diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if index a9050a2..1f1dd8d 100644 --- a/refpolicy/policy/modules/kernel/kernel.if +++ b/refpolicy/policy/modules/kernel/kernel.if @@ -5,8 +5,22 @@ ## ######################################## -# -# kernel_make_userland_entrypoint(domain,entrypoint) +## +## +## Gives kernel an entrypoint to the caller via +## the entrypoint type. +## +## +## ... +## +## +## The process type entered by kernel. +## +## +## The executable type for the entrypoint. +## +## +## # define(`kernel_make_userland_entrypoint',` requires_block_template(`$0'_depend) @@ -33,8 +47,20 @@ define(`kernel_make_userland_entrypoint_depend',` ') ######################################## -# -# kernel_share_state(domain) +## +## +## Allows the kernel to share state information with +## the caller. +## +## +## Gives a type access to state information about +## kernel processes +## +## +## The type of the process with which to share state information. +## +## +## # define(`kernel_share_state',` requires_block_template(`$0'_depend) @@ -49,8 +75,18 @@ define(`kernel_share_state_depend',` ') ######################################## -# -# kernel_use_file_descriptors(domain) +## +## +## Permits caller to use kernel file descriptors. +## +## +## Permits use of kernel file descriptors. +## +## +## The type of the process using the descriptors. +## +## +## # define(`kernel_use_file_descriptors',` requires_block_template(`$0'_depend) @@ -65,8 +101,20 @@ define(`kernel_use_file_descriptors_depend',` ') ######################################## -# -# kernel_ignore_use_file_descriptors(domain) +## +## +## Do not audit attempts by the caller to use +## kernel file descriptors. +## +## +## Causes attempts to use kernel file descriptors +## to not be audited for caller. +## +## +## The type of process not to audit. +## +## +## # define(`kernel_ignore_use_file_descriptors',` requires_block_template(`$0'_depend) @@ -81,8 +129,20 @@ define(`kernel_ignore_use_file_descriptors_depend',` ') ######################################## -# -# kernel_make_root_filesystem_mountpoint(domain) +## +## +## Allows the kernel to mount filesystems on +## the caller. +## +## +## Givers kernel permission to mount on directories +## of the calling type. +## +## +## The type of the directory to use as a mountpoint. +## +## +## # define(`kernel_make_root_filesystem_mountpoint',` requires_block_template(`$0'_depend) @@ -97,8 +157,19 @@ define(`kernel_make_root_filesystem_mountpoint_depend',` ') ######################################## -# -# kernel_make_process_identity_change_constraint_exception(domain) +## +## +## Makes caller an exception to the constraint preventing +## changing of user identity. +## +## +## Allows changing of user identity in context of the calling process. +## +## +## The process type to make an exception to the constraint. +## +## +## # define(`kernel_make_process_identity_change_constraint_exception',` requires_block_template(`$0'_depend) @@ -111,8 +182,19 @@ define(`kernel_make_process_identity_change_constraint_exception_depend',` ') ######################################## -# -# kernel_make_role_change_constraint_exception(domain) +## +## +## Makes caller an exception to the constraint preventing +## changing of role. +## +## +## Allows changing of role in the context of the calling process. +## +## +## The process type to make an exception to the constraint. +## +## +## # define(`kernel_make_role_change_constraint_exception',` requires_block_template(`$0'_depend) @@ -125,8 +207,19 @@ define(`kernel_make_role_change_constraint_exception_depend',` ') ######################################## -# -# kernel_make_object_identity_change_constraint_exception(domain) +## +## +## Makes caller an exception to the constraint preventing +## changing the user identity in object contexts. +## +## +## Allows caller to change user identities on objects +## +## +## The process type to make an exception to the constraint. +## +## +## # define(`kernel_make_object_identity_change_constraint_exception',` requires_block_template(`$0'_depend) @@ -139,8 +232,19 @@ define(`kernel_make_object_identity_change_constraint_exception_depend',` ') ######################################## -# -# kernel_load_module(domain) +## +## +## +## Allows caller to load kernel modules +## +## +## Allows loading of kernel modules. +## +## +## The process type to allow to load kernel modules. +## +## +## # define(`kernel_load_module',` requires_block_template(`$0'_depend) @@ -156,8 +260,20 @@ define(`kernel_load_module_depend',` ') ######################################## -# -# kernel_get_selinux_enforcement_mode(domain) +## +## +## +## Allows the caller to get the mode of policy