diff --git a/docs/macro_conversion_guide b/docs/macro_conversion_guide new file mode 100644 index 0000000..08199fa --- /dev/null +++ b/docs/macro_conversion_guide @@ -0,0 +1,987 @@ +# +# This is the guide for converting old macros to local policy +# and new interfaces. +# +# $1, $2, etc. are replaced with and the first and second, etc. +# parameters to the old macro. +# + +######################################## +# +# Object class sets +# + +# +# devfile_class_set +# +{ chr_file blk_file } + +# +# dgram_socket_class_set +# +{ udp_socket unix_dgram_socket } + +# +# dir_file_class_set +# +{ dir file lnk_file sock_file fifo_file chr_file blk_file } + +# +# file_class_set +# +{ file lnk_file sock_file fifo_file chr_file blk_file } + +# +# notdevfile_class_set +# +{ file lnk_file sock_file fifo_file } + +# +# socket_class_set +# +{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } + +# +# stream_socket_class_set +# +{ tcp_socket unix_stream_socket } + +# +# unpriv_socket_class_set +# +{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket } + +######################################## +# +# Permission Sets +# + +# +# connected_socket_perms +# +{ create ioctl read getattr write setattr append bind getopt setopt shutdown } + +# +# connected_stream_socket_perms +# +{ create ioctl read getattr write setattr append bind getopt setopt shutdown listen accept } + +# +# create_dir_perms +# +{ create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir } + +# +# create_file_perms +# +{ create ioctl read getattr lock write setattr append link unlink rename } + +# +# create_lnk_perms +# +{ create read getattr setattr link unlink rename } + +# +# create_msgq_perms +# +{ associate getattr setattr create destroy read write enqueue unix_read unix_write } + +# +# create_netlink_socket_perms +# +{ create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write } + +# +# create_sem_perms +# +{ associate getattr setattr create destroy read write unix_read unix_write } + +# +# create_shm_perms +# +{ associate getattr setattr create destroy read write lock unix_read unix_write } + +# +# create_socket_perms +# +{ create ioctl read getattr write setattr append bind connect getopt setopt shutdown } + +# +# create_stream_socket_perms +# +{ create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept } + +# +# link_file_perms +# +{ getattr link unlink rename } + +# +# mount_fs_perms +# +{ mount remount unmount getattr } + +# +# packet_perms +# +{ tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send } + +# +# r_dir_perms +# +{ read getattr lock search ioctl } + +# +# r_file_perms +# +{ read getattr lock ioctl } + +# +# r_msgq_perms +# +{ associate getattr read unix_read } + +# +# r_netlink_socket_perms +# +{ create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read } + +# +# r_sem_perms +# +{ associate getattr read unix_read } + +# +# r_shm_perms +# +{ associate getattr read unix_read } + +# +# ra_dir_perms +# +{ read getattr lock search ioctl add_name write } + +# +# ra_file_perms +# +{ ioctl read getattr lock append } + +# +# rw_dir_perms +# +{ read getattr lock search ioctl add_name remove_name write } + +# +# rw_file_perms +# +{ ioctl read getattr lock write append } + +# +# rw_msgq_perms +# +{ associate getattr read write enqueue unix_read unix_write } + +# +# rw_netlink_socket_perms +# +{ create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write } + +# +# rw_sem_perms +# +{ associate getattr read write unix_read unix_write } + +# +# rw_shm_perms +# +{ associate getattr read write lock unix_read unix_write } + +# +# rw_socket_perms +# +{ ioctl read getattr write setattr append bind connect getopt setopt shutdown } + +# +# rw_stream_socket_perms +# +{ ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept } + +# +# rx_file_perms +# +{ read getattr lock execute ioctl } + +# +# signal_perms +# +{ sigchld sigkill sigstop signull signal } + +# +# stat_file_perms +# +{ getattr } + +# +# x_file_perms +# +{ getattr execute } + +######################################## +# +# Access macros +# + +# +# access_terminal(): +# +allow $1 $2_tty_device_t:chr_file { read write getattr ioctl }; +allow $1 devtty_t:chr_file { read write getattr ioctl }; +allow $1 devpts_t:dir { read search getattr }; +allow $1 $2_devpts_t:chr_file { read write getattr ioctl }; + +# +# admin_domain(): +# + +# +# append_log_domain(): +# +type $1_log_t; +logging_make_log_file($1_log_t) +allow $1_t var_log_t:dir ra_dir_perms; +allow $1_t $1_log_t:file { create ra_file_perms }; +type_transition $1_t var_log_t:file $1_log_t; + +# +# append_logdir_domain(): +# +type $1_log_t; +logging_make_log_file($1_log_t) +allow $1_t var_log_t:dir ra_dir_perms; +allow $1_t $1_log_t:dir { setattr ra_dir_perms }; +allow $1_t $1_log_t:file { create ra_file_perms }; +type_transition $1_t var_log_t:file $1_log_t; + +# +# application_domain(): +# +type $1_t; +type $1_exec_t; +domain_make_domain($1_t) +domain_make_entrypoint_file($1_t,$1_exec_t) +role sysadm_r types $1_t; +domain_auto_trans(sysadm_t, $1_exec_t, $1_t) +libraries_use_dynamic_loader($1_t) +libraries_read_shared_libraries($1_t) + +# +# base_can_network($1,$2): +# +allow $1 self:$2_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown }; +corenetwork_network_$2_on_all_interfaces($1) +corenetwork_network_raw_on_all_interfaces($1) +corenetwork_network_$2_on_all_nodes($1) +corenetwork_network_raw_on_all_nodes($1) +corenetwork_bind_$2_on_all_nodes($1) +corenetwork_network_$2_on_all_ports($1) +sysnetwork_read_network_config($1) + +# +# base_can_network($1,$2,$3): +# +allow $1 self:$2_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown }; +corenetwork_network_$2_on_all_interfaces($1) +corenetwork_network_raw_on_all_interfaces($1) +corenetwork_network_$2_on_all_nodes($1) +corenetwork_network_raw_on_all_nodes($1) +corenetwork_bind_$2_on_all_nodes($1) +corenetwork_network_$2_on_$3_port($1) +sysnetwork_read_network_config($1) + +# +# base_file_read_access(): +# +files_list_home_directories($1) +files_read_general_shared_resources($1) +allow $1 bin_t:dir r_dir_perms; +allow $1 bin_t:notdevfile_class_set r_file_perms; +allow $1 sbin_t:dir r_dir_perms; +allow $1 sbin_t:notdevfile_class_set r_file_perms; +kernel_read_kernel_sysctl($1) +selinux_read_config($1) +if (read_default_t) { +allow $1 default_t:dir r_dir_perms; +allow $1 default_t:notdevfile_class_set r_file_perms; +} + +# +# base_pty_perms(): +# +allow $1_t ptmx_t:chr_file rw_file_perms; +allow $1_t devpts_t:filesystem getattr; +allow $1_t devpts_t:dir { getattr read search }; +dontaudit $1_t bsdpty_device_t:chr_file { getattr read write }; + +# +# base_user_domain(): +# + +# +# can_create(): +# +# for each i in $3 +can_create_internal($1,$2,$i) + +# +# can_create_internal($1,$2,dir): +# +allow $1 $2:$3 create_dir_perms; + +# +# can_create_internal($1,$2,lnk_file): +# +allow $1 $2:$3 create_lnk_perms; + +# +# can_create_internal($1,$2,[file,chr_file,blk_file,sock_file,fifo_file]): +# +allow $1 $2:$3 create_file_perms; + +# +# can_create_other_pty(): complete +# +terminal_make_pseudoterminal($1_t,$2_devpts_t) +allow $1_t $2_devpts_t:chr_file { setattr ioctl read getattr lock write append }; + +# +# can_create_pty(): complete +# +# $2 may require more conversion +type $1_devpts_t $2; +terminal_make_pseudoterminal($1_t,$1_devpts_t) +allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append }; + +# +# can_exec(): complete +# +allow $1 $2:file { getattr read execute execute_no_trans }; + +# +# can_exec_any(): +# +libraries_use_dynamic_loader($1) +libraries_read_shared_libraries($1) +files_execute_system_config_script($1) +libraries_execute_library_scripts($1) +corecommands_execute_general_programs($1) +corecommands_execute_system_programs($1) +domain_execute_all_entrypoint_programs($1) +can_exec($1, ld_so_t) + +# +# can_getcon(): +# +allow $1 proc_t:dir search; +allow $1 proc_t:{ file lnk_file } read; +allow $1 self:process getattr; + +# +# can_getsecurity(): +# +kernel_get_selinuxfs_mount_point($1) +kernel_validate_selinux_context($1) +kernel_compute_selinux_av($1) +kernel_compute_create($1) +kernel_compute_relabel($1) +kernel_compute_reachable_user_contexts($1) + +# +# can_ldap(): +# +ifdef(`slapd.te',` +can_network_client_tcp($1, `ldap_port_t') +') + +# +# can_loadpol(): complete +# +kernel_get_selinuxfs_mount_point($1) +kernel_load_selinux_policy($1) + +# +# can_network(): +# +can_network_tcp($1, `$2') +can_network_udp($1, `$2') +ifdef(`mount.te', ` +allow $1 mount_t:udp_socket rw_socket_perms; +') + +# +# can_network_client(): +# +can_network_client_tcp($1, `$2') +can_network_udp($1, `$2') + +# +# can_network_client_tcp(): +# +base_can_network($1, tcp, `$2') +allow $1 self:tcp_socket { connect }; + +# +# can_network_server(): +# +allow $1 self:tcp_socket { listen accept }; +base_can_network($1, tcp, `$2') + +# +# can_network_server_tcp(): +# +allow $1 self:tcp_socket { listen accept }; +base_can_network($1, tcp, `$2') + +# +# can_network_tcp(): complete +# +can_network_server_tcp($1, `$2') +can_network_client_tcp($1, `$2') + +# +# can_network_udp(): complete +# +base_can_network($1, udp, `$2') +allow $1 self:udp_socket { connect }; + +# +# can_ps(): +# +allow $1 $2:dir { search getattr read }; +allow $1 $2:{ file lnk_file } { read getattr }; +allow $1 $2:process getattr; +# We need to suppress this denial because procps tries to access +# /proc/pid/environ and this now triggers a ptrace check in recent kernels +# (2.4 and 2.6). Might want to change procps to not do this, or only if +# running in a privileged domain. +dontaudit $1 $2:process ptrace; + +# +# can_ptrace(): +# +allow $1 $2:process ptrace; +allow $2 $1:process sigchld; + +# +# can_resolve(): +# +ifdef(`use_dns',` +can_network_udp($1, `dns_port_t') +') + +# +# can_setbool(): complete +# +kernel_get_selinuxfs_mount_point($1) +kernel_set_selinux_boolean($1) + +# +# can_setcon(): +# +allow $1 self:process setcurrent; +allow $1 proc_t:dir search; +allow $1 proc_t:{ file lnk_file } read; + + +# +# can_setenforce(): complete +# +kernel_get_selinuxfs_mount_point($1) +kernel_set_selinux_enforcement_mode($1) + +# +# can_setexec(): +# +allow $1 self:process setexec; +allow $1 proc_t:dir search; +allow $1 proc_t:{ file lnk_file } read; + +# +# can_setfscreate(): +# +allow $1 self:process setfscreate; +allow $1 proc_t:dir search; +allow $1 proc_t:{ file lnk_file } read; + +# +# can_setsecparam(): +# +kernel_get_selinuxfs_mount_point($1) +allow $1 security_t:dir { read search getattr }; +allow $1 security_t:file { getattr read write }; +allow $1 security_t:security setsecparam; +auditallow $1 security_t:security setsecparam; + +# +# can_sysctl(): complete +# +kernel_modify_all_sysctl($1) + +# +# can_tcp_connect +# (policy is commented out) +# Irrelevant until we have labeled networking. +# +#allow $1 $2:tcp_socket { connectto recvfrom }; +#allow $2 $1:tcp_socket { acceptfrom recvfrom }; +#allow $2 kernel_t:tcp_socket recvfrom; +#allow $1 kernel_t:tcp_socket recvfrom; + +# +# can_udp_send(): +# (policy is commented out) +# Irrelevant until we have labeled networking. +# +#allow $1 $2:udp_socket sendto; +#allow $2 $1:udp_socket recvfrom; + +# +# can_unix_connect(): +# +allow $1 $2:unix_stream_socket