen_require(`
 type nfsd_fs_t;
 class filesystem getattr;
@@ -1155,7 +1155,7 @@ define(`fs_getattr_nfsd_fs',`
 ##
 ##
 #
-define(`fs_mount_ramfs',`
+interface(`fs_mount_ramfs',`
 gen_require(`
 type ramfs_t;
 class filesystem mount;
@@ -1175,7 +1175,7 @@ define(`fs_mount_ramfs',`
 ##
 ##
 #
-define(`fs_remount_ramfs',`
+interface(`fs_remount_ramfs',`
 gen_require(`
 type ramfs_t;
 class filesystem remount;
@@ -1194,7 +1194,7 @@ define(`fs_remount_ramfs',`
 ##
 ##
 #
-define(`fs_unmount_ramfs',`
+interface(`fs_unmount_ramfs',`
 gen_require(`
 type ramfs_t;
 class filesystem unmount;
@@ -1214,7 +1214,7 @@ define(`fs_unmount_ramfs',`
 ##
 ##
 #
-define(`fs_getattr_ramfs',`
+interface(`fs_getattr_ramfs',`
 gen_require(`
 type ramfs_t;
 class filesystem getattr;
@@ -1233,7 +1233,7 @@ define(`fs_getattr_ramfs',`
 ##
 ##
 #
-define(`fs_mount_romfs',`
+interface(`fs_mount_romfs',`
 gen_require(`
 type romfs_t;
 class filesystem mount;
@@ -1253,7 +1253,7 @@ define(`fs_mount_romfs',`
 ##
 ##
 #
-define(`fs_remount_romfs',`
+interface(`fs_remount_romfs',`
 gen_require(`
 type romfs_t;
 class filesystem remount;
@@ -1272,7 +1272,7 @@ define(`fs_remount_romfs',`
 ##
 ##
 #
-define(`fs_unmount_romfs',`
+interface(`fs_unmount_romfs',`
 gen_require(`
 type romfs_t;
 class filesystem unmount;
@@ -1293,7 +1293,7 @@ define(`fs_unmount_romfs',`
 ##
 ##
 #
-define(`fs_getattr_romfs',`
+interface(`fs_getattr_romfs',`
 gen_require(`
 type romfs_t;
 class filesystem getattr;
@@ -1312,7 +1312,7 @@ define(`fs_getattr_romfs',`
 ##
 ##
 #
-define(`fs_mount_rpc_pipefs',`
+interface(`fs_mount_rpc_pipefs',`
 gen_require(`
 type rpc_pipefs_t;
 class filesystem mount;
@@ -1332,7 +1332,7 @@ define(`fs_mount_rpc_pipefs',`
 ##
 ##
 #
-define(`fs_remount_rpc_pipefs',`
+interface(`fs_remount_rpc_pipefs',`
 gen_require(`
 type rpc_pipefs_t;
 class filesystem remount;
@@ -1351,7 +1351,7 @@ define(`fs_remount_rpc_pipefs',`
 ##
 ##
 #
-define(`fs_unmount_rpc_pipefs',`
+interface(`fs_unmount_rpc_pipefs',`
 gen_require(`
 type rpc_pipefs_t;
 class filesystem unmount;
@@ -1372,7 +1372,7 @@ define(`fs_unmount_rpc_pipefs',`
 ##
 ##
 #
-define(`fs_getattr_rpc_pipefs',`
+interface(`fs_getattr_rpc_pipefs',`
 gen_require(`
 type rpc_pipefs_t;
 class filesystem getattr;
@@ -1391,7 +1391,7 @@ define(`fs_getattr_rpc_pipefs',`
 ##
 ##
 #
-define(`fs_mount_tmpfs',`
+interface(`fs_mount_tmpfs',`
 gen_require(`
 type tmpfs_t;
 class filesystem mount;
@@ -1410,7 +1410,7 @@ define(`fs_mount_tmpfs',`
 ##
 ##
 #
-define(`fs_remount_tmpfs',`
+interface(`fs_remount_tmpfs',`
 gen_require(`
 type tmpfs_t;
 class filesystem remount;
@@ -1429,7 +1429,7 @@ define(`fs_remount_tmpfs',`
 ##
 ##
 #
-define(`fs_unmount_tmpfs',`
+interface(`fs_unmount_tmpfs',`
 gen_require(`
 type tmpfs_t;
 class filesystem unmount;
@@ -1450,7 +1450,7 @@ define(`fs_unmount_tmpfs',`
 ##
 ##
 #
-define(`fs_getattr_tmpfs',`
+interface(`fs_getattr_tmpfs',`
 gen_require(`
 type tmpfs_t;
 class filesystem getattr;
@@ -1469,7 +1469,7 @@ define(`fs_getattr_tmpfs',`
 ##
 ##
 #
-define(`fs_associate_tmpfs',`
+interface(`fs_associate_tmpfs',`
 gen_require(`
 type tmpfs_t;
 class filesystem associate;
@@ -1482,7 +1482,7 @@ define(`fs_associate_tmpfs',`
 #
 # fs_create_tmpfs_data(domain,derivedtype,[class])
 #
-define(`fs_create_tmpfs_data',`
+interface(`fs_create_tmpfs_data',`
 gen_require(`
 type tmpfs_t;
 class filesystem associate;
@@ -1509,7 +1509,7 @@ define(`fs_create_tmpfs_data',`
 ##
 ##
 #
-define(`fs_use_tmpfs_character_devices',`
+interface(`fs_use_tmpfs_character_devices',`
 gen_require(`
 type tmpfs_t;
 class dir r_dir_perms;
@@ -1530,7 +1530,7 @@ define(`fs_use_tmpfs_character_devices',`
 ##
 ##
 #
-define(`fs_relabel_tmpfs_character_devices',`
+interface(`fs_relabel_tmpfs_character_devices',`
 gen_require(`
 type tmpfs_t;
 class dir r_dir_perms;
@@ -1551,7 +1551,7 @@ define(`fs_relabel_tmpfs_character_devices',`
 ##
 ##
 #
-define(`fs_use_tmpfs_block_devices',`
+interface(`fs_use_tmpfs_block_devices',`
 gen_require(`
 type tmpfs_t;
 class dir r_dir_perms;
@@ -1572,7 +1572,7 @@ define(`fs_use_tmpfs_block_devices',`
 ##
 ##
 #
-define(`fs_relabel_tmpfs_block_devices',`
+interface(`fs_relabel_tmpfs_block_devices',`
 gen_require(`
 type tmpfs_t;
 class dir r_dir_perms;
@@ -1594,7 +1594,7 @@ define(`fs_relabel_tmpfs_block_devices',`
 ##
 ##
 #
-define(`fs_manage_tmpfs_character_devices',`
+interface(`fs_manage_tmpfs_character_devices',`
 gen_require(`
 type tmpfs_t;
 class dir rw_dir_perms;
@@ -1616,7 +1616,7 @@ define(`fs_manage_tmpfs_character_devices',`
 ##
 ##
 #
-define(`fs_manage_tmpfs_block_devices',`
+interface(`fs_manage_tmpfs_block_devices',`
 gen_require(`
 type tmpfs_t;
 class dir rw_dir_perms;
@@ -1637,7 +1637,7 @@ define(`fs_manage_tmpfs_block_devices',`
 ##
 ##
 #
-define(`fs_mount_all_fs',`
+interface(`fs_mount_all_fs',`
 gen_require(`
 attribute fs_type;
 class filesystem mount;
@@ -1657,7 +1657,7 @@ define(`fs_mount_all_fs',`
 ##
 ##
 #
-define(`fs_remount_all_fs',`
+interface(`fs_remount_all_fs',`
 gen_require(`
 attribute fs_type;
 class filesystem remount;
@@ -1676,7 +1676,7 @@ define(`fs_remount_all_fs',`
 ##
 ##
 #
-define(`fs_unmount_all_fs',`
+interface(`fs_unmount_all_fs',`
 gen_require(`
 attribute fs_type;
 class filesystem unmount;
@@ -1697,7 +1697,7 @@ define(`fs_unmount_all_fs',`
 ##
 ##
 #
-define(`fs_getattr_all_fs',`
+interface(`fs_getattr_all_fs',`
 gen_require(`
 attribute fs_type;
 class filesystem getattr;
@@ -1716,7 +1716,7 @@ define(`fs_getattr_all_fs',`
 ##
 ##
 #
-define(`fs_get_all_fs_quotas',`
+interface(`fs_get_all_fs_quotas',`
 gen_require(`
 attribute fs_type;
 class filesystem quotaget;
@@ -1735,7 +1735,7 @@ define(`fs_get_all_fs_quotas',`
 ##
 ##
 #
-define(`fs_set_all_quotas',`
+interface(`fs_set_all_quotas',`
 gen_require(`
 attribute fs_type;
 class filesystem quotamod;
@@ -1748,7 +1748,7 @@ define(`fs_set_all_quotas',`
 #
 # fs_getattr_all_files(type)
 #
-define(`fs_getattr_all_files',`
+interface(`fs_getattr_all_files',`
 gen_require(`
 attribute fs_type;
 class dir { search getattr };
diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if
index e9183db..8c13fdf 100644
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@@ -18,7 +18,7 @@
 ##
 ##
 #
-define(`kernel_userland_entry',`
+interface(`kernel_userland_entry',`
 gen_require(`
 type kernel_t;
 class process sigchld;
@@ -45,7 +45,7 @@ define(`kernel_userland_entry',` ## ## # -define(`kernel_rootfs_mountpoint',` +interface(`kernel_rootfs_mountpoint',` gen_require(` type kernel_t; class dir mounton; @@ -64,7 +64,7 @@ define(`kernel_rootfs_mountpoint',` ## ## # -define(`kernel_sigchld',` +interface(`kernel_sigchld',` gen_require(` type kernel_t; class process sigchld; @@ -84,7 +84,7 @@ define(`kernel_sigchld',` ## ## # -define(`kernel_share_state',` +interface(`kernel_share_state',` gen_require(` type kernel_t; class process share; @@ -103,7 +103,7 @@ define(`kernel_share_state',` ## ## # -define(`kernel_use_fd',` +interface(`kernel_use_fd',` gen_require(` type kernel_t; class fd use; @@ -123,7 +123,7 @@ define(`kernel_use_fd',` ## ## # -define(`kernel_dontaudit_use_fd',` +interface(`kernel_dontaudit_use_fd',` gen_require(` type kernel_t; class fd use; @@ -142,7 +142,7 @@ define(`kernel_dontaudit_use_fd',` ## ## # -define(`kernel_load_module',` +interface(`kernel_load_module',` gen_require(` attribute can_load_kernmodule; class capability sys_module; @@ -162,7 +162,7 @@ define(`kernel_load_module',` ## ## # -define(`kernel_read_ring_buffer',` +interface(`kernel_read_ring_buffer',` gen_require(` type kernel_t; class system syslog_read; @@ -181,7 +181,7 @@ define(`kernel_read_ring_buffer',` ## ## # -define(`kernel_dontaudit_read_ring_buffer',` +interface(`kernel_dontaudit_read_ring_buffer',` gen_require(` type kernel_t; class system syslog_read; @@ -200,7 +200,7 @@ define(`kernel_dontaudit_read_ring_buffer',` ## ## # -define(`kernel_change_ring_buffer_level',` +interface(`kernel_change_ring_buffer_level',` gen_require(` type kernel_t; class system syslog_console; @@ -219,7 +219,7 @@ define(`kernel_change_ring_buffer_level',` ## ## # -define(`kernel_clear_ring_buffer',` +interface(`kernel_clear_ring_buffer',` gen_require(` type kernel_t; class system syslog_mod; 
@@ -238,7 +238,7 @@ define(`kernel_clear_ring_buffer',` ## ## # -define(`kernel_get_sysvipc_info',` +interface(`kernel_get_sysvipc_info',` gen_require(` type kernel_t; class system ipc_info; @@ -257,7 +257,7 @@ define(`kernel_get_sysvipc_info',` ## ## # -define(`kernel_read_system_state',` +interface(`kernel_read_system_state',` gen_require(` type proc_t; class dir r_dir_perms; @@ -281,7 +281,7 @@ define(`kernel_read_system_state',` ## ## # -define(`kernel_dontaudit_read_system_state',` +interface(`kernel_dontaudit_read_system_state',` gen_require(` type proc_t; class file read; @@ -300,7 +300,7 @@ define(`kernel_dontaudit_read_system_state',` ## ## # -define(`kernel_read_software_raid_state',` +interface(`kernel_read_software_raid_state',` gen_require(` type proc_t, proc_mdstat_t; class dir r_dir_perms; @@ -321,7 +321,7 @@ define(`kernel_read_software_raid_state',` ## ## # -define(`kernel_getattr_core',` +interface(`kernel_getattr_core',` gen_require(` type proc_t, proc_kcore_t; class dir { search getattr read }; @@ -343,7 +343,7 @@ define(`kernel_getattr_core',` ## ## # -define(`kernel_dontaudit_getattr_core',` +interface(`kernel_dontaudit_getattr_core',` gen_require(` type proc_kcore_t; class file getattr; @@ -363,7 +363,7 @@ define(`kernel_dontaudit_getattr_core',` ## ## # -define(`kernel_read_messages',` +interface(`kernel_read_messages',` gen_require(` attribute can_receive_kernel_messages; type proc_kmsg_t, proc_t; @@ -387,7 +387,7 @@ define(`kernel_read_messages',` ## ## # -define(`kernel_getattr_message_if',` +interface(`kernel_getattr_message_if',` gen_require(` type proc_kmsg_t, proc_t; class dir search; @@ -409,7 +409,7 @@ define(`kernel_getattr_message_if',` ## ## # -define(`kernel_dontaudit_getattr_message_if',` +interface(`kernel_dontaudit_getattr_message_if',` gen_require(` type proc_kmsg_t, proc_t; class file getattr; 
@@ -429,7 +429,7 @@ define(`kernel_dontaudit_getattr_message_if',` ## ## # -define(`kernel_read_network_state',` +interface(`kernel_read_network_state',` gen_require(` type proc_t, proc_net_t; class dir r_dir_perms; @@ -452,7 +452,7 @@ define(`kernel_read_network_state',` ## ## # -define(`kernel_dontaudit_search_sysctl_dir',` +interface(`kernel_dontaudit_search_sysctl_dir',` gen_require(` type sysctl_t; class dir search; @@ -471,7 +471,7 @@ define(`kernel_dontaudit_search_sysctl_dir',` ## ## # -define(`kernel_read_device_sysctl',` +interface(`kernel_read_device_sysctl',` gen_require(` type proc_t, sysctl_t, sysctl_dev_t; class dir r_dir_perms; @@ -494,7 +494,7 @@ define(`kernel_read_device_sysctl',` ## ## # -define(`kernel_rw_device_sysctl',` +interface(`kernel_rw_device_sysctl',` gen_require(` type proc_t, sysctl_t, sysctl_dev_t; class dir r_dir_perms; @@ -517,7 +517,7 @@ define(`kernel_rw_device_sysctl',` ## ## # -define(`kernel_read_vm_sysctl',` +interface(`kernel_read_vm_sysctl',` gen_require(` type proc_t, sysctl_t, sysctl_vm_t; class dir r_dir_perms; @@ -539,7 +539,7 @@ define(`kernel_read_vm_sysctl',` ## ## # -define(`kernel_rw_vm_sysctl',` +interface(`kernel_rw_vm_sysctl',` gen_require(` type proc_t, sysctl_t, sysctl_vm_t; class dir r_dir_perms; @@ -561,7 +561,7 @@ define(`kernel_rw_vm_sysctl',` ## ## # -define(`kernel_dontaudit_search_network_sysctl_dir',` +interface(`kernel_dontaudit_search_network_sysctl_dir',` gen_require(` type sysctl_net_t; class dir search; @@ -581,7 +581,7 @@ define(`kernel_dontaudit_search_network_sysctl_dir',` ## ## # -define(`kernel_read_net_sysctl',` +interface(`kernel_read_net_sysctl',` gen_require(` type proc_t, sysctl_t, sysctl_net_t; class dir r_dir_perms; @@ -604,7 +604,7 @@ define(`kernel_read_net_sysctl',` ## ## # -define(`kernel_rw_net_sysctl',` +interface(`kernel_rw_net_sysctl',` gen_require(` type proc_t, sysctl_t, sysctl_net_t; class dir r_dir_perms; 
@@ -628,7 +628,7 @@ define(`kernel_rw_net_sysctl',` ## ## # -define(`kernel_read_unix_sysctl',` +interface(`kernel_read_unix_sysctl',` gen_require(` type proc_t, sysctl_t, sysctl_net_t, sysctl_net_unix_t; class dir r_dir_perms; @@ -652,7 +652,7 @@ define(`kernel_read_unix_sysctl',` ## ## # -define(`kernel_rw_unix_sysctl',` +interface(`kernel_rw_unix_sysctl',` gen_require(` type proc_t, sysctl_t, sysctl_net_t, sysctl_net_unix_t; class dir r_dir_perms; @@ -675,7 +675,7 @@ define(`kernel_rw_unix_sysctl',` ## ## # -define(`kernel_read_hotplug_sysctl',` +interface(`kernel_read_hotplug_sysctl',` gen_require(` type proc_t, sysctl_t, sysctl_kernel_t, sysctl_hotplug_t; class dir r_dir_perms; @@ -698,7 +698,7 @@ define(`kernel_read_hotplug_sysctl',` ## ## # -define(`kernel_rw_hotplug_sysctl',` +interface(`kernel_rw_hotplug_sysctl',` gen_require(` type proc_t, sysctl_t, sysctl_kernel_t, sysctl_hotplug_t; class dir r_dir_perms; @@ -721,7 +721,7 @@ define(`kernel_rw_hotplug_sysctl',` ## ## # -define(`kernel_read_modprobe_sysctl',` +interface(`kernel_read_modprobe_sysctl',` gen_require(` type proc_t, sysctl_t, sysctl_kernel_t, sysctl_modprobe_t; class dir r_dir_perms; @@ -744,7 +744,7 @@ define(`kernel_read_modprobe_sysctl',` ## ## # -define(`kernel_rw_modprobe_sysctl',` +interface(`kernel_rw_modprobe_sysctl',` gen_require(` type proc_t, sysctl_t, sysctl_kernel_t, sysctl_modprobe_t; class dir r_dir_perms; @@ -767,7 +767,7 @@ define(`kernel_rw_modprobe_sysctl',` ## ## # -define(`kernel_read_kernel_sysctl',` +interface(`kernel_read_kernel_sysctl',` gen_require(` type proc_t, sysctl_t, sysctl_kernel_t; class dir r_dir_perms; @@ -790,7 +790,7 @@ define(`kernel_read_kernel_sysctl',` ## ## # -define(`kernel_rw_kernel_sysctl',` +interface(`kernel_rw_kernel_sysctl',` gen_require(` type proc_t, sysctl_t, sysctl_kernel_t; class dir r_dir_perms; 
@@ -813,7 +813,7 @@ define(`kernel_rw_kernel_sysctl',` ## ## # -define(`kernel_read_fs_sysctl',` +interface(`kernel_read_fs_sysctl',` gen_require(` type proc_t, sysctl_t, sysctl_fs_t; class dir r_dir_perms; @@ -836,7 +836,7 @@ define(`kernel_read_fs_sysctl',` ## ## # -define(`kernel_rw_fs_sysctl',` +interface(`kernel_rw_fs_sysctl',` gen_require(` type proc_t, sysctl_t, sysctl_fs_t; class dir r_dir_perms; @@ -859,7 +859,7 @@ define(`kernel_rw_fs_sysctl',` ## ## # -define(`kernel_read_irq_sysctl',` +interface(`kernel_read_irq_sysctl',` gen_require(` type proc_t, sysctl_irq_t; class dir r_dir_perms; @@ -882,7 +882,7 @@ define(`kernel_read_irq_sysctl',` ## ## # -define(`kernel_rw_irq_sysctl',` +interface(`kernel_rw_irq_sysctl',` gen_require(` type proc_t, sysctl_irq_t; class dir r_dir_perms; @@ -898,7 +898,7 @@ define(`kernel_rw_irq_sysctl',` # # kernel_read_rpc_sysctl(domain) # -define(`kernel_read_rpc_sysctl',` +interface(`kernel_read_rpc_sysctl',` gen_require(` type proc_t, proc_net_t, sysctl_rpc_t; class dir r_dir_perms; @@ -915,7 +915,7 @@ define(`kernel_read_rpc_sysctl',` # # kernel_rw_rpc_sysctl(domain) # -define(`kernel_rw_rpc_sysctl',` +interface(`kernel_rw_rpc_sysctl',` gen_require(` type proc_t, proc_net_t, sysctl_rpc_t; class dir r_dir_perms; @@ -938,7 +938,7 @@ define(`kernel_rw_rpc_sysctl',` ## ## # -define(`kernel_read_all_sysctl',` +interface(`kernel_read_all_sysctl',` kernel_read_device_sysctl($1) kernel_read_vm_sysctl($1) kernel_read_net_sysctl($1) @@ -961,7 +961,7 @@ define(`kernel_read_all_sysctl',` ## ## # -define(`kernel_rw_all_sysctl',` +interface(`kernel_rw_all_sysctl',` kernel_rw_device_sysctl($1) kernel_rw_vm_sysctl($1) kernel_rw_net_sysctl($1) @@ -984,7 +984,7 @@ define(`kernel_rw_all_sysctl',` ## ## # -define(`kernel_kill_unlabeled',` +interface(`kernel_kill_unlabeled',` gen_require(` type unlabeled_t; class process sigkill; 
@@ -1003,7 +1003,7 @@ define(`kernel_kill_unlabeled',` ## ## # -define(`kernel_signal_unlabeled',` +interface(`kernel_signal_unlabeled',` gen_require(` type unlabeled_t; class process signal; @@ -1022,7 +1022,7 @@ define(`kernel_signal_unlabeled',` ## ## # -define(`kernel_signull_unlabeled',` +interface(`kernel_signull_unlabeled',` gen_require(` type unlabeled_t; class process signull; @@ -1041,7 +1041,7 @@ define(`kernel_signull_unlabeled',` ## ## # -define(`kernel_sigstop_unlabeled',` +interface(`kernel_sigstop_unlabeled',` gen_require(` type unlabeled_t; class process sigstop; @@ -1060,7 +1060,7 @@ define(`kernel_sigstop_unlabeled',` ## ## # -define(`kernel_sigchld_unlabeled',` +interface(`kernel_sigchld_unlabeled',` gen_require(` type unlabeled_t; class process sigchld; @@ -1080,7 +1080,7 @@ define(`kernel_sigchld_unlabeled',` ## ## # -define(`kernel_dontaudit_getattr_unlabeled_blk_dev',` +interface(`kernel_dontaudit_getattr_unlabeled_blk_dev',` gen_require(` type unlabeled_t; class process getattr; @@ -1099,7 +1099,7 @@ define(`kernel_dontaudit_getattr_unlabeled_blk_dev',` ## ## # -define(`kernel_relabel_unlabeled',` +interface(`kernel_relabel_unlabeled',` gen_require(` type unlabeled_t; class dir { getattr relabelfrom }; diff --git a/refpolicy/policy/modules/kernel/selinux.if b/refpolicy/policy/modules/kernel/selinux.if index 9ca08fd..52e5c8d 100644 --- a/refpolicy/policy/modules/kernel/selinux.if +++ b/refpolicy/policy/modules/kernel/selinux.if @@ -13,7 +13,7 @@ ## ## # -define(`selinux_get_fs_mount',` +interface(`selinux_get_fs_mount',` # read /proc/filesystems to see if selinuxfs is supported # then read /proc/self/mount to see where selinuxfs is mounted kernel_read_system_state($1) @@ -30,7 +30,7 @@ define(`selinux_get_fs_mount',` ## ## # -define(`selinux_get_enforce_mode',` +interface(`selinux_get_enforce_mode',` gen_require(` type security_t; class dir { read search getattr }; 
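Review bot: In the `@@ -1080` hunk the `gen_require` of `kernel_dontaudit_getattr_unlabeled_blk_dev` asks for `class process getattr;`, which does not match the block-device object the name advertises and looks copied from the `kernel_sig*_unlabeled` interfaces above it. The interface body continues past the hunk, so the actual dontaudit rule is not visible; if it is on `blk_file`, the require line should be `class blk_file getattr;`, and if it really is on `process` the name is misleading. The rename to `interface(` is otherwise mechanical.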
@@ -52,7 +52,7 @@ define(`selinux_get_enforce_mode',` ## ## # -define(`selinux_set_enforce_mode',` +interface(`selinux_set_enforce_mode',` gen_require(` type security_t; attribute can_setenforce; @@ -78,7 +78,7 @@ define(`selinux_set_enforce_mode',` ## ## # -define(`selinux_load_policy',` +interface(`selinux_load_policy',` gen_require(` type security_t; attribute can_load_policy; @@ -108,7 +108,7 @@ define(`selinux_load_policy',` ## ## # -define(`selinux_set_boolean',` +interface(`selinux_set_boolean',` gen_require(` type security_t; class dir { read search getattr }; @@ -139,7 +139,7 @@ define(`selinux_set_boolean',` ## ## # -define(`selinux_set_parameters',` +interface(`selinux_set_parameters',` gen_require(` type security_t; attribute can_setsecparam; @@ -165,7 +165,7 @@ define(`selinux_set_parameters',` ## ## # -define(`selinux_validate_context',` +interface(`selinux_validate_context',` gen_require(` type security_t; class dir { read search getattr }; @@ -188,7 +188,7 @@ define(`selinux_validate_context',` ## ## # -define(`selinux_compute_access_vector',` +interface(`selinux_compute_access_vector',` gen_require(` type security_t; class dir { read search getattr }; @@ -211,7 +211,7 @@ define(`selinux_compute_access_vector',` ## ## # -define(`selinux_compute_create_context',` +interface(`selinux_compute_create_context',` gen_require(` type security_t; class dir { read search getattr }; @@ -234,7 +234,7 @@ define(`selinux_compute_create_context',` ## ## # -define(`selinux_compute_relabel_context',` +interface(`selinux_compute_relabel_context',` gen_require(` type security_t; class dir { read search getattr }; @@ -257,7 +257,7 @@ define(`selinux_compute_relabel_context',` ## ## # -define(`selinux_compute_user_contexts',` +interface(`selinux_compute_user_contexts',` gen_require(` type security_t; class dir { read search getattr }; diff --git a/refpolicy/policy/modules/kernel/storage.if b/refpolicy/policy/modules/kernel/storage.if index 854ce59..d6c1a70 100644 
--- a/refpolicy/policy/modules/kernel/storage.if +++ b/refpolicy/policy/modules/kernel/storage.if @@ -12,7 +12,7 @@ ## ## # -define(`storage_getattr_fixed_disk',` +interface(`storage_getattr_fixed_disk',` gen_require(` type fixed_disk_device_t; class blk_file getattr; @@ -33,7 +33,7 @@ define(`storage_getattr_fixed_disk',` ## ## # -define(`storage_dontaudit_getattr_fixed_disk',` +interface(`storage_dontaudit_getattr_fixed_disk',` gen_require(` type fixed_disk_device_t; class blk_file getattr; @@ -53,7 +53,7 @@ define(`storage_dontaudit_getattr_fixed_disk',` ## ## # -define(`storage_setattr_fixed_disk',` +interface(`storage_setattr_fixed_disk',` gen_require(` type fixed_disk_device_t; class blk_file setattr; @@ -74,7 +74,7 @@ define(`storage_setattr_fixed_disk',` ## ## # -define(`storage_dontaudit_setattr_fixed_disk',` +interface(`storage_dontaudit_setattr_fixed_disk',` gen_require(` type fixed_disk_device_t; class blk_file getattr; @@ -96,7 +96,7 @@ define(`storage_dontaudit_setattr_fixed_disk',` ## ## # -define(`storage_raw_read_fixed_disk',` +interface(`storage_raw_read_fixed_disk',` gen_require(` attribute fixed_disk_raw_read; type fixed_disk_device_t; @@ -121,7 +121,7 @@ define(`storage_raw_read_fixed_disk',` ## ## # -define(`storage_raw_write_fixed_disk',` +interface(`storage_raw_write_fixed_disk',` gen_require(` attribute fixed_disk_raw_write; type fixed_disk_device_t; @@ -143,7 +143,7 @@ define(`storage_raw_write_fixed_disk',` ## ## # -define(`storage_create_fixed_disk_dev_entry',` +interface(`storage_create_fixed_disk_dev_entry',` gen_require(` attribute fixed_disk_raw_read, fixed_disk_raw_write; type fixed_disk_device_t; @@ -165,7 +165,7 @@ define(`storage_create_fixed_disk_dev_entry',` ## ## # -define(`storage_manage_fixed_disk',` +interface(`storage_manage_fixed_disk',` gen_require(` attribute fixed_disk_raw_read, fixed_disk_raw_write; type fixed_disk_device_t; 
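Review bot: In the `@@ -74` hunk, `storage_dontaudit_setattr_fixed_disk` requires `class blk_file getattr;` while its sibling `storage_setattr_fixed_disk` two hunks above requires `class blk_file setattr;`; the body lies outside the hunk, but unless it also dontaudits getattr the require should be `class blk_file setattr;`. Compare `storage_dontaudit_setattr_removable_device` later in the file, which does require setattr. This is pre-existing rather than introduced by the rename, but the commit rewrites every header line and is the natural place to correct it.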
@@ -190,7 +190,7 @@ define(`storage_manage_fixed_disk',` ## ## # -define(`storage_raw_read_lvm_volume',` +interface(`storage_raw_read_lvm_volume',` gen_require(` attribute fixed_disk_raw_read; type lvm_vg_t; @@ -215,7 +215,7 @@ define(`storage_raw_read_lvm_volume',` ## ## # -define(`storage_raw_write_lvm_volume',` +interface(`storage_raw_write_lvm_volume',` gen_require(` attribute fixed_disk_raw_write; type lvm_vg_t; @@ -238,7 +238,7 @@ define(`storage_raw_write_lvm_volume',` ## ## # -define(`storage_getattr_scsi_generic',` +interface(`storage_getattr_scsi_generic',` gen_require(` type scsi_generic_device_t; class blk_file getattr; @@ -259,7 +259,7 @@ define(`storage_getattr_scsi_generic',` ## ## # -define(`storage_setattr_scsi_generic',` +interface(`storage_setattr_scsi_generic',` gen_require(` type scsi_generic_device_t; class blk_file setattr; @@ -283,7 +283,7 @@ define(`storage_setattr_scsi_generic',` ## ## # -define(`storage_read_scsi_generic',` +interface(`storage_read_scsi_generic',` gen_require(` attribute scsi_generic_read; type scsi_generic_device_t; @@ -309,7 +309,7 @@ define(`storage_read_scsi_generic',` ## ## # -define(`storage_write_scsi_generic',` +interface(`storage_write_scsi_generic',` gen_require(` attribute scsi_generic_write; type scsi_generic_device_t; @@ -332,7 +332,7 @@ define(`storage_write_scsi_generic',` ## ## # -define(`storage_getattr_scsi_generic',` +interface(`storage_getattr_scsi_generic',` gen_require(` type scsi_generic_device_t; class blk_file getattr; @@ -353,7 +353,7 @@ define(`storage_getattr_scsi_generic',` ## ## # -define(`storage_set_scsi_generic_attributes',` +interface(`storage_set_scsi_generic_attributes',` gen_require(` type scsi_generic_device_t; class blk_file setattr; @@ -374,7 +374,7 @@ define(`storage_set_scsi_generic_attributes',` ## ## # -define(`storage_getattr_removable_device',` +interface(`storage_getattr_removable_device',` gen_require(` type removable_device_t; class blk_file getattr; 
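Review bot: `storage_getattr_scsi_generic` is defined twice in storage.if, once in the `@@ -238` hunk and again in the `@@ -332` hunk with an identical `gen_require` block, and the commit converts both to `interface(` without dropping one. Under plain m4 `define` the second definition silently replaced the first; whether the new `interface()` macro tolerates a redefinition cannot be seen here, so one copy should be removed, and `storage_setattr_scsi_generic` and `storage_set_scsi_generic_attributes` look like the same duplication under two names. Separately, every scsi_generic interface requires `class blk_file`, which is worth confirming against the class of the actual device node, since a rule on the wrong object class neither grants nor suppresses anything.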
@@ -395,7 +395,7 @@ define(`storage_getattr_removable_device',` ## ## # -define(`storage_dontaudit_getattr_removable_device',` +interface(`storage_dontaudit_getattr_removable_device',` gen_require(` type removable_device_t; class blk_file getattr; @@ -415,7 +415,7 @@ define(`storage_dontaudit_getattr_removable_device',` ## ## # -define(`storage_setattr_removable_device',` +interface(`storage_setattr_removable_device',` gen_require(` type removable_device_t; class blk_file setattr; @@ -436,7 +436,7 @@ define(`storage_setattr_removable_device',` ## ## # -define(`storage_dontaudit_setattr_removable_device',` +interface(`storage_dontaudit_setattr_removable_device',` gen_require(` type removable_device_t; class blk_file setattr; @@ -459,7 +459,7 @@ define(`storage_dontaudit_setattr_removable_device',` ## ## # -define(`storage_raw_read_removable_device',` +interface(`storage_raw_read_removable_device',` gen_require(` type removable_device_t; class blk_file r_file_perms; @@ -483,7 +483,7 @@ define(`storage_raw_read_removable_device',` ## ## # -define(`storage_raw_write_removable_device',` +interface(`storage_raw_write_removable_device',` gen_require(` type removable_device_t; class blk_file { getattr write ioctl }; @@ -504,7 +504,7 @@ define(`storage_raw_write_removable_device',` ## ## # -define(`storage_read_tape_device',` +interface(`storage_read_tape_device',` gen_require(` type tape_device_t; class blk_file r_file_perms; @@ -525,7 +525,7 @@ define(`storage_read_tape_device',` ## ## # -define(`storage_write_tape_device',` +interface(`storage_write_tape_device',` gen_require(` type tape_device_t; class blk_file { getattr write ioctl }; @@ -546,7 +546,7 @@ define(`storage_write_tape_device',` ## ## # -define(`storage_getattr_tape_device',` +interface(`storage_getattr_tape_device',` gen_require(` type tape_device_t; class blk_file getattr; 
@@ -567,7 +567,7 @@ define(`storage_getattr_tape_device',` ## ## # -define(`storage_setattr_tape_device',` +interface(`storage_setattr_tape_device',` gen_require(` type tape_device_t; class blk_file setattr; diff --git a/refpolicy/policy/modules/kernel/terminal.if b/refpolicy/policy/modules/kernel/terminal.if index a9871a0..b18b441 100644 --- a/refpolicy/policy/modules/kernel/terminal.if +++ b/refpolicy/policy/modules/kernel/terminal.if @@ -11,7 +11,7 @@ ## ## # -define(`term_pty',` +interface(`term_pty',` gen_require(` attribute ptynode; type devpts_t; @@ -38,7 +38,7 @@ define(`term_pty',` ## ## # -define(`term_user_pty',` +interface(`term_user_pty',` gen_require(` attribute server_ptynode; ') @@ -58,7 +58,7 @@ define(`term_user_pty',` ## ## # -define(`term_login_pty',` +interface(`term_login_pty',` gen_require(` attribute server_ptynode; ') @@ -77,7 +77,7 @@ define(`term_login_pty',` ## ## # -define(`term_tty',` +interface(`term_tty',` gen_require(` attribute ttynode; type tty_device_t; @@ -110,7 +110,7 @@ define(`term_tty',` ## ## # -define(`term_create_pty',` +interface(`term_create_pty',` gen_require(` type bsdpty_device_t, devpts_t, ptmx_t; class filesystem getattr; @@ -138,7 +138,7 @@ define(`term_create_pty',` ## ## # -define(`term_use_all_terms',` +interface(`term_use_all_terms',` gen_require(` attribute ttynode, ptynode; type console_device_t, devpts_t, tty_device_t; @@ -161,7 +161,7 @@ define(`term_use_all_terms',` ## ## # -define(`term_write_console',` +interface(`term_write_console',` gen_require(` type console_device_t; class chr_file write; @@ -181,7 +181,7 @@ define(`term_write_console',` ## ## # -define(`term_use_console',` +interface(`term_use_console',` gen_require(` type console_device_t; class chr_file rw_file_perms; @@ -202,7 +202,7 @@ define(`term_use_console',` ## ## # -define(`term_dontaudit_use_console',` +interface(`term_dontaudit_use_console',` gen_require(` type console_device_t; class chr_file { read write }; 
@@ -222,7 +222,7 @@ define(`term_dontaudit_use_console',` ## ## # -define(`term_setattr_console',` +interface(`term_setattr_console',` gen_require(` type console_device_t; class chr_file setattr; @@ -243,7 +243,7 @@ define(`term_setattr_console',` ## ## # -define(`term_list_ptys',` +interface(`term_list_ptys',` gen_require(` type devpts_t; class dir r_dir_perms; @@ -264,7 +264,7 @@ define(`term_list_ptys',` ## ## # -define(`term_dontaudit_list_ptys',` +interface(`term_dontaudit_list_ptys',` gen_require(` type devpts_t; class dir { getattr search read }; @@ -285,7 +285,7 @@ define(`term_dontaudit_list_ptys',` ## ## # -define(`term_use_generic_pty',` +interface(`term_use_generic_pty',` gen_require(` type devpts_t; class chr_file { read write }; @@ -307,7 +307,7 @@ define(`term_use_generic_pty',` ## ## # -define(`term_dontaudit_use_generic_pty',` +interface(`term_dontaudit_use_generic_pty',` gen_require(` type devpts_t; class chr_file { read write }; @@ -327,7 +327,7 @@ define(`term_dontaudit_use_generic_pty',` ## ## # -define(`term_use_controlling_term',` +interface(`term_use_controlling_term',` gen_require(` type devtty_t; class chr_file { getattr read write ioctl }; @@ -348,7 +348,7 @@ define(`term_use_controlling_term',` ## ## # -define(`term_dontaudit_use_ptmx',` +interface(`term_dontaudit_use_ptmx',` gen_require(` type ptmx_t; class chr_file { getattr read write }; @@ -368,7 +368,7 @@ define(`term_dontaudit_use_ptmx',` ## ## # -define(`term_getattr_all_user_ptys',` +interface(`term_getattr_all_user_ptys',` gen_require(` attribute ptynode; class dir r_dir_perms; @@ -390,7 +390,7 @@ define(`term_getattr_all_user_ptys',` ## ## # -define(`term_use_all_user_ptys',` +interface(`term_use_all_user_ptys',` gen_require(` attribute ptynode; class dir r_dir_perms; 
@@ -413,7 +413,7 @@ define(`term_use_all_user_ptys',` ## ## # -define(`term_dontaudit_use_all_user_ptys',` +interface(`term_dontaudit_use_all_user_ptys',` gen_require(` attribute ptynode; class chr_file { read write }; @@ -433,7 +433,7 @@ define(`term_dontaudit_use_all_user_ptys',` ## ## # -define(`term_relabel_all_user_ptys',` +interface(`term_relabel_all_user_ptys',` gen_require(` attribute ptynode; class chr_file { relabelfrom relabelto }; @@ -454,7 +454,7 @@ define(`term_relabel_all_user_ptys',` ## ## # -define(`term_getattr_unallocated_ttys',` +interface(`term_getattr_unallocated_ttys',` gen_require(` type tty_device_t; class chr_file getattr; @@ -475,7 +475,7 @@ define(`term_getattr_unallocated_ttys',` ## ## # -define(`term_setattr_unallocated_ttys',` +interface(`term_setattr_unallocated_ttys',` gen_require(` type tty_device_t; class chr_file setattr; @@ -496,7 +496,7 @@ define(`term_setattr_unallocated_ttys',` ## ## # -define(`term_relabel_unallocated_ttys',` +interface(`term_relabel_unallocated_ttys',` gen_require(` type tty_device_t; class chr_file { relabelfrom relabelto }; @@ -517,7 +517,7 @@ define(`term_relabel_unallocated_ttys',` ## ## # -define(`term_reset_tty_labels',` +interface(`term_reset_tty_labels',` gen_require(` attribute ttynode; type tty_device_t; @@ -539,7 +539,7 @@ define(`term_reset_tty_labels',` ## ## # -define(`term_write_unallocated_ttys',` +interface(`term_write_unallocated_ttys',` gen_require(` type tty_device_t; class chr_file { getattr write }; @@ -559,7 +559,7 @@ define(`term_write_unallocated_ttys',` ## ## # -define(`term_use_unallocated_tty',` +interface(`term_use_unallocated_tty',` gen_require(` type tty_device_t; class chr_file { getattr read write ioctl }; @@ -580,7 +580,7 @@ define(`term_use_unallocated_tty',` ## ## # -define(`term_dontaudit_use_unallocated_tty',` +interface(`term_dontaudit_use_unallocated_tty',` gen_require(` type tty_device_t; class chr_file { read write }; 
@@ -600,7 +600,7 @@ define(`term_dontaudit_use_unallocated_tty',` ## ## # -define(`term_getattr_all_user_ttys',` +interface(`term_getattr_all_user_ttys',` gen_require(` attribute ttynode; class chr_file getattr; @@ -622,7 +622,7 @@ define(`term_getattr_all_user_ttys',` ## ## # -define(`term_dontaudit_getattr_all_user_ttys',` +interface(`term_dontaudit_getattr_all_user_ttys',` gen_require(` attribute ttynode; class chr_file getattr; @@ -643,7 +643,7 @@ define(`term_dontaudit_getattr_all_user_ttys',` ## ## # -define(`term_setattr_all_user_ttys',` +interface(`term_setattr_all_user_ttys',` gen_require(` attribute ttynode; class chr_file setattr; @@ -664,7 +664,7 @@ define(`term_setattr_all_user_ttys',` ## ## # -define(`term_relabel_all_user_ttys',` +interface(`term_relabel_all_user_ttys',` gen_require(` attribute ttynode; class chr_file { relabelfrom relabelto }; @@ -684,7 +684,7 @@ define(`term_relabel_all_user_ttys',` ## ## # -define(`term_write_all_user_ttys',` +interface(`term_write_all_user_ttys',` gen_require(` attribute ttynode; class chr_file { getattr write }; @@ -704,7 +704,7 @@ define(`term_write_all_user_ttys',` ## ## # -define(`term_use_all_user_ttys',` +interface(`term_use_all_user_ttys',` gen_require(` attribute ttynode; class chr_file { getattr read write ioctl }; @@ -725,7 +725,7 @@ define(`term_use_all_user_ttys',` ## ## # -define(`term_dontaudit_use_all_user_ttys',` +interface(`term_dontaudit_use_all_user_ttys',` gen_require(` attribute ttynode; class chr_file { read write }; diff --git a/refpolicy/policy/modules/services/cron.if b/refpolicy/policy/modules/services/cron.if index 52b4980..1b6ef8a 100644 --- a/refpolicy/policy/modules/services/cron.if +++ b/refpolicy/policy/modules/services/cron.if @@ -4,7 +4,7 @@ # cron_per_userdomain_template(domainprefix) # -define(`cron_per_userdomain_template',` +template(`cron_per_userdomain_template',` # Type of user crontabs once moved to cron spool. type $1_cron_spool_t; 
@@ -217,7 +217,7 @@ define(`cron_per_userdomain_template',` # cron_admin_template(domainprefix) # -define(`cron_admin_template',` +template(`cron_admin_template',` logging_read_generic_logs($1_crond_t) # Allow our crontab domain to unlink a user cron spool file. @@ -243,7 +243,7 @@ define(`cron_admin_template',` # # cron_rw_log(domain) # -define(`cron_rw_log',` +interface(`cron_rw_log',` gen_require(` type crond_log_t; class file rw_file_perms; diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if index 6726287..679f6ff 100644 --- a/refpolicy/policy/modules/services/mta.if +++ b/refpolicy/policy/modules/services/mta.if @@ -7,7 +7,7 @@ # # mta_per_userdomain_template(userdomain_prefix) # -define(`mta_per_userdomain_template',` +template(`mta_per_userdomain_template',` type $1_mail_t; # , user_mail_domain, nscd_client_domain; domain_type($1_mail_t) role $1_r types $1_mail_t; @@ -138,7 +138,7 @@ define(`mta_per_userdomain_template',` # # mta_mailserver(domain,entrypointtype) # -define(`mta_mailserver',` +interface(`mta_mailserver',` gen_require(` attribute mailserver_domain; ') @@ -151,7 +151,7 @@ define(`mta_mailserver',` # # mta_sendmail_mailserver(domain,entrypointtype) # -define(`mta_sendmail_mailserver',` +interface(`mta_sendmail_mailserver',` gen_require(` type sendmail_exec_t; ') @@ -163,7 +163,7 @@ define(`mta_sendmail_mailserver',` # # mta_send_mail(domain) # -define(`mta_send_mail',` +interface(`mta_send_mail',` gen_require(` type system_mail_t, sendmail_exec_t; class lnk_file r_file_perms; @@ -185,7 +185,7 @@ define(`mta_send_mail',` # # mta_exec(domain) # -define(`mta_exec',` +interface(`mta_exec',` gen_require(` type sendmail_exec_t; ') @@ -203,7 +203,7 @@ define(`mta_exec',` ## ## # -define(`mta_read_aliases',` +interface(`mta_read_aliases',` gen_require(` type etc_aliases_t; class file r_file_perms; 
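Review bot: In the mta.if `@@ -7` hunk the template's first line, `type $1_mail_t; # , user_mail_domain, nscd_client_domain;`, keeps a commented-out attribute list on the type declaration, so a reader cannot tell whether the domain is meant to carry those attributes or the comment is dead. Either restore the attributes or drop the comment. The same pattern appears in the ssh.if template hunks on the next line (`#, privlog, nscd_client_domain;` and `#, nscd_client_domain;`).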
@@ -217,7 +217,7 @@ define(`mta_read_aliases',` # # mta_rw_aliases(domain) # -define(`mta_rw_aliases',` +interface(`mta_rw_aliases',` gen_require(` type etc_aliases_t; class file { rw_file_perms setattr }; @@ -231,7 +231,7 @@ define(`mta_rw_aliases',` # # mta_getattr_spool(domain) # -define(`mta_getattr_spool',` +interface(`mta_getattr_spool',` gen_require(` type mail_spool_t; class dir r_dir_perms; @@ -249,7 +249,7 @@ define(`mta_getattr_spool',` # # mta_rw_spool(domain) # -define(`mta_rw_spool',` +interface(`mta_rw_spool',` gen_require(` type mail_spool_t; class dir r_dir_perms; @@ -265,7 +265,7 @@ define(`mta_rw_spool',` # # mta_manage_spool(domain) # -define(`mta_manage_spool',` +interface(`mta_manage_spool',` gen_require(` type mail_spool_t; class dir rw_dir_perms; @@ -281,7 +281,7 @@ define(`mta_manage_spool',` # # mta_manage_queue(domain) # -define(`mta_manage_queue',` +interface(`mta_manage_queue',` gen_require(` type mqueue_spool_t; class dir rw_dir_perms; diff --git a/refpolicy/policy/modules/services/remotelogin.if b/refpolicy/policy/modules/services/remotelogin.if index 5fbe4ca..ed1f2d0 100644 --- a/refpolicy/policy/modules/services/remotelogin.if +++ b/refpolicy/policy/modules/services/remotelogin.if @@ -11,7 +11,7 @@ ## ## # -define(`remotelogin_domtrans',` +interface(`remotelogin_domtrans',` gen_require(` type remote_login_t; ') diff --git a/refpolicy/policy/modules/services/sendmail.if b/refpolicy/policy/modules/services/sendmail.if index 99ba008..b69e0a3 100644 --- a/refpolicy/policy/modules/services/sendmail.if +++ b/refpolicy/policy/modules/services/sendmail.if @@ -11,7 +11,7 @@ ## ## # -define(`sendmail_domtrans',` +interface(`sendmail_domtrans',` gen_require(` type sendmail_exec_t, sendmail_t; class process sigchld; diff --git a/refpolicy/policy/modules/services/ssh.if b/refpolicy/policy/modules/services/ssh.if index ad7afd5..132fc81 100644 --- a/refpolicy/policy/modules/services/ssh.if +++ b/refpolicy/policy/modules/services/ssh.if 
@@ -1,4 +1,4 @@ -define(`ssh_per_userdomain_template',` +template(`ssh_per_userdomain_template',` # Derived domain based on the calling user domain and the program. type $1_ssh_t; #, privlog, nscd_client_domain; domain_type($1_ssh_t) @@ -155,7 +155,7 @@ define(`ssh_per_userdomain_template',` # # # -define(`sshd_program_domain', ` +template(`sshd_program_domain', ` # auth_chkpwd is for running unix_chkpwd and unix_verify. type $1_t; #, nscd_client_domain; role system_r types $1_t; diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if index 26f39f5..1021d61 100644 --- a/refpolicy/policy/modules/system/authlogin.if +++ b/refpolicy/policy/modules/system/authlogin.if @@ -7,7 +7,7 @@ # # authlogin_per_userdomain_template(userdomain_prefix) # -define(`authlogin_per_userdomain_template',` +interface(`authlogin_per_userdomain_template',` gen_require(` attribute can_read_shadow_passwords; type chkpwd_exec_t, system_chkpwd_t, shadow_t; @@ -98,7 +98,7 @@ define(`authlogin_per_userdomain_template',` ## ## # -define(`auth_login_entry_type',` +interface(`auth_login_entry_type',` gen_require(` type login_exec_t; ') @@ -119,7 +119,7 @@ define(`auth_login_entry_type',` ## ## # -define(`auth_domtrans_login_program',` +interface(`auth_domtrans_login_program',` gen_require(` type login_exec_t; class process sigchld; @@ -146,7 +146,7 @@ define(`auth_domtrans_login_program',` ## ## # -define(`auth_domtrans_chk_passwd',` +interface(`auth_domtrans_chk_passwd',` gen_require(` type system_chkpwd_t, chkpwd_exec_t, shadow_t; class process sigchld; @@ -190,7 +190,7 @@ define(`auth_domtrans_chk_passwd',` ## ## # -define(`auth_dontaudit_getattr_shadow',` +interface(`auth_dontaudit_getattr_shadow',` gen_require(` type shadow_t; class file stat_file_perms; @@ -209,7 +209,7 @@ define(`auth_dontaudit_getattr_shadow',` ## ## # -define(`auth_read_shadow',` +interface(`auth_read_shadow',` gen_require(` attribute can_read_shadow_passwords; type shadow_t; 
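Review bot: ``template(`ssh_per_userdomain_template',` `` is the first line of ssh.if, so the template has no `##` documentation header at all, and `sshd_program_domain` in the `@@ -155` hunk sits under three empty `#` lines; both should get a summary and a description of the `$1` prefix, matching the headers used in terminal.if and authlogin.if. The second hunk also writes ``template(`sshd_program_domain', ` `` with a blank before the opening quote, unlike every other converted line; m4 discards that leading blank so it is harmless, but ``template(`sshd_program_domain',` `` keeps the file consistent.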
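Review bot: In the authlogin.if `@@ -7` hunk, `authlogin_per_userdomain_template` is converted to `interface(` while every other `*_per_userdomain_template` in this commit (cron, mta, ssh) becomes `template(`. Its signature comment `authlogin_per_userdomain_template(userdomain_prefix)` indicates it takes a prefix and derives per-user types, so it should presumably read ``template(`authlogin_per_userdomain_template',` ``. The body lies outside the hunk, so this is inferred from the signature rather than seen.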
@@ -232,7 +232,7 @@ define(`auth_read_shadow',`
 ##
 ##
 #
-define(`auth_dontaudit_read_shadow',`
+interface(`auth_dontaudit_read_shadow',`
 gen_require(`
 type shadow_t;
 class file r_file_perms;
@@ -251,7 +251,7 @@ define(`auth_dontaudit_read_shadow',`
 ##
 ##
 #
-define(`auth_rw_shadow',`
+interface(`auth_rw_shadow',`
 gen_require(`
 attribute can_read_shadow_passwords, can_write_shadow_passwords;
 type shadow_t;
@@ -267,7 +267,7 @@ define(`auth_rw_shadow',`
 #
 # auth_manage_shadow(domain)
 #
-define(`auth_manage_shadow',`
+interface(`auth_manage_shadow',`
 gen_require(`
 attribute can_read_shadow_passwords, can_write_shadow_passwords;
 type shadow_t;
@@ -284,7 +284,7 @@ define(`auth_manage_shadow',`
 #
 # auth_relabelto_shadow(domain)
 #
-define(`auth_relabelto_shadow',`
+interface(`auth_relabelto_shadow',`
 gen_require(`
 attribute can_relabelto_shadow_passwords;
 type shadow_t;
@@ -300,7 +300,7 @@ define(`auth_relabelto_shadow',`
 #
 # auth_rw_faillog(domain)
 #
-define(`auth_rw_faillog',`
+interface(`auth_rw_faillog',`
 gen_require(`
 type faillog_t;
 class file rw_file_perms;
@@ -314,7 +314,7 @@ define(`auth_rw_faillog',`
 #
 # auth_rw_lastlog(domain)
 #
-define(`auth_rw_lastlog',`
+interface(`auth_rw_lastlog',`
 gen_require(`
 type lastlog_t;
 class file { getattr read write setattr };
@@ -334,7 +334,7 @@ define(`auth_rw_lastlog',`
 ##
 ##
 #
-define(`auth_domtrans_pam',`
+interface(`auth_domtrans_pam',`
 gen_require(`
 type pam_t, pam_exec_t;
 class process sigchld;
@@ -366,7 +366,7 @@ define(`auth_domtrans_pam',`
 ##
 ##
 #
-define(`auth_run_pam',`
+interface(`auth_run_pam',`
 gen_require(`
 type pam_t;
 class chr_file rw_file_perms;
@@ -387,7 +387,7 @@ define(`auth_run_pam',`
 ##
 ##
 #
-define(`auth_exec_pam',`
+interface(`auth_exec_pam',`
 gen_require(`
 type pam_exec_t;
 ')
@@ -399,7 +399,7 @@ define(`auth_exec_pam',`
 #
 # auth_read_pam_pid(domain)
 #
-define(`auth_read_pam_pid',`
+interface(`auth_read_pam_pid',`
 gen_require(`
 type pam_var_run_t;
 class dir r_dir_perms;
@@ -422,7 +422,7 @@ define(`auth_read_pam_pid',`
 ##
 ##
 #
-define(`auth_delete_pam_pid',`
+interface(`auth_delete_pam_pid',`
 gen_require(`
 type pam_var_run_t;
 class dir { getattr search read write remove_name };
@@ -439,7 +439,7 @@ define(`auth_delete_pam_pid',`
 #
 # auth_domtrans_pam_console(domain)
 #
-define(`auth_domtrans_pam_console',`
+interface(`auth_domtrans_pam_console',`
 gen_require(`
 type pam_console_t, pam_console_exec_t;
 class process sigchld;
@@ -459,7 +459,7 @@ define(`auth_domtrans_pam_console',`
 #
 # auth_list_pam_console_data(domain)
 #
-define(`auth_list_pam_console_data',`
+interface(`auth_list_pam_console_data',`
 gen_require(`
 type pam_var_console_t;
 class dir r_dir_perms;
@@ -474,7 +474,7 @@ define(`auth_list_pam_console_data',`
 #
 # auth_read_pam_console_data(domain)
 #
-define(`auth_read_pam_console_data',`
+interface(`auth_read_pam_console_data',`
 gen_require(`
 type pam_var_console_t;
 class dir r_dir_perms;
@@ -491,7 +491,7 @@ define(`auth_read_pam_console_data',`
 #
 # auth_manage_pam_console_data(domain)
 #
-define(`auth_manage_pam_console_data',`
+interface(`auth_manage_pam_console_data',`
 gen_require(`
 type pam_var_console_t;
 class dir rw_dir_perms;
@@ -522,7 +522,7 @@ define(`auth_manage_pam_console_data',`
 ##
 #
-define(`auth_relabel_all_files_except_shadow',`
+interface(`auth_relabel_all_files_except_shadow',`
 gen_require(`
 type shadow_t;
 ')
@@ -546,7 +546,7 @@ define(`auth_relabel_all_files_except_shadow',`
 ##
 #
-define(`auth_manage_all_files_except_shadow',`
+interface(`auth_manage_all_files_except_shadow',`
 gen_require(`
 type shadow_t;
 ')
@@ -564,7 +564,7 @@ define(`auth_manage_all_files_except_shadow',`
 ##
 ##
 #
-define(`auth_domtrans_utempter',`
+interface(`auth_domtrans_utempter',`
 gen_require(`
 type utempter_t, utempter_exec_t;
 class process sigchld;
@@ -596,7 +596,7 @@ define(`auth_domtrans_utempter',`
 ##
 ##
 #
-define(`auth_run_utempter',`
+interface(`auth_run_utempter',`
 gen_require(`
 type utempter_t;
 class chr_file rw_file_perms;
@@ -611,7 +611,7 @@ define(`auth_run_utempter',`
 #
 # auth_read_login_records(domain)
 #
-define(`auth_read_login_records',`
+interface(`auth_read_login_records',`
 gen_require(`
 type wtmp_t;
 class file r_file_perms;
@@ -625,7 +625,7 @@ define(`auth_read_login_records',`
 #
 # auth_dontaudit_write_login_records(domain)
 #
-define(`auth_dontaudit_write_login_records',`
+interface(`auth_dontaudit_write_login_records',`
 gen_require(`
 type wtmp_t;
 class file write;
@@ -638,7 +638,7 @@ define(`auth_dontaudit_write_login_records',`
 #
 # auth_rw_login_records(domain)
 #
-define(`auth_rw_login_records',`
+interface(`auth_rw_login_records',`
 gen_require(`
 type wtmp_t;
 class file rw_file_perms;
diff --git a/refpolicy/policy/modules/system/clock.if b/refpolicy/policy/modules/system/clock.if
index 42449ca..71fd8ab 100644
--- a/refpolicy/policy/modules/system/clock.if
+++ b/refpolicy/policy/modules/system/clock.if
@@ -11,7 +11,7 @@
 ##
 ##
 #
-define(`clock_domtrans',`
+interface(`clock_domtrans',`
 gen_require(`
 type hwclock_t, hwclock_exec_t;
 class fd use;
@@ -43,7 +43,7 @@ define(`clock_domtrans',`
 ##
 ##
 #
-define(`clock_run',`
+interface(`clock_run',`
 gen_require(`
 type hwclock_t;
 class chr_file { getattr read write ioctl };
@@ -64,7 +64,7 @@ define(`clock_run',`
 ##
 ##
 #
-define(`clock_exec',`
+interface(`clock_exec',`
 gen_require(`
 type hwclock_exec_t;
 ')
@@ -82,7 +82,7 @@ define(`clock_exec',`
 ##
 ##
 #
-define(`clock_rw_adjtime',`
+interface(`clock_rw_adjtime',`
 gen_require(`
 type adjtime_t;
 class file rw_file_perms;
diff --git a/refpolicy/policy/modules/system/corecommands.if b/refpolicy/policy/modules/system/corecommands.if
index fb32f23..77ab469 100644
--- a/refpolicy/policy/modules/system/corecommands.if
+++ b/refpolicy/policy/modules/system/corecommands.if
@@ -8,7 +8,7 @@
 #
 # corecmd_shell_entry_type(domain)
 #
-define(`corecmd_shell_entry_type',`
+interface(`corecmd_shell_entry_type',`
 gen_require(`
 type shell_exec_t;
 ')
@@ -20,7 +20,7 @@ define(`corecmd_shell_entry_type',`
 #
 # corecmd_search_bin(domain)
 #
-define(`corecmd_search_bin',`
+interface(`corecmd_search_bin',`
 gen_require(`
 type bin_t;
 class dir search;
@@ -33,7 +33,7 @@ define(`corecmd_search_bin',`
 #
 # corecmd_list_bin(domain)
 #
-define(`corecmd_list_bin',`
+interface(`corecmd_list_bin',`
 gen_require(`
 type bin_t;
 class dir r_dir_perms;
@@ -46,7 +46,7 @@ define(`corecmd_list_bin',`
 #
 # corecmd_exec_bin(domain)
 #
-define(`corecmd_exec_bin',`
+interface(`corecmd_exec_bin',`
 gen_require(`
 type bin_t;
 class dir r_dir_perms;
@@ -63,7 +63,7 @@ define(`corecmd_exec_bin',`
 #
 # corecmd_search_sbin(domain)
 #
-define(`corecmd_search_sbin',`
+interface(`corecmd_search_sbin',`
 gen_require(`
 type sbin_t;
 class dir search;
@@ -76,7 +76,7 @@ define(`corecmd_search_sbin',`
 #
 # corecmd_list_sbin(domain)
 #
-define(`corecmd_list_sbin',`
+interface(`corecmd_list_sbin',`
 gen_require(`
 type sbin_t;
 class dir r_dir_perms;
@@ -89,7 +89,7 @@ define(`corecmd_list_sbin',`
 #
 # corecmd_dontaudit_getattr_sbin_file(domain)
 #
-define(`corecmd_dontaudit_getattr_sbin_file',`
+interface(`corecmd_dontaudit_getattr_sbin_file',`
 gen_require(`
 type sbin_t;
 class file getattr;
@@ -102,7 +102,7 @@ define(`corecmd_dontaudit_getattr_sbin_file',`
 #
 # corecmd_exec_sbin(domain)
 #
-define(`corecmd_exec_sbin',`
+interface(`corecmd_exec_sbin',`
 gen_require(`
 type sbin_t;
 class dir r_dir_perms;
@@ -119,7 +119,7 @@ define(`corecmd_exec_sbin',`
 #
 # corecmd_exec_shell(domain)
 #
-define(`corecmd_exec_shell',`
+interface(`corecmd_exec_shell',`
 gen_require(`
 type bin_t, shell_exec_t;
 class dir r_dir_perms;
@@ -135,7 +135,7 @@ define(`corecmd_exec_shell',`
 #
 # corecmd_exec_ls(domain)
 #
-define(`corecmd_exec_ls',`
+interface(`corecmd_exec_ls',`
 gen_require(`
 type bin_t, ls_exec_t;
 class dir r_dir_perms;
@@ -162,7 +162,7 @@ define(`corecmd_exec_ls',`
 ##
 ##
 #
-define(`corecmd_shell_spec_domtrans',`
+interface(`corecmd_shell_spec_domtrans',`
 gen_require(`
 type bin_t, shell_exec_t;
 class dir r_dir_perms;
@@ -196,7 +196,7 @@ define(`corecmd_shell_spec_domtrans',`
 ##
 ##
 #
-define(`corecmd_domtrans_shell',`
+interface(`corecmd_domtrans_shell',`
 gen_require(`
 type shell_exec_t;
 ')
@@ -209,7 +209,7 @@ define(`corecmd_domtrans_shell',`
 #
 # corecmd_chroot_exec_chroot(domain)
 #
-define(`corecmd_chroot_exec_chroot',`
+interface(`corecmd_chroot_exec_chroot',`
 gen_require(`
 type chroot_exec_t;
 class capability sys_chroot;
diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if
index 018375e..3cec277 100644
--- a/refpolicy/policy/modules/system/domain.if
+++ b/refpolicy/policy/modules/system/domain.if
@@ -5,7 +5,7 @@
 #
 # domain_base_domain_type(domain)
 #
-define(`domain_base_domain_type',`
+interface(`domain_base_domain_type',`
 gen_require(`
 attribute domain;
 class dir r_dir_perms;
@@ -30,7 +30,7 @@ define(`domain_base_domain_type',`
 #
 # domain_type(domain)
 #
-define(`domain_type',`
+interface(`domain_type',`
 # start with basic domain
 domain_base_domain_type($1)
@@ -56,7 +56,7 @@ define(`domain_type',`
 #
 # domain_entry_file(domain,entrypointfile)
 #
-define(`domain_entry_file',`
+interface(`domain_entry_file',`
 gen_require(`
 attribute entry_type;
 class file entrypoint;
@@ -71,7 +71,7 @@ define(`domain_entry_file',`
 #
 # domain_wide_inherit_fd(domain)
 #
-define(`domain_wide_inherit_fd',`
+interface(`domain_wide_inherit_fd',`
 gen_require(`
 attribute privfd;
 ')
@@ -90,7 +90,7 @@ define(`domain_wide_inherit_fd',`
 ##
 ##
 #
-define(`domain_subj_id_change_exempt',`
+interface(`domain_subj_id_change_exempt',`
 gen_require(`
 attribute can_change_process_identity;
 ')
@@ -109,7 +109,7 @@ define(`domain_subj_id_change_exempt',`
 ##
 ##
 #
-define(`domain_role_change_exempt',`
+interface(`domain_role_change_exempt',`
 gen_require(`
 attribute can_change_process_role;
 ')
@@ -128,7 +128,7 @@ define(`domain_role_change_exempt',`
 ##
 ##
 #
-define(`domain_obj_id_change_exempt',`
+interface(`domain_obj_id_change_exempt',`
 gen_require(`
 attribute can_change_object_identity;
 ')
@@ -140,7 +140,7 @@ define(`domain_obj_id_change_exempt',`
 #
 # domain_use_wide_inherit_fd(domain)
 #
-define(`domain_use_wide_inherit_fd',`
+interface(`domain_use_wide_inherit_fd',`
 gen_require(`
 attribute privfd;
 class fd use;
@@ -153,7 +153,7 @@ define(`domain_use_wide_inherit_fd',`
 #
 # domain_dontaudit_use_wide_inherit_fd(domain)
 #
-define(`domain_dontaudit_use_wide_inherit_fd',`
+interface(`domain_dontaudit_use_wide_inherit_fd',`
 gen_require(`
 attribute privfd;
 class fd use;
@@ -166,7 +166,7 @@ define(`domain_dontaudit_use_wide_inherit_fd',`
 #
 # domain_setpriority_all_domains(domain)
 #
-define(`domain_setpriority_all_domains',`
+interface(`domain_setpriority_all_domains',`
 gen_require(`
 attribute domain;
 class process setsched;
@@ -185,7 +185,7 @@ define(`domain_setpriority_all_domains',`
 ##
 ##
 #
-define(`domain_signal_all_domains',`
+interface(`domain_signal_all_domains',`
 gen_require(`
 attribute domain;
 class process signal;
@@ -204,7 +204,7 @@ define(`domain_signal_all_domains',`
 ##
 ##
 #
-define(`domain_signull_all_domains',`
+interface(`domain_signull_all_domains',`
 gen_require(`
 attribute domain;
 class process signull;
@@ -223,7 +223,7 @@ define(`domain_signull_all_domains',`
 ##
 ##
 #
-define(`domain_sigstop_all_domains',`
+interface(`domain_sigstop_all_domains',`
 gen_require(`
 attribute domain;
 class process sigstop;
@@ -242,7 +242,7 @@ define(`domain_sigstop_all_domains',`
 ##
 ##
 #
-define(`domain_sigchld_all_domains',`
+interface(`domain_sigchld_all_domains',`
 gen_require(`
 attribute domain;
 class process sigchld;
@@ -261,7 +261,7 @@ define(`domain_sigchld_all_domains',`
 ##
 ##
 #
-define(`domain_kill_all_domains',`
+interface(`domain_kill_all_domains',`
 gen_require(`
 attribute domain;
 class process sigkill;
@@ -282,7 +282,7 @@ define(`domain_kill_all_domains',`
 ##
 ##
 #
-define(`domain_read_all_domains_state',`
+interface(`domain_read_all_domains_state',`
 gen_require(`
 attribute domain;
 class dir r_dir_perms;
@@ -314,7 +314,7 @@ define(`domain_read_all_domains_state',`
 ##
 ##
 #
-define(`domain_dontaudit_list_all_domains_proc',`
+interface(`domain_dontaudit_list_all_domains_proc',`
 gen_require(`
 attribute domain;
 class dir r_dir_perms;
@@ -333,7 +333,7 @@ define(`domain_dontaudit_list_all_domains_proc',`
 ##
 ##
 #
-define(`domain_getsession_all_domains',`
+interface(`domain_getsession_all_domains',`
 gen_require(`
 attribute domain;
 class process getsession;
@@ -353,7 +353,7 @@ define(`domain_getsession_all_domains',`
 ##
 ##
 #
-define(`domain_dontaudit_getattr_all_udp_sockets',`
+interface(`domain_dontaudit_getattr_all_udp_sockets',`
 gen_require(`
 attribute domain;
 class udp_socket getattr;
@@ -373,7 +373,7 @@ define(`domain_dontaudit_getattr_all_udp_sockets',`
 ##
 ##
 #
-define(`domain_dontaudit_getattr_all_tcp_sockets',`
+interface(`domain_dontaudit_getattr_all_tcp_sockets',`
 gen_require(`
 attribute domain;
 class tcp_socket getattr;
@@ -393,7 +393,7 @@ define(`domain_dontaudit_getattr_all_tcp_sockets',`
 ##
 ##
 #
-define(`domain_dontaudit_getattr_all_unix_dgram_sockets',`
+interface(`domain_dontaudit_getattr_all_unix_dgram_sockets',`
 gen_require(`
 attribute domain;
 class unix_dgram_socket getattr;
@@ -413,7 +413,7 @@ define(`domain_dontaudit_getattr_all_unix_dgram_sockets',`
 ##
 ##
 #
-define(`domain_dontaudit_getattr_all_unnamed_pipes',`
+interface(`domain_dontaudit_getattr_all_unnamed_pipes',`
 gen_require(`
 attribute domain;
 class fifo_file getattr;
@@ -426,7 +426,7 @@ define(`domain_dontaudit_getattr_all_unnamed_pipes',`
 #
 # domain_exec_all_entry_files(domain)
 #
-define(`domain_exec_all_entry_files',`
+interface(`domain_exec_all_entry_files',`
 gen_require(`
 attribute entry_type;
 ')
@@ -438,7 +438,7 @@ define(`domain_exec_all_entry_files',`
 #
 # domain_read_all_entry_files(domain)
 #
-define(`domain_read_all_entry_files',`
+interface(`domain_read_all_entry_files',`
 gen_require(`
 attribute entry_type;
 class file r_file_perms;
@@ -461,7 +461,7 @@ define(`domain_read_all_entry_files',`
 #
 # domain_trans(source_domain,entrypoint_file,target_domain)
 #
-define(`domain_trans',`
+interface(`domain_trans',`
 gen_require(`
 class file rx_file_perms;
 process { transition noatsecure siginh rlimitinh };
@@ -476,7 +476,7 @@ define(`domain_trans',`
 #
 # domain_auto_trans(source_domain,entrypoint_file,target_domain)
 #
-define(`domain_auto_trans',`
+interface(`domain_auto_trans',`
 domain_trans($1,$2,$3)
 type_transition $1 $2:process $3;
 ')
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index e99eb53..7510c01 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@@ -20,7 +20,7 @@
 #
 # files_file_type(type)
 #
-define(`files_file_type',`
+interface(`files_file_type',`
 gen_require(`
 attribute file_type;
 ')
@@ -34,7 +34,7 @@ define(`files_file_type',`
 #
 # files_lock_file(type)
 #
-define(`files_lock_file',`
+interface(`files_lock_file',`
 gen_require(`
 attribute lockfile;
 ')
@@ -47,7 +47,7 @@ define(`files_lock_file',`
 #
 # files_mountpoint(type)
 #
-define(`files_mountpoint',`
+interface(`files_mountpoint',`
 gen_require(`
 attribute mountpoint;
 ')
@@ -60,7 +60,7 @@ define(`files_mountpoint',`
 #
 # files_pid_file(type)
 #
-define(`files_pid_file',`
+interface(`files_pid_file',`
 gen_require(`
 attribute pidfile;
 ')
@@ -73,7 +73,7 @@ define(`files_pid_file',`
 #
 # files_tmp_file(type)
 #
-define(`files_tmp_file',`
+interface(`files_tmp_file',`
 gen_require(`
 attribute tmpfile;
 ')
@@ -93,7 +93,7 @@ define(`files_tmp_file',`
 ##
 ##
 #
-define(`files_tmpfs_file',`
+interface(`files_tmpfs_file',`
 gen_require(`
 attribute tmpfsfile;
 ')
@@ -107,7 +107,7 @@ define(`files_tmpfs_file',`
 #
 # files_getattr_all_files(domain)
-define(`files_getattr_all_files',`
+interface(`files_getattr_all_files',`
 gen_require(`
 attribute file_type;
 class dir { search getattr };
@@ -139,7 +139,7 @@ define(`files_getattr_all_files',`
 ##
 ##
 #
-define(`files_relabel_all_files',`
+interface(`files_relabel_all_files',`
 gen_require(`
 attribute file_type;
 class dir { r_dir_perms relabelfrom relabelto };
@@ -178,7 +178,7 @@ define(`files_relabel_all_files',`
 ##
 ##
 #
-define(`files_manage_all_files',`
+interface(`files_manage_all_files',`
 gen_require(`
 attribute file_type;
 class dir create_dir_perms;
@@ -203,7 +203,7 @@ define(`files_manage_all_files',`
 #
 # files_search_all_dirs(domain)
 #
-define(`files_search_all_dirs',`
+interface(`files_search_all_dirs',`
 gen_require(`
 attribute file_type;
 class dir search;
@@ -216,7 +216,7 @@ define(`files_search_all_dirs',`
 #
 # files_list_all_dirs(domain)
 #
-define(`files_list_all_dirs',`
+interface(`files_list_all_dirs',`
 gen_require(`
 attribute file_type;
 class dir r_dir_perms;
@@ -229,7 +229,7 @@ define(`files_list_all_dirs',`
 #
 # files_dontaudit_search_all_dirs(domain)
 #
-define(`files_dontaudit_search_all_dirs',`
+interface(`files_dontaudit_search_all_dirs',`
 gen_require(`
 attribute file_type;
 class dir search;
@@ -242,7 +242,7 @@ define(`files_dontaudit_search_all_dirs',`
 #
 # files_relabelto_all_file_type_fs(domain)
 #
-define(`files_relabelto_all_file_type_fs',`
+interface(`files_relabelto_all_file_type_fs',`
 gen_require(`
 attribute file_type;
 filesystem relabelto;
@@ -255,7 +255,7 @@ define(`files_relabelto_all_file_type_fs',`
 #
 # files_mount_all_file_type_fs(domain)
 #
-define(`files_mount_all_file_type_fs',`
+interface(`files_mount_all_file_type_fs',`
 gen_require(`
 attribute file_type;
 filesystem mount;
@@ -268,7 +268,7 @@ define(`files_mount_all_file_type_fs',`
 #
 # files_unmount_all_file_type_fs(domain)
 #
-define(`files_unmount_all_file_type_fs',`
+interface(`files_unmount_all_file_type_fs',`
 gen_require(`
 attribute file_type;
 filesystem mount;
@@ -281,7 +281,7 @@ define(`files_unmount_all_file_type_fs',`
 #
 # files_mounton_all_mountpoints(domain)
 #
-define(`files_mounton_all_mountpoints',`
+interface(`files_mounton_all_mountpoints',`
 gen_require(`
 attribute mountpoint;
 class dir { getattr search mounton };
@@ -294,7 +294,7 @@ define(`files_mounton_all_mountpoints',`
 #
 # files_list_root(domain)
 #
-define(`files_list_root',`
+interface(`files_list_root',`
 gen_require(`
 type root_t;
 class dir r_dir_perms;
@@ -326,7 +326,7 @@ define(`files_list_root',`
 ##
 ##
 #
-define(`files_create_root',`
+interface(`files_create_root',`
 gen_require(`
 type root_t;
 class dir create_dir_perms;
@@ -359,7 +359,7 @@ define(`files_create_root',`
 #
 # files_dontaudit_read_root_file(domain)
 #
-define(`files_dontaudit_read_root_file',`
+interface(`files_dontaudit_read_root_file',`
 gen_require(`
 type root_t;
 class file read;
@@ -372,7 +372,7 @@ define(`files_dontaudit_read_root_file',`
 #
 # files_dontaudit_rw_root_file(domain)
 #
-define(`files_dontaudit_rw_root_file',`
+interface(`files_dontaudit_rw_root_file',`
 gen_require(`
 type root_t;
 class file { read write };
@@ -385,7 +385,7 @@ define(`files_dontaudit_rw_root_file',`
 #
 # files_dontaudit_rw_root_chr_dev(domain)
 #
-define(`files_dontaudit_rw_root_chr_dev',`
+interface(`files_dontaudit_rw_root_chr_dev',`
 gen_require(`
 type root_t;
 class chr_file { read write };
@@ -398,7 +398,7 @@ define(`files_dontaudit_rw_root_chr_dev',`
 #
 # files_delete_root_dir_entry(domain)
 #
-define(`files_delete_root_dir_entry',`
+interface(`files_delete_root_dir_entry',`
 gen_require(`
 type root_t;
 class dir rw_dir_perms;
@@ -411,7 +411,7 @@ define(`files_delete_root_dir_entry',`
 #
 # files_unmount_rootfs(domain)
 #
-define(`files_unmount_rootfs',`
+interface(`files_unmount_rootfs',`
 gen_require(`
 type root_t;
 class filesystem unmount;
@@ -424,7 +424,7 @@ define(`files_unmount_rootfs',`
 #
 # files_search_etc(domain)
 #
-define(`files_search_etc',`
+interface(`files_search_etc',`
 gen_require(`
 type etc_t;
 class dir search;
@@ -437,7 +437,7 @@ define(`files_search_etc',`
 #
 # files_list_etc(domain)
 #
-define(`files_list_etc',`
+interface(`files_list_etc',`
 gen_require(`
 type etc_t;
 class dir r_dir_perms;
@@ -450,7 +450,7 @@ define(`files_list_etc',`
 #
 # files_read_generic_etc_files(domain)
 #
-define(`files_read_generic_etc_files',`
+interface(`files_read_generic_etc_files',`
 gen_require(`
 type etc_t;
 class dir r_dir_perms;
@@ -467,7 +467,7 @@ define(`files_read_generic_etc_files',`
 #
 # files_rw_generic_etc_files(domain)
 #
-define(`files_rw_generic_etc_files',`
+interface(`files_rw_generic_etc_files',`
 gen_require(`
 type etc_t;
 class dir r_dir_perms;
@@ -484,7 +484,7 @@ define(`files_rw_generic_etc_files',`
 #
 # files_manage_generic_etc_files(domain)
 #
-define(`files_manage_generic_etc_files',`
+interface(`files_manage_generic_etc_files',`
 gen_require(`
 type etc_t;
 class dir rw_dir_perms;
@@ -507,7 +507,7 @@ define(`files_manage_generic_etc_files',`
 ##
 ##
 #
-define(`files_delete_generic_etc_files',`
+interface(`files_delete_generic_etc_files',`
 gen_require(`
 type etc_t;
 class dir rw_dir_perms;
@@ -522,7 +522,7 @@ define(`files_delete_generic_etc_files',`
 #
 # files_exec_generic_etc_files(domain)
 #
-define(`files_exec_generic_etc_files',`
+interface(`files_exec_generic_etc_files',`
 gen_require(`
 type etc_t;
 class dir r_dir_perms;
@@ -541,7 +541,7 @@ define(`files_exec_generic_etc_files',`
 #
 # /halt, /.autofsck, etc
 #
-define(`files_create_boot_flag',`
+interface(`files_create_boot_flag',`
 gen_require(`
 type root_t, etc_runtime_t;
 class dir rw_dir_perms;
@@ -557,7 +557,7 @@ define(`files_create_boot_flag',`
 #
 # files_manage_etc_runtime_files(type)
 #
-define(`files_manage_etc_runtime_files',`
+interface(`files_manage_etc_runtime_files',`
 gen_require(`
 type etc_t, etc_runtime_t;
 class dir rw_dir_perms;
@@ -573,7 +573,7 @@ define(`files_manage_etc_runtime_files',`
 #
 # files_read_etc_runtime_files(domain)
 #
-define(`files_read_etc_runtime_files',`
+interface(`files_read_etc_runtime_files',`
 gen_require(`
 type etc_t, etc_runtime_t;
 class dir r_dir_perms;
@@ -588,7 +588,7 @@ define(`files_read_etc_runtime_files',`
 #
 # files_create_etc_config(domain,privatetype,[class(es)])
 #
-define(`files_create_etc_config',`
+interface(`files_create_etc_config',`
 gen_require(`
 type etc_t;
 class dir rw_dir_perms;
@@ -606,7 +606,7 @@ define(`files_create_etc_config',`
 #
 # files_rw_isid_type_dir(domain)
 #
-define(`files_rw_isid_type_dir',`
+interface(`files_rw_isid_type_dir',`
 gen_require(`
 type file_t;
 class dir rw_dir_perms;
@@ -619,7 +619,7 @@ define(`files_rw_isid_type_dir',`
 #
 # files_dontaudit_getattr_isid_type_dir(domain)
 #
-define(`files_dontaudit_getattr_isid_type_dir',`
+interface(`files_dontaudit_getattr_isid_type_dir',`
 gen_require(`
 type file_t;
 class dir search;
@@ -632,7 +632,7 @@ define(`files_dontaudit_getattr_isid_type_dir',`
 #
 # files_dontaudit_search_isid_type_dir(domain)
 #
-define(`files_dontaudit_search_isid_type_dir',`
+interface(`files_dontaudit_search_isid_type_dir',`
 gen_require(`
 type file_t;
 class dir search;
@@ -651,7 +651,7 @@ define(`files_dontaudit_search_isid_type_dir',`
 ##
 ##
 #
-define(`files_list_home',`
+interface(`files_list_home',`
 gen_require(`
 type home_root_t;
 class dir r_dir_perms;
@@ -664,7 +664,7 @@ define(`files_list_home',`
 #
 # files_list_mnt(domain)
 #
-define(`files_list_mnt',`
+interface(`files_list_mnt',`
 gen_require(`
 type mnt_t;
 class dir r_dir_perms;
@@ -677,7 +677,7 @@ define(`files_list_mnt',`
 #
 # files_create_tmp_files(domain,private_type,[object class(es)])
 #
-define(`files_create_tmp_files',`
+interface(`files_create_tmp_files',`
 gen_require(`
 type tmp_t;
 class dir rw_dir_perms;
@@ -696,7 +696,7 @@ define(`files_create_tmp_files',`
 #
 # files_delete_all_tmp_files(domain)
 #
-define(`files_delete_all_tmp_files',`
+interface(`files_delete_all_tmp_files',`
 gen_require(`
 attribute tmpfile;
 class dir { getattr search read write add_name remove_name rmdir };
@@ -717,7 +717,7 @@ define(`files_delete_all_tmp_files',`
 #
 # files_search_usr(domain)
 #
-define(`files_search_usr',`
+interface(`files_search_usr',`
 gen_require(`
 type usr_t;
 class dir search;
@@ -730,7 +730,7 @@ define(`files_search_usr',`
 #
 # files_read_usr_files(domain)
 #
-define(`files_read_usr_files',`
+interface(`files_read_usr_files',`
 gen_require(`
 type usr_t;
 class dir r_dir_perms;
@@ -752,7 +752,7 @@ define(`files_read_usr_files',`
 ##
 ##
 #
-define(`files_exec_usr_files',`
+interface(`files_exec_usr_files',`
 gen_require(`
 type usr_t, src_t;
 class dir r_dir_perms;
@@ -770,7 +770,7 @@ define(`files_exec_usr_files',`
 #
 # files_read_usr_src(domain)
 #
-define(`files_read_usr_src',`
+interface(`files_read_usr_src',`
 gen_require(`
 type usr_t, src_t;
 class dir r_dir_perms;
@@ -787,7 +787,7 @@ define(`files_read_usr_src',`
 #
 # files_search_var(domain)
 #
-define(`files_search_var',`
+interface(`files_search_var',`
 gen_require(`
 type var_t;
 class dir search;
@@ -800,7 +800,7 @@ define(`files_search_var',`
 #
 # files_dontaudit_search_var(domain)
 #
-define(`files_dontaudit_search_var',`
+interface(`files_dontaudit_search_var',`
 gen_require(`
 type var_t;
 class dir search;
@@ -819,7 +819,7 @@ define(`files_dontaudit_search_var',`
 ##
 ##
 #
-define(`files_search_var_lib',`
+interface(`files_search_var_lib',`
 gen_require(`
 type var_t, var_lib_t;
 class dir search;
@@ -832,7 +832,7 @@ define(`files_search_var_lib',`
 #
 # files_manage_urandom_seed(domain)
 #
-define(`files_manage_urandom_seed',`
+interface(`files_manage_urandom_seed',`
 gen_require(`
 type var_t, var_lib_t;
 class dir rw_file_perms;
@@ -848,7 +848,7 @@ define(`files_manage_urandom_seed',`
 #
 # files_getattr_generic_lock_files(domain)
 #
-define(`files_getattr_generic_lock_files',`
+interface(`files_getattr_generic_lock_files',`
 gen_require(`
 type var_lock_t;
 class dir r_dir_perms;
@@ -863,7 +863,7 @@ define(`files_getattr_generic_lock_files',`
 #
 # files_manage_generic_lock_files(domain)
 #
-define(`files_manage_generic_lock_files',`
+interface(`files_manage_generic_lock_files',`
 gen_require(`
 type var_lock_t;
 class dir { getattr search create read write setattr add_name remove_name rmdir };
@@ -878,7 +878,7 @@ define(`files_manage_generic_lock_files',`
 #
 # files_delete_all_lock_files(domain)
 #
-define(`files_delete_all_lock_files',`
+interface(`files_delete_all_lock_files',`
 gen_require(`
 attribute lockfile;
 class dir rw_dir_perms;
@@ -893,7 +893,7 @@ define(`files_delete_all_lock_files',`
 #
 # files_create_lock_file(domain,private_type,[object class(es)])
 #
-define(`files_create_lock_file',`
+interface(`files_create_lock_file',`
 gen_require(`
 type var_t, var_lock_t;
 class dir rw_dir_perms;
@@ -913,7 +913,7 @@ define(`files_create_lock_file',`
 #
 # files_search_pids(domain)
 #
-define(`files_search_pids',`
+interface(`files_search_pids',`
 gen_require(`
 type var_t, var_run_t;
 class dir search;
@@ -927,7 +927,7 @@ define(`files_search_pids',`
 #
 # files_dontaudit_search_pids(domain)
 #
-define(`files_dontaudit_search_pids',`
+interface(`files_dontaudit_search_pids',`
 gen_require(`
 type var_run_t;
 class dir search;
@@ -940,7 +940,7 @@ define(`files_dontaudit_search_pids',`
 #
 # files_list_pids(domain)
 #
-define(`files_list_pids',`
+interface(`files_list_pids',`
 gen_require(`
 type var_t, var_run_t;
 class dir r_dir_perms;
@@ -954,7 +954,7 @@ define(`files_list_pids',`
 #
 # files_create_pid(domain,pidfile,[object class(es)])
 #
-define(`files_create_pid',`
+interface(`files_create_pid',`
 gen_require(`
 type var_t, var_run_t;
 class dir rw_dir_perms;
@@ -974,7 +974,7 @@ define(`files_create_pid',`
 #
 # files_rw_generic_pids(domain)
 #
-define(`files_rw_generic_pids',`
+interface(`files_rw_generic_pids',`
 gen_require(`
 type var_t, var_run_t;
 class dir r_dir_perms;
@@ -996,7 +996,7 @@ define(`files_rw_generic_pids',`
 ##
 ##
 #
-define(`files_dontaudit_write_all_pids',`
+interface(`files_dontaudit_write_all_pids',`
 gen_require(`
 attribute pidfile;
 class file write;
@@ -1015,7 +1015,7 @@ define(`files_dontaudit_write_all_pids',`
 ##
 ##
 #
-define(`files_dontaudit_ioctl_all_pids',`
+interface(`files_dontaudit_ioctl_all_pids',`
 gen_require(`
 attribute pidfile;
 class file ioctl;
@@ -1028,7 +1028,7 @@ define(`files_dontaudit_ioctl_all_pids',`
 #
 # files_read_all_pids(domain)
 #
-define(`files_read_all_pids',`
+interface(`files_read_all_pids',`
 gen_require(`
 attribute pidfile;
 type var_t;
@@ -1045,7 +1045,7 @@ define(`files_read_all_pids',`
 #
 # files_delete_all_pids(domain)
 #
-define(`files_delete_all_pids',`
+interface(`files_delete_all_pids',`
 gen_require(`
 attribute pidfile;
 type var_t, var_run_t;
@@ -1067,7 +1067,7 @@ define(`files_delete_all_pids',`
 #
 # files_search_spool(domain)
 #
-define(`files_search_spool',`
+interface(`files_search_spool',`
 gen_require(`
 type var_t, var_spool_t;
 class dir search;
@@ -1081,7 +1081,7 @@ define(`files_search_spool',`
 #
 # files_list_spool(domain)
 #
-define(`files_list_spool',`
+interface(`files_list_spool',`
 gen_require(`
 type var_t, var_spool_t;
 class dir r_dir_perms;
@@ -1095,7 +1095,7 @@ define(`files_list_spool',`
 #
 # files_read_spools(domain)
 #
-define(`files_read_spools',`
+interface(`files_read_spools',`
 gen_require(`
 type var_t, var_spool_t;
 class dir r_dir_perms;
@@ -1111,7 +1111,7 @@ define(`files_read_spools',`
 #
 # files_manage_spools(domain)
 #
-define(`files_manage_spools',`
+interface(`files_manage_spools',`
 gen_require(`
 type var_t, var_spool_t;
 class dir rw_dir_perms;
diff --git a/refpolicy/policy/modules/system/getty.if b/refpolicy/policy/modules/system/getty.if
index 41850c1..adef284 100644
--- a/refpolicy/policy/modules/system/getty.if
+++ b/refpolicy/policy/modules/system/getty.if
@@ -11,7 +11,7 @@
 ##
 ##
 #
-define(`getty_domtrans',`
+interface(`getty_domtrans',`
 gen_require(`
 type getty_t, getty_exec_t;
 class process sigchld;
@@ -38,7 +38,7 @@ define(`getty_domtrans',`
 ##
 ##
 #
-define(`getty_read_log',`
+interface(`getty_read_log',`
 gen_require(`
 type getty_log_t;
 class file { getattr read };
@@ -58,7 +58,7 @@ define(`getty_read_log',`
 ##
 ##
 #
-define(`getty_read_config',`
+interface(`getty_read_config',`
 gen_require(`
 type getty_etc_t;
 class file { getattr read };
@@ -78,7 +78,7 @@ define(`getty_read_config',`
 ##
 ##
 #
-define(`getty_modify_config',`
+interface(`getty_modify_config',`
 gen_require(`
 type getty_etc_t;
 class file rw_file_perms;
diff --git a/refpolicy/policy/modules/system/hostname.if b/refpolicy/policy/modules/system/hostname.if
index 28b679d..9d0f67c 100644
--- a/refpolicy/policy/modules/system/hostname.if
+++ b/refpolicy/policy/modules/system/hostname.if
@@ -12,7 +12,7 @@
 ##
 ##
 #
-define(`hostname_domtrans',`
+interface(`hostname_domtrans',`
 gen_require(`
 type hostname_t, hostname_exec_t;
 class process sigchld;
@@ -47,7 +47,7 @@ define(`hostname_domtrans',`
 ##
 ##
 #
-define(`hostname_run',`
+interface(`hostname_run',`
 gen_require(`
 type hostname_t;
 class chr_file { getattr read write ioctl };
@@ -69,7 +69,7 @@ define(`hostname_run',`
 ##
 ##
 #
-define(`hostname_exec',`
+interface(`hostname_exec',`
 gen_require(`
 type hostname_exec_t;
 ')
diff --git a/refpolicy/policy/modules/system/hotplug.if b/refpolicy/policy/modules/system/hotplug.if
index 9f6dd58..94ec505 100644
--- a/refpolicy/policy/modules/system/hotplug.if
+++ b/refpolicy/policy/modules/system/hotplug.if
@@ -8,7 +8,7 @@
 #
 # hotplug_domtrans(domain)
 #
-define(`hotplug_domtrans',`
+interface(`hotplug_domtrans',`
 gen_require(`
 type hotplug_t, hotplug_exec_t;
 class process sigchld;
@@ -29,7 +29,7 @@ define(`hotplug_domtrans',`
 #
 # hotplug_exec(domain)
 #
-define(`hotplug_exec',`
+interface(`hotplug_exec',`
 gen_require(`
 type hotplug_t;
 ')
@@ -42,7 +42,7 @@ define(`hotplug_exec',`
 #
 # hotplug_use_fd(domain)
 #
-define(`hotplug_use_fd',`
+interface(`hotplug_use_fd',`
 gen_require(`
 type hotplug_t;
 class fd use;
@@ -55,7 +55,7 @@ define(`hotplug_use_fd',`
 #
 # hotplug_dontaudit_use_fd(domain)
 #
-define(`hotplug_dontaudit_use_fd',`
+interface(`hotplug_dontaudit_use_fd',`
 gen_require(`
 type hotplug_t;
 class fd use;
@@ -68,7 +68,7 @@ define(`hotplug_dontaudit_use_fd',`
 #
 # hotplug_dontaudit_search_config(domain)
 #
-define(`hotplug_dontaudit_search_config',`
+interface(`hotplug_dontaudit_search_config',`
 gen_require(`
 type hotplug_etc_t;
 class dir search;
@@ -87,7 +87,7 @@ define(`hotplug_dontaudit_search_config',`
 ##
 ##
 #
-define(`hotplug_read_config',`
+interface(`hotplug_read_config',`
 gen_require(`
 type hotplug_etc_t;
 class file r_file_perms;
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
index ce8b55e..ef2354f 100644
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@@ -5,7 +5,7 @@
 #
 # init_domain(domain,entrypointfile)
 #
-define(`init_domain',`
+interface(`init_domain',`
 gen_require(`
 type init_t;
 role system_r;
@@ -38,7 +38,7 @@ define(`init_domain',`
 #
 # init_daemon_domain(domain,entrypointfile)
 #
-define(`init_daemon_domain',`
+interface(`init_daemon_domain',`
 gen_require(`
 type initrc_t;
 role system_r;
@@ -71,7 +71,7 @@ define(`init_daemon_domain',`
 #
 # init_system_domain(domain,entrypointfile)
 #
-define(`init_system_domain',`
+interface(`init_system_domain',`
 gen_require(`
 type initrc_t;
 role system_r;
@@ -104,7 +104,7 @@ define(`init_system_domain',`
 #
 # init_domtrans(domain)
 #
-define(`init_domtrans',`
+interface(`init_domtrans',`
 gen_require(`
 type init_t, init_exec_t;
 class process sigchld;
@@ -124,7 +124,7 @@ define(`init_domtrans',`
 #
 # init_get_process_group(domain)
 #
-define(`init_get_process_group',`
+interface(`init_get_process_group',`
 gen_require(`
 type init_t;
 class process getpgid;
@@ -137,7 +137,7 @@ define(`init_get_process_group',`
 #
 # init_getattr_initctl(domain)
 #
-define(`init_getattr_initctl',`
+interface(`init_getattr_initctl',`
 gen_require(`
 type initctl_t;
 class fifo_file getattr;
@@ -150,7 +150,7 @@ define(`init_getattr_initctl',`
 #
 # init_dontaudit_getattr_initctl(domain)
 #
-define(`init_dontaudit_getattr_initctl',`
+interface(`init_dontaudit_getattr_initctl',`
 gen_require(`
 type initctl_t;
 class fifo_file getattr;
@@ -163,7 +163,7 @@ define(`init_dontaudit_getattr_initctl',`
 #
 # init_use_initctl(domain)
 #
-define(`init_use_initctl',`
+interface(`init_use_initctl',`
 gen_require(`
 type initctl_t;
 class fifo_file rw_file_perms;
@@ -177,7 +177,7 @@ define(`init_use_initctl',`
 #
 # init_dontaudit_use_initctl(domain)
 #
-define(`init_dontaudit_use_initctl',`
+interface(`init_dontaudit_use_initctl',`
 gen_require(`
 type initctl_t;
 class fifo_file { read write };
@@ -190,7 +190,7 @@ define(`init_dontaudit_use_initctl',`
 #
 # init_sigchld(domain)
 #
-define(`init_sigchld',`
+interface(`init_sigchld',`
 gen_require(`
 type init_t;
 class process sigchld;
@@ -203,7 +203,7 @@ define(`init_sigchld',`
 #
 # init_use_fd(domain)
 #
-define(`init_use_fd',`
+interface(`init_use_fd',`
 gen_require(`
 type init_t;
 class fd use;
@@ -216,7 +216,7 @@ define(`init_use_fd',`
 #
 # init_dontaudit_use_fd(domain)
 #
-define(`init_dontaudit_use_fd',`
+interface(`init_dontaudit_use_fd',`
 gen_require(`
 type init_t;
 class fd use;
@@ -229,7 +229,7 @@ define(`init_dontaudit_use_fd',`
 #
 # init_domtrans_script(domain)
 #
-define(`init_domtrans_script',`
+interface(`init_domtrans_script',`
 gen_require(`
 type initrc_t, initrc_exec_t;
 class process sigchld;
@@ -250,7 +250,7 @@ define(`init_domtrans_script',`
 #
 # init_exec_script(domain)
 #
-define(`init_exec_script',`
+interface(`init_exec_script',`
 gen_require(`
 type initrc_exec_t;
 ')
@@ -269,7 +269,7 @@ define(`init_exec_script',`
 ##
 ##
 #
-define(`init_read_script_process_state',`
+interface(`init_read_script_process_state',`
 gen_require(`
 type initrc_t;
 class dir r_dir_perms;
@@ -294,7 +294,7 @@ define(`init_read_script_process_state',`
 #
 # init_use_script_fd(domain)
 #
-define(`init_use_script_fd',`
+interface(`init_use_script_fd',`
 gen_require(`
 type initrc_t;
 class fd use;
@@ -307,7 +307,7 @@ define(`init_use_script_fd',`
 #
 # init_dontaudit_use_script_fd(domain)
 #
-define(`init_dontaudit_use_script_fd',`
+interface(`init_dontaudit_use_script_fd',`
 gen_require(`
 type initrc_t;
 class fd use;
@@ -320,7 +320,7 @@ define(`init_dontaudit_use_script_fd',`
 #
 # init_get_script_process_group(domain)
 #
-define(`init_get_script_process_group',`
+interface(`init_get_script_process_group',`
 gen_require(`
 type initrc_t;
 class process getpgid;
@@ -339,7 +339,7 @@ define(`init_get_script_process_group',`
 ##
 ##
 #
-define(`init_rw_script_pipe',`
+interface(`init_rw_script_pipe',`
 gen_require(`
 type initrc_t;
 class chr_file { read write };
@@ -352,7 +352,7 @@ define(`init_rw_script_pipe',`
 #
 # init_use_script_pty(domain)
 #
-define(`init_use_script_pty',`
+interface(`init_use_script_pty',`
 gen_require(`
 type initrc_devpts_t;
 class chr_file rw_term_perms;
@@ -366,7 +366,7 @@ define(`init_use_script_pty',`
 #
 # init_dontaudit_use_script_pty(domain)
 #
-define(`init_dontaudit_use_script_pty',`
+interface(`init_dontaudit_use_script_pty',`
 gen_require(`
 type initrc_devpts_t;
 class chr_file { read write ioctl };
@@ -385,7 +385,7 @@ define(`init_dontaudit_use_script_pty',`
 ##
 ##
 #
-define(`init_rw_script_tmp_files',`
+interface(`init_rw_script_tmp_files',`
 gen_require(`
 type initrc_var_run_t;
 class file rw_file_perms;
@@ -399,7 +399,7 @@ define(`init_rw_script_tmp_files',`
 #
 # init_read_script_pid(domain)
 #
-define(`init_read_script_pid',`
+interface(`init_read_script_pid',`
 gen_require(`
 type initrc_var_run_t;
 class file r_file_perms;
@@ -413,7 +413,7 @@ define(`init_read_script_pid',`
 #
 # init_dontaudit_write_script_pid(domain)
 #
-define(`init_dontaudit_write_script_pid',`
+interface(`init_dontaudit_write_script_pid',`
 gen_require(`
 type initrc_var_run_t;
 class file { write lock };
@@ -426,7 +426,7 @@ define(`init_dontaudit_write_script_pid',`
 #
 # init_rw_script_pid(domain)
 #
-define(`init_rw_script_pid',`
+interface(`init_rw_script_pid',`
 gen_require(`
 type initrc_var_run_t;
 class file rw_file_perms;
@@ -440,7 +440,7 @@ define(`init_rw_script_pid',`
 #
 # init_dontaudit_rw_script_pid(domain)
 #
-define(`init_dontaudit_rw_script_pid',`
+interface(`init_dontaudit_rw_script_pid',`
 gen_require(`
 type initrc_var_run_t;
 class file rw_file_perms;
diff --git a/refpolicy/policy/modules/system/iptables.if b/refpolicy/policy/modules/system/iptables.if
index c41a5c0..60d4da5 100644
--- a/refpolicy/policy/modules/system/iptables.if
+++ b/refpolicy/policy/modules/system/iptables.if
@@ -11,7 +11,7 @@
 ##
 ##
 #
-define(`iptables_domtrans',`
+interface(`iptables_domtrans',`
 gen_require(`
 type iptables_t, iptables_exec_t;
 class process sigchld;
@@ -45,7 +45,7 @@ define(`iptables_domtrans',`
 ##
 ##
 #
-define(`iptables_run',`
+interface(`iptables_run',`
 gen_require(`
 type iptables_t;
 class chr_file rw_term_perms;
@@ -66,7 +66,7 @@ define(`iptables_run',`
 ##
 ##
 #
-define(`iptables_exec',`
+interface(`iptables_exec',`
 gen_require(`
 type iptables_exec_t;
 ')
diff --git a/refpolicy/policy/modules/system/libraries.if b/refpolicy/policy/modules/system/libraries.if
index f187806..58b587e 100644
--- a/refpolicy/policy/modules/system/libraries.if
+++ b/refpolicy/policy/modules/system/libraries.if
@@ -11,7 +11,7 @@
 ##
 ##
 #
-define(`libs_domtrans_ldconfig',`
+interface(`libs_domtrans_ldconfig',`
 gen_require(`
 type ldconfig_t, ldconfig_exec_t;
 class process sigchld;
@@ -44,7 +44,7 @@ define(`libs_domtrans_ldconfig',`
 ##
 ##
 #
-define(`libs_run_ldconfig',`
+interface(`libs_run_ldconfig',`
 gen_require(`
 type ldconfig_t;
 class chr_file rw_term_perms;
@@ -66,7 +66,7 @@ define(`libs_run_ldconfig',`
 ##
 ##
 #
-define(`libs_use_ld_so',`
+interface(`libs_use_ld_so',`
 gen_require(`
 type lib_t, ld_so_t, ld_so_cache_t;
 class dir r_dir_perms;
@@ -93,7 +93,7 @@ define(`libs_use_ld_so',`
 ##
 ##
 #
-define(`libs_legacy_use_ld_so',`
+interface(`libs_legacy_use_ld_so',`
 gen_require(`
 type ld_so_t, ld_so_cache_t;
 class file { execute execmod };
@@ -119,7 +119,7 @@ define(`libs_legacy_use_ld_so',`
 ##
 ##
 #
-define(`libs_exec_ld_so',`
+interface(`libs_exec_ld_so',`
 gen_require(`
 type lib_t, ld_so_t;
 class dir r_dir_perms;
@@ -143,7 +143,7 @@ define(`libs_exec_ld_so',`
 ##
 ##
 #
-define(`libs_rw_ld_so_cache',`
+interface(`libs_rw_ld_so_cache',`
 gen_require(`
 type ld_so_cache_t;
 class file rw_file_perms;
@@ -163,7 +163,7 @@ define(`libs_rw_ld_so_cache',`
 ##
 ##
 #
-define(`libs_search_lib',`
+interface(`libs_search_lib',`
 gen_require(`
 type lib_t;
 class dir search;
@@ -183,7 +183,7 @@ define(`libs_search_lib',`
 ##
 ##
 #
-define(`libs_read_lib',`
+interface(`libs_read_lib',`
 gen_require(`
 type lib_t;
 class dir r_dir_perms;
@@ -206,7 +206,7 @@ define(`libs_read_lib',`
 ##
 ##
 #
-define(`libs_exec_lib_files',`
+interface(`libs_exec_lib_files',`
 gen_require(`
 type lib_t;
 class dir r_dir_perms;
@@ -229,7 +229,7 @@ define(`libs_exec_lib_files',`
 ##
 ##
 #
-define(`libs_use_shared_libs',`
+interface(`libs_use_shared_libs',`
 gen_require(`
 type lib_t, shlib_t, texrel_shlib_t;
 class dir r_dir_perms;
@@ -255,7 +255,7 @@ define(`libs_use_shared_libs',`
 ##
 ##
 #
-define(`libs_legacy_use_shared_libs',`
+interface(`libs_legacy_use_shared_libs',`
 gen_require(`
 type shlib_t, texrel_shlib_t;
 class file execmod;
diff --git a/refpolicy/policy/modules/system/locallogin.if b/refpolicy/policy/modules/system/locallogin.if
index 281da20..f089e62 100644
--- a/refpolicy/policy/modules/system/locallogin.if
+++ b/refpolicy/policy/modules/system/locallogin.if
@@ -11,7 +11,7 @@
 ##
 ##
 #
-define(`locallogin_domtrans',`
+interface(`locallogin_domtrans',`
 gen_require(`
 type local_login_t;
 ')
@@ -29,7 +29,7 @@ define(`locallogin_domtrans',`
 ##
 ##
 #
-define(`locallogin_use_fd',`
+interface(`locallogin_use_fd',`
 gen_require(`
 type local_login_t;
 class fd use;
diff --git a/refpolicy/policy/modules/system/logging.if b/refpolicy/policy/modules/system/logging.if
index df1b2c5..b4271bd 100644
--- a/refpolicy/policy/modules/system/logging.if
+++ b/refpolicy/policy/modules/system/logging.if
@@ -5,7 +5,7 @@
 #
 # logging_log_file(domain)
 #
-define(`logging_log_file',`
+interface(`logging_log_file',`
 gen_require(`
 attribute logfile;
 ')
@@ -18,7 +18,7 @@ define(`logging_log_file',`
 #
 # logging_create_log(domain,privatetype,[class(es)])
 #
-define(`logging_create_log',`
+interface(`logging_create_log',`
 gen_require(`
 type var_log_t;
 class dir rw_dir_perms;
@@ -37,7 +37,7 @@ define(`logging_create_log',`
 #
 # logging_send_syslog_msg(domain)
 #
-define(`logging_send_syslog_msg',`
+interface(`logging_send_syslog_msg',`
 gen_require(`
 type syslogd_t, devlog_t;
 class lnk_file read;
@@ -71,7 +71,7 @@ define(`logging_send_syslog_msg',`
 ##
 ##
 #
-define(`logging_search_logs',`
+interface(`logging_search_logs',`
 gen_require(`
 type var_log_t;
 class dir search;
@@ -85,7 +85,7 @@ define(`logging_search_logs',`
 #
 # logging_dontaudit_getattr_all_logs(domain)
 #
-define(`logging_dontaudit_getattr_all_logs',`
+interface(`logging_dontaudit_getattr_all_logs',`
 gen_require(`
 attribute logfile;
 class file getattr;
@@ -98,7 +98,7 @@ define(`logging_dontaudit_getattr_all_logs',`
 #
 # logging_append_all_logs(domain)
 #
-define(`logging_append_all_logs',`
+interface(`logging_append_all_logs',`
 gen_require(`
 attribute logfile;
 type var_log_t;
@@ -115,7 +115,7 @@ define(`logging_append_all_logs',`
 #
 # logging_read_all_logs(domain)
 #
-define(`logging_read_all_logs',`
+interface(`logging_read_all_logs',`
 gen_require(`
 attribute logfile;
 type var_log_t;
@@ -132,7 +132,7 @@ define(`logging_read_all_logs',`
 #
 # logging_read_generic_logs(domain)
 #
-define(`logging_read_generic_logs',`
+interface(`logging_read_generic_logs',`
 gen_require(`
 type var_log_t;
 class dir r_dir_perms;
@@ -148,7 +148,7 @@ define(`logging_read_generic_logs',`
 #
 # logging_write_generic_logs(domain)
 #
-define(`logging_write_generic_logs',`
+interface(`logging_write_generic_logs',`
 gen_require(`
 type var_log_t;
 class dir r_dir_perms;
@@ -164,7 +164,7 @@ define(`logging_write_generic_logs',`
 #
 # logging_rw_generic_logs(domain)
 #
-define(`logging_rw_generic_logs',`
+interface(`logging_rw_generic_logs',`
 gen_require(`
 type var_log_t;
 class dir r_dir_perms;
diff --git a/refpolicy/policy/modules/system/lvm.if b/refpolicy/policy/modules/system/lvm.if
index adc7b50..9e90c7d 100644
--- a/refpolicy/policy/modules/system/lvm.if
+++ b/refpolicy/policy/modules/system/lvm.if
@@ -11,7 +11,7 @@
 ##
 ##
 #
-define(`lvm_domtrans',`
+interface(`lvm_domtrans',`
 gen_require(`
 type lvm_t, lvm_exec_t;
 class process sigchld;
@@ -44,7 +44,7 @@ define(`lvm_domtrans',`
 ##
 ##
 #
-define(`lvm_run',`
+interface(`lvm_run',`
 gen_require(`
 type lvm_t;
 class chr_file rw_term_perms;
@@ -65,7 +65,7 @@ define(`lvm_run',`
 ##
 ##
 #
-define(`lvm_read_config',`
+interface(`lvm_read_config',`
 gen_require(`
 type lvm_t, lvm_exec_t;
 class dir r_dir_perms;
diff --git a/refpolicy/policy/modules/system/miscfiles.if b/refpolicy/policy/modules/system/miscfiles.if
index cef50ff..385af70 100644
--- a/refpolicy/policy/modules/system/miscfiles.if
+++ b/refpolicy/policy/modules/system/miscfiles.if
@@ -12,7 +12,7 @@
 ##
 ##
 #
-define(`miscfiles_rw_man_cache',`
+interface(`miscfiles_rw_man_cache',`
 gen_require(`
 type catman_t;
 class dir create_dir_perms;
@@ -34,7 +34,7 @@ define(`miscfiles_rw_man_cache',`
 ##
 ##
 #
-define(`miscfiles_read_fonts',`
+interface(`miscfiles_read_fonts',`
 gen_require(`
 type fonts_t;
 class dir r_dir_perms;
@@ -59,7 +59,7 @@ define(`miscfiles_read_fonts',`
 ##
 ##
 #
-define(`miscfiles_read_localization',`
+interface(`miscfiles_read_localization',`
 gen_require(`
 type locale_t;
 class dir r_dir_perms;
@@ -88,7 +88,7 @@ define(`miscfiles_read_localization',`
 ##
 ##
 #
-define(`miscfiles_legacy_read_localization',`
+interface(`miscfiles_legacy_read_localization',`
 gen_require(`
 type locale_t;
 class file execute;
@@ -108,7 +108,7 @@ define(`miscfiles_legacy_read_localization',`
 ##
 ##
 #
-define(`miscfiles_read_man_pages',`
+interface(`miscfiles_read_man_pages',`
 gen_require(`
 type man_t;
 class dir r_dir_perms;
diff --git a/refpolicy/policy/modules/system/modutils.if b/refpolicy/policy/modules/system/modutils.if
index 2c310cf..46af240 100644
--- a/refpolicy/policy/modules/system/modutils.if
+++ b/refpolicy/policy/modules/system/modutils.if
@@ -11,7 +11,7 @@
 ##
 ##
 #
-define(`modutils_read_kernel_module_dependencies',`
+interface(`modutils_read_kernel_module_dependencies',`
 gen_require(`
 type modules_dep_t;
 class file r_file_perms;
@@ -32,7 +32,7 @@ define(`modutils_read_kernel_module_dependencies',`
 ##
 ##
 #
-define(`modutils_read_module_conf',`
+interface(`modutils_read_module_conf',`
 gen_require(`
 type modules_conf_t;
 class file r_file_perms;
@@ -56,7 +56,7 @@ define(`modutils_read_module_conf',`
 ##
 ##
 #
-define(`modutils_domtrans_insmod',`
+interface(`modutils_domtrans_insmod',`
 gen_require(`
 type insmod_t, insmod_exec_t;
 class process sigchld;
@@ -92,7 +92,7 @@ define(`modutils_domtrans_insmod',`
 ##
 ##
 #
-define(`modutils_run_insmod',`
+interface(`modutils_run_insmod',`
 gen_require(`
 type insmod_t;
 class chr_file rw_term_perms;
@@ -107,7 +107,7 @@ define(`modutils_run_insmod',`
 #
 # modutils_exec_insmod(domain)
 #
-define(`modutils_exec_insmod',`
+interface(`modutils_exec_insmod',`
 gen_require(`
 type insmod_t;
 ')
@@ -126,7 +126,7 @@ define(`modutils_exec_insmod',`
 ##
 ##
 #
-define(`modutils_domtrans_depmod',`
+interface(`modutils_domtrans_depmod',`
 gen_require(`
 type depmod_t, depmod_exec_t;
 class process sigchld;
@@ -159,7 +159,7 @@ define(`modutils_domtrans_depmod',`
 ##
 ##
 #
-define(`modutils_run_depmod',`
+interface(`modutils_run_depmod',`
 gen_require(`
 type depmod_t;
 class chr_file rw_term_perms;
@@ -174,7 +174,7 @@ define(`modutils_run_depmod',`
 #
 # modutils_exec_depmod(domain)
 #
-define(`modutils_exec_depmod',`
+interface(`modutils_exec_depmod',`
 gen_require(`
 type depmod_t;
 ')
@@ -193,7 +193,7 @@ define(`modutils_exec_depmod',`
 ##
 ##
 #
-define(`modutils_domtrans_update_mods',`
+interface(`modutils_domtrans_update_mods',`
 gen_require(`
 type update_modules_t, update_modules_exec_t;
 class process signal;
@@ -226,7 +226,7 @@ define(`modutils_domtrans_update_mods',`
 ##
 ##
 #
-define(`modutils_run_update_mods',`
+interface(`modutils_run_update_mods',`
 gen_require(`
 type update_modules_t;
 class chr_file rw_term_perms;
@@ -241,7 +241,7 @@ define(`modutils_run_update_mods',`
 #
 # modutils_exec_update_mods(domain)
 #
-define(`modutils_exec_update_mods',`
+interface(`modutils_exec_update_mods',`
 gen_require(`
 type update_modules_t;
 ')
diff --git a/refpolicy/policy/modules/system/mount.if b/refpolicy/policy/modules/system/mount.if
index e7cbdc1..3c63e29 100644
--- a/refpolicy/policy/modules/system/mount.if
+++ b/refpolicy/policy/modules/system/mount.if
@@ -11,7 +11,7 @@
 ##
 ##
 #
-define(`mount_domtrans',`
+interface(`mount_domtrans',`
 gen_require(`
 type mount_t, mount_exec_t;
 class process sigchld;
@@ -45,7 +45,7 @@ define(`mount_domtrans',`
 ##
 ##
 #
-define(`mount_run',`
+interface(`mount_run',`
 gen_require(`
 type mount_t;
 class chr_file rw_file_perms;
@@ -66,7 +66,7 @@ define(`mount_run',`
 ##
 ##
 #
-define(`mount_use_fd',`
+interface(`mount_use_fd',`
 gen_require(`
 type mount_t;
 class fd use;
@@ -86,7 +86,7 @@ define(`mount_use_fd',`
 ##
 ##
 #
-define(`mount_send_nfs_client_request',`
+interface(`mount_send_nfs_client_request',`
 gen_require(`
 type mount_t;
 class udp_socket rw_socket_perms;
diff --git a/refpolicy/policy/modules/system/selinuxutil.if b/refpolicy/policy/modules/system/selinuxutil.if
index a4108b0..0767bb7 100644
--- a/refpolicy/policy/modules/system/selinuxutil.if
+++ b/refpolicy/policy/modules/system/selinuxutil.if
@@ -11,7 +11,7 @@
 ##
 ##
 #
-define(`seutil_domtrans_checkpol',`
+interface(`seutil_domtrans_checkpol',`
 gen_require(`
 type checkpolicy_t, checkpolicy_exec_t;
 class process sigchld;
@@ -48,7 +48,7 @@ define(`seutil_domtrans_checkpol',`
 ##
 ##
 #
-define(`seutil_run_checkpol',`
+interface(`seutil_run_checkpol',`
 gen_require(`
 type checkpolicy_t;
 class chr_file rw_term_perms;
@@ -63,7 +63,7 @@ define(`seutil_run_checkpol',`
 #
 # seutil_exec_checkpol(domain)
 #
-define(`seutil_exec_checkpol',`
+interface(`seutil_exec_checkpol',`
 gen_require(`
 type checkpolicy_exec_t;
 ')
@@ -83,7 +83,7 @@ define(`seutil_exec_checkpol',`
 ##
 ##
 #
-define(`seutil_domtrans_loadpol',`
+interface(`seutil_domtrans_loadpol',`
 gen_require(`
 type load_policy_t, load_policy_exec_t;
 class process sigchld;
@@ -119,7 +119,7 @@ define(`seutil_domtrans_loadpol',`
 ##
 ##
 #
-define(`seutil_run_loadpol',`
+interface(`seutil_run_loadpol',`
 gen_require(`
 type load_policy_t;
 class chr_file rw_term_perms;
@@ -134,7 +134,7 @@ define(`seutil_run_loadpol',`
 #
 # seutil_exec_loadpol(domain)
 #
-define(`seutil_exec_loadpol',`
+interface(`seutil_exec_loadpol',`
 gen_require(`
 type load_policy_exec_t;
 ')
@@ -147,7 +147,7 @@ define(`seutil_exec_loadpol',`
 #
 # seutil_read_loadpol(domain)
 #
-define(`seutil_read_loadpol',`
+interface(`seutil_read_loadpol',`
 gen_require(`
 type load_policy_exec_t;
 class file r_file_perms
@@ -167,7 +167,7 @@ define(`seutil_read_loadpol',`
 ##
 ##
 #
-define(`seutil_domtrans_newrole',`
+interface(`seutil_domtrans_newrole',`
 gen_require(`
 type newrole_t, newrole_exec_t;
 class process sigchld;
@@ -203,7 +203,7 @@ define(`seutil_domtrans_newrole',`
 ##
 ##
 #
-define(`seutil_run_newrole',`
+interface(`seutil_run_newrole',`
 gen_require(`
 type newrole_t;
 class chr_file rw_term_perms;
@@ -218,7 +218,7 @@ define(`seutil_run_newrole',`
 #
 # seutil_exec_newrole(domain)
 #
-define(`seutil_exec_newrole',`
+interface(`seutil_exec_newrole',`
 gen_require(`
 type newrole_t, newrole_exec_t;
 ')
@@ -239,7 +239,7 @@ define(`seutil_exec_newrole',`
 ##
 ##
 #
-define(`seutil_dontaudit_newrole_signal',`
+interface(`seutil_dontaudit_newrole_signal',`
 gen_require(`
 type newrole_t;
 class process signal;
@@ -252,7 +252,7 @@ define(`seutil_dontaudit_newrole_signal',`
 #
 # seutil_newrole_sigchld(domain)
 #
-define(`seutil_newrole_sigchld',`
+interface(`seutil_newrole_sigchld',`
 gen_require(`
 type newrole_t;
 class process sigchld;
@@ -265,7 +265,7 @@ define(`seutil_newrole_sigchld',`
 #
 # seutil_use_newrole_fd(domain)
 #
-define(`seutil_use_newrole_fd',`
+interface(`seutil_use_newrole_fd',`
 gen_require(`
 type newrole_t;
 class fd use;
@@ -284,7 +284,7 @@ define(`seutil_use_newrole_fd',`
 ##
 ##
 #
-define(`seutil_domtrans_restorecon',`
+interface(`seutil_domtrans_restorecon',`
 gen_require(`
 type restorecon_t, restorecon_exec_t;
 class process sigchld;
@@ -319,7 +319,7 @@ define(`seutil_domtrans_restorecon',`
 ##
 ##
 #
-define(`seutil_run_restorecon',`
+interface(`seutil_run_restorecon',`
 gen_require(`
 type restorecon_t;
 class chr_file rw_term_perms;
@@ -334,7 +334,7 @@ define(`seutil_run_restorecon',`
 #
 # seutil_exec_restorecon(domain)
 #
-define(`seutil_exec_restorecon',`
+interface(`seutil_exec_restorecon',`
 gen_require(`
 type restorecon_t, restorecon_exec_t;
 ')
@@ -353,7 +353,7 @@ define(`seutil_exec_restorecon',`
 ##
 ##
 #
-define(`seutil_domtrans_runinit',`
+interface(`seutil_domtrans_runinit',`
 gen_require(`
 type run_init_t, run_init_exec_t;
 class process sigchld;
@@ -389,7 +389,7 @@ define(`seutil_domtrans_runinit',`
 ##
 ##
 #
-define(`seutil_run_runinit',`
+interface(`seutil_run_runinit',`
 gen_require(`
 type run_init_t;
 class chr_file rw_term_perms;
@@ -404,7 +404,7 @@ define(`seutil_run_runinit',`
 #
 # seutil_use_runinit_fd(domain)
 #
-define(`seutil_use_runinit_fd',`
+interface(`seutil_use_runinit_fd',`
 gen_require(`
 type run_init_t;
 class fd use;
@@ -423,7 +423,7 @@ define(`seutil_use_runinit_fd',`
 ##
 ##
 #
-define(`seutil_domtrans_setfiles',`
+interface(`seutil_domtrans_setfiles',`
 gen_require(`
 type setfiles_t, setfiles_exec_t;
 class process sigchld;
@@ -459,7 +459,7 @@ define(`seutil_domtrans_setfiles',`
 ##
 ##
 #
-define(`seutil_run_setfiles',`
+interface(`seutil_run_setfiles',`
 gen_require(`
 type setfiles_t;
 class chr_file rw_term_perms;
@@ -474,7 +474,7 @@ define(`seutil_run_setfiles',`
 #
 # seutil_exec_setfiles(domain)
 #
-define(`seutil_exec_setfiles',`
+interface(`seutil_exec_setfiles',`
 gen_require(`
 type setfiles_exec_t;
 ')
@@ -488,7 +488,7 @@ define(`seutil_exec_setfiles',`
 #
 # seutil_read_config(domain)
 #
-define(`seutil_read_config',`
+interface(`seutil_read_config',`
 gen_require(`
 type selinux_config_t;
 class dir r_dir_perms;
@@ -504,7 +504,7 @@ define(`seutil_read_config',`
 #
 # seutil_read_default_contexts(domain)
 #
-define(`seutil_read_default_contexts',`
+interface(`seutil_read_default_contexts',`
 gen_require(`
 type selinux_config_t, default_context_t;
 class dir r_dir_perms;
@@ -521,7 +521,7 @@ define(`seutil_read_default_contexts',`
 #
 # seutil_read_file_contexts(domain)
 #
-define(`seutil_read_file_contexts',`
+interface(`seutil_read_file_contexts',`
 gen_require(`
 type selinux_config_t, file_context_t;
 class dir r_dir_perms;
@@ -538,7 +538,7 @@ define(`seutil_read_file_contexts',`
 #
 # seutil_read_binary_pol(domain)
 #
-define(`seutil_read_binary_pol',`
+interface(`seutil_read_binary_pol',`
 gen_require(`
 type selinux_config_t, policy_config_t;
 class dir r_dir_perms;
@@ -555,7 +555,7 @@ define(`seutil_read_binary_pol',`
 #
 # seutil_create_binary_pol(domain)
 #
-define(`seutil_create_binary_pol',`
+interface(`seutil_create_binary_pol',`
 gen_require(`
 attribute can_write_binary_policy;
 type selinux_config_t, policy_config_t;
@@ -580,7 +580,7 @@ define(`seutil_create_binary_pol',`
 ##
 ##
 #
-define(`seutil_relabelto_binary_pol',`
+interface(`seutil_relabelto_binary_pol',`
 gen_require(`
 attribute can_relabelto_binary_policy;
 type policy_config_t;
@@ -595,7 +595,7 @@ define(`seutil_relabelto_binary_pol',`
 #
 # seutil_manage_binary_pol(domain)
 #
-define(`seutil_manage_binary_pol',`
+interface(`seutil_manage_binary_pol',`
 gen_require(`
 attribute can_write_binary_policy;
 type selinux_config_t, policy_config_t;
@@ -614,7 +614,7 @@ define(`seutil_manage_binary_pol',`
 #
 # seutil_read_src_pol(domain)
 #
-define(`seutil_read_src_pol',`
+interface(`seutil_read_src_pol',`
 gen_require(`
 type selinux_config_t, policy_src_t;
 class dir r_dir_perms;
@@ -631,7 +631,7 @@ define(`seutil_read_src_pol',`
 #
 # seutil_manage_src_pol(domain)
 #
-define(`seutil_manage_src_pol',`
+interface(`seutil_manage_src_pol',`
 gen_require(`
 type selinux_config_t, policy_src_t;
 class dir create_dir_perms;
diff --git a/refpolicy/policy/modules/system/sysnetwork.if b/refpolicy/policy/modules/system/sysnetwork.if
index ce884dc..d5a0808 100644
--- a/refpolicy/policy/modules/system/sysnetwork.if
+++ b/refpolicy/policy/modules/system/sysnetwork.if
@@ -11,7 +11,7 @@
 ##
 ##
 #
-define(`sysnet_domtrans_dhcpc',`
+interface(`sysnet_domtrans_dhcpc',`
 gen_require(`
 type dhcpc_t, dhcpc_exec_t;
 class process sigchld;
@@ -38,7 +38,7 @@ define(`sysnet_domtrans_dhcpc',`
 ##
 ##
 #
-define(`sysnet_domtrans_ifconfig',`
+interface(`sysnet_domtrans_ifconfig',`
 gen_require(`
 type ifconfig_t, ifconfig_exec_t;
 class process sigchld;
@@ -73,7 +73,7 @@ define(`sysnet_domtrans_ifconfig',`
 ##
 ##
 #
-define(`sysnet_run_ifconfig',`
+interface(`sysnet_run_ifconfig',`
 gen_require(`
 type ifconfig_t;
 class chr_file rw_term_perms;
@@ -95,7 +95,7 @@ define(`sysnet_run_ifconfig',`
 ##
 ##
 #
-define(`sysnet_read_config',`
+interface(`sysnet_read_config',`
 gen_require(`
 type net_conf_t;
 class file r_file_perms;
diff --git a/refpolicy/policy/modules/system/udev.if b/refpolicy/policy/modules/system/udev.if
index 4b986f5..0dd6da7 100644
--- a/refpolicy/policy/modules/system/udev.if
+++ b/refpolicy/policy/modules/system/udev.if
@@ -11,7 +11,7 @@ ## ## # -define(`udev_domtrans',` +interface(`udev_domtrans',` gen_require(` type udev_t, udev_exec_t; class process sigchld; @@ -37,7 +37,7 @@ define(`udev_domtrans',` ## ## # -define(`udev_read_db',` +interface(`udev_read_db',` gen_require(` type udev_tdb_t; class file r_file_perms; @@ -57,7 +57,7 @@ define(`udev_read_db',` ## ## # -define(`udev_rw_db',` +interface(`udev_rw_db',` gen_require(` type udev_tdb_t; class file rw_file_perms; diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if index 7b17ad9..22927d5 100644 --- a/refpolicy/policy/modules/system/userdomain.if +++ b/refpolicy/policy/modules/system/userdomain.if @@ -7,7 +7,7 @@ # # This is common to user and admin domain -define(`base_user_domain',` +template(`base_user_domain',` attribute $1_file_type; @@ -403,7 +403,7 @@ define(`base_user_domain',` # User domain template # -define(`user_domain_template', ` +template(`user_domain_template', ` ############################## # # Declarations @@ -604,7 +604,7 @@ define(`user_domain_template', ` # # Admin domain template # -define(`admin_domain_template',` +template(`admin_domain_template',` ############################## # # Declarations @@ -820,7 +820,7 @@ define(`admin_domain_template',` ## ## # -define(`userdom_spec_domtrans_all_users',` +interface(`userdom_spec_domtrans_all_users',` gen_require(` attribute userdomain; ') @@ -840,7 +840,7 @@ define(`userdom_spec_domtrans_all_users',` ## ## # -define(`userdom_spec_domtrans_unpriv_users',` +interface(`userdom_spec_domtrans_unpriv_users',` gen_require(` attribute unpriv_userdomain; ') @@ -858,7 +858,7 @@ define(`userdom_spec_domtrans_unpriv_users',` ## ## # -define(`userdom_shell_domtrans_sysadm',` +interface(`userdom_shell_domtrans_sysadm',` gen_require(` type sysadm_t; ') 
@@ -876,7 +876,7 @@ define(`userdom_shell_domtrans_sysadm',`
 ##
 ##
 #
-define(`userdom_use_sysadm_tty',`
+interface(`userdom_use_sysadm_tty',`
 gen_require(`
 type sysadm_tty_device_t;
 class chr_file { getattr read write ioctl };
@@ -897,7 +897,7 @@ define(`userdom_use_sysadm_tty',`
 ##
 ##
 #
-define(`userdom_use_sysadm_terms',`
+interface(`userdom_use_sysadm_terms',`
 gen_require(`
 attribute admin_terminal;
 class chr_file { getattr read write ioctl };
@@ -918,7 +918,7 @@ define(`userdom_use_sysadm_terms',`
 ##
 ##
 #
-define(`userdom_dontaudit_use_sysadm_terms',`
+interface(`userdom_dontaudit_use_sysadm_terms',`
 gen_require(`
 attribute admin_terminal;
 class chr_file { read write };
@@ -937,7 +937,7 @@ define(`userdom_dontaudit_use_sysadm_terms',`
 ##
 ##
 #
-define(`userdom_search_all_users_home',`
+interface(`userdom_search_all_users_home',`
 gen_require(`
 attribute home_dir_type, home_type;
 class dir search;
@@ -957,7 +957,7 @@ define(`userdom_search_all_users_home',`
 ##
 ##
 #
-define(`userdom_read_all_user_data',`
+interface(`userdom_read_all_user_data',`
 gen_require(`
 attribute home_type;
 class dir r_dir_perms;
@@ -979,7 +979,7 @@ define(`userdom_read_all_user_data',`
 ##
 ##
 #
-define(`userdom_use_all_user_fd',`
+interface(`userdom_use_all_user_fd',`
 gen_require(`
 attribute userdomain;
 class fd use;
@@ -998,7 +998,7 @@ define(`userdom_use_all_user_fd',`
 ##
 ##
 #
-define(`userdom_signal_all_users',`
+interface(`userdom_signal_all_users',`
 gen_require(`
 attribute userdomain;
 class process signal;
@@ -1017,7 +1017,7 @@ define(`userdom_signal_all_users',`
 ##
 ##
 #
-define(`userdom_signal_unpriv_users',`
+interface(`userdom_signal_unpriv_users',`
 gen_require(`
 attribute unpriv_userdomain;
 class process signal;
@@ -1036,7 +1036,7 @@ define(`userdom_signal_unpriv_users',`
 ##
 ##
 #
-define(`userdom_use_unpriv_users_fd',`
+interface(`userdom_use_unpriv_users_fd',`
 gen_require(`
 attribute unpriv_userdomain;
 class fd use;
@@ -1056,7 +1056,7 @@ define(`userdom_use_unpriv_users_fd',` ## ## # -define(`userdom_dontaudit_use_unpriv_user_fd',` +interface(`userdom_dontaudit_use_unpriv_user_fd',` gen_require(` attribute unpriv_userdomain; class fd use; diff --git a/refpolicy/policy/support/loadable_module.spt b/refpolicy/policy/support/loadable_module.spt index be921cc..0faaff7 100644 --- a/refpolicy/policy/support/loadable_module.spt +++ b/refpolicy/policy/support/loadable_module.spt @@ -28,17 +28,52 @@ define(`gen_require',` ############################## # -# In the future interfaces could be in loadable modules +# In the future interfaces should be in loadable modules # -# module_interface(name,rules) +# template(name,rules) # -define(`module_interface',` - define(`$1',` - gen_require(`$1'_depend) +define(`template',` + `define(`$1',` +###### begin $1(dollarsstar) $2 - ') +###### end $1(dollarsstar) + '') ') +# helper function, since m4 wont expand macros +# if a line is a comment (#): +define(`policy_m4_comment',`dnl +##### $2 depth: $1 +')dnl + +############################## +# +# In the future interfaces should be in loadable modules +# +# interface(name,rules) +# +define(`interface',` + `define(`$1',` + + define(`policy_temp',incr(policy_call_depth)) + pushdef(`policy_call_depth',policy_temp) + undefine(`policy_temp') + + policy_m4_comment(policy_call_depth,begin `$1'(dollarsstar)) + + $2 + + define(`policy_temp',decr(policy_call_depth)) + pushdef(`policy_call_depth',policy_temp) + undefine(`policy_temp') + + policy_m4_comment(policy_call_depth,end `$1'(dollarsstar)) + + '') +') + +define(`policy_call_depth',0) + ############################## # # Optional policy handling
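Review bot: The depth counter in the new `interface` macro is maintained through a scratch `policy_temp` plus a `pushdef` that is never paired with a `popdef`, so every interface expansion leaves two stale entries on the `policy_call_depth` definition stack; the top value is still correct, but each three-line group can collapse to `` define(`policy_call_depth',incr(policy_call_depth)) `` on entry and `` define(`policy_call_depth',decr(policy_call_depth)) `` on exit (or keep `pushdef` and close with `` popdef(`policy_call_depth') `` if a stack is really intended). The comment above `policy_m4_comment` should say why the helper exists — `policy_call_depth` has to be expanded as an argument before it lands on a `#` line, because m4 copies comment lines through without expanding macros — e.g. `# emit a "#####" marker line; the depth is passed in because macros on a "#" line are not expanded`. The quoting of `` `$1' `` in the two `policy_m4_comment` calls is load-bearing and deserves a one-line comment, since an unquoted name would be re-expanded as a call to the very interface being defined, whereas the bare `$1(dollarsstar)` in `template` is only safe because it sits on a `######` comment line. `dollarsstar` appears to be a placeholder that a later build step rewrites to `$*`; a comment saying so would stop the next reader from "fixing" it to `$*`, which at this level of quoting would be substituted with `interface`'s own arguments rather than the caller's.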