enforcement +## (enforcing or permissive mode). +## +## +## Gives caller access to system state data. +## +## +## The process type to allow to get the enforcing mode. +## +## +## # define(`kernel_get_selinux_enforcement_mode',` requires_block_template(`$0'_depend) @@ -174,8 +290,19 @@ define(`kernel_get_selinux_enforcement_mode_depend',` ') ######################################## -# -# kernel_set_selinux_enforcement_mode(domain) +## +## +## Allow caller to set the mode of policy enforcement +## (enforcing or permissive mode). +## +## +## Caller becomes able to disable enforcement of policy. +## +## +## The process type to allow to set the enforcement mode. +## +## +## # define(`kernel_set_selinux_enforcement_mode',` requires_block_template(`$0'_depend) @@ -198,8 +325,18 @@ define(`kernel_set_selinux_enforcement_mode_depend',` ') ######################################## -# -# kernel_load_selinux_policy(domain) +## +## +## Allow caller to load the policy into the kernel. +## +## +## Caller can replace the policy being enforced. +## +## +## The process type that will load the policy. +## +## +## # define(`kernel_load_selinux_policy',` requires_block_template(`$0'_depend) @@ -222,8 +359,23 @@ define(`kernel_load_selinux_policy_depend',` ') ######################################## -# -# kernel_set_selinux_boolean(domain,[booltype]) +## +## +## Allow caller to set the state of Booleans to +## enable or disable conditional portions of the policy. +## +## +## Caller can change which of the conditional portions of +## the policy are being enforced. +## +## +## The process type allowed to set the Boolean. +## +## +## The type of Booleans the caller is allowed to set. +## +## +## # define(`kernel_set_selinux_boolean',` requires_block_template(`$0'_depend) @@ -250,8 +402,18 @@ define(`kernel_set_selinux_boolean_depend',` ') ######################################## -# -# kernel_set_selinux_security_parameters(domain) +## +## +## Allow caller to set selinux security parameters. +## +## +## Caller can change security parameters. +## +## +## The process type to allow to set security parameters. +## +## +## # define(`kernel_set_selinux_security_parameters',` requires_block_template(`$0'_depend) @@ -274,8 +436,18 @@ define(`kernel_set_selinux_security_parameters_depend',` ') ######################################## -# -# kernel_validate_selinux_context(domain) +## +## +## Allows caller to validate security contexts. +## +## +## +## +## +## The process type permitted to validate contexts. +## +## +## # define(`kernel_validate_selinux_context',` requires_block_template(`$0'_depend) @@ -294,8 +466,18 @@ define(`kernel_validate_selinux_context_depend',` ') ######################################## -# -# kernel_compute_selinux_access_vector(domain) +## +## +## Allows caller to compute an access vector. +## +## +## +## +## +## The process type allowed to compute an access vector. +## +## +## # define(`kernel_compute_selinux_access_vector',` requires_block_template(`$0'_depend) @@ -314,8 +496,18 @@ define(`kernel_compute_selinux_access_vector_depend',` ') ######################################## -# -# kernel_compute_selinux_create_context(domain) +## +## +## +## +## +## +## +## +## +## +## +## # define(`kernel_compute_selinux_create_context',` requires_block_template(`$0'_depend) @@ -334,8 +526,18 @@ define(`kernel_compute_selinux_create_context_depend',` ') ######################################## -# -# kernel_compute_selinux_relabel_context(domain) +## +## +## +## +## +## +## +## +## The process type to +## +## +## # define(`kernel_compute_selinux_relabel_context',` requires_block_template(`$0'_depend) @@ -354,8 +556,18 @@ define(`kernel_compute_selinux_relabel_context_depend',` ') ######################################## -# -# kernel_compute_selinux_reachable_user_contexts(domain) +## +## +## Allows caller to compute possible contexts for a user. +## +## +## +## +## +## The process type allowed to compute user contexts. +## +## +## # define(`kernel_compute_selinux_reachable_user_contexts',` requires_block_template(`$0'_depend) @@ -374,8 +586,18 @@ define(`kernel_compute_selinux_reachable_user_contexts_depend',` ') ######################################## -# -# kernel_read_ring_buffer(domain) +## +## +## Allows caller to read the ring buffer. +## +## +## Buffer read could have sensitive information from multiple doamins. +## +## +## The process type allowed to read the ring buffer. +## +## +## # define(`kernel_read_ring_buffer',` requires_block_template(`$0'_depend) @@ -390,8 +612,19 @@ define(`kernel_read_ring_buffer_depend',` ') ######################################## -# -# kernel_ignore_read_ring_buffer(domain) +## +## +## Ignore attempts