connectto; + +# +# can_unix_send(): +# +allow $1 $2:unix_dgram_socket sendto; + +# +# create_append_log_file(): +# +allow $1 $2:dir { read getattr search add_name write }; +allow $1 $2:file { create ioctl getattr setattr append link }; + +# +# create_dir_file(): +# +allow $1 $2:dir create_dir_perms; +allow $1 $2:file create_file_perms; +allow $1 $2:lnk_file create_lnk_perms; + +# +# create_dir_notdevfile(): +# +allow $1 $2:dir create_dir_perms; +allow $1 $2:{ file sock_file fifo_file } create_file_perms; +allow $1 $2:lnk_file create_lnk_perms; + +# +# daemon_domain(): +# +type $1_t; +type $1_exec_t; +domain_make_daemon_domain($1_t,$1_exec_t) +type $1_var_run_t; +files_make_file($1_var_run_t) +allow $1_t $1_var_run_t:file { getattr create read write append setattr unlink }; +files_create_daemon_runtime_data($1_t,$1_var_run_t) +logging_send_system_log_message($1_t) +dontaudit $1_t self:capability sys_tty_config; +allow $1_t init_t:fd use; +libraries_use_dynamic_loader($1_t) +libraries_read_shared_libraries($1_t) +allow $1_t proc_t:dir r_dir_perms; +allow $1_t proc_t:lnk_file read; +ifdef(`udev.te', ` +allow $1_t udev_tdb_t:file r_file_perms; +')dnl end if udev.te +devices_discard_data_stream($1_t) +allow $1_t null_device_t:chr_file r_file_perms; +dontaudit $1_t console_device_t:chr_file rw_file_perms; +dontaudit $1_t unpriv_userdomain:fd use; +kernel_read_hardware_state($1_t) +allow $1_t autofs_t:dir { search getattr }; +ifdef(`targeted_policy', ` +dontaudit $1_t { tty_device_t devpts_t }:chr_file { read write }; +dontaudit $1_t root_t:file { getattr read }; +')dnl end if targeted_policy +terminal_use_controlling_terminal($1_t) +dontaudit $1_t sysadm_home_dir_t:dir search; +filesystem_get_all_filesystem_attributes($1_t) +miscfiles_read_localization($1_t) +rhgb_domain($1_t) +kernel_read_kernel_sysctl($1_t) +ifdef(`direct_sysadm_daemon', ` +dontaudit $1_t admin_tty_type:chr_file rw_file_perms; +') +ifelse(index(`$2',`transitionbool'), -1, `', ` +bool $1_disable_trans false; +if ($1_disable_trans) { +can_exec(initrc_t, $1_exec_t) +can_exec(sysadm_t, $1_exec_t) +} else { +') dnl transitionbool +domain_auto_trans(initrc_t, $1_exec_t, $1_t) +allow initrc_t $1_t:process { noatsecure siginh rlimitinh }; +ifdef(`direct_sysadm_daemon', ` +ifelse(`$3', `nosysadm', `', ` +domain_auto_trans(sysadm_t, $1_exec_t, $1_t) +allow sysadm_t $1_t:process { noatsecure siginh rlimitinh }; +')dnl end direct_sysadm_daemon +')dnl end nosysadm +ifelse(index(`$2', `transitionbool'), -1, `', `}') dnl end transitionbool +ifdef(`direct_sysadm_daemon', ` +ifelse(`$3', `nosysadm', `', ` +role_transition sysadm_r $1_exec_t system_r; +')dnl end nosysadm +')dnl end direct_sysadm_daemon +allow $1_t privfd:fd use; +ifdef(`newrole.te', `allow $1_t newrole_t:process sigchld;') +allow $1_t initrc_devpts_t:chr_file rw_file_perms; + +# +# daemon_sub_domain(): +# +# $1 is the parent domain (or domains), $2_t is the child domain, +# and $3 is any attributes to apply to the child +type $2_t, domain, privlog, daemon $3; +type $2_exec_t, file_type, sysadmfile, exec_type; +role system_r types $2_t; +domain_auto_trans($1, $2_exec_t, $2_t) +allow $2_t $1:fd use; +allow $2_t $1:process sigchld; +allow $2_t self:process signal_perms; +libraries_use_dynamic_loader($2_t) +libraries_read_shared_libraries($2_t) +allow $2_t proc_t:dir r_dir_perms; +allow $2_t proc_t:lnk_file read; +allow $2_t device_t:dir getattr; + +# +# etc_domain(): +# +type $1_etc_t; #, usercanread; +files_make_file($1_etc_t) +allow $1_t $1_etc_t:file r_file_perms; + +# +# etcdir_domain(): +# +type $1_etc_t; #, usercanread; +files_make_file($1_etc_t) +allow $1_t $1_etc_t:file r_file_perms; +allow $1_t $1_etc_t:dir r_dir_perms; +allow $1_t $1_etc_t:lnk_file { getattr read }; + +# +# file_type_auto_trans(): +# +allow $1 $2:dir rw_dir_perms; +allow $1 $2:file create_file_perms; +allow $1 $2:lnk_file create_lnk_perms; +allow $1 $2:sock_file create_file_perms; +allow $1 $2:fifo_file create_file_perms; +type_transition $1 $2:dir $3; +type_transition $1 $2:{ file lnk_file sock_file fifo_file } $3; + +# +# file_type_auto_trans($1,$2,$3,$4): +# +# for each i in $4 +allow $1 $2:dir rw_dir_perms; +can_create_internal($1,$2,$4) +type_transition $1 $2:$4 $3; + +# +# file_type_trans($1,$2,$3): +# +allow $1 $3:dir rw_dir_perms; +allow $1 $3:file create_file_perms; +allow $1 $3:lnk_file create_lnk_perms; +allow $1 $3:sock_file create_file_perms; +allow $1 $3:fifo_file create_file_perms; +type_transition $1 $2:{ dir file lnk_file sock_file fifo_file } $3; + +# +# file_type_trans($1,$2,$3,$4): +# +# for each i in $4 +allow $1 $2:dir rw_dir_perms; +can_create_internal($1,$2,$3,$4) +type_transition $1 $2:$i $3; + +# +# full_user_role(): +# + +# +# general_domain_access(): +# +allow $1 self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition }; +allow $1 self:fd use; +allow $1 self:fifo_file { read getattr lock ioctl write append }; +allow $1 self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; +allow $1 self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept }; +allow $1 self:unix_dgram_socket sendto; +allow $1 self:unix_stream_socket connectto; +allow $1 self:shm { associate getattr setattr create destroy read write lock unix_read unix_write }; +allow $1 self:sem { associate getattr setattr create destroy read write unix_read unix_write }; +allow $1 self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write }; +allow $1 self:msg { send receive }; +allow $1 unpriv_userdomain:fd use; +can_ypbind($1) +ifdef(`automount.te', ` +allow $1 autofs_t:dir { search getattr }; +') + +# +# general_proc_read_access(): complete +# +kernel_read_system_state($1) +kernel_read_network_state($1) +kernel_read_software_raid_state($1) +kernel_get_core_interface_attributes($1) +kernel_get_message_interface_attributes($1) +kernel_read_kernel_sysctl($1) + +# +# home_domain(): +# + +# +# home_domain_access(): +# + +# +# home_domain_ro(): +# + +# +# home_domain_ro_access(): +# + +# +# in_user_role(): +# +role user_r types $1; +role staff_r types $1; + +# +# init_service_domain(): +# +type $1_t; +type $1_exec_t; +domain_make_daemon_domain($1_t,$1_exec_t) +kernel_read_hardware_state($1_t) +logging_send_system_log_message($1_t) +libraries_use_dynamic_loader($1_t) +libraries_read_shared_libraries($1_t) +devices_discard_data_stream($1_t) +dontaudit $1_t self:capability sys_tty_config; +allow $1_t init_t:fd use; +allow $1_t proc_t:dir r_dir_perms; +allow $1_t proc_t:lnk_file read; +ifdef(`udev.te', ` +allow $1_t udev_tdb_t:file r_file_perms; +')dnl end if udev.te +allow $1_t null_device_t:chr_file r_file_perms; +allow $1_t autofs_t:dir { search getattr }; +dontaudit $1_t console_device_t:chr_file rw_file_perms; +dontaudit $1_t unpriv_userdomain:fd use; +ifdef(`targeted_policy', ` +dontaudit $1_t { tty_device_t devpts_t }:chr_file { read write }; +dontaudit $1_t root_t:file { getattr read }; +')dnl end if targeted_policy + +# +# legacy_domain(): complete +# +allow $1_t self:process execmem; +libraries_legacy_read_shared_libraries($1_t) +libraries_legacy_use_dynamic_loader($1_t) + +# +# lock_domain(): +# +type $1_lock_t, file_type, sysadmfile, lockfile; +file_type_auto_trans($1_t, var_lock_t, $1_lock_t, file) + +# +# log_domain(): +# +type $1_log_t, file_type, sysadmfile, logfile; +file_type_auto_trans($1_t, var_log_t, $1_log_t, file) + +# +# logdir_domain(): +# +type $1_log_t, file_type, sysadmfile, logfile; +file_type_auto_trans($1_t, var_log_t, $1_log_t, file) +allow $1_t $1_log_t:dir { setattr rw_dir_perms }; + +# +# mini_user_domain(): +# + +# +# network_home_dir(): +# +create_dir_file($1, $2) +can_exec($1, $2) +allow $1 $2:{ sock_file fifo_file } create_file_perms; + +# +# pty_slave_label(): +# +type $1_devpts_t, file_type, sysadmfile, ptyfile $2; +allow $1_devpts_t devpts_t:filesystem associate; +type_transition $1_t devpts_t:chr_file $1_devpts_t; +allow $1_t $1_devpts_t:chr_file { setattr rw_file_perms }; + +# +# r_dir_file(): +# +allow $1 $2:dir r_dir_perms; +allow $1 $2:file r_file_perms; +allow $1 $2:lnk_file { getattr read }; + +# +# ra_dir_create_file(): +# +allow $1 $2:dir ra_dir_perms; +allow $1 $2:file { create ra_file_perms }; +allow $1 $2:lnk_file { create read getattr }; + +# +# ra_dir_file(): +# +allow $1 $2:dir ra_dir_perms; +allow $1 $2:file ra_file_perms; +allow $1 $2:lnk_file { getattr read }; + +# +# read_locale(): complete +# +miscfiles_read_localization($1) + +# +# read_sysctl($1): complete +# +kernel_read_kernel_sysctl($1) + +# +# read_sysctl($1,full): complete +# +kernel_read_all_sysctl($1) + +# +# rhgb_domain(): +# +ifdef(`rhgb.te', ` +allow $1 rhgb_t:process sigchld; +allow $1 rhgb_t:fd use; +allow $1 rhgb_t:fifo_file { read write }; +') + +# +# rw_dir_create_file(): +# +allow $1 $2:dir rw_dir_perms; +allow $1 $2:file create_file_perms; +allow $1 $2:lnk_file create_lnk_perms; + +# +# rw_dir_file(): +# +allow $1 $2:dir rw_dir_perms; +allow $1 $2:file rw_file_perms; +allow $1 $2:lnk_file { getattr read }; + +# +# system_domain(): +# +type $1_t, domain, privlog $2; +type $1_exec_t, file_type, sysadmfile, exec_type; +role system_r types $1_t; +libraries_use_dynamic_loader($1_t) +libraries_read_shared_libraries($1_t) +allow $1_t etc_t:dir r_dir_perms; + +# +# tmp_domain(): complete +# +# $2 may need more handling +# +type $1_tmp_t $2; +files_make_file($1_tmp_t) +# no class specified: +allow $1_t $1_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }; +allow $1_t $1_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename }; +files_create_private_tmp_data($1_t, $1_tmp_t, { file dir }) +# class specified: +files_create_private_tmp_data($1_t, $1_tmp_t, $3) +# $3 manage object perms here + +# +# tmpfs_domain(): +# +type $1_tmpfs_t, file_type, sysadmfile, tmpfsfile; +file_type_auto_trans($1_t, tmpfs_t, $1_tmpfs_t) +allow $1_tmpfs_t tmpfs_t:filesystem associate; + +# +# unconfined_domain(): +# + +# +# user_application_domain(): +# +type $1_t, domain, privlog $2; +type $1_exec_t, file_type, sysadmfile, exec_type; +role sysadm_r types $1_t; +domain_auto_trans(sysadm_t, $1_exec_t, $1_t) +libraries_use_dynamic_loader($1_t) +libraries_read_shared_libraries($1_t) +in_user_role($1_t) +domain_auto_trans(userdomain, $1_exec_t, $1_t) + +# +# user_domain(): +# + +# +# uses_authbind(): +# +domain_auto_trans($1, authbind_exec_t, authbind_t) +allow authbind_t $1:process sigchld; +allow authbind_t $1:fd use; +allow authbind_t $1:{ tcp_socket udp_socket } rw_socket_perms; + +# +# uses_shlib(): complete +# +libraries_use_dynamic_loader($1) +libraries_read_shared_libraries($1) + +# +# var_lib_domain(): +# +type $1_var_lib_t, file_type, sysadmfile; +typealias $1_var_lib_t alias var_lib_$1_t; +file_type_auto_trans($1_t, var_lib_t, $1_var_lib_t, file) +allow $1_t $1_var_lib_t:dir rw_dir_perms; + +# +# var_run_domain($1): +# +type $1_var_run_t, file_type, sysadmfile, pidfile; +file_type_auto_trans($1_t, var_run_t, $1_var_run_t, file) +allow $1_t var_t:dir search; +allow $1_t $1_var_run_t:dir rw_dir_perms; + +# +# var_run_domain($1,$2): +# +type $1_var_run_t, file_type, sysadmfile, pidfile; +file_type_auto_trans($1_t, var_run_t, $1_var_run_t, $2) +allow $1_t var_t:dir search; +allow $1_t $1_var_run_t:dir rw_dir_perms;