diff --git a/refpolicy/Makefile b/refpolicy/Makefile index 66cd7df..09661b4 100644 --- a/refpolicy/Makefile +++ b/refpolicy/Makefile @@ -274,7 +274,6 @@ $(MODDIR)/kernel/corenetwork.if: $(MODDIR)/kernel/corenetwork.if.m4 $(MODDIR)/ke $(QUIET) egrep "^[[:blank:]]*network_(interface|node|port)\(.*\)" $(@:.if=.te).in \ | m4 $(M4PARAM) $(M4SUPPORT) $(MODDIR)/kernel/corenetwork.if.m4 - \ | sed -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@ - $(QUIET) echo "## " >> $@ $(MODDIR)/kernel/corenetwork.te: $(MODDIR)/kernel/corenetwork.te.m4 $(MODDIR)/kernel/corenetwork.te.in @echo "#" > $@ diff --git a/refpolicy/policy/modules/admin/dmesg.if b/refpolicy/policy/modules/admin/dmesg.if index 711d376..eebda7b 100644 --- a/refpolicy/policy/modules/admin/dmesg.if +++ b/refpolicy/policy/modules/admin/dmesg.if @@ -1,15 +1,12 @@ -## ## Policy for dmesg. ######################################## -## -## -## Execute dmesg in the dmesg domain. -## -## -## The type of the process performing this action. -## -## +## +## Execute dmesg in the dmesg domain. +## +## +## The type of the process performing this action. +## # interface(`dmesg_domtrans',` gen_require(` @@ -29,14 +26,12 @@ interface(`dmesg_domtrans',` ') ######################################## -## -## -## Execute dmesg in the caller domain. -## -## -## The type of the process performing this action. -## -## +## +## Execute dmesg in the caller domain. +## +## +## The type of the process performing this action. +## # interface(`dmesg_exec',` gen_require(` @@ -47,4 +42,3 @@ interface(`dmesg_exec',` can_exec($1,dmesg_exec_t) ') -## diff --git a/refpolicy/policy/modules/admin/metadata.xml b/refpolicy/policy/modules/admin/metadata.xml index 938c32d..e69de29 100644 --- a/refpolicy/policy/modules/admin/metadata.xml +++ b/refpolicy/policy/modules/admin/metadata.xml @@ -1 +0,0 @@ - diff --git a/refpolicy/policy/modules/admin/rpm.if b/refpolicy/policy/modules/admin/rpm.if index cf694fd..a6729a3 100644 --- a/refpolicy/policy/modules/admin/rpm.if +++ b/refpolicy/policy/modules/admin/rpm.if @@ -1,15 +1,12 @@ -## ## Policy for the RPM package manager. ######################################## -## -## -## Execute rpm programs in the rpm domain. -## -## -## The type of the process performing this action. -## -## +## +## Execute rpm programs in the rpm domain. +## +## +## The type of the process performing this action. +## # interface(`rpm_domtrans',` gen_require(` @@ -30,20 +27,18 @@ interface(`rpm_domtrans',` ') ######################################## -## -## -## Execute RPM programs in the RPM domain. -## -## -## The type of the process performing this action. -## -## -## The role to allow the RPM domain. -## -## -## The type of the terminal allow the RPM domain to use. -## -## +## +## Execute RPM programs in the RPM domain. +## +## +## The type of the process performing this action. +## +## +## The role to allow the RPM domain. +## +## +## The type of the terminal allow the RPM domain to use. +## # interface(`rpm_run',` gen_require(` @@ -58,14 +53,12 @@ interface(`rpm_run',` ') ######################################## -## -## -## Inherit and use file descriptors from RPM. -## -## -## The type of the process performing this action. -## -## +## +## Inherit and use file descriptors from RPM. +## +## +## The type of the process performing this action. +## # interface(`rpm_use_fd',` gen_require(` @@ -77,14 +70,12 @@ interface(`rpm_use_fd',` ') ######################################## -## -## -## Read from a RPM pipe. -## -## -## The type of the process performing this action. -## -## +## +## Read from a RPM pipe. +## +## +## The type of the process performing this action. +## # interface(`rpm_read_pipe',` gen_require(` @@ -96,14 +87,12 @@ interface(`rpm_read_pipe',` ') ######################################## -## -## -## Read RPM package database. -## -## -## The type of the process performing this action. -## -## +## +## Read RPM package database. +## +## +## The type of the process performing this action. +## # interface(`rpm_read_db',` gen_require(` @@ -135,4 +124,3 @@ interface(`rpm_manage_db',` allow $1 rpm_var_lib_t:lnk_file { getattr read write unlink }; ') -## diff --git a/refpolicy/policy/modules/admin/usermanage.if b/refpolicy/policy/modules/admin/usermanage.if index 7156052..ee03894 100644 --- a/refpolicy/policy/modules/admin/usermanage.if +++ b/refpolicy/policy/modules/admin/usermanage.if @@ -1,15 +1,12 @@ -## ## Policy for managing user accounts. ######################################## -## -## -## Execute chfn in the chfn domain. -## -## -## The type of the process performing this action. -## -## +## +## Execute chfn in the chfn domain. +## +## +## The type of the process performing this action. +## # interface(`usermanage_domtrans_chfn',` gen_require(` @@ -30,21 +27,19 @@ interface(`usermanage_domtrans_chfn',` ') ######################################## -## -## -## Execute chfn in the chfn domain, and -## allow the specified role the chfn domain. -## -## -## The type of the process performing this action. -## -## -## The role to be allowed the chfn domain. -## -## -## The type of the terminal allow the chfn domain to use. -## -## +## +## Execute chfn in the chfn domain, and +## allow the specified role the chfn domain. +## +## +## The type of the process performing this action. +## +## +## The role to be allowed the chfn domain. +## +## +## The type of the terminal allow the chfn domain to use. +## # interface(`usermanage_run_chfn',` gen_require(` @@ -58,14 +53,12 @@ interface(`usermanage_run_chfn',` ') ######################################## -## -## -## Execute groupadd in the groupadd domain. -## -## -## The type of the process performing this action. -## -## +## +## Execute groupadd in the groupadd domain. +## +## +## The type of the process performing this action. +## # interface(`usermanage_domtrans_groupadd',` gen_require(` @@ -86,21 +79,19 @@ interface(`usermanage_domtrans_groupadd',` ') ######################################## -## -## -## Execute groupadd in the groupadd domain, and -## allow the specified role the groupadd domain. -## -## -## The type of the process performing this action. -## -## -## The role to be allowed the groupadd domain. -## -## -## The type of the terminal allow the groupadd domain to use. -## -## +## +## Execute groupadd in the groupadd domain, and +## allow the specified role the groupadd domain. +## +## +## The type of the process performing this action. +## +## +## The role to be allowed the groupadd domain. +## +## +## The type of the terminal allow the groupadd domain to use. +## # interface(`usermanage_run_groupadd',` gen_require(` @@ -114,14 +105,12 @@ interface(`usermanage_run_groupadd',` ') ######################################## -## -## -## Execute passwd in the passwd domain. -## -## -## The type of the process performing this action. -## -## +## +## Execute passwd in the passwd domain. +## +## +## The type of the process performing this action. +## # interface(`usermanage_domtrans_passwd',` gen_require(` @@ -142,21 +131,19 @@ interface(`usermanage_domtrans_passwd',` ') ######################################## -## -## -## Execute passwd in the passwd domain, and -## allow the specified role the passwd domain. -## -## -## The type of the process performing this action. -## -## -## The role to be allowed the passwd domain. -## -## -## The type of the terminal allow the passwd domain to use. -## -## +## +## Execute passwd in the passwd domain, and +## allow the specified role the passwd domain. +## +## +## The type of the process performing this action. +## +## +## The role to be allowed the passwd domain. +## +## +## The type of the terminal allow the passwd domain to use. +## # interface(`usermanage_run_passwd',` gen_require(` @@ -170,14 +157,12 @@ interface(`usermanage_run_passwd',` ') ######################################## -## -## -## Execute useradd in the useradd domain. -## -## -## The type of the process performing this action. -## -## +## +## Execute useradd in the useradd domain. +## +## +## The type of the process performing this action. +## # interface(`usermanage_domtrans_useradd',` gen_require(` @@ -198,21 +183,19 @@ interface(`usermanage_domtrans_useradd',` ') ######################################## -## -## -## Execute useradd in the useradd domain, and -## allow the specified role the useradd domain. -## -## -## The type of the process performing this action. -## -## -## The role to be allowed the useradd domain. -## -## -## The type of the terminal allow the useradd domain to use. -## -## +## +## Execute useradd in the useradd domain, and +## allow the specified role the useradd domain. +## +## +## The type of the process performing this action. +## +## +## The role to be allowed the useradd domain. +## +## +## The type of the terminal allow the useradd domain to use. +## # interface(`usermanage_run_useradd',` gen_require(` @@ -225,4 +208,3 @@ interface(`usermanage_run_useradd',` allow useradd_t $3:chr_file rw_term_perms; ') -## diff --git a/refpolicy/policy/modules/apps/gpg.if b/refpolicy/policy/modules/apps/gpg.if index 04304ca..2f0ea69 100644 --- a/refpolicy/policy/modules/apps/gpg.if +++ b/refpolicy/policy/modules/apps/gpg.if @@ -1,28 +1,26 @@ -## ## Policy for GNU Privacy Guard and related programs. ####################################### -## -## diff --git a/refpolicy/policy/modules/apps/metadata.xml b/refpolicy/policy/modules/apps/metadata.xml index 21fbc10..e69de29 100644 --- a/refpolicy/policy/modules/apps/metadata.xml +++ b/refpolicy/policy/modules/apps/metadata.xml @@ -1 +0,0 @@ - diff --git a/refpolicy/policy/modules/kernel/bootloader.if b/refpolicy/policy/modules/kernel/bootloader.if index a531cf9..920b229 100644 --- a/refpolicy/policy/modules/kernel/bootloader.if +++ b/refpolicy/policy/modules/kernel/bootloader.if @@ -1,15 +1,12 @@ -## ## Policy for the kernel modules, kernel image, and bootloader. ######################################## -## -## -## Execute bootloader in the bootloader domain. -## -## -## The type of the process performing this action. -## -## +## +## Execute bootloader in the bootloader domain. +## +## +## The type of the process performing this action. +## # interface(`bootloader_domtrans',` gen_require(` @@ -28,21 +25,19 @@ interface(`bootloader_domtrans',` ') ######################################## -## -## -## Execute bootloader interactively and do -## a domain transition to the bootloader domain. -## -## -## The type of the process performing this action. -## -## -## The role to be allowed the bootloader domain. -## -## -## The type of the terminal allow the bootloader domain to use. -## -## +## +## Execute bootloader interactively and do +## a domain transition to the bootloader domain. +## +## +## The type of the process performing this action. +## +## +## The role to be allowed the bootloader domain. +## +## +## The type of the terminal allow the bootloader domain to use. +## # interface(`bootloader_run',` gen_require(` @@ -57,14 +52,12 @@ interface(`bootloader_run',` ') ######################################## -## -## -## Search the /boot directory. -## -## -## The type of the process performing this action. -## -## +## +## Search the /boot directory. +## +## +## The type of the process performing this action. +## # interface(`bootloader_search_boot_dir',` gen_require(` @@ -76,14 +69,12 @@ interface(`bootloader_search_boot_dir',` ') ######################################## -## -## -## Do not audit attempts to search the /boot directory. -## -## -## The type of the process performing this action. -## -## +## +## Do not audit attempts to search the /boot directory. +## +## +## The type of the process performing this action. +## # interface(`bootloader_dontaudit_search_boot',` gen_require(` @@ -95,15 +86,13 @@ interface(`bootloader_dontaudit_search_boot',` ') ######################################## -## -## -## Read and write symbolic links -## in the /boot directory. -## -## -## The type of the process performing this action. -## -## +## +## Read and write symbolic links +## in the /boot directory. +## +## +## The type of the process performing this action. +## # interface(`bootloader_rw_boot_symlinks',` gen_require(` @@ -117,14 +106,12 @@ interface(`bootloader_rw_boot_symlinks',` ') ######################################## -## -## -## Install a kernel into the /boot directory. -## -## -## The type of the process performing this action. -## -## +## +## Install a kernel into the /boot directory. +## +## +## The type of the process performing this action. +## # interface(`bootloader_create_kernel',` gen_require(` @@ -140,14 +127,12 @@ interface(`bootloader_create_kernel',` ') ######################################## -## -## -## Install a system.map into the /boot directory. -## -## -## The type of the process performing this action. -## -## +## +## Install a system.map into the /boot directory. +## +## +## The type of the process performing this action. +## # interface(`bootloader_create_kernel_symbol_table',` gen_require(` @@ -161,14 +146,12 @@ interface(`bootloader_create_kernel_symbol_table',` ') ######################################## -## -## -## Read system.map in the /boot directory. -## -## -## The type of the process performing this action. -## -## +## +## Read system.map in the /boot directory. +## +## +## The type of the process performing this action. +## # interface(`bootloader_read_kernel_symbol_table',` gen_require(` @@ -182,14 +165,12 @@ interface(`bootloader_read_kernel_symbol_table',` ') ######################################## -## -## -## Delete a kernel from /boot. -## -## -## The type of the process performing this action. -## -## +## +## Delete a kernel from /boot. +## +## +## The type of the process performing this action. +## # interface(`bootloader_delete_kernel',` gen_require(` @@ -203,14 +184,12 @@ interface(`bootloader_delete_kernel',` ') ######################################## -## -## -## Delete a system.map in the /boot directory. -## -## -## The type of the process performing this action. -## -## +## +## Delete a system.map in the /boot directory. +## +## +## The type of the process performing this action. +## # interface(`bootloader_delete_kernel_symbol_table',` gen_require(` @@ -224,14 +203,12 @@ interface(`bootloader_delete_kernel_symbol_table',` ') ######################################## -## -## -## Read the bootloader configuration file. -## -## -## The type of the process performing this action. -## -## +## +## Read the bootloader configuration file. +## +## +## The type of the process performing this action. +## # interface(`bootloader_read_config',` gen_require(` @@ -243,15 +220,13 @@ interface(`bootloader_read_config',` ') ######################################## -## -## -## Read and write the bootloader -## configuration file. -## -## -## The type of the process performing this action. -## -## +## +## Read and write the bootloader +## configuration file. +## +## +## The type of the process performing this action. +## # interface(`bootloader_rw_config',` gen_require(` @@ -263,15 +238,13 @@ interface(`bootloader_rw_config',` ') ######################################## -## -## -## Read and write the bootloader -## temporary data in /tmp. -## -## -## The type of the process performing this action. -## -## +## +## Read and write the bootloader +## temporary data in /tmp. +## +## +## The type of the process performing this action. +## # interface(`bootloader_rw_tmp_file',` gen_require(` @@ -284,15 +257,13 @@ interface(`bootloader_rw_tmp_file',` ') ######################################## -## -## -## Read and write the bootloader -## temporary data in /tmp. -## -## -## The type of the process performing this action. -## -## +## +## Read and write the bootloader +## temporary data in /tmp. +## +## +## The type of the process performing this action. +## # interface(`bootloader_create_runtime_file',` gen_require(` @@ -307,14 +278,12 @@ interface(`bootloader_create_runtime_file',` ') ######################################## -## -## -## List the contents of the kernel module directories. -## -## -## The type of the process performing this action. -## -## +## +## List the contents of the kernel module directories. +## +## +## The type of the process performing this action. +## # interface(`bootloader_list_kernel_modules',` gen_require(` @@ -326,14 +295,12 @@ interface(`bootloader_list_kernel_modules',` ') ######################################## -## -## -## Read kernel module files. -## -## -## The type of the process performing this action. -## -## +## +## Read kernel module files. +## +## +## The type of the process performing this action. +## # interface(`bootloader_read_kernel_modules',` gen_require(` @@ -349,14 +316,12 @@ interface(`bootloader_read_kernel_modules',` ') ######################################## -## -## -## Write kernel module files. -## -## -## The type of the process performing this action. -## -## +## +## Write kernel module files. +## +## +## The type of the process performing this action. +## # interface(`bootloader_write_kernel_modules',` gen_require(` @@ -373,15 +338,13 @@ interface(`bootloader_write_kernel_modules',` ') ######################################## -## -## -## Create, read, write, and delete -## kernel module files. -## -## -## The type of the process performing this action. -## -## +## +## Create, read, write, and delete +## kernel module files. +## +## +## The type of the process performing this action. +## # interface(`bootloader_manage_kernel_modules',` gen_require(` @@ -417,4 +380,3 @@ interface(`bootloader_create_private_module_dir_entry',` ') ') -## diff --git a/refpolicy/policy/modules/kernel/corenetwork.if.in b/refpolicy/policy/modules/kernel/corenetwork.if.in index 3095b84..7b58812 100644 --- a/refpolicy/policy/modules/kernel/corenetwork.if.in +++ b/refpolicy/policy/modules/kernel/corenetwork.if.in @@ -1,16 +1,13 @@ -## ## Policy controlling access to network objects ######################################## -## -## -## Send and receive TCP network traffic on the general interfaces. -## -## -## The type of the process performing this action. -## -## -## +## +## Send and receive TCP network traffic on the general interfaces. +## +## +## The type of the process performing this action. +## +## # interface(`corenet_tcp_sendrecv_generic_if',` gen_require(` diff --git a/refpolicy/policy/modules/kernel/corenetwork.if.m4 b/refpolicy/policy/modules/kernel/corenetwork.if.m4 index 9d6d84d..9771003 100644 --- a/refpolicy/policy/modules/kernel/corenetwork.if.m4 +++ b/refpolicy/policy/modules/kernel/corenetwork.if.m4 @@ -6,15 +6,13 @@ define(`create_netif_interfaces',`` ######################################## -## -## -## Send and receive TCP network traffic on the $1 interface. -## -## -## The type of the process performing this action. -## -## -## +## +## Send and receive TCP network traffic on the $1 interface. +## +## +## The type of the process performing this action. +## +## # interface(`corenet_tcp_sendrecv_$1',` gen_require(` @@ -26,15 +24,13 @@ interface(`corenet_tcp_sendrecv_$1',` ') ######################################## -## -## -## Send UDP network traffic on the $1 interface. -## -## -## The type of the process performing this action. -## -## -## +## +## Send UDP network traffic on the $1 interface. +## +## +## The type of the process performing this action. +## +## # interface(`corenet_udp_send_$1',` gen_require(` @@ -46,15 +42,13 @@ interface(`corenet_udp_send_$1',` ') ######################################## -## -## -## Receive UDP network traffic on the $1 interface. -## -## -## The type of the process performing this action. -## -## -## +## +## Receive UDP network traffic on the $1 interface. +## +## +## The type of the process performing this action. +## +## # interface(`corenet_udp_receive_$1',` gen_require(` @@ -66,15 +60,13 @@ interface(`corenet_udp_receive_$1',` ') ######################################## -## -## -## Send and receive UDP network traffic on the $1 interface. -## -## -## The type of the process performing this action. -## -## -## +## +## Send and receive UDP network traffic on the $1 interface. +## +## +## The type of the process performing this action. +## +## # interface(`corenet_udp_sendrecv_$1',` corenet_udp_send_$1(dollarsone) @@ -82,15 +74,13 @@ interface(`corenet_udp_sendrecv_$1',` ') ######################################## -## -## -## Send raw IP packets on the $1 interface. -## -## -## The type of the process performing this action. -## -## -## +## +## Send raw IP packets on the $1 interface. +## +## +## The type of the process performing this action. +## +## # interface(`corenet_raw_send_$1',` gen_require(` @@ -104,15 +94,13 @@ interface(`corenet_raw_send_$1',` ') ######################################## -## -## -## Receive raw IP packets on the $1 interface. -## -## -## The type of the process performing this action. -## -## -## +## +## Receive raw IP packets on the $1 interface. +## +## +## The type of the process performing this action. +## +## # interface(`corenet_raw_receive_$1',` gen_require(` @@ -124,15 +112,13 @@ interface(`corenet_raw_receive_$1',` ') ######################################## -## -## -## Send and receive raw IP packets on the $1 interface. -## -## -## The type of the process performing this action. -## -## -## +## +## Send and receive raw IP packets on the $1 interface. +## +## +## The type of the process performing this action. +## +## # interface(`corenet_raw_sendrecv_$1',` corenet_raw_send_$1(dollarsone) @@ -148,15 +134,13 @@ interface(`corenet_raw_sendrecv_$1',` define(`create_node_interfaces',`` ######################################## -## -## -## Send and receive TCP traffic on the $1 node. -## -## -## The type of the process performing this action. -## -## -## +## +## Send and receive TCP traffic on the $1 node. +## +## +## The type of the process performing this action. +## +## # interface(`corenet_tcp_sendrecv_$1_node',` gen_require(` @@ -168,15 +152,13 @@ interface(`corenet_tcp_sendrecv_$1_node',` ') ######################################## -## -## -## Send UDP traffic on the $1 node. -## -## -## The type of the process performing this action. -## -## -## +## +## Send UDP traffic on the $1 node. +## +## +## The type of the process performing this action. +## +## # interface(`corenet_udp_send_$1_node',` gen_require(` @@ -188,15 +170,13 @@ interface(`corenet_udp_send_$1_node',` ') ######################################## -## -## -## Receive UDP traffic on the $1 node. -## -## -## The type of the process performing this action. -## -## -## +## +## Receive UDP traffic on the $1 node. +## +## +## The type of the process performing this action. +## +## # interface(`corenet_udp_receive_$1_node',` gen_require(` @@ -208,15 +188,13 @@ interface(`corenet_udp_receive_$1_node',` ') ######################################## -## -## -## Send and receive UDP traffic on the $1 node. -## -## -## The type of the process performing this action. -## -## -## +## +## Send and receive UDP traffic on the $1 node. +## +## +## The type of the process performing this action. +## +## # interface(`corenet_udp_sendrecv_$1_node',` corenet_udp_send_$1_node(dollarsone) @@ -224,15 +202,13 @@ interface(`corenet_udp_sendrecv_$1_node',` ') ######################################## -## -## -## Send raw IP packets on the $1 node. -## -## -## The type of the process performing this action. -## -## -## +## +## Send raw IP packets on the $1 node. +## +## +## The type of the process performing this action. +## +## # interface(`corenet_raw_send_$1_node',` gen_require(` @@ -244,15 +220,13 @@ interface(`corenet_raw_send_$1_node',` ') ######################################## -## -## -## Receive raw IP packets on the $1 node. -## -## -## The type of the process performing this action. -## -## -## +## +## Receive raw IP packets on the $1 node. +## +## +## The type of the process performing this action. +## +## # interface(`corenet_raw_receive_$1_node',` gen_require(` @@ -264,15 +238,13 @@ interface(`corenet_raw_receive_$1_node',` ') ######################################## -## -## -## Send and receive raw IP packets on the $1 node. -## -## -## The type of the process performing this action. -## -## -## +## +## Send and receive raw IP packets on the $1 node. +## +## +## The type of the process performing this action. +## +## # interface(`corenet_raw_sendrecv_$1_node',` corenet_raw_send_$1_node(dollarsone) @@ -280,15 +252,13 @@ interface(`corenet_raw_sendrecv_$1_node',` ') ######################################## -## -## -## Bind TCP sockets to node $1. -## -## -## The type of the process performing this action. -## -## -## +## +## Bind TCP sockets to node $1. +## +## +## The type of the process performing this action. +## +## # interface(`corenet_tcp_bind_$1_node',` gen_require(` @@ -300,15 +270,13 @@ interface(`corenet_tcp_bind_$1_node',` ') ######################################## -## -## -## Bind UDP sockets to the $1 node. -## -## -## The type of the process performing this action. -## -## -## +## +## Bind UDP sockets to the $1 node. +## +## +## The type of the process performing this action. +## +## # interface(`corenet_udp_bind_$1_node',` gen_require(` @@ -328,15 +296,13 @@ interface(`corenet_udp_bind_$1_node',` define(`create_port_interfaces',`` ######################################## -## -## -## Send and receive TCP traffic on the $1 port. -## -## -## The type of the process performing this action. -## -## -## +## +## Send and receive TCP traffic on the $1 port. +## +## +## The type of the process performing this action. +## +## # interface(`corenet_tcp_sendrecv_$1_port',` gen_require(` @@ -348,15 +314,13 @@ interface(`corenet_tcp_sendrecv_$1_port',` ') ######################################## -## -## -## Send UDP traffic on the $1 port. -## -## -## The type of the process performing this action. -## -## -## +## +## Send UDP traffic on the $1 port. +## +## +## The type of the process performing this action. +## +## # interface(`corenet_udp_send_$1_port',` gen_require(` @@ -368,15 +332,13 @@ interface(`corenet_udp_send_$1_port',` ') ######################################## -## -## -## Receive UDP traffic on the $1 port. -## -## -## The type of the process performing this action. -## -## -## +## +## Receive UDP traffic on the $1 port. +## +## +## The type of the process performing this action. +## +## # interface(`corenet_udp_receive_$1_port',` gen_require(` @@ -388,15 +350,13 @@ interface(`corenet_udp_receive_$1_port',` ') ######################################## -## -## -## Send and receive UDP traffic on the $1 port. -## -## -## The type of the process performing this action. -## -## -## +## +## Send and receive UDP traffic on the $1 port. +## +## +## The type of the process performing this action. +## +## # interface(`corenet_udp_sendrecv_$1_port',` corenet_udp_send_$1_port(dollarsone) @@ -404,15 +364,13 @@ interface(`corenet_udp_sendrecv_$1_port',` ') ######################################## -## -## -## Bind TCP sockets to the $1 port. -## -## -## The type of the process performing this action. -## -## -## +## +## Bind TCP sockets to the $1 port. +## +## +## The type of the process performing this action. +## +## # interface(`corenet_tcp_bind_$1_port',` gen_require(` @@ -425,15 +383,13 @@ interface(`corenet_tcp_bind_$1_port',` ') ######################################## -## -## -## Bind UDP sockets to the $1 port. -## -## -## The type of the process performing this action. -## -## -## +## +## Bind UDP sockets to the $1 port. +## +## +## The type of the process performing this action. +## +## # interface(`corenet_udp_bind_$1_port',` gen_require(` diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if index f2bdd40..516dfd3 100644 --- a/refpolicy/policy/modules/kernel/devices.if +++ b/refpolicy/policy/modules/kernel/devices.if @@ -1,40 +1,37 @@ -## ## -## Device nodes and interfaces for many basic system devices. +## Device nodes and interfaces for many basic system devices. ## ## -##