by caller to read the ring buffer. +## +## +## Causes attepts to read potentially sensitive information +## from being audited. +## +## +## The domain to not audit. +## +## +## # define(`kernel_ignore_read_ring_buffer',` requires_block_template(`$0'_depend) @@ -406,8 +639,18 @@ define(`kernel_ignore_read_ring_buffer_depend',` ') ######################################## -# -# kernel_change_ring_buffer_level(domain) +## +## +## +## +## +## +## +## +## +## +## +## # define(`kernel_change_ring_buffer_level',` requires_block_template(`$0'_depend) @@ -422,8 +665,18 @@ define(`kernel_change_ring_buffer_level_depend',` ') ######################################## -# -# kernel_clear_ring_buffer(domain) +## +## +## Allows the caller to clear the ring buffer. +## +## +## +## +## +## The process type clearing the buffer. +## +## +## # define(`kernel_clear_ring_buffer',` requires_block_template(`$0'_depend) @@ -438,8 +691,18 @@ define(`kernel_clear_ring_buffer_depend',` ') ######################################## -# -# kernel_get_sysvipc_info(domain) +## +## +## Allow caller to get information about an ipc socket. +## +## +## +## +## +## +## +## +## # define(`kernel_get_sysvipc_info',` requires_block_template(`$0'_depend) @@ -454,8 +717,18 @@ define(`kernel_get_sysvipc_info_depend',` ') ######################################## -# -# kernel_get_selinuxfs_mount_point(domain) +## +## +## Gets the caller the mountpoint of the selinuxfs filesystem. +## +## +## +## +## +## The process type requesting the selinuxfs mountpoint. +## +## +## # define(`kernel_get_selinuxfs_mount_point',` requires_block_template(`$0'_depend) @@ -475,8 +748,18 @@ define(`kernel_get_selinuxfs_mount_point_depend',` ') ######################################## -# -# kernel_read_system_state(domain) +## +## +## Allows caller to read system state information. +## +## +## State data contains information about multiple domains and may be privlaged. +## +## +## The process type reading the system state information. +## +## +## # define(`kernel_read_system_state',` requires_block_template(`$0'_depend) @@ -495,8 +778,19 @@ define(`kernel_read_system_state_depend',` ') ######################################## -# -# kernel_ignore_read_system_state(domain) +## +## +## Do not audit attempts by caller to +## read system state information. +## +## +## Causes attempts to read system state data not to be auditted. +## +## +## The process type not to audit. +## +## +## # define(`kernel_ignore_read_system_state',` requires_block_template(`$0'_depend) @@ -511,8 +805,18 @@ define(`kernel_ignore_read_system_state_depend',` ') ####################################### -# -# kernel_read_software_raid_state(domain) +## +## +## Allow caller to read the state information for software raid. +## +## +## +## +## +## The process type reading software raid state. +## +## +## # define(`kernel_read_software_raid_state',` requires_block_template(`$0'_depend) @@ -529,8 +833,18 @@ define(`kernel_read_software_raid_state_depend',` ') ######################################## -# -# kernel_get_core_interface_attributes(domain) +## +## +## Allows caller to get attribues of core kernel interfaces. +## +## +## +## +## +## The process type getting the attibutes. +## +## +## # define(`kernel_get_core_interface_attributes',` requires_block_template(`$0'_depend) @@ -547,8 +861,20 @@ define(`kernel_get_core_interface_attributes_depend',` ') ######################################## -# -# kernel_ignore_get_core_interface_attributes(domain) +## +## +## Do not audit attempts to get the attributes of +## core kernel interfaces. +## +## +## Causes attempts to get attributes of kernel interfaces to +## not be auditted. +## +## +## The process type to not audit. +## +## +## # define(`kernel_ignore_get_core_interface_attributes',` requires_block_template(`$0'_depend) @@ -563,8 +889,18 @@ define(`kernel_ignore_get_core_interface_attributes_depend',` ') ######################################## -# -# kernel_read_messages(domain) +## +## +## Allow caller to receive and read kernel messages. +## +## +## +## +## +## The process type reading the messages. +## +## +## # define(`kernel_read_messages',` requires_block_template(`$0'_depend) @@ -584,8 +920,19 @@ define(`kernel_read_messages_depend',` ') ######################################## -# -# kernel_get_message_interface_attributes(domain) +## +## +## Allow caller to get the attributes of kernel message +## interfaces. +## +## +## +## +## +## The process type getting the attributes. +## +## +## # define(`kernel_get_message_interface_attributes',` requires_block_template(`$0'_depend) @@ -602,8 +949,20 @@ define(`kernel_get_message_interface_attributes_depend',` ') ######################################## -# -# kernel_ignore_get_message_interface_attributes(domain) +## +## +## Do not audit attempts by caller to get the attributes of kernel +## message interfaces. +## +## +## Causes attempts by caller to get the attributes of kernel +## message interfaces not to be auditted. +## +## +## The process type not to audit. +## +## +## # define(`kernel_ignore_get_message_interface_attributes',` requires_block_template(`$0'_depend) @@ -618,8 +977,19 @@ define(`kernel_ignore_get_message_interface_attributes_depend',` ') ######################################## -# -# kernel_read_network_state(domain) +## +## +## Allow caller to read the network state information. +## +## +## +## +## +## The process type reading the state. +## +## +## +## # define(`kernel_read_network_state',` requires_block_template(`$0'_depend) @@ -637,8 +1007,19 @@ define(`kernel_read_network_state_depend',` ') ######################################## -# -# kernel_ignore_search_sysctl_dir(domain) +## +## +## Do not audit attempts by caller to search the sysctl directory. +## +## +## Causes attempts by caller to search the sysctl directy not to be auditted. +## +## +## The process type not to audit. +## +## +## +## # define(`kernel_ignore_search_sysctl_dir',` requires_block_template(`$0'_depend) @@ -653,8 +1034,18 @@ define(`kernel_ignore_search_sysctl_dir_depend',` ') ######################################## -# -# kernel_read_device_sysctl(domain) +## +## +## Allow caller to read the sysctl device. +## +## +## +## +## +## The process type to allow to read the sysctl device. +## +## +## # define(`kernel_read_device_sysctl',` requires_block_template(`$0'_depend) @@ -673,8 +1064,18 @@ define(`kernel_read_device_sysctl_depend',` ') ######################################## -# -# kernel_modify_device_sysctl(domain) +## +## +## Allows the caller to modify the sysctl device file. +## +## +## +## +## +## The process type modifying the sysctl device. +## +## +## # define(`kernel_modify_device_sysctl',` requires_block_template(`$0'_depend) @@ -692,8 +1093,19 @@ define(`kernel_modify_device_sysctl_depend',` ') ######################################## -# -# kernel_read_virtual_memory_sysctl(domain) +## +## +## Allow caller to read sysctl virtual memory. +## +## +## +## +## +## +## +## +## +## # define(`kernel_read_virtual_memory_sysctl',` requires_block_template(`$0'_depend) @@ -711,8 +1123,18 @@ define(`kernel_read_virtual_memory_sysctl_depend',` ') ######################################## -# -# kernel_modify_virtual_memory_sysctl(domain) +## +## +## Allow caller to modify contents of sysctl virtual memory. +## +## +## Allows caller to modify sysctl virtual memory. +## +## +## The process type modifying sysctl virtual memory. +## +## +## # define(`kernel_modify_virtual_memory_sysctl',` requires_block_template(`$0'_depend) @@ -730,8 +1152,19 @@ define(`kernel_modify_virtual_memory_sysctl_depend',` ') ######################################## -# -# kernel_ignore_search_network_sysctl_dir(domain) +## +## +## Do not audit attempts by caller to search sysctl network directories. +## +## +## Causes attempts by the caller to search the sysctl network +## directories not to be audited. +## +## +## The process type not to audit. +## +## +## # define(`kernel_ignore_search_network_sysctl_dir',` requires_block_template(`$0'_depend) @@ -746,8 +1179,19 @@ define(`kernel_ignore_search_network_sysctl_dir_depend',` ') ######################################## -# -# kernel_read_network_sysctl(domain) +## +## +## Allow caller to read sysctl network files. +## +## +## +## +## +## The process type reading sysctl network files. +## +## +## +## # define(`kernel_read_network_sysctl',` requires_block_template(`$0'_depend) @@ -766,8 +1210,19 @@ define(`kernel_read_network_sysctl_depend',` ') ######################################## -# -# kernel_modify_network_sysctl(domain) + +## +## +## Allow caller to modiry contents of sysctl network files. +## +## +## +## +## +## The process type modifying sysctl network files. +## +## +## # define(`kernel_modify_network_sysctl',` requires_block_template(`$0'_depend) @@ -786,8 +1241,18 @@ define(`kernel_modify_network_sysctl_depend',` ') ######################################## -# -# kernel_read_unix_sysctl(domain) +## +## +## Allow caller to read unix sysctl files. +## +## +## +## +## +## The process type reading unix sysctl files. +## +## +## # define(`kernel_read_unix_sysctl',` requires_block_template(`$0'_depend) @@ -806,8 +1271,18 @@ define(`kernel_read_net_sysctl_depend',` ') ######################################## -# -# kernel_modify_unix_sysctl(domain) +## +## +## Allow caller to modify contents of unix sysctl files. +## +## +## +## +## +## The