-## This module creates the device node concept and provides -## the policy for many of the device files. Notable exceptions are -## the mass storage and terminal devices that are covered by other -## modules. -##

-##

-## This module creates the concept of a device node. That is a -## char or block device file, usually in /dev. All types that -## are used to label device nodes should use the dev_node macro. -##

-##

-## Additionally, this module controls access to three things: -##

    -##
  • the device directories containing device nodes
    • -##
  • device nodes as a group
    • -##
  • individual access to specific device nodes covered by -## this module.
    • -##
-##

+##

+## This module creates the device node concept and provides +## the policy for many of the device files. Notable exceptions are +## the mass storage and terminal devices that are covered by other +## modules. +##

+##

+## This module creates the concept of a device node. That is a +## char or block device file, usually in /dev. All types that +## are used to label device nodes should use the dev_node macro. +##

+##

+## Additionally, this module controls access to three things: +##

    +##
  • the device directories containing device nodes
    • +##
  • device nodes as a group
    • +##
  • individual access to specific device nodes covered by +## this module.
    • +##
+##

## ######################################## -## -## -## Make the passed in type a type appropriate for -## use on device nodes (usually files in /dev). -## -## -## The object type that will be used on device nodes. -## -## +## +## Make the passed in type a type appropriate for +## use on device nodes (usually files in /dev). +## +## +## The object type that will be used on device nodes. +## # interface(`dev_node',` gen_require(` @@ -51,14 +48,12 @@ interface(`dev_node',` ') ######################################## -## -## -## Allow full relabeling (to and from) of all device nodes. -## -## -## Domain allowed to relabel. -## -## +## +## Allow full relabeling (to and from) of all device nodes. +## +## +## Domain allowed to relabel. +## # interface(`dev_relabel_all_dev_nodes',` gen_require(` @@ -83,14 +78,12 @@ interface(`dev_relabel_all_dev_nodes',` ') ######################################## -## -## -## List all of the device nodes in a device directory. -## -## -## Domain allowed to list device nodes. -## -## +## +## List all of the device nodes in a device directory. +## +## +## Domain allowed to list device nodes. +## # interface(`dev_list_all_dev_nodes',` gen_require(` @@ -104,14 +97,12 @@ interface(`dev_list_all_dev_nodes',` ') ######################################## -## -## -## Dontaudit attempts to list all device nodes. -## -## -## Domain to dontaudit listing of device nodes. -## -## +## +## Dontaudit attempts to list all device nodes. +## +## +## Domain to dontaudit listing of device nodes. +## # interface(`dev_dontaudit_list_all_dev_nodes',` gen_require(` @@ -123,14 +114,12 @@ interface(`dev_dontaudit_list_all_dev_nodes',` ') ######################################## -## -## -## Create a directory in the device directory. -## -## -## Domain allowed to create the directory. -## -## +## +## Create a directory in the device directory. +## +## +## Domain allowed to create the directory. +## # interface(`dev_create_dir',` gen_require(` @@ -142,14 +131,12 @@ interface(`dev_create_dir',` ') ######################################## -## -## -## Allow full relabeling (to and from) of directories in /dev. -## -## -## Domain allowed to relabel. -## -## +## +## Allow full relabeling (to and from) of directories in /dev. +## +## +## Domain allowed to relabel. +## # interface(`dev_relabel_dev_dirs',` gen_require(` @@ -161,14 +148,12 @@ interface(`dev_relabel_dev_dirs',` ') ######################################## -## -## -## Dontaudit getattr on generic pipes. -## -## -## Domain to dontaudit. -## -## +## +## Dontaudit getattr on generic pipes. +## +## +## Domain to dontaudit. +## # interface(`dev_dontaudit_getattr_generic_pipe',` gen_require(` @@ -180,14 +165,12 @@ interface(`dev_dontaudit_getattr_generic_pipe',` ') ######################################## -## -## -## Allow getattr on generic block devices. -## -## -## Domain allowed access. -## -## +## +## Allow getattr on generic block devices. +## +## +## Domain allowed access. +## # interface(`dev_getattr_generic_blk_file',` gen_require(` @@ -201,14 +184,12 @@ interface(`dev_getattr_generic_blk_file',` ') ######################################## -## -## -## Dontaudit getattr on generic block devices. -## -## -## Domain to dontaudit access. -## -## +## +## Dontaudit getattr on generic block devices. +## +## +## Domain to dontaudit access. +## # interface(`dev_dontaudit_getattr_generic_blk_file',` gen_require(` @@ -220,14 +201,12 @@ interface(`dev_dontaudit_getattr_generic_blk_file',` ') ######################################## -## -## -## Dontaudit setattr on generic block devices. -## -## -## Domain to dontaudit access. -## -## +## +## Dontaudit setattr on generic block devices. +## +## +## Domain to dontaudit access. +## # interface(`dev_dontaudit_setattr_generic_blk_file',` gen_require(` @@ -239,15 +218,13 @@ interface(`dev_dontaudit_setattr_generic_blk_file',` ') ######################################## -## -## -## Allow read, write, create, and delete for generic -## block files. -## -## -## Domain allowed access. -## -## +## +## Allow read, write, create, and delete for generic +## block files. +## +## +## Domain allowed access. +## # interface(`dev_manage_generic_blk_file',` gen_require(` @@ -260,14 +237,12 @@ interface(`dev_manage_generic_blk_file',` ') ######################################## -## -## -## Allow read, write, and create for generic character device files. -## -## -## Domain allowed access. -## -## +## +## Allow read, write, and create for generic character device files. +## +## +## Domain allowed access. +## # interface(`dev_create_generic_chr_file',` gen_require(` @@ -284,14 +259,12 @@ interface(`dev_create_generic_chr_file',` ') ######################################## -## -## -## Allow getattr for generic character device files. -## -## -## Domain allowed access. -## -## +## +## Allow getattr for generic character device files. +## +## +## Domain allowed access. +## # interface(`dev_getattr_generic_chr_file',` gen_require(` @@ -305,14 +278,12 @@ interface(`dev_getattr_generic_chr_file',` ') ######################################## -## -## -## Dontaudit getattr for generic character device files. -## -## -## Domain to dontaudit access. -## -## +## +## Dontaudit getattr for generic character device files. +## +## +## Domain to dontaudit access. +## # interface(`dev_dontaudit_getattr_generic_chr_file',` gen_require(` @@ -324,14 +295,12 @@ interface(`dev_dontaudit_getattr_generic_chr_file',` ') ######################################## -## -## -## Dontaudit setattr for generic character device files. -## -## -## Domain to dontaudit access. -## -## +## +## Dontaudit setattr for generic character device files. +## +## +## Domain to dontaudit access. +## # interface(`dev_dontaudit_setattr_generic_chr_file',` gen_require(` @@ -343,14 +312,12 @@ interface(`dev_dontaudit_setattr_generic_chr_file',` ') ######################################## -## -## -## Delete symbolic links in device directories. -## -## -## Domain allowed access. -## -## +## +## Delete symbolic links in device directories. +## +## +## Domain allowed access. +## # interface(`dev_del_generic_symlinks',` gen_require(` @@ -364,14 +331,12 @@ interface(`dev_del_generic_symlinks',` ') ######################################## -## -## -## Create, delete, read, and write symbolic links in device directories. -## -## -## Domain allowed access. -## -## +## +## Create, delete, read, and write symbolic links in device directories. +## +## +## Domain allowed access. +## # interface(`dev_manage_generic_symlinks',` gen_require(` @@ -385,14 +350,12 @@ interface(`dev_manage_generic_symlinks',` ') ######################################## -## -## -## Create, delete, read, and write device nodes in device directories. -## -## -## Domain allowed access. -## -## +## +## Create, delete, read, and write device nodes in device directories. +## +## +## Domain allowed access. +## # interface(`dev_manage_dev_nodes',` gen_require(` @@ -423,14 +386,12 @@ interface(`dev_manage_dev_nodes',` ') ######################################## -## -## -## Dontaudit getattr for generic device files. -## -## -## Domain to dontaudit access. -## -## +## +## Dontaudit getattr for generic device files. +## +## +## Domain to dontaudit access. +## # interface(`dev_dontaudit_rw_generic_dev_nodes',` gen_require(` @@ -443,14 +404,12 @@ interface(`dev_dontaudit_rw_generic_dev_nodes',` ') ######################################## -## -## -## Create, delete, read, and write block device files. -## -## -## Domain allowed access. -## -## +## +## Create, delete, read, and write block device files. +## +## +## Domain allowed access. +## # interface(`dev_manage_generic_blk_file',` gen_require(` @@ -464,14 +423,12 @@ interface(`dev_manage_generic_blk_file',` ') ######################################## -## -## -## Create, delete, read, and write character device files. -## -## -## Domain allowed access. -## -## +## +## Create, delete, read, and write character device files. +## +## +## Domain allowed access. +## # interface(`dev_manage_generic_chr_file',` gen_require(` @@ -485,22 +442,20 @@ interface(`dev_manage_generic_chr_file',` ') ######################################## -## -## -## Create, read, and write device nodes. The node -## will be transitioned to the type provided. -## -## -## Domain allowed access. -## -## -## Type to which the created node will be transitioned. -## -## -## Object class(es) (single or set including {}) for which this -## the transition will occur. -## -## +## +## Create, read, and write device nodes. The node +## will be transitioned to the type provided. +## +## +## Domain allowed access. +## +## +## Type to which the created node will be transitioned. +## +## +## Object class(es) (single or set including {}) for which this +## the transition will occur. +## # interface(`dev_create_dev_node',` gen_require(` @@ -517,14 +472,12 @@ interface(`dev_create_dev_node',` ') ######################################## -## -## -## Getattr on all block file device nodes. -## -## -## Domain allowed access. -## -## +## +## Getattr on all block file device nodes. +## +## +## Domain allowed access. +## # interface(`dev_getattr_all_blk_files',` gen_require(` @@ -538,14 +491,12 @@ interface(`dev_getattr_all_blk_files',` ') ######################################## -## -## -## Dontaudit getattr on all block file device nodes. -## -## -## Domain to dontaudit access. -## -## +## +## Dontaudit getattr on all block file device nodes. +## +## +## Domain to dontaudit access. +## # interface(`dev_dontaudit_getattr_all_blk_files',` gen_require(` @@ -557,14 +508,12 @@ interface(`dev_dontaudit_getattr_all_blk_files',` ') ######################################## -## -## -## Getattr on all character file device nodes. -## -## -## Domain allowed access. -## -## +## +## Getattr on all character file device nodes. +## +## +## Domain allowed access. +## # interface(`dev_getattr_all_chr_files',` gen_require(` @@ -578,14 +527,12 @@ interface(`dev_getattr_all_chr_files',` ') ######################################## -## -## -## Dontaudit getattr on all character file device nodes. -## -## -## Domain to dontaudit access. -## -## +## +## Dontaudit getattr on all character file device nodes. +## +## +## Domain to dontaudit access. +## # interface(`dev_dontaudit_getattr_all_chr_files',` gen_require(` @@ -597,14 +544,12 @@ interface(`dev_dontaudit_getattr_all_chr_files',` ') ######################################## -## -## -## Setattr on all block file device nodes. -## -## -## Domain allowed access. -## -## +## +## Setattr on all block file device nodes. +## +## +## Domain allowed access. +## # interface(`dev_setattr_all_blk_files',` gen_require(` @@ -618,14 +563,12 @@ interface(`dev_setattr_all_blk_files',` ') ######################################## -## -## -## Setattr on all character file device nodes. -## -## -## Domain allowed access. -## -## +## +## Setattr on all character file device nodes. +## +## +## Domain allowed access. +## # interface(`dev_setattr_all_chr_files',` gen_require(` @@ -639,14 +582,12 @@ interface(`dev_setattr_all_chr_files',` ') ######################################## -## -## -## Read, write, create, and delete all block device files. -## -## -## Domain allowed access. -## -## +## +## Read, write, create, and delete all block device files. +## +## +## Domain allowed access. +## # interface(`dev_manage_all_blk_files',` gen_require(` @@ -666,14 +607,12 @@ interface(`dev_manage_all_blk_files',` ') ######################################## -## -## -## Read, write, create, and delete all character device files. -## -## -## Domain allowed access. -## -## +## +## Read, write, create, and delete all character device files. +## +## +## Domain allowed access. +## # interface(`dev_manage_all_chr_files',` gen_require(` @@ -689,14 +628,12 @@ interface(`dev_manage_all_chr_files',` ') ######################################## -## -## -## Read raw memory devices (e.g. /dev/mem). -## -## -## Domain allowed access. -## -## +## +## Read raw memory devices (e.g. /dev/mem). +## +## +## Domain allowed access. +## # interface(`dev_read_raw_memory',` gen_require(` @@ -715,14 +652,12 @@ interface(`dev_read_raw_memory',` ') ######################################## -## -## -## Write raw memory devices (e.g. /dev/mem). -## -## -## Domain allowed access. -## -## +## +## Write raw memory devices (e.g. /dev/mem). +## +## +## Domain allowed access. +## # interface(`dev_write_raw_memory',` gen_require(` @@ -741,14 +676,12 @@ interface(`dev_write_raw_memory',` ') ######################################## -## -## -## Read and execute raw memory devices (e.g. /dev/mem). -## -## -## Domain allowed access. -## -## +## +## Read and execute raw memory devices (e.g. /dev/mem). +## +## +## Domain allowed access. +## # interface(`dev_rx_raw_memory',` gen_require(` @@ -761,14 +694,12 @@ interface(`dev_rx_raw_memory',` ') ######################################## -## -## -## Write and execute raw memory devices (e.g. /dev/mem). -## -## -## Domain allowed access. -## -## +## +## Write and execute raw memory devices (e.g. /dev/mem). +## +## +## Domain allowed access. +## # interface(`dev_wx_raw_memory',` gen_require(` @@ -781,14 +712,12 @@ interface(`dev_wx_raw_memory',` ') ######################################## -## -## -## Read from random devices (e.g., /dev/random) -## -## -## Domain allowed access. -## -## +## +## Read from random devices (e.g., /dev/random) +## +## +## Domain allowed access. +## # interface(`dev_read_rand',` gen_require(` @@ -802,14 +731,12 @@ interface(`dev_read_rand',` ') ######################################## -## -## -## Read from pseudo random devices (e.g., /dev/urandom) -## -## -## Domain allowed access. -## -## +## +## Read from pseudo random devices (e.g., /dev/urandom) +## +## +## Domain allowed access. +## # interface(`dev_read_urand',` gen_require(` @@ -823,16 +750,14 @@ interface(`dev_read_urand',` ') ######################################## -## -## -## Write to the random device (e.g., /dev/random). This adds -## entropy used to generate the random data read from the -## random device. -## -## -## Domain allowed access. -## -## +## +## Write to the random device (e.g., /dev/random). This adds +## entropy used to generate the random data read from the +## random device. +## +## +## Domain allowed access. +## # interface(`dev_write_rand',` gen_require(` @@ -846,15 +771,13 @@ interface(`dev_write_rand',` ') ######################################## -## -## -## Write to the pseudo random device (e.g., /dev/urandom). This -## sets the random number generator seed. -## -## -## Domain allowed access. -## -## +## +## Write to the pseudo random device (e.g., /dev/urandom). This +## sets the random number generator seed. +## +## +## Domain allowed access. +## # interface(`dev_write_urand',` gen_require(` @@ -868,14 +791,12 @@ interface(`dev_write_urand',` ') ######################################## -## -## -## Read and write to the null device (/dev/null). -## -## -## Domain allowed access. -## -## +## +## Read and write to the null device (/dev/null). +## +## +## Domain allowed access. +## # interface(`dev_rw_null_dev',` gen_require(` @@ -889,14 +810,12 @@ interface(`dev_rw_null_dev',` ') ######################################## -## -## -## Read and write to the zero device (/dev/zero). -## -## -## Domain allowed access. -## -## +## +## Read and write to the zero device (/dev/zero). +## +## +## Domain allowed access. +## # interface(`dev_rw_zero_dev',` gen_require(` @@ -910,14 +829,12 @@ interface(`dev_rw_zero_dev',` ') ######################################## -## -## -## Read, write, and execute the zero device (/dev/zero). -## -## -## Domain allowed access. -## -## +## +## Read, write, and execute the zero device (/dev/zero). +## +## +## Domain allowed access. +## # interface(`dev_rwx_zero_dev',` gen_require(` @@ -930,14 +847,12 @@ interface(`dev_rwx_zero_dev',` ') ######################################## -## -## -## Read the realtime clock (/dev/rtc). -## -## -## Domain allowed access. -## -## +## +## Read the realtime clock (/dev/rtc). +## +## +## Domain allowed access. +## # interface(`dev_read_realtime_clock',` gen_require(` @@ -951,14 +866,12 @@ interface(`dev_read_realtime_clock',` ') ######################################## -## -## -## Read the realtime clock (/dev/rtc). -## -## -## Domain allowed access. -## -## +## +## Read the realtime clock (/dev/rtc). +## +## +## Domain allowed access. +## # interface(`dev_write_realtime_clock',` gen_require(` @@ -972,14 +885,12 @@ interface(`dev_write_realtime_clock',` ') ######################################## -## -## -## Read the realtime clock (/dev/rtc). -## -## -## Domain allowed access. -## -## +## +## Read the realtime clock (/dev/rtc). +## +## +## Domain allowed access. +## # interface(`dev_rw_realtime_clock',` dev_read_realtime_clock($1) @@ -987,14 +898,12 @@ interface(`dev_rw_realtime_clock',` ') ######################################## -## -## -## Get the attributes of the sound devices. -## -## -## Domain allowed access. -## -## +## +## Get the attributes of the sound devices. +## +## +## Domain allowed access. +## # interface(`dev_getattr_snd_dev',` gen_require(` @@ -1008,14 +917,12 @@ interface(`dev_getattr_snd_dev',` ') ######################################## -## -## -## Set the attributes of the sound devices. -## -## -## Domain allowed access. -## -## +## +## Set the attributes of the sound devices. +## +## +## Domain allowed access. +## # interface(`dev_setattr_snd_dev',` gen_require(` @@ -1029,14 +936,12 @@ interface(`dev_setattr_snd_dev',` ') ######################################## -## -## -## Read the sound devices. -## -## -## Domain allowed access. -## -## +## +## Read the sound devices. +## +## +## Domain allowed access. +## # interface(`dev_read_snd_dev',` gen_require(` @@ -1050,14 +955,12 @@ interface(`dev_read_snd_dev',` ') ######################################## -## -## -## Write the sound devices. -## -## -## Domain allowed access. -## -## +## +## Write the sound devices. +## +## +## Domain allowed access. +## # interface(`dev_write_snd_dev',` gen_require(` @@ -1071,14 +974,12 @@ interface(`dev_write_snd_dev',` ') ######################################## -## -## -## Read the sound mixer devices. -## -## -## Domain allowed access. -## -## +## +## Read the sound mixer devices. +## +## +## Domain allowed access. +## # interface(`dev_read_snd_mixer_dev',` gen_require(` @@ -1092,14 +993,12 @@ interface(`dev_read_snd_mixer_dev',` ') ######################################## -## -## -## Write the sound mixer devices. -## -## -## Domain allowed access. -## -## +## +## Write the sound mixer devices. +## +## +## Domain allowed access. +## # interface(`dev_write_snd_mixer_dev',` gen_require(` @@ -1113,14 +1012,12 @@ interface(`dev_write_snd_mixer_dev',` ') ######################################## -## -## -## Read and write the agp devices. -## -## -## Domain allowed access. -## -## +## +## Read and write the agp devices. +## +## +## Domain allowed access. +## # interface(`dev_rw_agp_dev',` gen_require(` @@ -1134,14 +1031,12 @@ interface(`dev_rw_agp_dev',` ') ######################################## -## -## -## Getattr the agp devices. -## -## -## Domain allowed access. -## -## +## +## Getattr the agp devices. +## +## +## Domain allowed access. +## # interface(`dev_getattr_agp_dev',` gen_require(` @@ -1155,14 +1050,12 @@ interface(`dev_getattr_agp_dev',` ') ######################################## -## -## -## Read and write the dri devices. -## -## -## Domain allowed access. -## -## +## +## Read and write the dri devices. +## +## +## Domain allowed access. +## # interface(`dev_rw_dri_dev',` gen_require(` @@ -1176,14 +1069,12 @@ interface(`dev_rw_dri_dev',` ') ######################################## -## -## -## Dontaudit read and write on the dri devices. -## -## -## Domain to dontaudit access. -## -## +## +## Dontaudit read and write on the dri devices. +## +## +## Domain to dontaudit access. +## # interface(`dev_dontaudit_rw_dri_dev',` gen_require(` @@ -1195,14 +1086,12 @@ interface(`dev_dontaudit_rw_dri_dev',` ') ######################################## -## -## -## Read the mtrr device. -## -## -## Domain allowed access. -## -## +## +## Read the mtrr device. +## +## +## Domain allowed access. +## # interface(`dev_read_mtrr',` gen_require(` @@ -1216,14 +1105,12 @@ interface(`dev_read_mtrr',` ') ######################################## -## -## -## Write the mtrr device. -## -## -## Domain allowed access. -## -## +## +## Write the mtrr device. +## +## +## Domain allowed access. +## # interface(`dev_write_mtrr',` gen_require(` @@ -1237,14 +1124,12 @@ interface(`dev_write_mtrr',` ') ######################################## -## -## -## Get the attributes of the framebuffer device. -## -## -## Domain allowed access. -## -## +## +## Get the attributes of the framebuffer device. +## +## +## Domain allowed access. +## # interface(`dev_getattr_framebuffer',` gen_require(` @@ -1258,14 +1143,12 @@ interface(`dev_getattr_framebuffer',` ') ######################################## -## -## -## Set the attributes of the framebuffer device. -## -## -## Domain allowed access. -## -## +## +## Set the attributes of the framebuffer device. +## +## +## Domain allowed access. +## # interface(`dev_setattr_framebuffer',` gen_require(` @@ -1279,14 +1162,12 @@ interface(`dev_setattr_framebuffer',` ') ######################################## -## -## -## Read the framebuffer device. -## -## -## Domain allowed access. -## -## +## +## Read the framebuffer device. +## +## +## Domain allowed access. +## # interface(`dev_read_framebuffer',` gen_require(` @@ -1300,14 +1181,12 @@ interface(`dev_read_framebuffer',` ') ######################################## -## -## -## Write the framebuffer device. -## -## -## Domain allowed access. -## -## +## +## Write the framebuffer device. +## +## +## Domain allowed access. +## # interface(`dev_write_framebuffer',` gen_require(` @@ -1321,14 +1200,12 @@ interface(`dev_write_framebuffer',` ') ######################################## -## -## -## Read the lvm comtrol device. -## -## -## Domain allowed access. -## -## +## +## Read the lvm comtrol device. +## +## +## Domain allowed access. +## # interface(`dev_read_lvm_control',` gen_require(` @@ -1342,14 +1219,12 @@ interface(`dev_read_lvm_control',` ') ######################################## -## -## -## Read and write the lvm control device. -## -## -## Domain allowed access. -## -## +## +## Read and write the lvm control device. +## +## +## Domain allowed access. +## # interface(`dev_rw_lvm_control',` gen_require(` @@ -1363,14 +1238,12 @@ interface(`dev_rw_lvm_control',` ') ######################################## -## -## -## Delete the lvm control device. -## -## -## Domain allowed access. -## -## +## +## Delete the lvm control device. +## +## +## Domain allowed access. +## # interface(`dev_delete_lvm_control',` gen_require(` @@ -1384,14 +1257,12 @@ interface(`dev_delete_lvm_control',` ') ######################################## -## -## -## Get the attributes of miscellaneous devices. -## -## -## Domain allowed access. -## -## +## +## Get the attributes of miscellaneous devices. +## +## +## Domain allowed access. +## # interface(`dev_getattr_misc',` gen_require(` @@ -1405,15 +1276,13 @@ interface(`dev_getattr_misc',` ') ######################################## -## -## -## Do not audit attempts to get the attributes -## of miscellaneous devices. -## -## -## Domain allowed access. -## -## +## +## Do not audit attempts to get the attributes +## of miscellaneous devices. +## +## +## Domain allowed access. +## # interface(`dev_dontaudit_getattr_misc',` gen_require(` @@ -1425,14 +1294,12 @@ interface(`dev_dontaudit_getattr_misc',` ') ######################################## -## -## -## Set the attributes of miscellaneous devices. -## -## -## Domain allowed access. -## -## +## +## Set the attributes of miscellaneous devices. +## +## +## Domain allowed access. +## # interface(`dev_setattr_misc',` gen_require(` @@ -1446,15 +1313,13 @@ interface(`dev_setattr_misc',` ') ######################################## -## -## -## Do not audit attempts to set the attributes -## of miscellaneous devices. -## -## -## Domain allowed access. -## -## +## +## Do not audit attempts to set the attributes +## of miscellaneous devices. +## +## +## Domain allowed access. +## # interface(`dev_dontaudit_setattr_misc',` gen_require(` @@ -1466,14 +1331,12 @@ interface(`dev_dontaudit_setattr_misc',` ') ######################################## -## -## -## Read miscellaneous devices. -## -## -## Domain allowed access. -## -## +## +## Read miscellaneous devices. +## +## +## Domain allowed access. +## # interface(`dev_read_misc',` gen_require(` @@ -1487,14 +1350,12 @@ interface(`dev_read_misc',` ') ######################################## -## -## -## Write miscellaneous devices. -## -## -## Domain allowed access. -## -## +## +## Write miscellaneous devices. +## +## +## Domain allowed access. +## # interface(`dev_write_misc',` gen_require(` @@ -1508,14 +1369,12 @@ interface(`dev_write_misc',` ') ######################################## -## -## -## Get the attributes of the mouse devices. -## -## -## Domain allowed access. -## -## +## +## Get the attributes of the mouse devices. +## +## +## Domain allowed access. +## # interface(`dev_getattr_mouse',` gen_require(` @@ -1529,14 +1388,12 @@ interface(`dev_getattr_mouse',` ') ######################################## -## -## -## Set the attributes of the mouse devices. -## -## -## Domain allowed access. -## -## +## +## Set the attributes of the mouse devices. +## +## +## Domain allowed access. +## # interface(`dev_setattr_mouse',` gen_require(` @@ -1550,14 +1407,12 @@ interface(`dev_setattr_mouse',` ') ######################################## -## -## -## Read the mouse devices. -## -## -## Domain allowed access. -## -## +## +## Read the mouse devices. +## +## +## Domain allowed access. +## # interface(`dev_read_mouse',` gen_require(` @@ -1571,14 +1426,12 @@ interface(`dev_read_mouse',` ') ######################################## -## -## -## Read the multiplexed input device (/dev/input). -## -## -## Domain allowed access. -## -## +## +## Read the multiplexed input device (/dev/input). +## +## +## Domain allowed access. +## # interface(`dev_read_input',` gen_require(` @@ -1592,14 +1445,12 @@ interface(`dev_read_input',` ') ######################################## -## -## -## Read the multiplexed input device (/dev/input). -## -## -## Domain allowed access. -## -## +## +## Read the multiplexed input device (/dev/input). +## +## +## Domain allowed access. +## # interface(`dev_read_cpuid',` gen_require(` @@ -1613,15 +1464,13 @@ interface(`dev_read_cpuid',` ') ######################################## -## -## -## Read and write the the cpu microcode device. This -## is required to load cpu microcode. -## -## -## Domain allowed access. -## -## +## +## Read and write the the cpu microcode device. This +## is required to load cpu microcode. +## +## +## Domain allowed access. +## # interface(`dev_rw_cpu_microcode',` gen_require(` @@ -1635,14 +1484,12 @@ interface(`dev_rw_cpu_microcode',` ') ######################################## -## -## -## Get the attributes of the scanner device. -## -## -## Domain allowed access. -## -## +## +## Get the attributes of the scanner device. +## +## +## Domain allowed access. +## # interface(`dev_getattr_scanner',` gen_require(` @@ -1656,15 +1503,13 @@ interface(`dev_getattr_scanner',` ') ######################################## -## -## -## Do not audit attempts to get the attributes of -## the scanner device. -## -## -## Domain to not audit. -## -## +## +## Do not audit attempts to get the attributes of +## the scanner device. +## +## +## Domain to not audit. +## # interface(`dev_dontaudit_getattr_scanner',` gen_require(` @@ -1676,14 +1521,12 @@ interface(`dev_dontaudit_getattr_scanner',` ') ######################################## -## -## -## Set the attributes of the scanner device. -## -## -## Domain allowed access. -## -## +## +## Set the attributes of the scanner device. +## +## +## Domain allowed access. +## # interface(`dev_setattr_scanner',` gen_require(` @@ -1697,15 +1540,13 @@ interface(`dev_setattr_scanner',` ') ######################################## -## -## -## Do not audit attempts to set the attributes of -## the scanner device. -## -## -## Domain to not audit. -## -## +## +## Do not audit attempts to set the attributes of +## the scanner device. +## +## +## Domain