process type modifying contents of unix sysctl files. +## +## +## # define(`kernel_modify_unix_sysctl',` requires_block_template(`$0'_depend) @@ -826,8 +1301,18 @@ define(`kernel_modify_net_sysctl_depend',` ') ######################################## -# -# kernel_read_hotplug_sysctl(domain) +## +## +## Allow caller to read data from hotplug. +## +## +## +## +## +## The process type reading hotplug data. +## +## +## # define(`kernel_read_hotplug_sysctl',` requires_block_template(`$0'_depend) @@ -846,8 +1331,18 @@ define(`kernel_read_hotplug_sysctl_depend',` ') ######################################## -# -# kernel_modify_hotplug_sysctl(domain) +## +## +## Allow caller to modify hotplug sysctl data. +## +## +## +## +## +## The process type modifying hotplug sysctl data. +## +## +## # define(`kernel_modify_hotplug_sysctl',` requires_block_template(`$0'_depend) @@ -866,8 +1361,18 @@ define(`kernel_modify_hotplug_sysctl_depend',` ') ######################################## -# -# kernel_read_modprobe_sysctl(domain) +## +## +## Allow caller to read files containing modprobe information. +## +## +## +## +## +## The process domian reading modprobe information files. +## +## +## # define(`kernel_read_modprobe_sysctl',` requires_block_template(`$0'_depend) @@ -886,8 +1391,18 @@ define(`kernel_read_modprobe_sysctl_depend',` ') ######################################## -# -# kernel_modify_modprobe_sysctl(domain) +## +## +## Allow caller to modify files containing modprobe information. +## +## +## +## +## +## The process domian modifying modprobe information files. +## +## +## # define(`kernel_modify_modprobe_sysctl',` requires_block_template(`$0'_depend) @@ -906,8 +1421,18 @@ define(`kernel_modify_modprobe_sysctl_depend',` ') ######################################## -# -# kernel_read_kernel_sysctl(domain) +## +## +## Allow caller to read kernel sysctl files. +## +## +## +## +## +## The process type reading kernel sysctl files. +## +## +## # define(`kernel_read_kernel_sysctl',` requires_block_template(`$0'_depend) @@ -926,8 +1451,18 @@ define(`kernel_read_kernel_sysctl_depend',` ') ######################################## -# -# kernel_modify_kernel_sysctl(domain) +## +## +## Allow caller to modify kernel sysctl files. +## +## +## +## +## +## The process type modifying kernel sysctl files. +## +## +## # define(`kernel_modify_kernel_sysctl',` requires_block_template(`$0'_depend) @@ -946,8 +1481,18 @@ define(`kernel_modify_kernel_sysctl_depend',` ') ######################################## -# -# kernel_read_filesystem_sysctl(domain) +## +## +## Allow caller to read filesystem information. +## +## +## +## +## +## The process type reading filesystem information. +## +## +## # define(`kernel_read_filesystem_sysctl',` requires_block_template(`$0'_depend) @@ -968,6 +1513,18 @@ define(`kernel_read_filesystem_sysctl_depend',` ######################################## # # kernel_modify_filesystem_sysctl(domain) +## +## +## Allow caller to modify filesystem information. +## +## +## +## +## +## The process type modifying filesystem information. +## +## +## # define(`kernel_modify_filesystem_sysctl',` requires_block_template(`$0'_depend) @@ -986,8 +1543,18 @@ define(`kernel_modify_filesystem_sysctl_depend',` ') ######################################## -# -# kernel_read_irq_sysctl(domain) +## +## +## Allows caller to read interrupt request information. +## +## +## +## +## +## The process type reading interrupt request information. +## +## +## # define(`kernel_read_irq_sysctl',` requires_block_template(`$0'_depend) @@ -1005,8 +1572,19 @@ define(`kernel_read_irq_sysctl_depend',` ') ######################################## -# -# kernel_modify_irq_sysctl(domain) +## +## +## Allows caller to modify interrupt request information. +## +## +## +## +## +## The process type modifying interrupt request information. +## +## +## +## # define(`kernel_modify_irq_sysctl',` requires_block_template(`$0'_depend) @@ -1064,8 +1642,18 @@ define(`kernel_modify_rpc_sysctl_depend',` ') ######################################## -# -# kernel_read_all_sysctl(domain) +## +## +## Allow caller to read all sysctl information. +## +## +## +## +## +## The process type reading the information. +## +## +## # define(`kernel_read_all_sysctl',` kernel_read_device_sysctl($1) @@ -1081,8 +1669,18 @@ define(`kernel_read_all_sysctl',` ') ######################################## -# -# kernel_modify_all_sysctl(domain) +## +## +## Allow caller to modify all sysctl information. +## +## +## +## +## +## The process type modifying the information. +## +## +## # define(`kernel_modify_all_sysctl',` kernel_modify_device_sysctl($1) @@ -1121,8 +1719,18 @@ define(`kernel_search_hardware_state_dir_depend',` ') ######################################## -# -# kernel_read_hardware_state(domain) +## +## +## Allow caller to read hardware state information. +## +## +## +## +## +## The process type reading hardware state information. +## +## +## # define(`kernel_read_hardware_state',` requires_block_template(`$0'_depend) @@ -1140,8 +1748,18 @@ define(`kernel_read_hardware_state_depend',` ') ######################################## -# -# kernel_modify_hardware_config_option(domain) +## +## +## Allow caller to modify hardware state information. +## +## +## +## +## +## The process type modifying hardware state information. +## +## +## # define(`kernel_modify_hardware_config_option',` requires_block_template(`$0'_depend) @@ -1275,8 +1893,20 @@ define(`kernel_sigchld_unlabeled_process_depend',` ') ######################################## -# -# kernel_ignore_get_unlabeled_block_device_attributes(domain) +## +## +## Do not audit attempts by caller to get attributes for +## unlabeled block devices. +## +## +## Causes attempts by caller to get attributes on unlabeled +## block devices to not be auditted. +## +## +## The process type not to audit. +## +## +## # define(`kernel_ignore_get_unlabeled_block_device_attributes',` requires_block_template(`$0'_depend) @@ -1291,8 +1921,18 @@ define(`kernel_ignore_get_unlabeled_block_device_attributes_depend',` ') ######################################## -# -# kernel_relabel_unlabeled_object(domain) +## +## +## Allow caller to relabel unlabeled objects. +## +## +## +## +## +## The process type relabeling the objects. +## +## +## # define(`kernel_relabel_unlabeled_object',` requires_block_template(`$0'_depend) @@ -1336,8 +1976,18 @@ define(`kernel_search_usb_hardware_state_dir_depend',` ') ######################################## -# -# kernel_list_usb_hardware(domain) +## +## +## Allow caller to get a list of usb hardware. +## +## +## +## +## +## The process type getting the list. +## +## +## # define(`kernel_list_usb_hardware',` requires_block_template(`$0'_depend) @@ -1383,8 +2033,18 @@ define(`kernel_read_usb_hardware_state_depend',` ') ######################################## -# -# kernel_modify_usb_hardware_config_option(domain) +## +## +## Allow caller to modify usb hardware configuration files. +## +## +## +## +## +## The process type modifying the options. +## +## +## # define(`kernel_modify_usb_hardware_config_option',` requires_block_template(`$0'_depend) @@ -1412,8 +2072,18 @@ define(`kernel_modify_usb_hardware_config_option_depend',` ################################################################### ######################################## -# -# kernel_sigchld_from(domain) +## +## +## Receive sigchild from kernel. +## +## +## +## +## +## The process type receiving the signal. +## +## +## # define(`kernel_sigchld_from',` requires_block_template(`$0'_depend) @@ -1428,8 +2098,18 @@ define(`kernel_sigchld_from_depend',` ') ######################################## -# -# kernel_unlabeled_sigchld_from(domain) +## +## +## Receive sigchld from unlabeled processes. +## +## +## +## +## +## The process type receiving the signal. +## +## +## # define(`kernel_unlabeled_sigchld_from',` requires_block_template(`$0'_depend) @@ -1444,8 +2124,18 @@ define(`kernel_unlabeled_sigchld_from_depend',` ') ######################################## -# -# kernel_read_directory_from(domain) +## +## +## XXX FIXME +## +## +## +## +## +## +## +## +## # define(`kernel_read_directory_from',` requires_block_template(`$0'_depend) diff --git a/refpolicy/policy/modules/system/clock.if b/refpolicy/policy/modules/system/clock.if index 078b1e0..fa75c75 100644 --- a/refpolicy/policy/modules/system/clock.if +++ b/refpolicy/policy/modules/system/clock.if @@ -1,4 +1,4 @@ -## +## ## Policy for reading and setting the hardware clock. ######################################## @@ -67,9 +67,16 @@ define(`clock_transition_add_role_use_terminal_depend',` class chr_file { getattr read write ioctl }; ') -####################################### -# -# clock_execute(domain) +######################################## +## +## +## Execute hwclock +## +## +## The type of the process performing this action. +## +## +## # define(`clock_execute',` requires_block_template(`$0'_depend) @@ -83,9 +90,16 @@ define(`clock_execute_depend',` class file { getattr read execute execute_no_trans }; ') -####################################### -# -# clock_modify_drift_records(domain) +######################################## +## +## +## Allow executing domain to modify clock drift +## +## +## The type of the process performing this action. +## +## +## # define(`clock_modify_drift_records',` requires_block_template(`$0'_depend) diff --git a/refpolicy/policy/modules/system/getty.if b/refpolicy/policy/modules/system/getty.if index ce27732..d7a84f6 100644 --- a/refpolicy/policy/modules/system/getty.if +++ b/refpolicy/policy/modules/system/getty.if @@ -1,7 +1,16 @@ - -####################################### -# -# getty_transition(domain) +## +## Policy for getty. + +######################################## +## +## +## Execute gettys in the getty domain. +## +## +## The type of the process performing this action. +## +## +## # define(`getty_transition',` requires_block_template(`$0'_depend) @@ -26,9 +35,16 @@ define(`getty_transition_depend',` class fifo_file rw_file_perms; ') -####################################### -# -# getty_read_log_file(domain) +######################################## +## +## +## Allow process to read getty log file. +## +## +## The type of the process performing this action. +## +## +## # define(`getty_read_log_file',` requires_block_template(`$0'_depend) @@ -42,9 +58,16 @@ define(`getty_read_log_file_depend',` class file { getattr read }; ') -####################################### -# -# getty_read_config_file(domain) +######################################## +## +## +## Allow process to read getty config file. +## +## +## The type of the process performing this action. +## +## +## # define(`getty_read_config_file',` requires_block_template(`$0'_depend) @@ -58,9 +81,16 @@ define(`getty_read_config_file_depend',` class file { getattr read }; ') -####################################### -# -# getty_modify_config_file(domain) +######################################## +## +## +## Allow process to edit getty config file. +## +## +## The type of the process performing this action. +## +## +## # define(`getty_modify_config_file',` requires_block_template(`$0'_depend) @@ -73,3 +103,5 @@ define(`getty_modify_config_file_depend',` class file { getattr read write }; ') + +## diff --git a/refpolicy/policy/modules/system/hostname.if b/refpolicy/policy/modules/system/hostname.if index a1144fd..4efe979 100644 --- a/refpolicy/policy/modules/system/hostname.if +++ b/refpolicy/policy/modules/system/hostname.if @@ -1,4 +1,4 @@ -## +## ## Policy for changing the system host name. ######################################## @@ -69,6 +69,18 @@ define(`hostname_transition_add_role_use_terminal_depend',` class chr_file { getattr read write ioctl }; ') +######################################## +## +## +## Execute hostname in the hostname domain, and +## Has a sigchld signal backchannel. +## +## +## The type of the process performing this action. +## +## +## +# ####################################### # # hostname_execute(domain) diff --git a/refpolicy/policy/modules/system/locallogin.if b/refpolicy/policy/modules/system/locallogin.if index 66ee967..688e183 100644 --- a/refpolicy/policy/modules/system/locallogin.if +++ b/refpolicy/policy/modules/system/locallogin.if @@ -1,7 +1,16 @@ +## +## Policy for local logins. -####################################### -# -# locallogin_transition(domain) +######################################## +## +## +## Execute local logins in the locallogin domain. +## +## +## The type of the process performing this action. +## +## +## # define(`locallogin_transition',` requires_block_template(`$0'_depend) @@ -14,6 +23,17 @@ define(`locallogin_transition_depend',` ') ######################################## +## +## +## Allow processes to inherit local login file descriptors +## +## +## The type of the process performing this action. +## +## +## +# +######################################## # # locallogin_use_file_descriptors(domain) # @@ -28,3 +48,5 @@ define(`locallogin_use_file_descriptors_depend',` class fd use; ') + +## diff --git a/refpolicy/policy/modules/system/miscfiles.if b/refpolicy/policy/modules/system/miscfiles.if index 63c6501..d55dbe6 100644 --- a/refpolicy/policy/modules/system/miscfiles.if +++ b/refpolicy/policy/modules/system/miscfiles.if @@ -1,7 +1,20 @@ +## +## Miscelaneous files. ######################################## -# -# miscfiles_manage_man_page_cache(domain) +## +## +## Allow process to create files and dirs in /var/cache/man +## and /var/catman/ +## +## +## ... +## +## +## Type type of the process performing this action. +## +## +## # define(`miscfiles_manage_man_page_cache',` requires_block_template(`$0'_depend) @@ -19,8 +32,18 @@ define(`miscfiles_manage_man_page_cache_depend',` ') ######################################## -# -# miscfiles_read_fonts(domain) +## +## +## Allow process to read fonts files +## +## +## ... +## +## +## Type type of the process performing this action. +## +## +## # define(`miscfiles_read_fonts',` requires_block_template(`$0'_depend) @@ -40,8 +63,18 @@ define(`miscfiles_read_fonts_depend',` ') ######################################## -# -# miscfiles_read_localization(domain) +## +## +## Allow