to not audit. +## # interface(`dev_dontaudit_setattr_scanner',` gen_require(` @@ -1717,14 +1558,12 @@ interface(`dev_dontaudit_setattr_scanner',` ') ######################################## -## -## -## Read and write the scanner device. -## -## -## Domain allowed access. -## -## +## +## Read and write the scanner device. +## +## +## Domain allowed access. +## # interface(`dev_rw_scanner',` gen_require(` @@ -1738,14 +1577,12 @@ interface(`dev_rw_scanner',` ') ######################################## -## -## -## Get the attributes of the the power management device. -## -## -## Domain allowed access. -## -## +## +## Get the attributes of the the power management device. +## +## +## Domain allowed access. +## # interface(`dev_getattr_power_management',` gen_require(` @@ -1759,14 +1596,12 @@ interface(`dev_getattr_power_management',` ') ######################################## -## -## -## Set the attributes of the the power management device. -## -## -## Domain allowed access. -## -## +## +## Set the attributes of the the power management device. +## +## +## Domain allowed access. +## # interface(`dev_setattr_power_management',` gen_require(` @@ -1780,14 +1615,12 @@ interface(`dev_setattr_power_management',` ') ######################################## -## -## -## Read and write the the power management device. -## -## -## Domain allowed access. -## -## +## +## Read and write the the power management device. +## +## +## Domain allowed access. +## # interface(`dev_rw_power_management',` gen_require(` @@ -1801,14 +1634,12 @@ interface(`dev_rw_power_management',` ') ######################################## -## -## -## Get the attributes of sysfs directories. -## -## -## The type of the process performing this action. -## -## +## +## Get the attributes of sysfs directories. +## +## +## The type of the process performing this action. +## # interface(`dev_getattr_sysfs_dir',` gen_require(` @@ -1820,14 +1651,12 @@ interface(`dev_getattr_sysfs_dir',` ') ######################################## -## -## -## Search the directory containing hardware information. -## -## -## The type of the process performing this action. -## -## +## +## Search the directory containing hardware information. +## +## +## The type of the process performing this action. +## # interface(`dev_search_sysfs',` gen_require(` @@ -1839,14 +1668,12 @@ interface(`dev_search_sysfs',` ') ######################################## -## -## -## Allow caller to read hardware state information. -## -## -## The process type reading hardware state information. -## -## +## +## Allow caller to read hardware state information. +## +## +## The process type reading hardware state information. +## # interface(`dev_read_sysfs',` gen_require(` @@ -1861,14 +1688,12 @@ interface(`dev_read_sysfs',` ') ######################################## -## -## -## Allow caller to modify hardware state information. -## -## -## The process type modifying hardware state information. -## -## +## +## Allow caller to modify hardware state information. +## +## +## The process type modifying hardware state information. +## # interface(`dev_rw_sysfs',` gen_require(` @@ -1884,14 +1709,12 @@ interface(`dev_rw_sysfs',` ') ######################################## -## -## -## Search the directory containing USB hardware information. -## -## -## The type of the process performing this action. -## -## +## +## Search the directory containing USB hardware information. +## +## +## The type of the process performing this action. +## # interface(`dev_search_usbfs',` gen_require(` @@ -1903,14 +1726,12 @@ interface(`dev_search_usbfs',` ') ######################################## -## -## -## Allow caller to get a list of usb hardware. -## -## -## The process type getting the list. -## -## +## +## Allow caller to get a list of usb hardware. +## +## +## The process type getting the list. +## # interface(`dev_list_usbfs',` gen_require(` @@ -1926,15 +1747,13 @@ interface(`dev_list_usbfs',` ') ######################################## -## -## -## Read USB hardware information using -## the usbfs filesystem interface. -## -## -## The type of the process performing this action. -## -## +## +## Read USB hardware information using +## the usbfs filesystem interface. +## +## +## The type of the process performing this action. +## # interface(`dev_read_usbfs',` gen_require(` @@ -1949,14 +1768,12 @@ interface(`dev_read_usbfs',` ') ######################################## -## -## -## Allow caller to modify usb hardware configuration files. -## -## -## The process type modifying the options. -## -## +## +## Allow caller to modify usb hardware configuration files. +## +## +## The process type modifying the options. +## # interface(`dev_rw_usbfs',` gen_require(` @@ -1972,14 +1789,12 @@ interface(`dev_rw_usbfs',` ') ######################################## -## -## -## Get the attributes of video4linux devices. -## -## -## The process type modifying the options. -## -## +## +## Get the attributes of video4linux devices. +## +## +## The process type modifying the options. +## # interface(`dev_getattr_video_dev',` gen_require(` @@ -1993,14 +1808,12 @@ interface(`dev_getattr_video_dev',` ') ######################################## -## -## -## Set the attributes of video4linux devices. -## -## -## The process type modifying the options. -## -## +## +## Set the attributes of video4linux devices. +## +## +## The process type modifying the options. +## # interface(`dev_setattr_video_dev',` gen_require(` @@ -2013,4 +1826,3 @@ interface(`dev_setattr_video_dev',` allow $1 v4l_device_t:chr_file setattr; ') -## diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if index 0261476..8e1e7d3 100644 --- a/refpolicy/policy/modules/kernel/filesystem.if +++ b/refpolicy/policy/modules/kernel/filesystem.if @@ -1,15 +1,12 @@ -## ## Policy for filesystems. ######################################## -## -## -## Transform specified type into a filesystem type. -## -## -## The type of the process performing this action. -## -## +## +## Transform specified type into a filesystem type. +## +## +## The type of the process performing this action. +## # interface(`fs_make_fs',` gen_require(` @@ -20,16 +17,14 @@ interface(`fs_make_fs',` ') ######################################## -## -## -## Transform specified type into a filesystem -## type which does not have extended attribute -## support. -## -## -## The type of the process performing this action. -## -## +## +## Transform specified type into a filesystem +## type which does not have extended attribute +## support. +## +## +## The type of the process performing this action. +## # interface(`fs_make_noxattr_fs',` gen_require(` @@ -42,17 +37,15 @@ interface(`fs_make_noxattr_fs',` ') ######################################## -## -## -## Associate the specified file type to persistent -## filesystems with extended attributes. This -## allows a file of this type to be created on -## a filesystem such as ext3, JFS, and XFS. -## -## -## The type of the to be associated. -## -## +## +## Associate the specified file type to persistent +## filesystems with extended attributes. This +## allows a file of this type to be created on +## a filesystem such as ext3, JFS, and XFS. +## +## +## The type of the to be associated. +## # interface(`fs_associate',` gen_require(` @@ -64,18 +57,16 @@ interface(`fs_associate',` ') ######################################## -## -## -## Associate the specified file type to -## filesystems which lack extended attributes -## support. This allows a file of this type -## to be created on a filesystem such as -## FAT32, and NFS. -## -## -## The type of the to be associated. -## -## +## +## Associate the specified file type to +## filesystems which lack extended attributes +## support. This allows a file of this type +## to be created on a filesystem such as +## FAT32, and NFS. +## +## +## The type of the to be associated. +## # interface(`fs_associate_noxattr',` gen_require(` @@ -87,16 +78,14 @@ interface(`fs_associate_noxattr',` ') ######################################## -## -## -## Mount a persistent filesystem which -## has extended attributes, such as -## ext3, JFS, or XFS. -## -## -## The type of the domain mounting the filesystem. -## -## +## +## Mount a persistent filesystem which +## has extended attributes, such as +## ext3, JFS, or XFS. +## +## +## The type of the domain mounting the filesystem. +## # interface(`fs_mount_xattr_fs',` gen_require(` @@ -108,17 +97,15 @@ interface(`fs_mount_xattr_fs',` ') ######################################## -## -## -## Remount a persistent filesystem which -## has extended attributes, such as -## ext3, JFS, or XFS. This allows -## some mount options to be changed. -## -## -## The type of the domain remounting the filesystem. -## -## +## +## Remount a persistent filesystem which +## has extended attributes, such as +## ext3, JFS, or XFS. This allows +## some mount options to be changed. +## +## +## The type of the domain remounting the filesystem. +## # interface(`fs_remount_xattr_fs',` gen_require(` @@ -130,16 +117,14 @@ interface(`fs_remount_xattr_fs',` ') ######################################## -## -## -## Unmount a persistent filesystem which -## has extended attributes, such as -## ext3, JFS, or XFS. -## -## -## The type of the domain unmounting the filesystem. -## -## +## +## Unmount a persistent filesystem which +## has extended attributes, such as +## ext3, JFS, or XFS. +## +## +## The type of the domain unmounting the filesystem. +## # interface(`fs_unmount_xattr_fs',` gen_require(` @@ -151,17 +136,15 @@ interface(`fs_unmount_xattr_fs',` ') ######################################## -## -## -## Get the attributes of a persistent -## filesystem which has extended -## attributes, such as ext3, JFS, or XFS. -## -## -## The type of the domain doing the -## getattr on the filesystem. -## -## +## +## Get the attributes of a persistent +## filesystem which has extended +## attributes, such as ext3, JFS, or XFS. +## +## +## The type of the domain doing the +## getattr on the filesystem. +## # interface(`fs_getattr_xattr_fs',` gen_require(` @@ -173,17 +156,15 @@ interface(`fs_getattr_xattr_fs',` ') ######################################## -## -## -## Do not audit attempts to -## get the attributes of a persistent -## filesystem which has extended -## attributes, such as ext3, JFS, or XFS. -## -## -## The type of the domain to not audit. -## -## +## +## Do not audit attempts to +## get the attributes of a persistent +## filesystem which has extended +## attributes, such as ext3, JFS, or XFS. +## +## +## The type of the domain to not audit. +## # interface(`fs_dontaudit_getattr_xattr_fs',` gen_require(` @@ -195,16 +176,14 @@ interface(`fs_dontaudit_getattr_xattr_fs',` ') ######################################## -## -## -## Allow changing of the label of a -## filesystem with extended attributes -## using the context= mount option. -## -## -## The type of the domain mounting the filesystem. -## -## +## +## Allow changing of the label of a +## filesystem with extended attributes +## using the context= mount option. +## +## +## The type of the domain mounting the filesystem. +## # interface(`fs_relabelfrom_xattr_fs',` gen_require(` @@ -216,14 +195,12 @@ interface(`fs_relabelfrom_xattr_fs',` ') ######################################## -## -## -## Mount an automount pseudo filesystem. -## -## -## The type of the domain mounting the filesystem. -## -## +## +## Mount an automount pseudo filesystem. +## +## +## The type of the domain mounting the filesystem. +## # interface(`fs_mount_autofs',` gen_require(` @@ -236,15 +213,13 @@ interface(`fs_mount_autofs',` ######################################## -## -## -## Remount an automount pseudo filesystem -## This allows some mount options to be changed. -## -## -## The type of the domain remounting the filesystem. -## -## +## +## Remount an automount pseudo filesystem +## This allows some mount options to be changed. +## +## +## The type of the domain remounting the filesystem. +## # interface(`fs_remount_autofs',` gen_require(` @@ -256,14 +231,12 @@ interface(`fs_remount_autofs',` ') ######################################## -## -## -## Unmount an automount pseudo filesystem. -## -## -## The type of the domain unmounting the filesystem. -## -## +## +## Unmount an automount pseudo filesystem. +## +## +## The type of the domain unmounting the filesystem. +## # interface(`fs_unmount_autofs',` gen_require(` @@ -275,16 +248,14 @@ interface(`fs_unmount_autofs',` ') ######################################## -## -## -## Get the attributes of an automount -## pseudo filesystem. -## -## -## The type of the domain doing the -## getattr on the filesystem. -## -## +## +## Get the attributes of an automount +## pseudo filesystem. +## +## +## The type of the domain doing the +## getattr on the filesystem. +## # interface(`fs_getattr_autofs',` gen_require(` @@ -296,21 +267,19 @@ interface(`fs_getattr_autofs',` ') ######################################## -## -## -## Register an interpreter for new binary -## file types, using the kernel binfmt_misc -## support. A common use for this is to -## register a JVM as an interpreter for -## Java byte code. Registered binaries -## can be directly executed on a command line -## without specifying the interpreter. -## -## -## The type of the domain registering -## the interpreter. -## -## +## +## Register an interpreter for new binary +## file types, using the kernel binfmt_misc +## support. A common use for this is to +## register a JVM as an interpreter for +## Java byte code. Registered binaries +## can be directly executed on a command line +## without specifying the interpreter. +## +## +## The type of the domain registering +## the interpreter. +## # interface(`fs_register_binary_executable_type',` gen_require(` @@ -324,14 +293,12 @@ interface(`fs_register_binary_executable_type',` ') ######################################## -## -## -## Mount a CIFS or SMB network filesystem. -## -## -## The type of the domain mounting the filesystem. -## -## +## +## Mount a CIFS or SMB network filesystem. +## +## +## The type of the domain mounting the filesystem. +## # interface(`fs_mount_cifs',` gen_require(` @@ -343,15 +310,13 @@ interface(`fs_mount_cifs',` ') ######################################## -## -## -## Remount a CIFS or SMB network filesystem. -## This allows some mount options to be changed. -## -## -## The type of the domain mounting the filesystem. -## -## +## +## Remount a CIFS or SMB network filesystem. +## This allows some mount options to be changed. +## +## +## The type of the domain mounting the filesystem. +## # interface(`fs_remount_cifs',` gen_require(` @@ -363,14 +328,12 @@ interface(`fs_remount_cifs',` ') ######################################## -## -## -## Unmount a CIFS or SMB network filesystem. -## -## -## The type of the domain mounting the filesystem. -## -## +## +## Unmount a CIFS or SMB network filesystem. +## +## +## The type of the domain mounting the filesystem. +## # interface(`fs_unmount_cifs',` gen_require(` @@ -382,16 +345,14 @@ interface(`fs_unmount_cifs',` ') ######################################## -## -## -## Get the attributes of a CIFS or -## SMB network filesystem. -## -## -## The type of the domain doing the -## getattr on the filesystem. -## -## +## +## Get the attributes of a CIFS or +## SMB network filesystem. +## +## +## The type of the domain doing the +## getattr on the filesystem. +## # interface(`fs_getattr_cifs',` gen_require(` @@ -403,14 +364,12 @@ interface(`fs_getattr_cifs',` ') ######################################## -## -## -## Read files on a CIFS or SMB filesystem. -## -## -## The type of the domain reading the files. -## -## +## +## Read files on a CIFS or SMB filesystem. +## +## +## The type of the domain reading the files. +## # interface(`fs_read_cifs_files',` gen_require(` @@ -424,15 +383,13 @@ interface(`fs_read_cifs_files',` ') ######################################## -## -## -## Do not audit attempts to read or -## write files on a CIFS or SMB filesystem. -## -## -## The type of the domain to not audit. -## -## +## +## Do not audit attempts to read or +## write files on a CIFS or SMB filesystem. +## +## +## The type of the domain to not audit. +## # interface(`fs_dontaudit_rw_cifs_files',` gen_require(` @@ -444,14 +401,12 @@ interface(`fs_dontaudit_rw_cifs_files',` ') ######################################## -## -## -## Read symbolic links on a CIFS or SMB filesystem. -## -## -## The type of the domain reading the symbolic links. -## -## +## +## Read symbolic links on a CIFS or SMB filesystem. +## +## +## The type of the domain reading the symbolic links. +## # interface(`fs_read_cifs_symlinks',` gen_require(` @@ -465,16 +420,14 @@ interface(`fs_read_cifs_symlinks',` ') ######################################## -## -## -## Execute files on a CIFS or SMB -## network filesystem, in the caller -## domain. -## -## -## The type of the domain executing the files. -## -## +## +## Execute files on a CIFS or SMB +## network filesystem, in the caller +## domain. +## +## +## The type of the domain executing the files. +## # interface(`fs_execute_cifs_files',` gen_require(` @@ -487,15 +440,13 @@ interface(`fs_execute_cifs_files',` ') ######################################## -## -## -## Do not audit attempts to read or -## write files on a CIFS or SMB filesystems. -## -## -## The type of the domain to not audit. -## -## +## +## Do not audit attempts to read or +## write files on a CIFS or SMB filesystems. +## +## +## The type of the domain to not audit. +## # interface(`fs_read_cifs_files',` gen_require(` @@ -507,15 +458,13 @@ interface(`fs_read_cifs_files',` ') ######################################## -## -## -## Create, read, write, and delete directories -## on a CIFS or SMB network filesystem. -## -## -## The type of the domain managing the directories. -## -## +## +## Create, read, write, and delete directories +## on a CIFS or SMB network filesystem. +## +## +## The type of the domain managing the directories. +## # interface(`fs_manage_cifs_dirs',` gen_require(` @@ -527,15 +476,13 @@ interface(`fs_manage_cifs_dirs',` ') ######################################## -## -## -## Create, read, write, and delete files -## on a CIFS or SMB network filesystem. -## -## -## The type of the domain managing the files. -## -## +## +## Create, read, write, and delete files +## on a CIFS or SMB network filesystem. +## +## +## The type of the domain managing the files. +## # interface(`fs_manage_cifs_files',` gen_require(` @@ -549,15 +496,13 @@ interface(`fs_manage_cifs_files',` ') ######################################## -## -## -## Create, read, write, and delete symbolic links -## on a CIFS or SMB network filesystem. -## -## -## The type of the domain managing the symbolic links. -## -## +## +## Create, read, write, and delete symbolic links +## on a CIFS or SMB network filesystem. +## +## +## The type of the domain managing the symbolic links. +## # interface(`fs_manage_cifs_symlinks',` gen_require(` @@ -571,15 +516,13 @@ interface(`fs_manage_cifs_symlinks',` ') ######################################## -## -## -## Create, read, write, and delete named pipes -## on a CIFS or SMB network filesystem. -## -## -## The type of the domain managing the pipes. -## -## +## +## Create, read, write, and delete named pipes +## on a CIFS or SMB network filesystem. +## +## +## The type of the domain managing the pipes. +## # interface(`fs_manage_cifs_named_pipes',` gen_require(` @@ -593,15 +536,13 @@ interface(`fs_manage_cifs_named_pipes',` ') ######################################## -## -## -## Create, read, write, and delete named sockets -## on a CIFS or SMB network filesystem. -## -## -## The type of the domain managing the sockets. -## -## +## +## Create, read, write, and delete named sockets +## on a CIFS or SMB network filesystem. +## +## +## The type of the domain managing the sockets. +## # interface(`fs_manage_cifs_named_sockets',` gen_require(` @@ -615,15 +556,13 @@ interface(`fs_manage_cifs_named_sockets',` ') ######################################## -## -## -## Mount a DOS filesystem, such as -## FAT32 or NTFS. -## -## -## The type of the domain mounting the filesystem. -## -## +## +## Mount a DOS filesystem, such as +## FAT32 or NTFS. +## +## +## The type of the domain mounting the filesystem. +## # interface(`fs_mount_dos_fs',` gen_require(` @@ -635,16 +574,14 @@ interface(`fs_mount_dos_fs',` ') ######################################## -## -## -## Remount a DOS filesystem, such as -## FAT32 or NTFS. This allows -## some mount options to be changed. -## -## -## The type of the domain remounting the filesystem. -## -## +## +## Remount a DOS filesystem, such as +## FAT32 or NTFS. This allows +## some mount options to be changed. +## +## +## The type of the domain remounting the filesystem. +## # interface(`fs_remount_dos_fs',` gen_require(` @@ -656,15 +593,13 @@ interface(`fs_remount_dos_fs',` ') ######################################## -## -## -## Unmount a DOS filesystem, such as -## FAT32 or NTFS. -## -## -## The type of the domain unmounting the filesystem. -## -## +## +## Unmount a DOS filesystem, such as +## FAT32 or NTFS. +## +## +## The type of the domain unmounting the filesystem. +## # interface(`fs_unmount_dos_fs',` gen_require(` @@ -676,16 +611,14 @@ interface(`fs_unmount_dos_fs',` ') ######################################## -## -## -## Get the attributes of a DOS -## filesystem, such as FAT32 or NTFS. -## -## -## The type of the domain doing the -## getattr on the filesystem. -## -## +## +## Get the attributes of a DOS +## filesystem, such as FAT32 or NTFS. +## +## +## The type of the domain doing the +## getattr on the filesystem. +## # interface(`fs_getattr_dos_fs',` gen_require(` @@ -697,15 +630,13 @@ interface(`fs_getattr_dos_fs',` ') ######################################## -## -## -## Allow changing of the label of a -## DOS filesystem using the context= mount option. -## -## -## The type of the domain mounting the filesystem. -## -## +## +## Allow changing of the label of a +## DOS filesystem using the context= mount option. +## +## +## The type of the domain mounting the filesystem. +## # interface(`fs_relabelfrom_dos_fs',` gen_require(` @@ -717,15 +648,13 @@ interface(`fs_relabelfrom_dos_fs',` ') ######################################## -## -## -## Mount an iso9660 filesystem, which -## is usually used on CDs. -## -## -## The type of the domain mounting the filesystem. -## -## +## +## Mount an iso9660 filesystem, which +## is usually used on CDs. +## +## +## The type of the domain mounting the filesystem. +## # interface(`fs_mount_iso9660_fs',` gen_require(` @@ -737,16 +666,14 @@ interface(`fs_mount_iso9660_fs',` ') ######################################## -## -## -## Remount an iso9660 filesystem, which -## is usually used on CDs. This allows -## some mount options to be changed. -## -## -## The type of the domain remounting the filesystem. -## -## +## +## Remount an iso9660 filesystem, which +## is usually used on CDs. This allows +## some mount options to be changed. +## +## +## The type of the domain remounting the filesystem. +## # interface(`fs_remount_iso9660_fs',` gen_require(` @@ -758,15 +685,13 @@ interface(`fs_remount_iso9660_fs',` ') ######################################## -## -## -## Unmount an iso9660 filesystem, which -## is usually used on CDs. -## -## -## The type of the domain unmounting the filesystem. -## -## +## +## Unmount an iso9660 filesystem, which +## is usually used on CDs. +## +## +## The type of the domain unmounting the filesystem. +## # interface(`fs_unmount_iso9660_fs',` gen_require(` @@ -778,16 +703,14 @@ interface(`fs_unmount_iso9660_fs',` ') ######################################## -## -## -## Get the attributes of an iso9660 -## filesystem, which is usually used on CDs. -## -## -## The type of the domain doing the -## getattr on the filesystem. -## -## +## +## Get the attributes of an iso9660 +## filesystem, which is usually used on CDs. +## +## +## The type of the domain doing the +## getattr on the filesystem. +## # interface(`fs_getattr_iso9660_fs',` gen_require(` @@ -799,14 +722,12 @@ interface(`fs_getattr_iso9660_fs',` ') ######################################## -## -## -## Mount a NFS filesystem. -## -## -## The type of the domain mounting the filesystem. -## -## +## +## Mount a NFS filesystem. +## +## +## The type of the domain mounting the filesystem. +## # interface(`fs_mount_nfs',` gen_require(` @@ -818,15 +739,13 @@ interface(`fs_mount_nfs',` ') ######################################## -## -## -## Remount a NFS filesystem. This allows -## some mount options to be changed. -## -## -## The type of the domain remounting the filesystem. -## -## +## +## Remount a NFS filesystem. This allows +## some mount options to be changed. +## +## +## The type of the domain remounting the filesystem. +## # interface(`fs_remount_nfs',` gen_require(` @@ -838,14 +757,12 @@ interface(`fs_remount_nfs',` ') ######################################## -## -## -## Unmount a NFS filesystem. -## -## -## The type of the domain unmounting the filesystem. -## -## +## +## Unmount a NFS filesystem. +## +## +## The type of the domain unmounting the filesystem. +## # interface(`fs_unmount_nfs',` gen_require(` @@ -857,15 +774,13 @@ interface(`fs_unmount_nfs',` ') ######################################## -## -## -## Get the attributes of a NFS filesystem. -## -## -## The type of the domain doing the -## getattr on the filesystem. -## -## +## +## Get the attributes of a NFS filesystem. +## +## +## The type of the domain doing the +## getattr on the filesystem. +## # interface(`fs_getattr_nfs',` gen_require(` @@ -877,14 +792,12 @@ interface(`fs_getattr_nfs',` ') ######################################## -## -## -## Read files on a NFS filesystem. -## -## -## The type of the domain reading the files. -## -## +## +## Read files on a NFS filesystem. +## +## +## The type of the domain reading the files. +## # interface(`fs_read_nfs_files',` gen_require(` @@ -898,14 +811,12 @@ interface(`fs_read_nfs_files',` ') ######################################## -## -## -## Execute files on a NFS filesystem. -## -## -## The type of the domain executing the files. -## -## +## +## Execute files on a NFS filesystem. +## +## +## The type of the domain executing the files. +## # interface(`fs_execute_nfs_files',` gen_require(` @@ -918,15 +829,13 @@ interface(`fs_execute_nfs_files',` ') ######################################## -## -## -## Do not audit attempts to read or -## write files on a NFS filesystem. -## -## -## The type of the domain to not audit. -## -## +## +## Do not audit attempts to read or +## write files on a NFS filesystem. +## +## +## The type of the domain to not audit. +## # interface(`fs_dontaudit_rw_nfs_files',` gen_require(` @@ -938,14 +847,12 @@ interface(`fs_dontaudit_rw_nfs_files',` ') ######################################## -## -## -## Read symbolic links on a NFS filesystem. -## -## -## The type of the domain reading the symbolic links. -## -## +## +## Read symbolic links on a NFS filesystem. +## +## +## The type of the domain reading the symbolic links. +## # interface(`fs_read_nfs_symlinks',` gen_require(` @@ -959,15 +866,13 @@ interface(`fs_read_nfs_symlinks',` ') ######################################## -## -## -## Create, read, write, and delete directories -## on a NFS filesystem. -## -## -## The type of the domain managing the directories. -## -## +## +## Create, read, write, and delete directories +## on a NFS filesystem. +## +## +## The type of the domain managing the directories. +## # interface(`fs_manage_nfs_dirs',` gen_require(` @@ -979,15 +884,13 @@ interface(`fs_manage_nfs_dirs',` ') ######################################## -## -## -## Create, read, write, and delete files -## on a NFS filesystem. -## -## -## The type of the domain managing the files. -## -## +## +## Create, read, write, and delete files +## on a NFS filesystem. +## +## +## The type of the domain managing the files. +## # interface(`fs_manage_nfs_files',` gen_require(` @@ -1001,15 +904,13 @@ interface(`fs_manage_nfs_files',` ') ######################################### -## -## -## Create, read, write, and delete symbolic links -## on a CIFS or SMB network filesystem. -## -## -## The type of the domain managing the symbolic links. -## -## +## +## Create, read, write, and delete symbolic links +## on a CIFS or SMB network filesystem. +## +## +## The type of the domain managing the symbolic links. +## # interface(`fs_manage_nfs_symlinks',` gen_require(` @@ -1023,15 +924,13 @@ interface(`fs_manage_nfs_symlinks',` ') ######################################### -## -## -## Create, read, write, and delete named pipes -## on a NFS filesystem. -## -## -## The type of the domain managing the pipes. -## -## +## +## Create, read, write, and delete named pipes +## on a NFS filesystem. +## +## +## The type of the domain managing the pipes. +## # interface(`fs_manage_nfs_named_pipes',` gen_require(` @@ -1045,15 +944,13 @@ interface(`fs_manage_nfs_named_pipes',` ') ######################################### -## -## -## Create, read, write, and delete named sockets -## on a NFS filesystem. -## -## -## The type of the domain managing the sockets. -## -## +## +## Create, read, write, and delete named sockets +## on a NFS filesystem. +## +## +## The type of the domain managing the sockets. +## # interface(`fs_manage_nfs_named_sockets',` gen_require(` @@ -1067,14 +964,12 @@ interface(`fs_manage_nfs_named_sockets',` ') ######################################## -## -## -## Mount a NFS server pseudo filesystem. -## -## -## The type of the domain mounting the filesystem. -## -## +## +## Mount a NFS server pseudo filesystem. +## +## +## The type of the domain mounting the filesystem. +## # interface(`fs_mount_nfsd_fs',` gen_require(` @@ -1086,15 +981,13 @@ interface(`fs_mount_nfsd_fs',` ') ######################################## -## -## -## Mount a NFS server pseudo filesystem. -## This allows some mount options to be changed. -## -## -## The type of the domain remounting the filesystem. -## -## +## +## Mount a NFS server pseudo filesystem. +## This allows some mount options to be changed. +## +## +## The type of the domain remounting the filesystem. +## # interface(`fs_remount_nfsd_fs',` gen_require(` @@ -1106,14 +999,12 @@ interface(`fs_remount_nfsd_fs',` ') ######################################## -## -## -## Unmount a NFS server pseudo filesystem. -## -## -## The type of the domain unmounting the filesystem. -## -## +## +## Unmount a NFS server pseudo filesystem. +## +## +## The type of the domain unmounting the filesystem. +## # interface(`fs_unmount_nfsd_fs',` gen_require(` @@ -1125,16 +1016,14 @@ interface(`fs_unmount_nfsd_fs',` ') ######################################## -## -## -## Get the attributes of a NFS server -## pseudo filesystem. -## -## -## The type of the domain doing the -## getattr on the filesystem. -## -## +## +## Get the attributes of a NFS server +## pseudo filesystem. +## +## +## The type of the domain doing the +## getattr on the filesystem. +## # interface(`fs_getattr_nfsd_fs',` gen_require(` @@ -1146,14 +1035,12 @@ interface(`fs_getattr_nfsd_fs',` ') ######################################## -## -## -## Mount a RAM filesystem. -## -## -## The type of the domain mounting the filesystem. -## -## +## +## Mount a RAM filesystem. +## +## +## The type of the domain mounting the filesystem. +## # interface(`fs_mount_ramfs',` gen_require(` @@ -1165,15 +1052,13 @@ interface(`fs_mount_ramfs',` ') ######################################## -## -## -## Remount a RAM filesystem. This allows -## some mount options to be changed. -## -## -## The type of the domain remounting the filesystem. -## -## +## +## Remount a RAM filesystem. This allows +## some mount options to be changed. +## +## +## The type of the domain remounting the filesystem. +## # interface(`fs_remount_ramfs',` gen_require(` @@ -1185,14 +1070,12 @@ interface(`fs_remount_ramfs',` ') ######################################## -## -## -## Unmount a RAM filesystem. -## -## -## The type of the domain unmounting the filesystem. -## -## +## +## Unmount a RAM filesystem. +## +## +## The type of the domain unmounting the filesystem. +## # interface(`fs_unmount_ramfs',` gen_require(` @@ -1204,15 +1087,13 @@ interface(`fs_unmount_ramfs',` ') ######################################## -## -## -## Get the attributes of a RAM filesystem. -## -## -## The type of the domain doing the -## getattr on the filesystem. -## -## +## +## Get the attributes of a RAM filesystem. +## +## +## The type of the domain doing the +## getattr on the filesystem. +## # interface(`fs_getattr_ramfs',` gen_require(` @@ -1224,14 +1105,12 @@ interface(`fs_getattr_ramfs',` ') ######################################## -## -## -## Mount a ROM filesystem. -## -## -## The type of the domain mounting the filesystem. -## -## +## +## Mount a ROM filesystem. +## +## +## The type of the domain mounting the filesystem. +## # interface(`fs_mount_romfs',` gen_require(` @@ -1243,15 +1122,13 @@ interface(`fs_mount_romfs',` ') ######################################## -## -## -## Remount a ROM filesystem. This allows -## some mount options to be changed. -## -## -## The type of the domain remounting the filesystem. -## -## +## +## Remount a ROM filesystem. This allows +## some mount options to be changed. +## +## +## The type of the domain remounting the filesystem. +## # interface(`fs_remount_romfs',` gen_require(` @@ -1263,14 +1140,12 @@ interface(`fs_remount_romfs',` ') ######################################## -## -## -## Unmount a ROM filesystem. -## -## -## The type of the domain unmounting the filesystem. -## -## +## +## Unmount a ROM filesystem. +## +## +## The type of the domain unmounting the filesystem. +## # interface(`fs_unmount_romfs',` gen_require(` @@ -1282,16 +1157,14 @@ interface(`fs_unmount_romfs',` ') ######################################## -## -## -## Get the attributes of a ROM -## filesystem. -## -## -## The type of the domain doing the -## getattr on the filesystem. -## -## +## +## Get the attributes of a ROM +## filesystem. +## +## +## The type of the domain doing the +## getattr on the filesystem. +## # interface(`fs_getattr_romfs',` gen_require(` @@ -1303,14 +1176,12 @@ interface(`fs_getattr_romfs',` ') ######################################## -## -## -## Mount a RPC pipe filesystem. -## -## -## The type of the domain mounting the filesystem. -## -## +## +## Mount a RPC pipe filesystem. +## +## +## The type of the domain mounting the filesystem. +## # interface(`fs_mount_rpc_pipefs',` gen_require(` @@ -1322,15 +1193,13 @@ interface(`fs_mount_rpc_pipefs',` ') ######################################## -## -## -## Remount a RPC pipe filesystem. This -## allows some mount option to be changed. -## -## -## The type of the domain remounting the filesystem. -## -## +## +## Remount a RPC pipe filesystem. This +## allows some mount option to be changed. +## +## +## The type of the domain remounting the filesystem. +## # interface(`fs_remount_rpc_pipefs',` gen_require(` @@ -1342,14 +1211,12 @@ interface(`fs_remount_rpc_pipefs',` ') ######################################## -## -## -## Unmount a RPC pipe filesystem. -## -## -## The type of the domain unmounting the filesystem. -## -## +## +## Unmount a RPC pipe filesystem. +## +## +## The type of the domain unmounting the filesystem. +## # interface(`fs_unmount_rpc_pipefs',` gen_require(` @@ -1361,16 +1228,14 @@ interface(`fs_unmount_rpc_pipefs',` ') ######################################## -## -## -## Get the attributes of a RPC pipe -## filesystem. -## -## -## The type of the domain doing the -## getattr on the filesystem. -## -## +## +## Get the attributes of a RPC pipe +## filesystem. +## +## +## The type of the domain doing the +## getattr on the filesystem. +## # interface(`fs_getattr_rpc_pipefs',` gen_require(` @@ -1382,14 +1247,12 @@ interface(`fs_getattr_rpc_pipefs',` ') ######################################## -## -## -## Mount a tmpfs filesystem. -## -## -## The type of the domain mounting the filesystem. -## -## +## +## Mount a tmpfs filesystem. +## +## +## The type of the domain mounting the filesystem. +## # interface(`fs_mount_tmpfs',` gen_require(` @@ -1401,14 +1264,12 @@ interface(`fs_mount_tmpfs',` ') ######################################## -## -## -## Remount a tmpfs filesystem. -## -## -## The type of the domain remounting the filesystem. -## -## +## +## Remount a tmpfs filesystem. +## +## +## The type of the domain remounting the filesystem. +## # interface(`fs_remount_tmpfs',` gen_require(` @@ -1420,14 +1281,12 @@ interface(`fs_remount_tmpfs',` ') ######################################## -## -## -## Unmount a tmpfs filesystem. -## -## -## The type of the domain unmounting the filesystem. -## -## +## +## Unmount a tmpfs filesystem. +## +## +## The type of the domain unmounting the filesystem. +## # interface(`fs_unmount_tmpfs',` gen_require(` @@ -1439,16 +1298,14 @@ interface(`fs_unmount_tmpfs',` ') ######################################## -## -## -## Get the attributes of a tmpfs -## filesystem. -## -## -## The type of the domain doing the -## getattr on the filesystem. -## -## +## +## Get the attributes of a tmpfs +## filesystem. +## +## +## The type of the domain doing the +## getattr on the filesystem. +## # interface(`fs_getattr_tmpfs',` gen_require(` @@ -1460,14 +1317,12 @@ interface(`fs_getattr_tmpfs',` ') ######################################## -## -## -## Allow the type to associate to tmpfs filesystems. -## -## -## The type of the object to be associated. -## -## +## +## Allow the type to associate to tmpfs filesystems. +## +## +## The type of the object to be associated. +## # interface(`fs_associate_tmpfs',` gen_require(` @@ -1500,14 +1355,12 @@ interface(`fs_create_tmpfs_data',` ') ######################################## -## -## -## Read and write character nodes on tmpfs filesystems. -## -## -## The type of the process performing this action. -## -## +## +## Read and write character nodes on tmpfs filesystems. +## +## +## The type of the process performing this action. +## # interface(`fs_use_tmpfs_character_devices',` gen_require(` @@ -1521,14 +1374,12 @@ interface(`fs_use_tmpfs_character_devices',` ') ######################################## -## -## -## Relabel character nodes on tmpfs filesystems. -## -## -## The type of the process performing this action. -## -## +## +## Relabel character nodes on tmpfs filesystems. +## +## +## The type of the process performing this action. +## # interface(`fs_relabel_tmpfs_character_devices',` gen_require(` @@ -1542,14 +1393,12 @@ interface(`fs_relabel_tmpfs_character_devices',` ') ######################################## -## -## -## Read and write block nodes on tmpfs filesystems. -## -## -## The type of the process performing this action. -## -## +## +## Read and write block nodes on tmpfs filesystems. +## +## +## The type of the process performing this action. +## # interface(`fs_use_tmpfs_block_devices',` gen_require(` @@ -1563,14 +1412,12 @@ interface(`fs_use_tmpfs_block_devices',` ') ######################################## -## -## -## Relabel block nodes on tmpfs filesystems. -## -## -## The type of the process performing this action. -## -## +## +## Relabel block nodes on tmpfs filesystems. +## +## +## The type of the process performing this action. +## # interface(`fs_relabel_tmpfs_block_devices',` gen_require(` @@ -1584,15 +1431,13 @@ interface(`fs_relabel_tmpfs_block_devices',` ') ######################################## -## -## -## Read and write, create and delete character -## nodes on tmpfs filesystems. -## -## -## The type of the process performing this action. -## -## +## +## Read and write, create and delete character +## nodes on tmpfs filesystems. +## +## +## The type of the process performing this action. +## # interface(`fs_manage_tmpfs_character_devices',` gen_require(` @@ -1606,15 +1451,13 @@ interface(`fs_manage_tmpfs_character_devices',` ') ######################################## -## -## -## Read and write, create and delete block nodes -## on tmpfs filesystems. -## -## -## The type of the process performing this action. -## -## +## +## Read and write, create and delete block nodes +## on tmpfs filesystems. +## +## +## The type of the process performing this action. +## # interface(`fs_manage_tmpfs_block_devices',` gen_require(` @@ -1628,14 +1471,12 @@ interface(`fs_manage_tmpfs_block_devices',` ') ######################################## -## -## -## Mount all filesystems. -## -## -## The type of the domain mounting the filesystem. -## -## +## +## Mount all filesystems. +## +## +## The type of the domain mounting the filesystem. +## # interface(`fs_mount_all_fs',` gen_require(` @@ -1647,15 +1488,13 @@ interface(`fs_mount_all_fs',` ') ######################################## -## -## -## Remount all filesystems. This -## allows some mount options to be changed. -## -## -## The type of the domain mounting the filesystem. -## -## +## +## Remount all filesystems. This +## allows some mount options to be changed. +## +## +## The type of the domain mounting the filesystem. +## # interface(`fs_remount_all_fs',` gen_require(` @@ -1667,14 +1506,12 @@ interface(`fs_remount_all_fs',` ') ######################################## -## -## -## Unmount all filesystems. -## -## -## The type of the domain unmounting the filesystem. -## -## +## +## Unmount all filesystems. +## +## +## The type of the domain unmounting the filesystem. +## # interface(`fs_unmount_all_fs',` gen_require(` @@ -1686,16 +1523,14 @@ interface(`fs_unmount_all_fs',` ') ######################################## -## -## -## Get the attributes of all persistent -## filesystems. -## -## -## The type of the domain doing the -## getattr on the filesystem. -## -## +## +## Get the attributes of all persistent +## filesystems. +## +## +## The type of the domain doing the +## getattr on the filesystem. +## # interface(`fs_getattr_all_fs',` gen_require(` @@ -1707,15 +1542,13 @@ interface(`fs_getattr_all_fs',` ') ######################################## -## -## -## Do not audit attempts to get the attributes -## all filesystems. -## -## -## The type of the domain to not audit. -## -## +## +## Do not audit attempts to get the attributes +## all filesystems. +## +## +## The type of the domain to not audit. +## # interface(`fs_dontaudit_getattr_all_fs',` gen_require(` @@ -1727,14 +1560,12 @@ interface(`fs_dontaudit_getattr_all_fs',` ') ######################################## -## -## -## Get the quotas of all filesystems. -## -## -## The type of the domain getting quotas. -## -## +## +## Get the quotas of all filesystems. +## +## +## The type of the domain getting quotas. +## # interface(`fs_get_all_fs_quotas',` gen_require(` @@ -1746,14 +1577,12 @@ interface(`fs_get_all_fs_quotas',` ') ######################################## -## -## -## Set the quotas of all filesystems. -## -## -## The type of the domain setting quotas. -## -## +## +## Set the quotas of all filesystems. +## +## +## The type of the domain setting quotas. +## # interface(`fs_set_all_quotas',` gen_require(` @@ -1785,4 +1614,3 @@ interface(`fs_getattr_all_files',` allow $1 fs_type:sock_file getattr; ') -## diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if index 601a219..eb2d5e1 100644 --- a/refpolicy/policy/modules/kernel/kernel.if +++ b/refpolicy/policy/modules/kernel/kernel.if @@ -1,22 +1,19 @@ -## ## -## Policy for kernel threads, proc filesystem, -## and unlabeled processes and objects. +## Policy for kernel threads, proc filesystem, +## and unlabeled processes and objects. ## ######################################## -## -## -## Allows to start userland processes -## by transitioning to the specified domain. -## -## -## The process type entered by kernel. -## -## -## The executable type for the entrypoint. -## -## +## +## Allows to start userland processes +## by transitioning to the specified domain. +## +## +## The process type entered by kernel. +## +## +## The executable type for the entrypoint. +## # interface(`kernel_userland_entry',` gen_require(` @@ -35,15 +32,13 @@ interface(`kernel_userland_entry',` ') ######################################## -## -## -## Allows the kernel to mount filesystems on -## the specified directory type. -## -## -## The type of the directory to use as a mountpoint. -## -## +## +## Allows the kernel to mount filesystems on +## the specified directory type. +## +## +## The type of the directory to use as a mountpoint. +## # interface(`kernel_rootfs_mountpoint',` gen_require(` @@ -55,14 +50,12 @@ interface(`kernel_rootfs_mountpoint',` ') ######################################## -## -## -## Send a SIGCHLD signal to kernel threads. -## -## -## The type of the process sending the signal. -## -## +## +## Send a SIGCHLD signal to kernel threads. +## +## +## The type of the process sending the signal. +## # interface(`kernel_sigchld',` gen_require(` @@ -74,15 +67,13 @@ interface(`kernel_sigchld',` ') ######################################## -## -## -## Allows the kernel to share state information with -## the caller. -## -## -## The type of the process with which to share state information. -## -## +## +## Allows the kernel to share state information with +## the caller. +## +## +## The type of the process with which to share state information. +## # interface(`kernel_share_state',` gen_require(` @@ -94,14 +85,12 @@ interface(`kernel_share_state',` ') ######################################## -## -## -## Permits caller to use kernel file descriptors. -## -## -## The type of the process using the descriptors. -## -## +## +## Permits caller to use kernel file descriptors. +## +## +## The type of the process using the descriptors. +## # interface(`kernel_use_fd',` gen_require(` @@ -113,15 +102,13 @@ interface(`kernel_use_fd',` ') ######################################## -## -## -## Do not audit attempts to use -## kernel file descriptors. -## -## -## The type of process not to audit. -## -## +## +## Do not audit attempts to use +## kernel file descriptors. +## +## +## The type of process not to audit. +## # interface(`kernel_dontaudit_use_fd',` gen_require(` @@ -133,14 +120,12 @@ interface(`kernel_dontaudit_use_fd',` ') ######################################## -## -## -## Allows caller to load kernel modules -## -## -## The process type to allow to load kernel modules. -## -## +## +## Allows caller to load kernel modules +## +## +## The process type to allow to load kernel modules. +## # interface(`kernel_load_module',` gen_require(` @@ -153,14 +138,12 @@ interface(`kernel_load_module',` ') ######################################## -## -## -## Allows caller to read the ring buffer. -## -## -## The process type allowed to read the ring buffer. -## -## +## +## Allows caller to read the ring buffer. +## +## +## The process type allowed to read the ring buffer. +## # interface(`kernel_read_ring_buffer',` gen_require(` @@ -172,14 +155,12 @@ interface(`kernel_read_ring_buffer',` ') ######################################## -## -## -## Do not audit attempts to read the ring buffer. -## -## -## The domain to not audit. -## -## +## +## Do not audit attempts to read the ring buffer. +## +## +## The domain to not audit. +## # interface(`kernel_dontaudit_read_ring_buffer',` gen_require(` @@ -191,14 +172,12 @@ interface(`kernel_dontaudit_read_ring_buffer',` ') ######################################## -## -## -## -## -## -## -## -## +## +## +## +## +## +## # interface(`kernel_change_ring_buffer_level',` gen_require(` @@ -210,14 +189,12 @@ interface(`kernel_change_ring_buffer_level',` ') ######################################## -## -## -## Allows the caller to clear the ring buffer. -## -## -## The process type clearing the buffer. -## -## +## +## Allows the caller to clear the ring buffer. +## +## +## The process type clearing the buffer. +## # interface(`kernel_clear_ring_buffer',` gen_require(` @@ -229,14 +206,12 @@ interface(`kernel_clear_ring_buffer',` ') ######################################## -## -## -## Get information on all System V IPC objects. -## -## -## -## -## +## +## Get information on all System V IPC objects. +## +## +## +## # interface(`kernel_get_sysvipc_info',` gen_require(` @@ -248,14 +223,12 @@ interface(`kernel_get_sysvipc_info',` ') ######################################## -## -## -## Allows caller to read system state information. -## -## -## The process type reading the system state information. -## -## +## +## Allows caller to read system state information. +## +## +## The process type reading the system state information. +## # interface(`kernel_read_system_state',` gen_require(` @@ -271,15 +244,13 @@ interface(`kernel_read_system_state',` ') ######################################## -## -## -## Do not audit attempts by caller to -## read system state information. -## -## -## The process type not to audit. -## -## +## +## Do not audit attempts by caller to +## read system state information. +## +## +## The process type not to audit. +## # interface(`kernel_dontaudit_read_system_state',` gen_require(` @@ -291,14 +262,12 @@ interface(`kernel_dontaudit_read_system_state',` ') ####################################### -## -## -## Allow caller to read the state information for software raid. -## -## -## The process type reading software raid state. -## -## +## +## Allow caller to read the state information for software raid. +## +## +## The process type reading software raid state. +## # interface(`kernel_read_software_raid_state',` gen_require(` @@ -312,14 +281,12 @@ interface(`kernel_read_software_raid_state',` ') ######################################## -## -## -## Allows caller to get attribues of core kernel interface. -## -## -## The process type getting the attibutes. -## -## +## +## Allows caller to get attribues of core kernel interface. +## +## +## The process type getting the attibutes. +## # interface(`kernel_getattr_core',` gen_require(` @@ -333,15 +300,13 @@ interface(`kernel_getattr_core',` ') ######################################## -## -## -## Do not audit attempts to get the attributes of -## core kernel interfaces. -## -## -## The process type to not audit. -## -## +## +## Do not audit attempts to get the attributes of +## core kernel interfaces. +## +## +## The process type to not audit. +## # interface(`kernel_dontaudit_getattr_core',` gen_require(` @@ -353,15 +318,13 @@ interface(`kernel_dontaudit_getattr_core',` ') ######################################## -## -## -## Allow caller to read kernel messages -## using the /proc/kmsg interface. -## -## -## The process type reading the messages. -## -## +## +## Allow caller to read kernel messages +## using the /proc/kmsg interface. +## +## +## The process type reading the messages. +## # interface(`kernel_read_messages',` gen_require(` @@ -377,15 +340,13 @@ interface(`kernel_read_messages',` ') ######################################## -## -## -## Allow caller to get the attributes of kernel message -## interface (/proc/kmsg). -## -## -## The process type getting the attributes. -## -## +## +## Allow caller to get the attributes of kernel message +## interface (/proc/kmsg). +## +## +## The process type getting the attributes. +## # interface(`kernel_getattr_message_if',` gen_require(` @@ -399,15 +360,13 @@ interface(`kernel_getattr_message_if',` ') ######################################## -## -## -## Do not audit attempts by caller to get the attributes of kernel -## message interfaces. -## -## -## The process type not to audit. -## -## +## +## Do not audit attempts by caller to get the attributes of kernel +## message interfaces. +## +## +## The process type not to audit. +## # interface(`kernel_dontaudit_getattr_message_if',` gen_require(` @@ -419,14 +378,12 @@ interface(`kernel_dontaudit_getattr_message_if',` ') ######################################## -## -## -## Allow caller to read the network state information. -## -## -## The process type reading the state. -## -## +## +## Allow caller to read the network state information. +## +## +## The process type reading the state. +## ## # interface(`kernel_read_network_state',` @@ -442,14 +399,12 @@ interface(`kernel_read_network_state',` ') ######################################## -## -## -## Do not audit attempts by caller to search the sysctl directory. -## -## -## The process type not to audit. -## -## +## +## Do not audit attempts by caller to search the sysctl directory. +## +## +## The process type not to audit. +## ## # interface(`kernel_dontaudit_search_sysctl_dir',` @@ -462,14 +417,12 @@ interface(`kernel_dontaudit_search_sysctl_dir',` ') ######################################## -## -## -## Allow caller to read the device sysctls. -## -## -## The process type to allow to read the device sysctls. -## -## +## +## Allow caller to read the device sysctls. +## +## +## The process type to allow to read the device sysctls. +## # interface(`kernel_read_device_sysctl',` gen_require(` @@ -485,14 +438,12 @@ interface(`kernel_read_device_sysctl',` ') ######################################## -## -## -## Read and write device sysctls. -## -## -## The type of the process performing this action. -## -## +## +## Read and write device sysctls. +## +## +## The type of the process performing this action. +## # interface(`kernel_rw_device_sysctl',` gen_require(` @@ -507,14 +458,12 @@ interface(`kernel_rw_device_sysctl',` ') ######################################## -## -## -## Allow caller to read virtual memory sysctls. -## -## -## The type of the process performing this action. -## -## +## +## Allow caller to read virtual memory sysctls. +## +## +## The type of the process performing this action. +## ## # interface(`kernel_read_vm_sysctl',` @@ -530,14 +479,12 @@ interface(`kernel_read_vm_sysctl',` ') ######################################## -## -## -## Read and write virtual memory sysctls. -## -## -## The type of the process performing this action. -## -## +## +## Read and write virtual memory sysctls. +## +## +## The type of the process performing this action. +## # interface(`kernel_rw_vm_sysctl',` gen_require(` @@ -552,14 +499,12 @@ interface(`kernel_rw_vm_sysctl',` ') ######################################## -## -## -## Do not audit attempts by caller to search sysctl network directories. -## -## -## The process type not to audit. -## -## +## +## Do not audit attempts by caller to search sysctl network directories. +## +## +## The process type not to audit. +## # interface(`kernel_dontaudit_search_network_sysctl_dir',` gen_require(` @@ -571,14 +516,12 @@ interface(`kernel_dontaudit_search_network_sysctl_dir',` ') ######################################## -## -## -## Allow caller to read network sysctls. -## -## -## The type of the process performing this action. -## -## +## +## Allow caller to read network sysctls. +## +## +## The type of the process performing this action. +## ## # interface(`kernel_read_net_sysctl',` @@ -595,14 +538,12 @@ interface(`kernel_read_net_sysctl',` ') ######################################## -## -## -## Allow caller to modiry contents of sysctl network files. -## -## -## The type of the process performing this action. -## -## +## +## Allow caller to modiry contents of sysctl network files. +## +## +## The type of the process performing this action. +## # interface(`kernel_rw_net_sysctl',` gen_require(` @@ -618,15 +559,13 @@ interface(`kernel_rw_net_sysctl',` ') ######################################## -## -## -## Allow caller to read unix domain -## socket sysctls. -## -## -## The type of the process performing this action. -## -## +## +## Allow caller to read unix domain +## socket sysctls. +## +## +## The type of the process performing this action. +## # interface(`kernel_read_unix_sysctl',` gen_require(` @@ -642,15 +581,13 @@ interface(`kernel_read_unix_sysctl',` ') ######################################## -## -## -## Read and write unix domain -## socket sysctls. -## -## -## The type of the process performing this action. -## -## +## +## Read and write unix domain +## socket sysctls. +## +## +## The type of the process performing this action. +## # interface(`kernel_rw_unix_sysctl',` gen_require(` @@ -666,14 +603,12 @@ interface(`kernel_rw_unix_sysctl',` ') ######################################## -## -## -## Read the hotplug sysctl. -## -## -## The type of the process performing this action. -## -## +## +## Read the hotplug sysctl. +## +## +## The type of the process performing this action. +## # interface(`kernel_read_hotplug_sysctl',` gen_require(` @@ -689,14 +624,12 @@ interface(`kernel_read_hotplug_sysctl',` ') ######################################## -## -## -## Read and write the hotplug sysctl. -## -## -## The type of the process performing this action. -## -## +## +## Read and write the hotplug sysctl. +## +## +## The type of the process performing this action. +## # interface(`kernel_rw_hotplug_sysctl',` gen_require(` @@ -712,14 +645,12 @@ interface(`kernel_rw_hotplug_sysctl',` ') ######################################## -## -## -## Read the modprobe sysctl. -## -## -## The type of the process performing this action. -## -## +## +## Read the modprobe sysctl. +## +## +## The type of the process performing this action. +## # interface(`kernel_read_modprobe_sysctl',` gen_require(` @@ -735,14 +666,12 @@ interface(`kernel_read_modprobe_sysctl',` ') ######################################## -## -## -## Read and write the modprobe sysctl. -## -## -## The type of the process performing this action. -## -## +## +## Read and write the modprobe sysctl. +## +## +## The type of the process performing this action. +## # interface(`kernel_rw_modprobe_sysctl',` gen_require(` @@ -758,14 +687,12 @@ interface(`kernel_rw_modprobe_sysctl',` ') ######################################## -## -## -## Read generic kernel sysctls. -## -## -## The type of the process performing this action. -## -## +## +## Read generic kernel sysctls. +## +## +## The type of the process performing this action. +## # interface(`kernel_read_kernel_sysctl',` gen_require(` @@ -781,14 +708,12 @@ interface(`kernel_read_kernel_sysctl',` ') ######################################## -## -## -## Read and write generic kernel sysctls. -## -## -## The type of the process performing this action. -## -## +## +## Read and write generic kernel sysctls. +## +## +## The type of the process performing this action. +## # interface(`kernel_rw_kernel_sysctl',` gen_require(` @@ -804,14 +729,12 @@ interface(`kernel_rw_kernel_sysctl',` ') ######################################## -## -## -## Read filesystem sysctls. -## -## -## The type of the process performing this action. -## -## +## +## Read filesystem sysctls. +## +## +## The type of the process performing this action. +## # interface(`kernel_read_fs_sysctl',` gen_require(` @@ -827,14 +750,12 @@ interface(`kernel_read_fs_sysctl',` ') ######################################## -## -## -## Read and write fileystem sysctls. -## -## -## The type of the process performing this action. -## -## +## +## Read and write fileystem sysctls. +## +## +## The type of the process performing this action. +## # interface(`kernel_rw_fs_sysctl',` gen_require(` @@ -850,14 +771,12 @@ interface(`kernel_rw_fs_sysctl',` ') ######################################## -## -## -## Read IRQ sysctls. -## -## -## The type of the process performing this action. -## -## +## +## Read IRQ sysctls. +## +## +## The type of the process performing this action. +## # interface(`kernel_read_irq_sysctl',` gen_require(` @@ -872,14 +791,12 @@ interface(`kernel_read_irq_sysctl',` ') ######################################## -## -## -## Read and write IRQ sysctls. -## -## -## The type of the process performing this action. -## -## +## +## Read and write IRQ sysctls. +## +## +## The type of the process performing this action. +## ## # interface(`kernel_rw_irq_sysctl',` @@ -929,14 +846,12 @@ interface(`kernel_rw_rpc_sysctl',` ') ######################################## -## -## -## Allow caller to read all sysctls. -## -## -## The type of the process performing this action. -## -## +## +## Allow caller to read all sysctls. +## +## +## The type of the process performing this action. +## # interface(`kernel_read_all_sysctl',` kernel_read_device_sysctl($1) @@ -952,14 +867,12 @@ interface(`kernel_read_all_sysctl',` ') ######################################## -## -## -## Read and write all sysctls. -## -## -## The type of the process performing this action. -## -## +## +## Read and write all sysctls. +## +## +## The type of the process performing this action. +## # interface(`kernel_rw_all_sysctl',` kernel_rw_device_sysctl($1) @@ -975,14 +888,12 @@ interface(`kernel_rw_all_sysctl',` ') ######################################## -## -## -## Send a kill signal to unlabeled processes. -## -## -## The type of the process performing this action. -## -## +## +## Send a kill signal to unlabeled processes. +## +## +## The type of the process performing this action. +## # interface(`kernel_kill_unlabeled',` gen_require(` @@ -994,14 +905,12 @@ interface(`kernel_kill_unlabeled',` ') ######################################## -## -## -## Send general signals to unlabeled processes. -## -## -## The type of the process performing this action. -## -## +## +## Send general signals to unlabeled processes. +## +## +## The type of the process performing this action. +## # interface(`kernel_signal_unlabeled',` gen_require(` @@ -1013,14 +922,12 @@ interface(`kernel_signal_unlabeled',` ') ######################################## -## -## -## Send a null signal to unlabeled processes. -## -## -## The type of the process performing this action. -## -## +## +## Send a null signal to unlabeled processes. +## +## +## The type of the process performing this action. +## # interface(`kernel_signull_unlabeled',` gen_require(` @@ -1032,14 +939,12 @@ interface(`kernel_signull_unlabeled',` ') ######################################## -## -## -## Send a stop signal to unlabeled processes. -## -## -## The type of the process performing this action. -## -## +## +## Send a stop signal to unlabeled processes. +## +## +## The type of the process performing this action. +## # interface(`kernel_sigstop_unlabeled',` gen_require(` @@ -1051,14 +956,12 @@ interface(`kernel_sigstop_unlabeled',` ') ######################################## -## -## -## Send a child terminated signal to unlabeled processes. -## -## -## The type of the process performing this action. -## -## +## +## Send a child terminated signal to unlabeled processes. +## +## +## The type of the process performing this action. +## # interface(`kernel_sigchld_unlabeled',` gen_require(` @@ -1070,15 +973,13 @@ interface(`kernel_sigchld_unlabeled',` ') ######################################## -## -## -## Do not audit attempts by caller to get attributes for -## unlabeled block devices. -## -## -## The process type not to audit. -## -## +## +## Do not audit attempts by caller to get attributes for +## unlabeled block devices. +## +## +## The process type not to audit. +## # interface(`kernel_dontaudit_getattr_unlabeled_blk_dev',` gen_require(` @@ -1090,14 +991,12 @@ interface(`kernel_dontaudit_getattr_unlabeled_blk_dev',` ') ######################################## -## -## -## Allow caller to relabel unlabeled objects. -## -## -## The process type relabeling the objects. -## -## +## +## Allow caller to relabel unlabeled objects. +## +## +## The process type relabeling the objects. +## # interface(`kernel_relabel_unlabeled',` gen_require(` @@ -1114,4 +1013,3 @@ interface(`kernel_relabel_unlabeled',` allow $1 unlabeled_t:dir_file_class_set { getattr relabelfrom }; ') -## diff --git a/refpolicy/policy/modules/kernel/metadata.xml b/refpolicy/policy/modules/kernel/metadata.xml index 7cd7056..e69de29 100644 --- a/refpolicy/policy/modules/kernel/metadata.xml +++ b/refpolicy/policy/modules/kernel/metadata.xml @@ -1 +0,0 @@ - diff --git a/refpolicy/policy/modules/kernel/selinux.if b/refpolicy/policy/modules/kernel/selinux.if index 61592aa..f8a01cf 100644 --- a/refpolicy/policy/modules/kernel/selinux.if +++ b/refpolicy/policy/modules/kernel/selinux.if @@ -1,17 +1,14 @@ -## ## -## Policy for kernel security interface, in particular, selinuxfs. +## Policy for kernel security interface, in particular, selinuxfs. ## ######################################## -## -## -## Gets the caller the mountpoint of the selinuxfs filesystem. -## -## -## The process type requesting the selinuxfs mountpoint. -## -## +## +## Gets the caller the mountpoint of the selinuxfs filesystem. +## +## +## The process type requesting the selinuxfs mountpoint. +## # interface(`selinux_get_fs_mount',` # read /proc/filesystems to see if selinuxfs is supported @@ -20,15 +17,13 @@ interface(`selinux_get_fs_mount',` ') ######################################## -## -## -## Allows the caller to get the mode of policy enforcement -## (enforcing or permissive mode). -## -## -## The process type to allow to get the enforcing mode. -## -## +## +## Allows the caller to get the mode of policy enforcement +## (enforcing or permissive mode). +## +## +## The process type to allow to get the enforcing mode. +## # interface(`selinux_get_enforce_mode',` gen_require(` @@ -42,15 +37,13 @@ interface(`selinux_get_enforce_mode',` ') ######################################## -## -## -## Allow caller to set the mode of policy enforcement -## (enforcing or permissive mode). -## -## -## The process type to allow to set the enforcement mode. -## -## +## +## Allow caller to set the mode of policy enforcement +## (enforcing or permissive mode). +## +## +## The process type to allow to set the enforcement mode. +## # interface(`selinux_set_enforce_mode',` gen_require(` @@ -69,14 +62,12 @@ interface(`selinux_set_enforce_mode',` ') ######################################## -## -## -## Allow caller to load the policy into the kernel. -## -## -## The process type that will load the policy. -## -## +## +## Allow caller to load the policy into the kernel. +## +## +## The process type that will load the policy. +## # interface(`selinux_load_policy',` gen_require(` @@ -95,18 +86,16 @@ interface(`selinux_load_policy',` ') ######################################## -## -## -## Allow caller to set the state of Booleans to -## enable or disable conditional portions of the policy. -## -## -## The process type allowed to set the Boolean. -## -## -## The type of Booleans the caller is allowed to set. -## -## +## +## Allow caller to set the state of Booleans to +## enable or disable conditional portions of the policy. +## +## +## The process type allowed to set the Boolean. +## +## +## The type of Booleans the caller is allowed to set. +## # interface(`selinux_set_boolean',` gen_require(` @@ -130,14 +119,12 @@ interface(`selinux_set_boolean',` ') ######################################## -## -## -## Allow caller to set selinux security parameters. -## -## -## The process type to allow to set security parameters. -## -## +## +## Allow caller to set selinux security parameters. +## +## +## The process type to allow to set security parameters. +## # interface(`selinux_set_parameters',` gen_require(` @@ -156,14 +143,12 @@ interface(`selinux_set_parameters',` ') ######################################## -## -## -## Allows caller to validate security contexts. -## -## -## The process type permitted to validate contexts. -## -## +## +## Allows caller to validate security contexts. +## +## +## The process type permitted to validate contexts. +## # interface(`selinux_validate_context',` gen_require(` @@ -179,14 +164,12 @@ interface(`selinux_validate_context',` ') ######################################## -## -## -## Allows caller to compute an access vector. -## -## -## The process type allowed to compute an access vector. -## -## +## +## Allows caller to compute an access vector. +## +## +## The process type allowed to compute an access vector. +## # interface(`selinux_compute_access_vector',` gen_require(` @@ -202,14 +185,12 @@ interface(`selinux_compute_access_vector',` ') ######################################## -## -## -## -## -## -## -## -## +## +## +## +## +## +## # interface(`selinux_compute_create_context',` gen_require(` @@ -225,14 +206,12 @@ interface(`selinux_compute_create_context',` ') ######################################## -## -## -## -## -## -## The process type to -## -## +## +## +## +## +## The process type to +## # interface(`selinux_compute_relabel_context',` gen_require(` @@ -248,14 +227,12 @@ interface(`selinux_compute_relabel_context',` ') ######################################## -## -## -## Allows caller to compute possible contexts for a user. -## -## -## The process type allowed to compute user contexts. -## -## +## +## Allows caller to compute possible contexts for a user. +## +## +## The process type allowed to compute user contexts. +## # interface(`selinux_compute_user_contexts',` gen_require(` @@ -270,4 +247,3 @@ interface(`selinux_compute_user_contexts',` allow $1 security_t:security compute_user; ') -## diff --git a/refpolicy/policy/modules/kernel/storage.if b/refpolicy/policy/modules/kernel/storage.if index f4f9325..79fb67b 100644 --- a/refpolicy/policy/modules/kernel/storage.if +++ b/refpolicy/policy/modules/kernel/storage.if @@ -1,16 +1,13 @@ -## ## Policy controlling access to storage devices ######################################## -## -## -## Allow the caller to get the attributes of fixed disk -## device nodes. -## -## -## The type of the process performing this action. -## -## +## +## Allow the caller to get the attributes of fixed disk +## device nodes. +## +## +## The type of the process performing this action. +## # interface(`storage_getattr_fixed_disk',` gen_require(` @@ -23,15 +20,13 @@ interface(`storage_getattr_fixed_disk',` ') ######################################## -## -## -## Do not audit attempts made by the caller to get -## the attributes of fixed disk device nodes. -## -## -## The type of the process to not audit. -## -## +## +## Do not audit attempts made by the caller to get +## the attributes of fixed disk device nodes. +## +## +## The type of the process to not audit. +## # interface(`storage_dontaudit_getattr_fixed_disk',` gen_require(` @@ -43,15 +38,13 @@ interface(`storage_dontaudit_getattr_fixed_disk',` ') ######################################## -## -## -## Allow the caller to set the attributes of fixed disk -## device nodes. -## -## -## The type of the process performing this action. -## -## +## +## Allow the caller to set the attributes of fixed disk +## device nodes. +## +## +## The type of the process performing this action. +## # interface(`storage_setattr_fixed_disk',` gen_require(` @@ -64,15 +57,13 @@ interface(`storage_setattr_fixed_disk',` ') ######################################## -## -## -## Do not audit attempts made by the caller to set -## the attributes of fixed disk device nodes. -## -## -## The type of the process to not audit. -## -## +## +## Do not audit attempts made by the caller to set +## the attributes of fixed disk device nodes. +## +## +## The type of the process to not audit. +## # interface(`storage_dontaudit_setattr_fixed_disk',` gen_require(` @@ -84,17 +75,15 @@ interface(`storage_dontaudit_setattr_fixed_disk',` ') ######################################## -## -## -## Allow the caller to directly read from a fixed disk. -## This is extremly dangerous as it can bypass the -## SELinux protections for filesystem objects, and -## should only be used by trusted domains. -## -## -## The type of the process performing this action. -## -## +## +## Allow the caller to directly read from a fixed disk. +## This is extremly dangerous as it can bypass the +## SELinux protections for filesystem objects, and +## should only be used by trusted domains. +## +## +## The type of the process performing this action. +## # interface(`storage_raw_read_fixed_disk',` gen_require(` @@ -109,17 +98,15 @@ interface(`storage_raw_read_fixed_disk',` ') ######################################## -## -## -## Allow the caller to directly write to a fixed disk. -## This is extremly dangerous as it can bypass the -## SELinux protections for filesystem objects, and -## should only be used by trusted domains. -## -## -## The type of the process performing this action. -## -## +## +## Allow the caller to directly write to a fixed disk. +## This is extremly dangerous as it can bypass the +## SELinux protections for filesystem objects, and +## should only be used by trusted domains. +## +## +## The type of the process performing this action. +## # interface(`storage_raw_write_fixed_disk',` gen_require(` @@ -134,14 +121,12 @@ interface(`storage_raw_write_fixed_disk',` ') ######################################## -## -## -## Create block devices in /dev with the fixed disk type. -## -## -## The type of the process performing this action. -## -## +## +## Create block devices in /dev with the fixed disk type. +## +## +## The type of the process performing this action. +## # interface(`storage_create_fixed_disk_dev_entry',` gen_require(` @@ -156,14 +141,12 @@ interface(`storage_create_fixed_disk_dev_entry',` ') ######################################## -## -## -## Create, read, write, and delete fixed disk device nodes. -## -## -## The type of the process performing this action. -## -## +## +## Create, read, write, and delete fixed disk device nodes. +## +## +## The type of the process performing this action. +## # interface(`storage_manage_fixed_disk',` gen_require(` @@ -178,17 +161,15 @@ interface(`storage_manage_fixed_disk',` ') ######################################## -## -## -## Allow the caller to directly read from a logical volume. -## This is extremly dangerous as it can bypass the -## SELinux protections for filesystem objects, and -## should only be used by trusted domains. -## -## -## The type of the process performing this action. -## -## +## +## Allow the caller to directly read from a logical volume. +## This is extremly dangerous as it can bypass the +## SELinux protections for filesystem objects, and +## should only be used by trusted domains. +## +## +## The type of the process performing this action. +## # interface(`storage_raw_read_lvm_volume',` gen_require(` @@ -203,17 +184,15 @@ interface(`storage_raw_read_lvm_volume',` ') ######################################## -## -## -## Allow the caller to directly read from a logical volume. -## This is extremly dangerous as it can bypass the -## SELinux protections for filesystem objects, and -## should only be used by trusted domains. -## -## -## The type of the process performing this action. -## -## +## +## Allow the caller to directly read from a logical volume. +## This is extremly dangerous as it can bypass the +## SELinux protections for filesystem objects, and +## should only be used by trusted domains. +## +## +## The type of the process performing this action. +## # interface(`storage_raw_write_lvm_volume',` gen_require(` @@ -228,15 +207,13 @@ interface(`storage_raw_write_lvm_volume',` ') ######################################## -## -## -## Allow the caller to get the attributes of -## the generic SCSI interface device nodes. -## -## -## The type of the process performing this action. -## -## +## +## Allow the caller to get the attributes of +## the generic SCSI interface device nodes. +## +## +## The type of the process performing this action. +## # interface(`storage_getattr_scsi_generic',` gen_require(` @@ -249,15 +226,13 @@ interface(`storage_getattr_scsi_generic',` ') ######################################## -## -## -## Allow the caller to set the attributes of -## the generic SCSI interface device nodes. -## -## -## The type of the process performing this action. -## -## +## +## Allow the caller to set the attributes of +## the generic SCSI interface device nodes. +## +## +## The type of the process performing this action. +## # interface(`storage_setattr_scsi_generic',` gen_require(` @@ -270,18 +245,16 @@ interface(`storage_setattr_scsi_generic',` ') ######################################## -## -## -## Allow the caller to directly read, in a -## generic fashion, from any SCSI device. -## This is extremly dangerous as it can bypass the -## SELinux protections for filesystem objects, and -## should only be used by trusted domains. -## -## -## The type of the process performing this action. -## -## +## +## Allow the caller to directly read, in a +## generic fashion, from any SCSI device. +## This is extremly dangerous as it can bypass the +## SELinux protections for filesystem objects, and +## should only be used by trusted domains. +## +## +## The type of the process performing this action. +## # interface(`storage_read_scsi_generic',` gen_require(` @@ -296,18 +269,16 @@ interface(`storage_read_scsi_generic',` ') ######################################## -## -## -## Allow the caller to directly write, in a -## generic fashion, from any SCSI device. -## This is extremly dangerous as it can bypass the -## SELinux protections for filesystem objects, and -## should only be used by trusted domains. -## -## -## The type of the process performing this action. -## -## +## +## Allow the caller to directly write, in a +## generic fashion, from any SCSI device. +## This is extremly dangerous as it can bypass the +## SELinux protections for filesystem objects, and +## should only be used by trusted domains. +## +## +## The type of the process performing this action. +## # interface(`storage_write_scsi_generic',` gen_require(` @@ -322,15 +293,13 @@ interface(`storage_write_scsi_generic',` ') ######################################## -## -## -## Get attributes of the device nodes -## for the SCSI generic inerface. -## -## -## The type of the process performing this action. -## -## +## +## Get attributes of the device nodes +## for the SCSI generic inerface. +## +## +## The type of the process performing this action. +## # interface(`storage_getattr_scsi_generic',` gen_require(` @@ -343,15 +312,13 @@ interface(`storage_getattr_scsi_generic',` ') ######################################## -## -## -## Set attributes of the device nodes -## for the SCSI generic inerface. -## -## -## The type of the process performing this action. -## -## +## +## Set attributes of the device nodes +## for the SCSI generic inerface. +## +## +## The type of the process performing this action. +## # interface(`storage_set_scsi_generic_attributes',` gen_require(` @@ -364,15 +331,13 @@ interface(`storage_set_scsi_generic_attributes',` ') ######################################## -## -## -## Allow the caller to get the attributes of removable -## devices device nodes. -## -## -## The type of the process performing this action. -## -## +## +## Allow the caller to get the attributes of removable +## devices device nodes. +## +## +## The type of the process performing this action. +## # interface(`storage_getattr_removable_device',` gen_require(` @@ -385,15 +350,13 @@ interface(`storage_getattr_removable_device',` ') ######################################## -## -## -## Do not audit attempts made by the caller to get -## the attributes of removable devices device nodes. -## -## -## The type of the process to not audit. -## -## +## +## Do not audit attempts made by the caller to get +## the attributes of removable devices device nodes. +## +## +## The type of the process to not audit. +## # interface(`storage_dontaudit_getattr_removable_device',` gen_require(` @@ -405,15 +368,13 @@ interface(`storage_dontaudit_getattr_removable_device',` ') ######################################## -## -## -## Allow the caller to set the attributes of removable -## devices device nodes. -## -## -## The type of the process performing this action. -## -## +## +## Allow the caller to set the attributes of removable +## devices device nodes. +## +## +## The type of the process performing this action. +## # interface(`storage_setattr_removable_device',` gen_require(` @@ -426,15 +387,13 @@ interface(`storage_setattr_removable_device',` ') ######################################## -## -## -## Do not audit attempts made by the caller to set -## the attributes of removable devices device nodes. -## -## -## The type of the process to not audit. -## -## +## +## Do not audit attempts made by the caller to set +## the attributes of removable devices device nodes. +## +## +## The type of the process to not audit. +## # interface(`storage_dontaudit_setattr_removable_device',` gen_require(` @@ -446,18 +405,16 @@ interface(`storage_dontaudit_setattr_removable_device',` ') ######################################## -## -## -## Allow the caller to directly read from -## a removable device. -## This is extremly dangerous as it can bypass the -## SELinux protections for filesystem objects, and -## should only be used by trusted domains. -## -## -## The type of the process performing this action. -## -## +## +## Allow the caller to directly read from +## a removable device. +## This is extremly dangerous as it can bypass the +## SELinux protections for filesystem objects, and +## should only be used by trusted domains. +## +## +## The type of the process performing this action. +## # interface(`storage_raw_read_removable_device',` gen_require(` @@ -470,18 +427,16 @@ interface(`storage_raw_read_removable_device',` ') ######################################## -## -## -## Allow the caller to directly write to -## a removable device. -## This is extremly dangerous as it can bypass the -## SELinux protections for filesystem objects, and -## should only be used by trusted domains. -## -## -## The type of the process performing this action. -## -## +## +## Allow the caller to directly write to +## a removable device. +## This is extremly dangerous as it can bypass the +## SELinux protections for filesystem objects, and +## should only be used by trusted domains. +## +## +## The type of the process performing this action. +## # interface(`storage_raw_write_removable_device',` gen_require(` @@ -494,15 +449,13 @@ interface(`storage_raw_write_removable_device',` ') ######################################## -## -## -## Allow the caller to directly read -## a tape device. -## -## -## The type of the process performing this action. -## -## +## +## Allow the caller to directly read +## a tape device. +## +## +## The type of the process performing this action. +## # interface(`storage_read_tape_device',` gen_require(` @@ -515,15 +468,13 @@ interface(`storage_read_tape_device',` ') ######################################## -## -## -## Allow the caller to directly read -## a tape device. -## -## -## The type of the process performing this action. -## -## +## +## Allow the caller to directly read +## a tape device. +## +## +## The type of the process performing this action. +## # interface(`storage_write_tape_device',` gen_require(` @@ -536,15 +487,13 @@ interface(`storage_write_tape_device',` ') ######################################## -## -## -## Allow the caller to get the attributes -## of device nodes of tape devices. -## -## -## The type of the process performing this action. -## -## +## +## Allow the caller to get the attributes +## of device nodes of tape devices. +## +## +## The type of the process performing this action. +## # interface(`storage_getattr_tape_device',` gen_require(` @@ -557,15 +506,13 @@ interface(`storage_getattr_tape_device',` ') ######################################## -## -## -## Allow the caller to set the attributes -## of device nodes of tape devices. -## -## -## The type of the process performing this action. -## -## +## +## Allow the caller to set the attributes +## of device nodes of tape devices. +## +## +## The type of the process performing this action. +## # interface(`storage_setattr_tape_device',` gen_require(` @@ -577,4 +524,3 @@ interface(`storage_setattr_tape_device',` allow $1 tape_device_t:blk_file setattr; ') -## diff --git a/refpolicy/policy/modules/kernel/terminal.if b/refpolicy/policy/modules/kernel/terminal.if index 4fbefc2..0ef21f1 100644 --- a/refpolicy/policy/modules/kernel/terminal.if +++ b/refpolicy/policy/modules/kernel/terminal.if @@ -1,15 +1,12 @@ -## ## Policy for terminals. ######################################## -## -## -## Transform specified type into a pty type. -## -## -## An object type that will applied to a pty. -## -## +## +## Transform specified type into a pty type. +## +## +## An object type that will applied to a pty. +## # interface(`term_pty',` gen_require(` @@ -23,20 +20,18 @@ interface(`term_pty',` ') ######################################## -## -## -## Transform specified type into an user -## pty type. This allows it to be relabeled via -## type change by login programs such as ssh. -## -## -## The type of the user domain associated with -## this pty. -## -## -## An object type that will applied to a pty. -## -## +## +## Transform specified type into an user +## pty type. This allows it to be relabeled via +## type change by login programs such as ssh. +## +## +## The type of the user domain associated with +## this pty. +## +## +## An object type that will applied to a pty. +## # interface(`term_user_pty',` gen_require(` @@ -48,15 +43,13 @@ interface(`term_user_pty',` ') ######################################## -## -## -## Transform specified type into a pty type -## used by login programs, such as sshd. -## -## -## An object type that will applied to a pty. -## -## +## +## Transform specified type into a pty type +## used by login programs, such as sshd. +## +## +## An object type that will applied to a pty. +## # interface(`term_login_pty',` gen_require(` @@ -68,14 +61,12 @@ interface(`term_login_pty',` ') ######################################## -## -## -## Transform specified type into a tty type. -## -## -## An object type that will applied to a tty. -## -## +## +## Transform specified type into a tty type. +## +## +## An object type that will applied to a tty. +## # interface(`term_tty',` gen_require(` @@ -98,17 +89,15 @@ interface(`term_tty',` ') ######################################## -## -## -## Create a pty in the /dev/pts directory. -## -## -## The type of the process creating the pty. -## -## -## The type of the pty. -## -## +## +## Create a pty in the /dev/pts directory. +## +## +## The type of the process creating the pty. +## +## +## The type of the pty. +## # interface(`term_create_pty',` gen_require(` @@ -128,15 +117,13 @@ interface(`term_create_pty',` ') ######################################## -## -## -## Read and write the console, all -## ttys and all ptys. -## -## -## The type of the process performing this action. -## -## +## +## Read and write the console, all +## ttys and all ptys. +## +## +## The type of the process performing this action. +## # interface(`term_use_all_terms',` gen_require(` @@ -152,14 +139,12 @@ interface(`term_use_all_terms',` ') ######################################## -## -## -## Write to the console. -## -## -## The type of the process performing this action. -## -## +## +## Write to the console. +## +## +## The type of the process performing this action. +## # interface(`term_write_console',` gen_require(` @@ -172,14 +157,12 @@ interface(`term_write_console',` ') ######################################## -## -## -## Read from and write to the console. -## -## -## The type of the process performing this action. -## -## +## +## Read from and write to the console. +## +## +## The type of the process performing this action. +## # interface(`term_use_console',` gen_require(` @@ -192,15 +175,13 @@ interface(`term_use_console',` ') ######################################## -## -## -## Do not audit attemtps to read from -## or write to the console. -## -## -## The type of the process performing this action. -## -## +## +## Do not audit attemtps to read from +## or write to the console. +## +## +## The type of the process performing this action. +## # interface(`term_dontaudit_use_console',` gen_require(` @@ -212,15 +193,13 @@ interface(`term_dontaudit_use_console',` ') ######################################## -## -## -## Set the attributes of the console -## device node. -## -## -## The type of the process performing this action. -## -## +## +## Set the attributes of the console +## device node. +## +## +## The type of the process performing this action. +## # interface(`term_setattr_console',` gen_require(` @@ -233,15 +212,13 @@ interface(`term_setattr_console',` ') ######################################## -## -## -## Read the /dev/pts directory to -## list all ptys. -## -## -## The type of the process performing this action. -## -## +## +## Read the /dev/pts directory to +## list all ptys. +## +## +## The type of the process performing this action. +## # interface(`term_list_ptys',` gen_require(` @@ -254,15 +231,13 @@ interface(`term_list_ptys',` ') ######################################## -## -## -## Do not audit attempts to read the -## /dev/pts directory to. -## -## -## The type of the process to not audit. -## -## +## +## Do not audit attempts to read the +## /dev/pts directory to. +## +## +## The type of the process to not audit. +## # interface(`term_dontaudit_list_ptys',` gen_require(` @@ -274,16 +249,14 @@ interface(`term_dontaudit_list_ptys',` ') ######################################## -## -## -## Read and write the generic pty -## type. This is generally only used in -## the targeted policy. -## -## -## The type of the process performing this action. -## -## +## +## Read and write the generic pty +## type. This is generally only used in +## the targeted policy. +## +## +## The type of the process performing this action. +## # interface(`term_use_generic_pty',` gen_require(` @@ -296,16 +269,14 @@ interface(`term_use_generic_pty',` ') ######################################## -## -## -## Dot not audit attempts