process to read localization info +## +## +## ... +## +## +## Type type of the process performing this action. +## +## +## # define(`miscfiles_read_localization',` requires_block_template(`$0'_depend) @@ -65,8 +98,18 @@ define(`miscfiles_read_localization_depend',` ') ######################################## -# -# miscfiles_legacy_read_localization(domain) +## +## +## Allow process to read legacy time localization info +## +## +## ... +## +## +## Type type of the process performing this action. +## +## +## # define(`miscfiles_legacy_read_localization',` requires_block_template(`$0'_depend) @@ -82,8 +125,18 @@ define(`miscfiles_read_localization_depend',` ') ######################################## -# -# miscfiles_read_man_pages(domain) +## +## +## Allow process to read manpages +## +## +## ... +## +## +## Type type of the process performing this action. +## +## +## # define(`miscfiles_read_man_pages',` requires_block_template(`$0'_depend) @@ -101,3 +154,5 @@ define(`miscfiles_read_man_pages_depend',` class file { getattr read }; class lnk_file { getattr read }; ') + +## diff --git a/refpolicy/policy/modules/system/mount.if b/refpolicy/policy/modules/system/mount.if index 413bc8b..11bcc8f 100644 --- a/refpolicy/policy/modules/system/mount.if +++ b/refpolicy/policy/modules/system/mount.if @@ -68,9 +68,16 @@ define(`mount_transition_add_role_use_terminal_depend',` class chr_file { getattr read write ioctl }; ') -####################################### -# -# mount_use_file_descriptors(domain) +######################################## +## +## +## Use file descriptors for mount. +## +## +## The type of the process performing this action. +## +## +## # define(`mount_use_file_descriptors',` requires_block_template(`$0'_depend) @@ -84,9 +91,17 @@ define(`mount_use_file_descriptors_depend',` class fd use; ') -####################################### -# -# mount_send_nfs_client_request(domain) +######################################## +## +## +## Allow the mount domain to send nfs requests for mounting +## network drives +## +## +## The type of the process performing this action. +## +## +## # define(`mount_send_nfs_client_request',` requires_block_template(`$0'_depend) diff --git a/refpolicy/policy/modules/system/sysnetwork.if b/refpolicy/policy/modules/system/sysnetwork.if index ad35f94..3a2a61c 100644 --- a/refpolicy/policy/modules/system/sysnetwork.if +++ b/refpolicy/policy/modules/system/sysnetwork.if @@ -1,9 +1,16 @@ ## ## Policy for network configuration: ifconfig and dhcp client. -######################################## -# -# sysnetwork_dhcpc_transition(domain) +####################################### +## +## +## Execute dhcp client in dhcpc domain. +## +## +## The type of the process performing this action. +## +## +## # define(`sysnetwork_dhcpc_transition',` requires_block_template(`$0'_depend) @@ -95,9 +102,16 @@ define(`sysnetwork_ifconfig_transition_add_role_use_terminal_depend',` class chr_file { getattr read write ioctl }; ') -######################################## -# -# sysnetwork_read_network_config(domain) +####################################### +## +## +## Allow network init to read network config files. +## +## +## The type of the process performing this action. +## +## +## # define(`sysnetwork_read_network_config',` requires_block_template(`$0'_depend) diff --git a/refpolicy/policy/modules/system/udev.if b/refpolicy/policy/modules/system/udev.if index 2beaa00..87313f3 100644 --- a/refpolicy/policy/modules/system/udev.if +++ b/refpolicy/policy/modules/system/udev.if @@ -1,7 +1,16 @@ +## +## Policy for udev. -####################################### -# -# udev_transition(domain) +######################################## +## +## +## Execute udev in the udev domain. +## +## +## The type of the process performing this action. +## +## +## # define(`udev_transition',` requires_block_template(`$0'_depend) @@ -27,8 +36,15 @@ define(`udev_transition_depend',` ') ######################################## -# -# udev_read_database(domain) +## +## +## Allow process to read list of devices. +## +## +## The type of the process performing this action. +## +## +## # define(`udev_read_database',` requires_block_template(`$0'_depend) @@ -43,8 +59,15 @@ define(`udev_read_database_depend',` ') ######################################## -# -# udev_modify_database(domain) +## +## +## Allow process to modify list of devices. +## +## +## The type of the process performing this action. +## +## +## # define(`udev_modify_database',` requires_block_template(`$0'_depend) @@ -57,3 +80,5 @@ define(`udev_modify_database_depend',` class file { getattr read write append }; ') + +##