to read and -## write the generic pty type. This is -## generally only used in the targeted policy. -## -## -## The type of the process to not audit. -## -## +## +## Dot not audit attempts to read and +## write the generic pty type. This is +## generally only used in the targeted policy. +## +## +## The type of the process to not audit. +## # interface(`term_dontaudit_use_generic_pty',` gen_require(` @@ -317,15 +288,13 @@ interface(`term_dontaudit_use_generic_pty',` ') ######################################## -## -## -## Read and write the controlling -## terminal (/dev/tty). -## -## -## The type of the process performing this action. -## -## +## +## Read and write the controlling +## terminal (/dev/tty). +## +## +## The type of the process performing this action. +## # interface(`term_use_controlling_term',` gen_require(` @@ -338,15 +307,13 @@ interface(`term_use_controlling_term',` ') ######################################## -## -## -## Do not audit attempts to read and -## write the pty multiplexor (/dev/ptmx). -## -## -## The type of the process to not audit. -## -## +## +## Do not audit attempts to read and +## write the pty multiplexor (/dev/ptmx). +## +## +## The type of the process to not audit. +## # interface(`term_dontaudit_use_ptmx',` gen_require(` @@ -358,15 +325,13 @@ interface(`term_dontaudit_use_ptmx',` ') ######################################## -## -## -## Get the attributes of all user -## pty device nodes. -## -## -## The type of the process performing this action. -## -## +## +## Get the attributes of all user +## pty device nodes. +## +## +## The type of the process performing this action. +## # interface(`term_getattr_all_user_ptys',` gen_require(` @@ -381,14 +346,12 @@ interface(`term_getattr_all_user_ptys',` ') ######################################## -## -## -## Read and write all user ptys. -## -## -## The type of the process performing this action. -## -## +## +## Read and write all user ptys. +## +## +## The type of the process performing this action. +## # interface(`term_use_all_user_ptys',` gen_require(` @@ -403,15 +366,13 @@ interface(`term_use_all_user_ptys',` ') ######################################## -## -## -## Do not audit attempts to read any -## user ptys. -## -## -## The type of the process to not audit. -## -## +## +## Do not audit attempts to read any +## user ptys. +## +## +## The type of the process to not audit. +## # interface(`term_dontaudit_use_all_user_ptys',` gen_require(` @@ -423,15 +384,13 @@ interface(`term_dontaudit_use_all_user_ptys',` ') ######################################## -## -## -## Relabel from and to all user -## user pty device nodes. -## -## -## The type of the process performing this action. -## -## +## +## Relabel from and to all user +## user pty device nodes. +## +## +## The type of the process performing this action. +## # interface(`term_relabel_all_user_ptys',` gen_require(` @@ -444,15 +403,13 @@ interface(`term_relabel_all_user_ptys',` ') ######################################## -## -## -## Get the attributes of all unallocated -## tty device nodes. -## -## -## The type of the process performing this action. -## -## +## +## Get the attributes of all unallocated +## tty device nodes. +## +## +## The type of the process performing this action. +## # interface(`term_getattr_unallocated_ttys',` gen_require(` @@ -465,15 +422,13 @@ interface(`term_getattr_unallocated_ttys',` ') ######################################## -## -## -## Set the attributes of all unallocated -## tty device nodes. -## -## -## The type of the process performing this action. -## -## +## +## Set the attributes of all unallocated +## tty device nodes. +## +## +## The type of the process performing this action. +## # interface(`term_setattr_unallocated_ttys',` gen_require(` @@ -486,15 +441,13 @@ interface(`term_setattr_unallocated_ttys',` ') ######################################## -## -## -## Relabel from and to the unallocated -## tty type. -## -## -## The type of the process performing this action. -## -## +## +## Relabel from and to the unallocated +## tty type. +## +## +## The type of the process performing this action. +## # interface(`term_relabel_unallocated_ttys',` gen_require(` @@ -507,15 +460,13 @@ interface(`term_relabel_unallocated_ttys',` ') ######################################## -## -## -## Relabel from all user tty types to -## the unallocated tty type. -## -## -## The type of the process performing this action. -## -## +## +## Relabel from all user tty types to +## the unallocated tty type. +## +## +## The type of the process performing this action. +## # interface(`term_reset_tty_labels',` gen_require(` @@ -530,14 +481,12 @@ interface(`term_reset_tty_labels',` ') ######################################## -## -## -## Write to unallocated ttys. -## -## -## The type of the process performing this action. -## -## +## +## Write to unallocated ttys. +## +## +## The type of the process performing this action. +## # interface(`term_write_unallocated_ttys',` gen_require(` @@ -550,14 +499,12 @@ interface(`term_write_unallocated_ttys',` ') ######################################## -## -## -## Read and write unallocated ttys. -## -## -## The type of the process performing this action. -## -## +## +## Read and write unallocated ttys. +## +## +## The type of the process performing this action. +## # interface(`term_use_unallocated_tty',` gen_require(` @@ -570,15 +517,13 @@ interface(`term_use_unallocated_tty',` ') ######################################## -## -## -## Do not audit attempts to read or -## write unallocated ttys. -## -## -## The type of the process to not audit. -## -## +## +## Do not audit attempts to read or +## write unallocated ttys. +## +## +## The type of the process to not audit. +## # interface(`term_dontaudit_use_unallocated_tty',` gen_require(` @@ -590,15 +535,13 @@ interface(`term_dontaudit_use_unallocated_tty',` ') ######################################## -## -## -## Get the attributes of all user tty -## device nodes. -## -## -## The type of the process performing this action. -## -## +## +## Get the attributes of all user tty +## device nodes. +## +## +## The type of the process performing this action. +## # interface(`term_getattr_all_user_ttys',` gen_require(` @@ -611,16 +554,14 @@ interface(`term_getattr_all_user_ttys',` ') ######################################## -## -## -## Do not audit attempts to get the -## attributes of any user tty -## device nodes. -## -## -## The type of the process performing this action. -## -## +## +## Do not audit attempts to get the +## attributes of any user tty +## device nodes. +## +## +## The type of the process performing this action. +## # interface(`term_dontaudit_getattr_all_user_ttys',` gen_require(` @@ -633,15 +574,13 @@ interface(`term_dontaudit_getattr_all_user_ttys',` ') ######################################## -## -## -## Set the attributes of all user tty -## device nodes. -## -## -## The type of the process performing this action. -## -## +## +## Set the attributes of all user tty +## device nodes. +## +## +## The type of the process performing this action. +## # interface(`term_setattr_all_user_ttys',` gen_require(` @@ -654,15 +593,13 @@ interface(`term_setattr_all_user_ttys',` ') ######################################## -## -## -## Relabel from and to all user -## user tty device nodes. -## -## -## The type of the process performing this action. -## -## +## +## Relabel from and to all user +## user tty device nodes. +## +## +## The type of the process performing this action. +## # interface(`term_relabel_all_user_ttys',` gen_require(` @@ -675,14 +612,12 @@ interface(`term_relabel_all_user_ttys',` ') ######################################## -## -## -## Write to all user ttys. -## -## -## The type of the process performing this action. -## -## +## +## Write to all user ttys. +## +## +## The type of the process performing this action. +## # interface(`term_write_all_user_ttys',` gen_require(` @@ -695,14 +630,12 @@ interface(`term_write_all_user_ttys',` ') ######################################## -## -## -## Read and write all user to all user ttys. -## -## -## The type of the process performing this action. -## -## +## +## Read and write all user to all user ttys. +## +## +## The type of the process performing this action. +## # interface(`term_use_all_user_ttys',` gen_require(` @@ -715,15 +648,13 @@ interface(`term_use_all_user_ttys',` ') ######################################## -## -## -## Do not audit attempts to read or write -## any user ttys. -## -## -## The type of the process performing this action. -## -## +## +## Do not audit attempts to read or write +## any user ttys. +## +## +## The type of the process performing this action. +## # interface(`term_dontaudit_use_all_user_ttys',` gen_require(` @@ -734,4 +665,3 @@ interface(`term_dontaudit_use_all_user_ttys',` dontaudit $1 ttynode:chr_file { read write }; ') -## diff --git a/refpolicy/policy/modules/services/metadata.xml b/refpolicy/policy/modules/services/metadata.xml index a6814b8..e69de29 100644 --- a/refpolicy/policy/modules/services/metadata.xml +++ b/refpolicy/policy/modules/services/metadata.xml @@ -1 +0,0 @@ - diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if index a48d3f4..7dd5c68 100644 --- a/refpolicy/policy/modules/services/mta.if +++ b/refpolicy/policy/modules/services/mta.if @@ -1,4 +1,3 @@ -## ## Policy common to all email tranfer agents. ####################################### @@ -194,14 +193,12 @@ interface(`mta_exec',` ') ######################################## -## -## -## Read mail address aliases. -## -## -## The type of the process performing this action. -## -## +## +## Read mail address aliases. +## +## +## The type of the process performing this action. +## # interface(`mta_read_aliases',` gen_require(` @@ -293,4 +290,3 @@ interface(`mta_manage_queue',` allow $1 mqueue_spool_t:file create_file_perms; ') -## diff --git a/refpolicy/policy/modules/services/remotelogin.if b/refpolicy/policy/modules/services/remotelogin.if index 064d244..d25467a 100644 --- a/refpolicy/policy/modules/services/remotelogin.if +++ b/refpolicy/policy/modules/services/remotelogin.if @@ -1,15 +1,12 @@ -## ## Policy for rshd, rlogind, and telnetd. ######################################## -## -## -## Domain transition to the remote login domain. -## -## -## The type of the process performing this action. -## -## +## +## Domain transition to the remote login domain. +## +## +## The type of the process performing this action. +## # interface(`remotelogin_domtrans',` gen_require(` @@ -19,4 +16,3 @@ interface(`remotelogin_domtrans',` auth_domtrans_login_program($1,remote_login_t) ') -## diff --git a/refpolicy/policy/modules/services/sendmail.if b/refpolicy/policy/modules/services/sendmail.if index 6a3d98d..8923bb3 100644 --- a/refpolicy/policy/modules/services/sendmail.if +++ b/refpolicy/policy/modules/services/sendmail.if @@ -1,15 +1,12 @@ -## ## Policy for sendmail. ######################################## -## -## -## Domain transition to sendmail. -## -## -## The type of the process performing this action. -## -## +## +## Domain transition to sendmail. +## +## +## The type of the process performing this action. +## # interface(`sendmail_domtrans',` gen_require(` @@ -29,4 +26,3 @@ interface(`sendmail_domtrans',` allow sendmail_t $1:process sigchld; ') -## diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if index 567032a..573068f 100644 --- a/refpolicy/policy/modules/system/authlogin.if +++ b/refpolicy/policy/modules/system/authlogin.if @@ -1,4 +1,3 @@ -## ## Common policy for authentication and user login. ####################################### @@ -89,14 +88,12 @@ interface(`authlogin_per_userdomain_template',` ') dnl end authlogin_per_userdomain_template ######################################## -## -## -## Use the login program as an entry point program. -## -## -## The type of process using the login program as entry point. -## -## +## +## Use the login program as an entry point program. +## +## +## The type of process using the login program as entry point. +## # interface(`auth_login_entry_type',` gen_require(` @@ -107,17 +104,15 @@ interface(`auth_login_entry_type',` ') ######################################## -## -## -## Execute a login_program in the target domain. -## -## -## The type of the process performing this action. -## -## -## The type of the login_program process. -## -## +## +## Execute a login_program in the target domain. +## +## +## The type of the process performing this action. +## +## +## The type of the login_program process. +## # interface(`auth_domtrans_login_program',` gen_require(` @@ -137,14 +132,12 @@ interface(`auth_domtrans_login_program',` ') ######################################## -## -## -## Run unix_chkpwd to check a password. -## -## -## The type of the process performing this action. -## -## +## +## Run unix_chkpwd to check a password. +## +## +## The type of the process performing this action. +## # interface(`auth_domtrans_chk_passwd',` gen_require(` @@ -181,14 +174,12 @@ interface(`auth_domtrans_chk_passwd',` ') ######################################## -## -## -## -## -## -## The type of the process performing this action. -## -## +## +## +## +## +## The type of the process performing this action. +## # interface(`auth_dontaudit_getattr_shadow',` gen_require(` @@ -200,14 +191,12 @@ interface(`auth_dontaudit_getattr_shadow',` ') ######################################## -## -## -## Read the shadow passwords file (/etc/shadow) -## -## -## The type of the process performing this action. -## -## +## +## Read the shadow passwords file (/etc/shadow) +## +## +## The type of the process performing this action. +## # interface(`auth_read_shadow',` gen_require(` @@ -222,15 +211,13 @@ interface(`auth_read_shadow',` ') ######################################## -## -## -## Do not audit attempts to read the shadow -## password file (/etc/shadow). -## -## -## The type of the domain to not audit. -## -## +## +## Do not audit attempts to read the shadow +## password file (/etc/shadow). +## +## +## The type of the domain to not audit. +## # interface(`auth_dontaudit_read_shadow',` gen_require(` @@ -242,14 +229,12 @@ interface(`auth_dontaudit_read_shadow',` ') ######################################## -## -## -## Read and write the shadow password file (/etc/shadow). -## -## -## The type of the process performing this action. -## -## +## +## Read and write the shadow password file (/etc/shadow). +## +## +## The type of the process performing this action. +## # interface(`auth_rw_shadow',` gen_require(` @@ -325,14 +310,12 @@ interface(`auth_rw_lastlog',` ') ######################################## -## -## -## Execute pam programs in the pam domain. -## -## -## The type of the process performing this action. -## -## +## +## Execute pam programs in the pam domain. +## +## +## The type of the process performing this action. +## # interface(`auth_domtrans_pam',` gen_require(` @@ -351,20 +334,18 @@ interface(`auth_domtrans_pam',` ') ######################################## -## -## -## Execute pam programs in the PAM domain. -## -## -## The type of the process performing this action. -## -## -## The role to allow the PAM domain. -## -## -## The type of the terminal allow the PAM domain to use. -## -## +## +## Execute pam programs in the PAM domain. +## +## +## The type of the process performing this action. +## +## +## The role to allow the PAM domain. +## +## +## The type of the terminal allow the PAM domain to use. +## # interface(`auth_run_pam',` gen_require(` @@ -378,14 +359,12 @@ interface(`auth_run_pam',` ') ######################################## -## -## -## Execute the pam program. -## -## -## The type of the process performing this action. -## -## +## +## Execute the pam program. +## +## +## The type of the process performing this action. +## # interface(`auth_exec_pam',` gen_require(` @@ -413,14 +392,12 @@ interface(`auth_read_pam_pid',` ') ######################################## -## -## -## Delete pam PID files. -## -## -## The type of the process performing this action. -## -## +## +## Delete pam PID files. +## +## +## The type of the process performing this action. +## # interface(`auth_delete_pam_pid',` gen_require(` @@ -507,19 +484,17 @@ interface(`auth_manage_pam_console_data',` ') ######################################## -## -## -## Relabel all files on the filesystem, except -## the shadow passwords and listed exceptions. -## -## -## The type of the domain perfoming this action. -## -## -## The types to be excluded. Each type or attribute -## must be negated by the caller. -## -## +## +## Relabel all files on the filesystem, except +## the shadow passwords and listed exceptions. +## +## +## The type of the domain perfoming this action. +## +## +## The types to be excluded. Each type or attribute +## must be negated by the caller. +## # interface(`auth_relabel_all_files_except_shadow',` @@ -531,19 +506,17 @@ interface(`auth_relabel_all_files_except_shadow',` ') ######################################## -## -## -## Manage all files on the filesystem, except -## the shadow passwords and listed exceptions. -## -## -## The type of the domain perfoming this action. -## -## -## The types to be excluded. Each type or attribute -## must be negated by the caller. -## -## +## +## Manage all files on the filesystem, except +## the shadow passwords and listed exceptions. +## +## +## The type of the domain perfoming this action. +## +## +## The types to be excluded. Each type or attribute +## must be negated by the caller. +## # interface(`auth_manage_all_files_except_shadow',` @@ -555,14 +528,12 @@ interface(`auth_manage_all_files_except_shadow',` ') ######################################## -## -## -## Execute utempter programs in the utempter domain. -## -## -## The type of the process performing this action. -## -## +## +## Execute utempter programs in the utempter domain. +## +## +## The type of the process performing this action. +## # interface(`auth_domtrans_utempter',` gen_require(` @@ -581,20 +552,18 @@ interface(`auth_domtrans_utempter',` ') ######################################## -## -## -## Execute utempter programs in the utempter domain. -## -## -## The type of the process performing this action. -## -## -## The role to allow the utempter domain. -## -## -## The type of the terminal allow the utempter domain to use. -## -## +## +## Execute utempter programs in the utempter domain. +## +## +## The type of the process performing this action. +## +## +## The role to allow the utempter domain. +## +## +## The type of the terminal allow the utempter domain to use. +## # interface(`auth_run_utempter',` gen_require(` @@ -648,4 +617,3 @@ interface(`auth_rw_login_records',` logging_search_logs($1) ') -## diff --git a/refpolicy/policy/modules/system/clock.if b/refpolicy/policy/modules/system/clock.if index 3e9f853..cb254ac 100644 --- a/refpolicy/policy/modules/system/clock.if +++ b/refpolicy/policy/modules/system/clock.if @@ -1,15 +1,12 @@ -## ## Policy for reading and setting the hardware clock. ######################################## -## -## -## Execute hwclock in the clock domain. -## -## -## The type of the process performing this action. -## -## +## +## Execute hwclock in the clock domain. +## +## +## The type of the process performing this action. +## # interface(`clock_domtrans',` gen_require(` @@ -27,21 +24,19 @@ interface(`clock_domtrans',` ') ######################################## -## -## -## Execute hwclock in the clock domain, and -## allow the specified role the hwclock domain. -## -## -## The type of the process performing this action. -## -## -## The role to be allowed the clock domain. -## -## -## The type of the terminal allow the clock domain to use. -## -## +## +## Execute hwclock in the clock domain, and +## allow the specified role the hwclock domain. +## +## +## The type of the process performing this action. +## +## +## The role to be allowed the clock domain. +## +## +## The type of the terminal allow the clock domain to use. +## # interface(`clock_run',` gen_require(` @@ -55,14 +50,12 @@ interface(`clock_run',` ') ######################################## -## ## ## Execute hwclock ## ## ## The type of the process performing this action. ## -## # interface(`clock_exec',` gen_require(` @@ -73,14 +66,12 @@ interface(`clock_exec',` ') ######################################## -## ## ## Allow executing domain to modify clock drift ## ## ## The type of the process performing this action. ## -## # interface(`clock_rw_adjtime',` gen_require(` @@ -92,4 +83,3 @@ interface(`clock_rw_adjtime',` files_list_etc($1) ') -## diff --git a/refpolicy/policy/modules/system/corecommands.if b/refpolicy/policy/modules/system/corecommands.if index 5496e11..f5ddc8f 100644 --- a/refpolicy/policy/modules/system/corecommands.if +++ b/refpolicy/policy/modules/system/corecommands.if @@ -1,7 +1,6 @@ -## ## -## Core policy for shells, and generic programs -## in /bin, /sbin, /usr/bin, and /usr/sbin. +## Core policy for shells, and generic programs +## in /bin, /sbin, /usr/bin, and /usr/sbin. ## ####################################### @@ -148,19 +147,17 @@ interface(`corecmd_exec_ls',` ') ######################################## -## -## -## Execute a shell in the target domain. This -## is an explicit transition, requiring the -## caller to use setexeccon(). -## -## -## The type of the process performing this action. -## -## -## The type of the shell process. -## -## +## +## Execute a shell in the target domain. This +## is an explicit transition, requiring the +## caller to use setexeccon(). +## +## +## The type of the process performing this action. +## +## +## The type of the shell process. +## # interface(`corecmd_shell_spec_domtrans',` gen_require(` @@ -184,17 +181,15 @@ interface(`corecmd_shell_spec_domtrans',` ') ######################################## -## -## -## Execute a shell in the target domain. -## -## -## The type of the process performing this action. -## -## -## The type of the shell process. -## -## +## +## Execute a shell in the target domain. +## +## +## The type of the process performing this action. +## +## +## The type of the shell process. +## # interface(`corecmd_domtrans_shell',` gen_require(` @@ -219,4 +214,3 @@ interface(`corecmd_chroot_exec_chroot',` allow $1 self:capability sys_chroot; ') -## diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if index 3be9174..b77214b 100644 --- a/refpolicy/policy/modules/system/domain.if +++ b/refpolicy/policy/modules/system/domain.if @@ -1,4 +1,3 @@ -## ## Core policy for domains. ######################################## @@ -92,15 +91,13 @@ interface(`domain_dyntrans_type',` ') ######################################## -## -## -## Makes caller an exception to the constraint preventing -## changing of user identity. -## -## -## The process type to make an exception to the constraint. -## -## +## +## Makes caller an exception to the constraint preventing +## changing of user identity. +## +## +## The process type to make an exception to the constraint. +## # interface(`domain_subj_id_change_exempt',` gen_require(` @@ -111,15 +108,13 @@ interface(`domain_subj_id_change_exempt',` ') ######################################## -## -## -## Makes caller an exception to the constraint preventing -## changing of role. -## -## -## The process type to make an exception to the constraint. -## -## +## +## Makes caller an exception to the constraint preventing +## changing of role. +## +## +## The process type to make an exception to the constraint. +## # interface(`domain_role_change_exempt',` gen_require(` @@ -130,15 +125,13 @@ interface(`domain_role_change_exempt',` ') ######################################## -## -## -## Makes caller an exception to the constraint preventing -## changing the user identity in object contexts. -## -## -## The process type to make an exception to the constraint. -## -## +## +## Makes caller an exception to the constraint preventing +## changing the user identity in object contexts. +## +## +## The process type to make an exception to the constraint. +## # interface(`domain_obj_id_change_exempt',` gen_require(` @@ -188,14 +181,12 @@ interface(`domain_setpriority_all_domains',` ') ######################################## -## -## -## Send general signals to all domains. -## -## -## The type of the process performing this action. -## -## +## +## Send general signals to all domains. +## +## +## The type of the process performing this action. +## # interface(`domain_signal_all_domains',` gen_require(` @@ -207,14 +198,12 @@ interface(`domain_signal_all_domains',` ') ######################################## -## -## -## Send a null signal to all domains. -## -## -## The type of the process performing this action. -## -## +## +## Send a null signal to all domains. +## +## +## The type of the process performing this action. +## # interface(`domain_signull_all_domains',` gen_require(` @@ -226,14 +215,12 @@ interface(`domain_signull_all_domains',` ') ######################################## -## -## -## Send a stop signal to all domains. -## -## -## The type of the process performing this action. -## -## +## +## Send a stop signal to all domains. +## +## +## The type of the process performing this action. +## # interface(`domain_sigstop_all_domains',` gen_require(` @@ -245,14 +232,12 @@ interface(`domain_sigstop_all_domains',` ') ######################################## -## -## -## Send a child terminated signal to all domains. -## -## -## The type of the process performing this action. -## -## +## +## Send a child terminated signal to all domains. +## +## +## The type of the process performing this action. +## # interface(`domain_sigchld_all_domains',` gen_require(` @@ -264,14 +249,12 @@ interface(`domain_sigchld_all_domains',` ') ######################################## -## -## -## Send a kill signal to all domains. -## -## -## The type of the process performing this action. -## -## +## +## Send a kill signal to all domains. +## +## +## The type of the process performing this action. +## # interface(`domain_kill_all_domains',` gen_require(` @@ -285,14 +268,12 @@ interface(`domain_kill_all_domains',` ') ######################################## -## -## -## Read the process state (/proc/pid) of all domains. -## -## -## The type of the process performing this action. -## -## +## +## Read the process state (/proc/pid) of all domains. +## +## +## The type of the process performing this action. +## # interface(`domain_read_all_domains_state',` gen_require(` @@ -316,15 +297,13 @@ interface(`domain_read_all_domains_state',` ') ######################################## -## -## -## Do not audit attempts to read the process state -## directories of all domains. -## -## -## The type of the process performing this action. -## -## +## +## Do not audit attempts to read the process state +## directories of all domains. +## +## +## The type of the process performing this action. +## # interface(`domain_dontaudit_list_all_domains_proc',` gen_require(` @@ -336,14 +315,12 @@ interface(`domain_dontaudit_list_all_domains_proc',` ') ######################################## -## -## -## Get the session ID of all domains. -## -## -## The type of the process performing this action. -## -## +## +## Get the session ID of all domains. +## +## +## The type of the process performing this action. +## # interface(`domain_getsession_all_domains',` gen_require(` @@ -355,15 +332,13 @@ interface(`domain_getsession_all_domains',` ') ######################################## -## -## -## Do not audit attempts to get the attributes -## of all domains UDP sockets. -## -## -## The type of the process performing this action. -## -## +## +## Do not audit attempts to get the attributes +## of all domains UDP sockets. +## +## +## The type of the process performing this action. +## # interface(`domain_dontaudit_getattr_all_udp_sockets',` gen_require(` @@ -375,15 +350,13 @@ interface(`domain_dontaudit_getattr_all_udp_sockets',` ') ######################################## -## -## -## Do not audit attempts to get the attributes -## of all domains TCP sockets. -## -## -## The type of the process performing this action. -## -## +## +## Do not audit attempts to get the attributes +## of all domains TCP sockets. +## +## +## The type of the process performing this action. +## # interface(`domain_dontaudit_getattr_all_tcp_sockets',` gen_require(` @@ -395,15 +368,13 @@ interface(`domain_dontaudit_getattr_all_tcp_sockets',` ') ######################################## -## -## -## Do not audit attempts to get the attributes -## of all domains unix datagram sockets. -## -## -## The type of the process performing this action. -## -## +## +## Do not audit attempts to get the attributes +## of all domains unix datagram sockets. +## +## +## The type of the process performing this action. +## # interface(`domain_dontaudit_getattr_all_unix_dgram_sockets',` gen_require(` @@ -415,15 +386,13 @@ interface(`domain_dontaudit_getattr_all_unix_dgram_sockets',` ') ######################################## -## -## -## Do not audit attempts to get the attributes -## of all domains unnamed pipes. -## -## -## The type of the process performing this action. -## -## +## +## Do not audit attempts to get the attributes +## of all domains unnamed pipes. +## +## +## The type of the process performing this action. +## # interface(`domain_dontaudit_getattr_all_unnamed_pipes',` gen_require(` @@ -461,7 +430,6 @@ interface(`domain_read_all_entry_files',` allow $1 entry_type:file r_file_perms; ') -## # # These next macros are not interfaces, but actually are diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if index 53fc9d3..1bddf1d 100644 --- a/refpolicy/policy/modules/system/files.if +++ b/refpolicy/policy/modules/system/files.if @@ -1,19 +1,18 @@ -## ## -## Basic filesystem types and interfaces. +## Basic filesystem types and interfaces. ## ## -##

-## This module contains basic filesystem types and interfaces. This -## includes: -##

    -##
  • The concept of different file types including basic -## files, mount points, tmp files, etc.
    • -##
  • Access to groups of files and all files.
    • -##
  • Types and interfaces for the basic filesystem layout -## (/, /etc, /tmp, /usr, etc.).
    • -##
-##

+##

+## This module contains basic filesystem types and interfaces. This +## includes: +##

    +##
  • The concept of different file types including basic +## files, mount points, tmp files, etc.
    • +##
  • Access to groups of files and all files.
    • +##
  • Types and interfaces for the basic filesystem layout +## (/, /etc, /tmp, /usr, etc.).
    • +##
+##

## ######################################## @@ -83,15 +82,13 @@ interface(`files_tmp_file',` ') ######################################## -## -## -## Transform the type into a file, for use on a -## virtual memory filesystem (tmpfs). -## -## -## The type to be transformed. -## -## +## +## Transform the type into a file, for use on a +## virtual memory filesystem (tmpfs). +## +## +## The type to be transformed. +## # interface(`files_tmpfs_file',` gen_require(` @@ -125,19 +122,17 @@ interface(`files_getattr_all_files',` ') ######################################## -## -## -## Relabel all files on the filesystem, except -## the listed exceptions. -## -## -## The type of the domain perfoming this action. -## -## -## The types to be excluded. Each type or attribute -## must be negated by the caller. -## -## +## +## Relabel all files on the filesystem, except +## the listed exceptions. +## +## +## The type of the domain perfoming this action. +## +## +## The types to be excluded. Each type or attribute +## must be negated by the caller. +## # interface(`files_relabel_all_files',` gen_require(` @@ -164,19 +159,17 @@ interface(`files_relabel_all_files',` ') ######################################## -## -## -## Manage all files on the filesystem, except -## the listed exceptions. -## -## -## The type of the domain perfoming this action. -## -## -## The types to be excluded. Each type or attribute -## must be negated by the caller. -## -## +## +## Manage all files on the filesystem, except +## the listed exceptions. +## +## +## The type of the domain perfoming this action. +## +## +## The types to be excluded. Each type or attribute +## must be negated by the caller. +## # interface(`files_manage_all_files',` gen_require(` @@ -306,25 +299,23 @@ interface(`files_list_root',` ') ######################################## -## -## -## Create an object in the root directory, with a private -## type. If no object class is specified, the -## default is file. -## -## -## The type of the process performing this action. -## -## -## The type of the object to be created. If no type -## is specified, the type of the root directory will -## be used. -## -## -## The object class of the object being created. If -## no class is specified, file will be used. -## -## +## +## Create an object in the root directory, with a private +## type. If no object class is specified, the +## default is file. +## +## +## The type of the process performing this action. +## +## +## The type of the object to be created. If no type +## is specified, the type of the root directory will +## be used. +## +## +## The object class of the object being created. If +## no class is specified, file will be used. +## # interface(`files_create_root',` gen_require(` @@ -498,14 +489,12 @@ interface(`files_manage_generic_etc_files',` ') ######################################## -## -## -## Delete system configuration files in /etc. -## -## -## The type of the process performing this action. -## -## +## +## Delete system configuration files in /etc. +## +## +## The type of the process performing this action. +## # interface(`files_delete_generic_etc_files',` gen_require(` @@ -642,14 +631,12 @@ interface(`files_dontaudit_search_isid_type_dir',` ') ######################################## -## -## -## Get listing home home directories. -## -## -## The type of the process performing this action. -## -## +## +## Get listing home home directories. +## +## +## The type of the process performing this action. +## # interface(`files_list_home',` gen_require(` @@ -743,14 +730,12 @@ interface(`files_read_usr_files',` ') ######################################## -## -## -## Execute programs in /usr/src in the caller domain. -## -## -## The type of the process performing this action. -## -## +## +## Execute programs in /usr/src in the caller domain. +## +## +## The type of the process performing this action. +## # interface(`files_exec_usr_files',` gen_require(` @@ -810,14 +795,12 @@ interface(`files_dontaudit_search_var',` ') ######################################## -## -## -## Search the /var/lib directory. -## -## -## The type of the process performing this action. -## -## +## +## Search the /var/lib directory. +## +## +## The type of the process performing this action. +## # interface(`files_search_var_lib',` gen_require(` @@ -987,14 +970,12 @@ interface(`files_rw_generic_pids',` ') ######################################## -## -## -## Do not audit attempts to write to daemon runtime data files. -## -## -## The type of the process performing this action. -## -## +## +## Do not audit attempts to write to daemon runtime data files. +## +## +## The type of the process performing this action. +## # interface(`files_dontaudit_write_all_pids',` gen_require(` @@ -1006,14 +987,12 @@ interface(`files_dontaudit_write_all_pids',` ') ######################################## -## -## -## Do not audit attempts to ioctl daemon runtime data files. -## -## -## The type of the process performing this action. -## -## +## +## Do not audit attempts to ioctl daemon runtime data files. +## +## +## The type of the process performing this action. +## # interface(`files_dontaudit_ioctl_all_pids',` gen_require(` @@ -1123,4 +1102,3 @@ interface(`files_manage_spools',` allow $1 var_spool_t:file create_file_perms; ') -## diff --git a/refpolicy/policy/modules/system/getty.if b/refpolicy/policy/modules/system/getty.if index a1d895f..dd1ec0e 100644 --- a/refpolicy/policy/modules/system/getty.if +++ b/refpolicy/policy/modules/system/getty.if @@ -1,15 +1,12 @@ -## ## Policy for getty. ######################################## -## ## ## Execute gettys in the getty domain. ## ## ## The type of the process performing this action. ## -## # interface(`getty_domtrans',` gen_require(` @@ -29,14 +26,12 @@ interface(`getty_domtrans',` ') ######################################## -## ## ## Allow process to read getty log file. ## ## ## The type of the process performing this action. ## -## # interface(`getty_read_log',` gen_require(` @@ -49,14 +44,12 @@ interface(`getty_read_log',` ') ######################################## -## ## ## Allow process to read getty config file. ## ## ## The type of the process performing this action. ## -## # interface(`getty_read_config',` gen_require(` @@ -69,14 +62,12 @@ interface(`getty_read_config',` ') ######################################## -## ## ## Allow process to edit getty config file. ## ## ## The type of the process performing this action. ## -## # interface(`getty_modify_config',` gen_require(` @@ -88,4 +79,3 @@ interface(`getty_modify_config',` allow $1 getty_etc_t:file rw_file_perms; ') -## diff --git a/refpolicy/policy/modules/system/hostname.if b/refpolicy/policy/modules/system/hostname.if index 52cdcca..622cc90 100644 --- a/refpolicy/policy/modules/system/hostname.if +++ b/refpolicy/policy/modules/system/hostname.if @@ -1,16 +1,13 @@ -## ## Policy for changing the system host name. ######################################## -## -## -## Execute hostname in the hostname domain. -## -## -## The type of the process performing this action. -## Has a sigchld signal backchannel. -## -## +## +## Execute hostname in the hostname domain. +## +## +## The type of the process performing this action. +## Has a sigchld signal backchannel. +## # interface(`hostname_domtrans',` gen_require(` @@ -30,22 +27,20 @@ interface(`hostname_domtrans',` ') ######################################## -## -## -## Execute hostname in the hostname domain, and -## allow the specified role the hostname domain. -## Has a sigchld signal backchannel. -## -## -## The type of the process performing this action. -## -## -## The role to be allowed the hostname domain. -## -## -## The type of the terminal allow the hostname domain to use. -## -## +## +## Execute hostname in the hostname domain, and +## allow the specified role the hostname domain. +## Has a sigchld signal backchannel. +## +## +## The type of the process performing this action. +## +## +## The role to be allowed the hostname domain. +## +## +## The type of the terminal allow the hostname domain to use. +## # interface(`hostname_run',` gen_require(` @@ -59,7 +54,6 @@ interface(`hostname_run',` ') ######################################## -## ## ## Execute hostname in the hostname domain, and ## Has a sigchld signal backchannel. @@ -67,7 +61,6 @@ interface(`hostname_run',` ## ## The type of the process performing this action. ## -## # interface(`hostname_exec',` gen_require(` @@ -77,4 +70,3 @@ interface(`hostname_exec',` can_exec($1,hostname_exec_t) ') -## diff --git a/refpolicy/policy/modules/system/hotplug.if b/refpolicy/policy/modules/system/hotplug.if index 842f950..64c18a7 100644 --- a/refpolicy/policy/modules/system/hotplug.if +++ b/refpolicy/policy/modules/system/hotplug.if @@ -1,7 +1,6 @@ -## ## -## Policy for hotplug system, for supporting the -## connection and disconnection of devices at runtime. +## Policy for hotplug system, for supporting the +## connection and disconnection of devices at runtime. ## ####################################### @@ -78,14 +77,12 @@ interface(`hotplug_dontaudit_search_config',` ') ######################################## -## -## -## Read the configuration files for hotplug. -## -## -## The type of the process performing this action. -## -## +## +## Read the configuration files for hotplug. +## +## +## The type of the process performing this action. +## # interface(`hotplug_read_config',` gen_require(` @@ -101,4 +98,3 @@ interface(`hotplug_read_config',` allow $1 hotplug_etc_t:lnk_file r_file_perms; ') -## diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if index c7ecd2d..d56ece0 100644 --- a/refpolicy/policy/modules/system/init.if +++ b/refpolicy/policy/modules/system/init.if @@ -1,4 +1,3 @@ -## ## System initialization programs (init and init scripts). ######################################## @@ -260,14 +259,12 @@ interface(`init_exec_script',` ') ######################################## -## -## -## Read the process state (/proc/pid) of the init scripts. -## -## -## The type of the process performing this action. -## -## +## +## Read the process state (/proc/pid) of the init scripts. +## +## +## The type of the process performing this action. +## # interface(`init_read_script_process_state',` gen_require(` @@ -330,14 +327,12 @@ interface(`init_get_script_process_group',` ') ######################################## -## -## -## Read and write init script unnamed pipes. -## -## -## The type of the process performing this action. -## -## +## +## Read and write init script unnamed pipes. +## +## +## The type of the process performing this action. +## # interface(`init_rw_script_pipe',` gen_require(` @@ -376,14 +371,12 @@ interface(`init_dontaudit_use_script_pty',` ') ######################################## -## -## -## Read and write init script temporary data. -## -## -## The type of the process performing this action. -## -## +## +## Read and write init script temporary data. +## +## +## The type of the process performing this action. +## # interface(`init_rw_script_tmp_files',` gen_require(` @@ -449,4 +442,3 @@ interface(`init_dontaudit_rw_script_pid',` dontaudit $1 initrc_var_run_t:file { getattr read write append }; ') -## diff --git a/refpolicy/policy/modules/system/iptables.if b/refpolicy/policy/modules/system/iptables.if index d8783d0..23d55fa 100644 --- a/refpolicy/policy/modules/system/iptables.if +++ b/refpolicy/policy/modules/system/iptables.if @@ -1,15 +1,12 @@ -## ## Policy for iptables. ######################################## -## -## -## Execute iptables in the iptables domain. -## -## -## The type of the process performing this action. -## -## +## +## Execute iptables in the iptables domain. +## +## +## The type of the process performing this action. +## # interface(`iptables_domtrans',` gen_require(` @@ -29,21 +26,19 @@ interface(`iptables_domtrans',` ') ######################################## -## -## -## Execute iptables in the iptables domain, and -## allow the specified role the iptables domain. -## -## -## The type of the process performing this action. -## -## -## The role to be allowed the iptables domain. -## -## -## The type of the terminal allow the iptables domain to use. -## -## +## +## Execute iptables in the iptables domain, and +## allow the specified role the iptables domain. +## +## +## The type of the process performing this action. +## +## +## The role to be allowed the iptables domain. +## +## +## The type of the terminal allow the iptables domain to use. +## # interface(`iptables_run',` gen_require(` @@ -57,14 +52,12 @@ interface(`iptables_run',` ') ######################################## -## -## -## Execute iptables in the caller domain. -## -## -## The type of the process performing this action. -## -## +## +## Execute iptables in the caller domain. +## +## +## The type of the process performing this action. +## # interface(`iptables_exec',` gen_require(` @@ -75,4 +68,3 @@ interface(`iptables_exec',` can_exec($1,iptables_exec_t) ') -## diff --git a/refpolicy/policy/modules/system/libraries.if b/refpolicy/policy/modules/system/libraries.if index 08449e0..06145f6 100644 --- a/refpolicy/policy/modules/system/libraries.if +++ b/refpolicy/policy/modules/system/libraries.if @@ -1,15 +1,12 @@ -## ## Policy for system libraries. ######################################## -## -## -## Execute ldconfig in the ldconfig domain. -## -## -## The type of the process performing this action. -## -## +## +## Execute ldconfig in the ldconfig domain. +## +## +## The type of the process performing this action. +## # interface(`libs_domtrans_ldconfig',` gen_require(` @@ -29,20 +26,18 @@ interface(`libs_domtrans_ldconfig',` ') ######################################## -## -## -## Execute ldconfig in the ldconfig domain. -## -## -## The type of the process performing this action. -## -## -## The role to allow the ldconfig domain. -## -## -## The type of the terminal allow the ldconfig domain to use. -## -## +## +## Execute ldconfig in the ldconfig domain. +## +## +## The type of the process performing this action. +## +## +## The role to allow the ldconfig domain. +## +## +## The type of the terminal allow the ldconfig domain to use. +## # interface(`libs_run_ldconfig',` gen_require(` @@ -56,15 +51,13 @@ interface(`libs_run_ldconfig',` ') ######################################## -## -## -## Use the dynamic link/loader for automatic loading -## of shared libraries. -## -## -## The type of the process performing this action. -## -## +## +## Use the dynamic link/loader for automatic loading +## of shared libraries. +## +## +## The type of the process performing this action. +## # interface(`libs_use_ld_so',` gen_require(` @@ -83,15 +76,13 @@ interface(`libs_use_ld_so',` ') ######################################## -## -## -## Use the dynamic link/loader for automatic loading -## of shared libraries with legacy support. -## -## -## The type of the process performing this action. -## -## +## +## Use the dynamic link/loader for automatic loading +## of shared libraries with legacy support. +## +## +## The type of the process performing this action. +## # interface(`libs_legacy_use_ld_so',` gen_require(` @@ -105,16 +96,14 @@ interface(`libs_legacy_use_ld_so',` ') ######################################## -## -## -## Execute the dynamic link/loader in the caller's -## domain. This is commonly needed for the -## /usr/bin/ldd program. -## -## -## The type of the process performing this action. -## -## +## +## Execute the dynamic link/loader in the caller's +## domain. This is commonly needed for the +## /usr/bin/ldd program. +## +## +## The type of the process performing this action. +## # interface(`libs_exec_ld_so',` gen_require(` @@ -130,15 +119,13 @@ interface(`libs_exec_ld_so',` ') ######################################## -## -## -## Modify the dynamic link/loader's cached listing -## of shared libraries. -## -## -## The type of the process performing this action. -## -## +## +## Modify the dynamic link/loader's cached listing +## of shared libraries. +## +## +## The type of the process performing this action. +## # interface(`libs_rw_ld_so_cache',` gen_require(` @@ -151,14 +138,12 @@ interface(`libs_rw_ld_so_cache',` ') ######################################## -## -## -## Search lib directories. -## -## -## The type of the process performing this action. -## -## +## +## Search lib directories. +## +## +## The type of the process performing this action. +## # interface(`libs_search_lib',` gen_require(` @@ -170,15 +155,13 @@ interface(`libs_search_lib',` ') ######################################## -## -## -## Read files in the library directories, such -## as static libraries. -## -## -## The type of the process performing this action. -## -## +## +## Read files in the library directories, such +## as static libraries. +## +## +## The type of the process performing this action. +## # interface(`libs_read_lib',` gen_require(` @@ -194,14 +177,12 @@ interface(`libs_read_lib',` ') ######################################## -## -## -## Execute library scripts in the caller domain. -## -## -## The type of the process performing this action. -## -## +## +## Execute library scripts in the caller domain. +## +## +## The type of the process performing this action. +## # interface(`libs_exec_lib_files',` gen_require(` @@ -217,14 +198,12 @@ interface(`libs_exec_lib_files',` ') ######################################## -## -## -## Load and execute functions from shared libraries. -## -## -## The type of the process performing this action. -## -## +## +## Load and execute functions from shared libraries. +## +## +## The type of the process performing this action. +## # interface(`libs_use_shared_libs',` gen_require(` @@ -242,15 +221,13 @@ interface(`libs_use_shared_libs',` ') ######################################## -## -## -## Load and execute functions from shared libraries, -## with legacy support. -## -## -## The type of the process performing this action. -## -## +## +## Load and execute functions from shared libraries, +## with legacy support. +## +## +## The type of the process performing this action. +## # interface(`libs_legacy_use_shared_libs',` gen_require(` @@ -262,4 +239,3 @@ interface(`libs_legacy_use_shared_libs',` allow $1 { shlib_t texrel_shlib_t }:file execmod; ') -## diff --git a/refpolicy/policy/modules/system/locallogin.if b/refpolicy/policy/modules/system/locallogin.if index fa9d179..07dc767 100644 --- a/refpolicy/policy/modules/system/locallogin.if +++ b/refpolicy/policy/modules/system/locallogin.if @@ -1,15 +1,12 @@ -## ## Policy for local logins. ######################################## -## ## ## Execute local logins in the locallogin domain. ## ## ## The type of the process performing this action. ## -## # interface(`locallogin_domtrans',` gen_require(` @@ -20,14 +17,12 @@ interface(`locallogin_domtrans',` ') ######################################## -## ## ## Allow processes to inherit local login file descriptors ## ## ## The type of the process performing this action. ## -## # interface(`locallogin_use_fd',` gen_require(` @@ -38,4 +33,3 @@ interface(`locallogin_use_fd',` allow $1 local_login_t:fd use; ') -## diff --git a/refpolicy/policy/modules/system/logging.if b/refpolicy/policy/modules/system/logging.if index 4dcd83f..e3da815 100644 --- a/refpolicy/policy/modules/system/logging.if +++ b/refpolicy/policy/modules/system/logging.if @@ -1,4 +1,3 @@ -## ## Policy for the kernel message logger and system logging daemon. ####################################### @@ -60,16 +59,14 @@ interface(`logging_send_syslog_msg',` ') ######################################## -## -## -## Allows the domain to open a file in the -## log directory, but does not allow the listing -## of the contents of the log directory. -## -## -## The type of the process performing this action. -## -## +## +## Allows the domain to open a file in the +## log directory, but does not allow the listing +## of the contents of the log directory. +## +## +## The type of the process performing this action. +## # interface(`logging_search_logs',` gen_require(` @@ -176,4 +173,3 @@ interface(`logging_rw_generic_logs',` allow $1 var_log_t:file rw_file_perms; ') -## diff --git a/refpolicy/policy/modules/system/lvm.if b/refpolicy/policy/modules/system/lvm.if index 9b2a325..1f1ee77 100644 --- a/refpolicy/policy/modules/system/lvm.if +++ b/refpolicy/policy/modules/system/lvm.if @@ -1,15 +1,12 @@ -## ## Policy for logical volume management programs. ######################################## -## -## -## Execute lvm programs in the lvm domain. -## -## -## The type of the process performing this action. -## -## +## +## Execute lvm programs in the lvm domain. +## +## +## The type of the process performing this action. +## # interface(`lvm_domtrans',` gen_require(` @@ -29,20 +26,18 @@ interface(`lvm_domtrans',` ') ######################################## -## -## -## Execute lvm programs in the lvm domain. -## -## -## The type of the process performing this action. -## -## -## The role to allow the LVM domain. -## -## -## The type of the terminal allow the LVM domain to use. -## -## +## +## Execute lvm programs in the lvm domain. +## +## +## The type of the process performing this action. +## +## +## The role to allow the LVM domain. +## +## +## The type of the terminal allow the LVM domain to use. +## # interface(`lvm_run',` gen_require(` @@ -56,14 +51,12 @@ interface(`lvm_run',` ') ######################################## -## -## -## Read LVM configuration files. -## -## -## The type of the process performing this action. -## -## +## +## Read LVM configuration files. +## +## +## The type of the process performing this action. +## # interface(`lvm_read_config',` gen_require(` @@ -77,4 +70,3 @@ interface(`lvm_read_config',` allow $1 lvm_etc_t:file r_file_perms; ') -## diff --git a/refpolicy/policy/modules/system/metadata.xml b/refpolicy/policy/modules/system/metadata.xml index 581649f..e69de29 100644 --- a/refpolicy/policy/modules/system/metadata.xml +++ b/refpolicy/policy/modules/system/metadata.xml @@ -1 +0,0 @@ - diff --git a/refpolicy/policy/modules/system/miscfiles.if b/refpolicy/policy/modules/system/miscfiles.if index 99549df..a439efd 100644 --- a/refpolicy/policy/modules/system/miscfiles.if +++ b/refpolicy/policy/modules/system/miscfiles.if @@ -1,8 +1,6 @@ -## ## Miscelaneous files. ######################################## -## ## ## Allow process to create files and dirs in /var/cache/man ## and /var/catman/ @@ -10,7 +8,6 @@ ## ## Type type of the process performing this action. ## -## # interface(`miscfiles_rw_man_cache',` gen_require(` @@ -25,14 +22,12 @@ interface(`miscfiles_rw_man_cache',` ') ######################################## -## ## ## Allow process to read fonts files ## ## ## Type type of the process performing this action. ## -## # interface(`miscfiles_read_fonts',` gen_require(` @@ -50,14 +45,12 @@ interface(`miscfiles_read_fonts',` ') ######################################## -## ## ## Allow process to read localization info ## ## ## Type type of the process performing this action. ## -## # interface(`miscfiles_read_localization',` gen_require(` @@ -79,14 +72,12 @@ interface(`miscfiles_read_localization',` ') ######################################## -## ## ## Allow process to read legacy time localization info ## ## ## Type type of the process performing this action. ## -## # interface(`miscfiles_legacy_read_localization',` gen_require(` @@ -99,14 +90,12 @@ interface(`miscfiles_legacy_read_localization',` ') ######################################## -## ## ## Allow process to read manpages ## ## ## Type type of the process performing this action. ## -## # interface(`miscfiles_read_man_pages',` gen_require(` @@ -122,4 +111,3 @@ interface(`miscfiles_read_man_pages',` allow $1 man_t:lnk_file r_file_perms; ') -## diff --git a/refpolicy/policy/modules/system/modutils.if b/refpolicy/policy/modules/system/modutils.if index 8c9eb47..eb6d927 100644 --- a/refpolicy/policy/modules/system/modutils.if +++ b/refpolicy/policy/modules/system/modutils.if @@ -1,15 +1,12 @@ -## ## Policy for kernel module utilities ######################################## -## -## -## Read the dependencies of kernel modules. -## -## -## The type of the process performing this action. -## -## +## +## Read the dependencies of kernel modules. +## +## +## The type of the process performing this action. +## # interface(`modutils_read_kernel_module_dependencies',` gen_require(` @@ -22,15 +19,13 @@ interface(`modutils_read_kernel_module_dependencies',` ') ######################################## -## -## -## Read the configuration options used when -## loading modules. -## -## -## The type of the process performing this action. -## -## +## +## Read the configuration options used when +## loading modules. +## +## +## The type of the process performing this action. +## # interface(`modutils_read_module_conf',` gen_require(` @@ -47,14 +42,12 @@ interface(`modutils_read_module_conf',` ') ######################################## -## -## -## Execute insmod in the insmod domain. -## -## -## The type of the process performing this action. -## -## +## +## Execute insmod in the insmod domain. +## +## +## The type of the process performing this action. +## # interface(`modutils_domtrans_insmod',` gen_require(` @@ -74,23 +67,21 @@ interface(`modutils_domtrans_insmod',` ') ######################################## -## -## -## Execute insmod in the insmod domain, and -## allow the specified role the insmod domain, -## and use the caller's terminal. Has a sigchld -## backchannel. -## -## -## The type of the process performing this action. -## -## -## The role to be allowed the insmod domain. -## -## -## The type of the terminal allow the insmod domain to use. -## -## +## +## Execute insmod in the insmod domain, and +## allow the specified role the insmod domain, +## and use the caller's terminal. Has a sigchld +## backchannel. +## +## +## The type of the process performing this action. +## +## +## The role to be allowed the insmod domain. +## +## +## The type of the terminal allow the insmod domain to use. +## # interface(`modutils_run_insmod',` gen_require(` @@ -117,14 +108,12 @@ interface(`modutils_exec_insmod',` ') ######################################## -## -## -## Execute depmod in the depmod domain. -## -## -## The type of the process performing this action. -## -## +## +## Execute depmod in the depmod domain. +## +## +## The type of the process performing this action. +## # interface(`modutils_domtrans_depmod',` gen_require(` @@ -144,20 +133,18 @@ interface(`modutils_domtrans_depmod',` ') ######################################## -## -## -## Execute depmod in the depmod domain. -## -## -## The type of the process performing this action. -## -## -## The role to be allowed the depmod domain. -## -## -## The type of the terminal allow the depmod domain to use. -## -## +## +## Execute depmod in the depmod domain. +## +## +## The type of the process performing this action. +## +## +## The role to be allowed the depmod domain. +## +## +## The type of the terminal allow the depmod domain to use. +## # interface(`modutils_run_depmod',` gen_require(` @@ -184,14 +171,12 @@ interface(`modutils_exec_depmod',` ') ######################################## -## -## -## Execute depmod in the depmod domain. -## -## -## The type of the process performing this action. -## -## +## +## Execute depmod in the depmod domain. +## +## +## The type of the process performing this action. +## # interface(`modutils_domtrans_update_mods',` gen_require(` @@ -211,20 +196,18 @@ interface(`modutils_domtrans_update_mods',` ') ######################################## -## -## -## Execute update_modules in the update_modules domain. -## -## -## The type of the process performing this action. -## -## -## The role to be allowed the update_modules domain. -## -## -## The type of the terminal allow the update_modules domain to use. -## -## +## +## Execute update_modules in the update_modules domain. +## +## +## The type of the process performing this action. +## +## +## The role to be allowed the update_modules domain. +## +## +## The type of the terminal allow the update_modules domain to use. +## # interface(`modutils_run_update_mods',` gen_require(` @@ -250,4 +233,3 @@ interface(`modutils_exec_update_mods',` can_exec($1, update_modules_exec_t) ') -## diff --git a/refpolicy/policy/modules/system/mount.if b/refpolicy/policy/modules/system/mount.if index ec6c88a..03f6d50 100644 --- a/refpolicy/policy/modules/system/mount.if +++ b/refpolicy/policy/modules/system/mount.if @@ -1,15 +1,12 @@ -## ## Policy for mount. ######################################## -## -## -## Execute mount in the mount domain. -## -## -## The type of the process performing this action. -## -## +## +## Execute mount in the mount domain. +## +## +## The type of the process performing this action. +## # interface(`mount_domtrans',` gen_require(` @@ -28,22 +25,20 @@ interface(`mount_domtrans',` ') ######################################## -## -## -## Execute mount in the mount domain, and -## allow the specified role the mount domain, -## and use the caller's terminal. -## -## -## The type of the process performing this action. -## -## -## The role to be allowed the mount domain. -## -## -## The type of the terminal allow the mount domain to use. -## -## +## +## Execute mount in the mount domain, and +## allow the specified role the mount domain, +## and use the caller's terminal. +## +## +## The type of the process performing this action. +## +## +## The role to be allowed the mount domain. +## +## +## The type of the terminal allow the mount domain to use. +## # interface(`mount_run',` gen_require(` @@ -57,14 +52,12 @@ interface(`mount_run',` ') ######################################## -## ## ## Use file descriptors for mount. ## ## ## The type of the process performing this action. ## -## # interface(`mount_use_fd',` gen_require(` @@ -76,7 +69,6 @@ interface(`mount_use_fd',` ') ######################################## -## ## ## Allow the mount domain to send nfs requests for mounting ## network drives @@ -84,7 +76,6 @@ interface(`mount_use_fd',` ## ## The type of the process performing this action. ## -## # interface(`mount_send_nfs_client_request',` gen_require(` @@ -95,4 +86,3 @@ interface(`mount_send_nfs_client_request',` allow $1 mount_t:udp_socket rw_socket_perms; ') -## diff --git a/refpolicy/policy/modules/system/selinuxutil.if b/refpolicy/policy/modules/system/selinuxutil.if index e42bd22..f5e0ec7 100644 --- a/refpolicy/policy/modules/system/selinuxutil.if +++ b/refpolicy/policy/modules/system/selinuxutil.if @@ -1,15 +1,12 @@ -## ## Policy for SELinux policy and userland applications. ####################################### -## -## -## Execute checkpolicy in the checkpolicy domain. -## -## -## The type of the process performing this action. -## -## +## +## Execute checkpolicy in the checkpolicy domain. +## +## +## The type of the process performing this action. +## # interface(`seutil_domtrans_checkpol',` gen_require(` @@ -30,23 +27,21 @@ interface(`seutil_domtrans_checkpol',` ') ######################################## -## -## -## Execute checkpolicy in the checkpolicy domain, and -## allow the specified role the checkpolicy domain, -## and use the caller's terminal. -## Has a SIGCHLD signal backchannel. -## -## -## The type of the process performing this action. -## -## -## The role to be allowed the checkpolicy domain. -## -## -## The type of the terminal allow the checkpolicy domain to use. -## -## +## +## Execute checkpolicy in the checkpolicy domain, and +## allow the specified role the checkpolicy domain, +## and use the caller's terminal. +## Has a SIGCHLD signal backchannel. +## +## +## The type of the process performing this action. +## +## +## The role to be allowed the checkpolicy domain. +## +## +## The type of the terminal allow the checkpolicy domain to use. +## # interface(`seutil_run_checkpol',` gen_require(` @@ -74,14 +69,12 @@ interface(`seutil_exec_checkpol',` ') ####################################### -## -## -## Execute load_policy in the load_policy domain. -## -## -## The type of the process performing this action. -## -## +## +## Execute load_policy in the load_policy domain. +## +## +## The type of the process performing this action. +## # interface(`seutil_domtrans_loadpol',` gen_require(` @@ -101,23 +94,21 @@ interface(`seutil_domtrans_loadpol',` ') ######################################## -## -## -## Execute load_policy in the load_policy domain, and -## allow the specified role the load_policy domain, -## and use the caller's terminal. -## Has a SIGCHLD signal backchannel. -## -## -## The type of the process performing this action. -## -## -## The role to be allowed the load_policy domain. -## -## -## The type of the terminal allow the load_policy domain to use. -## -## +## +## Execute load_policy in the load_policy domain, and +## allow the specified role the load_policy domain, +## and use the caller's terminal. +## Has a SIGCHLD signal backchannel. +## +## +## The type of the process performing this action. +## +## +## The role to be allowed the load_policy domain. +## +## +## The type of the terminal allow the load_policy domain to use. +## # interface(`seutil_run_loadpol',` gen_require(` @@ -158,14 +149,12 @@ interface(`seutil_read_loadpol',` ') ####################################### -## -## -## Execute newrole in the load_policy domain. -## -## -## The type of the process performing this action. -## -## +## +## Execute newrole in the load_policy domain. +## +## +## The type of the process performing this action. +## # interface(`seutil_domtrans_newrole',` gen_require(` @@ -186,22 +175,20 @@ interface(`seutil_domtrans_newrole',` ') ######################################## -## -## -## Execute newrole in the newrole domain, and -## allow the specified role the newrole domain, -## and use the caller's terminal. -## -## -## The type of the process performing this action. -## -## -## The role to be allowed the newrole domain. -## -## -## The type of the terminal allow the newrole domain to use. -## -## +## +## Execute newrole in the newrole domain, and +## allow the specified role the newrole domain, +## and use the caller's terminal. +## +## +## The type of the process performing this action. +## +## +## The role to be allowed the newrole domain. +## +## +## The type of the terminal allow the newrole domain to use. +## # interface(`seutil_run_newrole',` gen_require(` @@ -229,15 +216,13 @@ interface(`seutil_exec_newrole',` ') ######################################## -## -## -## Do not audit the caller attempts to send -## a signal to newrole. -## -## -## The type of the process performing this action. -## -## +## +## Do not audit the caller attempts to send +## a signal to newrole. +## +## +## The type of the process performing this action. +## # interface(`seutil_dontaudit_newrole_signal',` gen_require(` @@ -275,14 +260,12 @@ interface(`seutil_use_newrole_fd',` ') ####################################### -## -## -## Execute restorecon in the restorecon domain. -## -## -## The type of the process performing this action. -## -## +## +## Execute restorecon in the restorecon domain. +## +## +## The type of the process performing this action. +## # interface(`seutil_domtrans_restorecon',` gen_require(` @@ -302,22 +285,20 @@ interface(`seutil_domtrans_restorecon',` ') ######################################## -## -## -## Execute restorecon in the restorecon domain, and -## allow the specified role the restorecon domain, -## and use the caller's terminal. -## -## -## The type of the process performing this action. -## -## -## The role to be allowed the restorecon domain. -## -## -## The type of the terminal allow the restorecon domain to use. -## -## +## +## Execute restorecon in the restorecon domain, and +## allow the specified role the restorecon domain, +## and use the caller's terminal. +## +## +## The type of the process performing this action. +## +## +## The role to be allowed the restorecon domain. +## +## +## The type of the terminal allow the restorecon domain to use. +## # interface(`seutil_run_restorecon',` gen_require(` @@ -344,14 +325,12 @@ interface(`seutil_exec_restorecon',` ') ######################################## -## -## -## Execute run_init in the run_init domain. -## -## -## The type of the process performing this action. -## -## +## +## Execute run_init in the run_init domain. +## +## +## The type of the process performing this action. +## # interface(`seutil_domtrans_runinit',` gen_require(` @@ -372,22 +351,20 @@ interface(`seutil_domtrans_runinit',` ') ######################################## -## -## -## Execute run_init in the run_init domain, and -## allow the specified role the run_init domain, -## and use the caller's terminal. -## -## -## The type of the process performing this action. -## -## -## The role to be allowed the run_init domain. -## -## -## The type of the terminal allow the run_init domain to use. -## -## +## +## Execute run_init in the run_init domain, and +## allow the specified role the run_init domain, +## and use the caller's terminal. +## +## +## The type of the process performing this action. +## +## +## The role to be allowed the run_init domain. +## +## +## The type of the terminal allow the run_init domain to use. +## # interface(`seutil_run_runinit',` gen_require(` @@ -414,14 +391,12 @@ interface(`seutil_use_runinit_fd',` ') ######################################## -## -## -## Execute setfiles in the setfiles domain. -## -## -## The type of the process performing this action. -## -## +## +## Execute setfiles in the setfiles domain. +## +## +## The type of the process performing this action. +## # interface(`seutil_domtrans_setfiles',` gen_require(` @@ -442,22 +417,20 @@ interface(`seutil_domtrans_setfiles',` ') ######################################## -## -## -## Execute setfiles in the setfiles domain, and -## allow the specified role the setfiles domain, -## and use the caller's terminal. -## -## -## The type of the process performing this action. -## -## -## The role to be allowed the setfiles domain. -## -## -## The type of the terminal allow the setfiles domain to use. -## -## +## +## Execute setfiles in the setfiles domain, and +## allow the specified role the setfiles domain, +## and use the caller's terminal. +## +## +## The type of the process performing this action. +## +## +## The role to be allowed the setfiles domain. +## +## +## The type of the terminal allow the setfiles domain to use. +## # interface(`seutil_run_setfiles',` gen_require(` @@ -571,14 +544,12 @@ interface(`seutil_create_binary_pol',` ') ######################################## -## -## -## Allow the caller to relabel a file to the binary policy type. -## -## -## The type of the process performing this action. -## -## +## +## Allow the caller to relabel a file to the binary policy type. +## +## +## The type of the process performing this action. +## # interface(`seutil_relabelto_binary_pol',` gen_require(` @@ -644,4 +615,3 @@ interface(`seutil_manage_src_pol',` allow $1 policy_src_t:file create_file_perms; ') -## diff --git a/refpolicy/policy/modules/system/sysnetwork.if b/refpolicy/policy/modules/system/sysnetwork.if index 1aa265d..05ae1f2 100644 --- a/refpolicy/policy/modules/system/sysnetwork.if +++ b/refpolicy/policy/modules/system/sysnetwork.if @@ -1,15 +1,12 @@ -## ## Policy for network configuration: ifconfig and dhcp client. ####################################### -## ## ## Execute dhcp client in dhcpc domain. ## ## ## The type of the process performing this action. ## -## # interface(`sysnet_domtrans_dhcpc',` gen_require(` @@ -29,14 +26,12 @@ interface(`sysnet_domtrans_dhcpc',` ') ####################################### -## -## -## Execute ifconfig in the ifconfig domain. -## -## -## The type of the process performing this action. -## -## +## +## Execute ifconfig in the ifconfig domain. +## +## +## The type of the process performing this action. +## # interface(`sysnet_domtrans_ifconfig',` gen_require(` @@ -56,22 +51,20 @@ interface(`sysnet_domtrans_ifconfig',` ') ######################################## -## -## -## Execute ifconfig in the ifconfig domain, and -## allow the specified role the ifconfig domain, -## and use the caller's terminal. -## -## -## The type of the process performing this action. -## -## -## The role to be allowed the ifconfig domain. -## -## -## The type of the terminal allow the ifconfig domain to use. -## -## +## +## Execute ifconfig in the ifconfig domain, and +## allow the specified role the ifconfig domain, +## and use the caller's terminal. +## +## +## The type of the process performing this action. +## +## +## The role to be allowed the ifconfig domain. +## +## +## The type of the terminal allow the ifconfig domain to use. +## # interface(`sysnet_run_ifconfig',` gen_require(` @@ -86,14 +79,12 @@ interface(`sysnet_run_ifconfig',` ') ####################################### -## ## ## Allow network init to read network config files. ## ## ## The type of the process performing this action. ## -## # interface(`sysnet_read_config',` gen_require(` @@ -105,4 +96,3 @@ interface(`sysnet_read_config',` allow $1 net_conf_t:file r_file_perms; ') -## diff --git a/refpolicy/policy/modules/system/udev.if b/refpolicy/policy/modules/system/udev.if index 33d2815..9a54cbe 100644 --- a/refpolicy/policy/modules/system/udev.if +++ b/refpolicy/policy/modules/system/udev.if @@ -1,15 +1,12 @@ -## ## Policy for udev. ######################################## -## ## ## Execute udev in the udev domain. ## ## ## The type of the process performing this action. ## -## # interface(`udev_domtrans',` gen_require(` @@ -28,14 +25,12 @@ interface(`udev_domtrans',` ') ######################################## -## ## ## Allow process to read list of devices. ## ## ## The type of the process performing this action. ## -## # interface(`udev_read_db',` gen_require(` @@ -48,14 +43,12 @@ interface(`udev_read_db',` ') ######################################## -## ## ## Allow process to modify list of devices. ## ## ## The type of the process performing this action. ## -## # interface(`udev_rw_db',` gen_require(` @@ -67,4 +60,3 @@ interface(`udev_rw_db',` allow $1 udev_tdb_t:file rw_file_perms; ') -## diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if index b05018b..86abffc 100644 --- a/refpolicy/policy/modules/system/userdomain.if +++ b/refpolicy/policy/modules/system/userdomain.if @@ -1,4 +1,3 @@ -## ## Policy for user domains ######################################## @@ -809,16 +808,14 @@ template(`admin_domain_template',` ') ######################################## -## -## -## Execute a shell in all user domains. This -## is an explicit transition, requiring the -## caller to use setexeccon(). -## -## -## The type of the process performing this action. -## -## +## +## Execute a shell in all user domains. This +## is an explicit transition, requiring the +## caller to use setexeccon(). +## +## +## The type of the process performing this action. +## # interface(`userdom_spec_domtrans_all_users',` gen_require(` @@ -829,16 +826,14 @@ interface(`userdom_spec_domtrans_all_users',` ') ######################################## -## -## -## Execute a shell in all unprivileged user domains. This -## is an explicit transition, requiring the -## caller to use setexeccon(). -## -## -## The type of the process performing this action. -## -## +## +## Execute a shell in all unprivileged user domains. This +## is an explicit transition, requiring the +## caller to use setexeccon(). +## +## +## The type of the process performing this action. +## # interface(`userdom_spec_domtrans_unpriv_users',` gen_require(` @@ -849,14 +844,12 @@ interface(`userdom_spec_domtrans_unpriv_users',` ') ######################################## -## -## -## Execute a shell in the sysadm domain. -## -## -## The type of the process performing this action. -## -## +## +## Execute a shell in the sysadm domain. +## +## +## The type of the process performing this action. +## # interface(`userdom_shell_domtrans_sysadm',` gen_require(` @@ -867,14 +860,12 @@ interface(`userdom_shell_domtrans_sysadm',` ') ######################################## -## -## -## Read and write sysadm ttys. -## -## -## The type of the process performing this action. -## -## +## +## Read and write sysadm ttys. +## +## +## The type of the process performing this action. +## # interface(`userdom_use_sysadm_tty',` gen_require(` @@ -888,14 +879,12 @@ interface(`userdom_use_sysadm_tty',` ') ######################################## -## -## -## Read and write sysadm ttys and ptys. -## -## -## The type of the process performing this action. -## -## +## +## Read and write sysadm ttys and ptys. +## +## +## The type of the process performing this action. +## # interface(`userdom_use_sysadm_terms',` gen_require(` @@ -909,14 +898,12 @@ interface(`userdom_use_sysadm_terms',` ') ######################################## -## -## -## Do not audit attempts to use admin ttys and ptys. -## -## -## The type of the process performing this action. -## -## +## +## Do not audit attempts to use admin ttys and ptys. +## +## +## The type of the process performing this action. +## # interface(`userdom_dontaudit_use_sysadm_terms',` gen_require(` @@ -928,14 +915,12 @@ interface(`userdom_dontaudit_use_sysadm_terms',` ') ######################################## -## -## -## Search all users home directories. -## -## -## The type of the process performing this action. -## -## +## +## Search all users home directories. +## +## +## The type of the process performing this action. +## # interface(`userdom_search_all_users_home',` gen_require(` @@ -948,14 +933,12 @@ interface(`userdom_search_all_users_home',` ') ######################################## -## -## -## Read all files in all users home directories. -## -## -## The type of the process performing this action. -## -## +## +## Read all files in all users home directories. +## +## +## The type of the process performing this action. +## # interface(`userdom_read_all_user_data',` gen_require(` @@ -970,14 +953,12 @@ interface(`userdom_read_all_user_data',` ') ######################################## -## -## -## Inherit the file descriptors from all user domains -## -## -## The type of the process performing this action. -## -## +## +## Inherit the file descriptors from all user domains +## +## +## The type of the process performing this action. +## # interface(`userdom_use_all_user_fd',` gen_require(` @@ -989,14 +970,12 @@ interface(`userdom_use_all_user_fd',` ') ######################################## -## -## -## Send general signals to all user domains. -## -## -## The type of the process performing this action. -## -## +## +## Send general signals to all user domains. +## +## +## The type of the process performing this action. +## # interface(`userdom_signal_all_users',` gen_require(` @@ -1008,14 +987,12 @@ interface(`userdom_signal_all_users',` ') ######################################## -## -## -## Send general signals to unprivileged user domains. -## -## -## The type of the process performing this action. -## -## +## +## Send general signals to unprivileged user domains. +## +## +## The type of the process performing this action. +## # interface(`userdom_signal_unpriv_users',` gen_require(` @@ -1027,14 +1004,12 @@ interface(`userdom_signal_unpriv_users',` ') ######################################## -## -## -## Inherit the file descriptors from all user domains. -## -## -## The type of the process performing this action. -## -## +## +## Inherit the file descriptors from all user domains. +## +## +## The type of the process performing this action. +## # interface(`userdom_use_unpriv_users_fd',` gen_require(` @@ -1046,15 +1021,13 @@ interface(`userdom_use_unpriv_users_fd',` ') ######################################## -## -## -## Do not audit attempts to inherit the -## file descriptors from all user domains. -## -## -## The type of the process performing this action. -## -## +## +## Do not audit attempts to inherit the +## file descriptors from all user domains. +## +## +## The type of the process performing this action. +## # interface(`userdom_dontaudit_use_unpriv_user_fd',` gen_require(` @@ -1065,4 +1038,3 @@ interface(`userdom_dontaudit_use_unpriv_user_fd',` dontaudit $1 unpriv_userdomain:fd use; ') -##