diff --git a/refpolicy/Makefile b/refpolicy/Makefile
index bdb98ff..8ef4dca 100644
--- a/refpolicy/Makefile
+++ b/refpolicy/Makefile
@@ -273,7 +273,7 @@ $(POLXML): $(DETECTED_MODS:.te=.if) $(foreach dir,$(ALL_LAYERS),$(dir)/$(LAYERXM
@mkdir -p tmp
$(verbose) echo '' > $@
$(verbose) echo '' >> $@
- $(verbose) $(GENXML) -w -m $(LAYERXML) -t $(GLOBALTUN) -b $(GLOBALBOOL) $(ALL_LAYERS) >> $@
+ $(verbose) $(GENXML) -m $(LAYERXML) -t $(GLOBALTUN) -b $(GLOBALBOOL) -o tmp $(ALL_LAYERS) >> $@
$(verbose) if test -x $(XMLLINT) && test -f $(XMLDTD); then \
$(XMLLINT) --noout --dtdvalid $(XMLDTD) $@ ;\
fi
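Review bot: With `-o tmp` the $(POLXML) recipe now writes additional files into tmp besides `$@`, and nothing visible here declares them as targets. The install-headers hunk later in this patch installs `tmp/global_tunables.xml` and `tmp/global_booleans.xml` while depending only on `doc/policy.xml`, so (assuming those are the files genxml emits, and that doc/policy.xml is $(POLXML)) an up-to-date policy.xml with a cleaned tmp directory makes the install fail instead of regenerating them. A comment on this rule such as `# also writes tmp/global_tunables.xml and tmp/global_booleans.xml, consumed by install-headers` would document the coupling, and declaring those files as outputs of the rule would remove it. The rule's prerequisite list is truncated in the hunk header, so this is judged from the recipe lines only.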
@@ -358,21 +358,38 @@ $(APPDIR)/users/root: $(APPCONF)/root_default_contexts
#
# Install policy headers
#
-install-headers: $(DETECTED_MODS:.te=.if) $(ROLEMAP) $(M4SUPPORT)
+install-headers: doc/policy.xml
@mkdir -p $(HEADERDIR)
@echo "Installing policy headers"
- $(verbose) install -m 644 $^ $(HEADERDIR)
- $(verbose) $(GENPERM) $(AVS) $(SECCLASS) > $(HEADERDIR)/all_perms.spt
+ $(verbose) install -m 644 tmp/global_{tunables,booleans}.xml $(HEADERDIR)
+ $(verbose) m4 $(M4PARAM) $(ROLEMAP) > $(HEADERDIR)/$(notdir $(ROLEMAP))
+ $(verbose) mkdir -p $(HEADERDIR)/support
+ $(verbose) install -m 644 $(M4SUPPORT) $(GENXML) $(XMLDTD) $(HEADERDIR)/support
+ $(verbose) $(GENPERM) $(AVS) $(SECCLASS) > $(HEADERDIR)/support/all_perms.spt
+ $(verbose) for i in $(notdir $(ALL_LAYERS)); do \
+ mkdir -p $(HEADERDIR)/$$i ;\
+ install -m 644 $(MODDIR)/$$i/*.if \
+ $(MODDIR)/$$i/metadata.xml \
+ $(HEADERDIR)/$$i ;\
+ done
+ $(verbose) echo "TYPE=$(TYPE)" > $(HEADERDIR)/build.conf
+ $(verbose) echo "NAME=$(NAME)" >> $(HEADERDIR)/build.conf
+ifneq "$(DISTRO)" ""
+ $(verbose) echo "DISTRO=$(DISTRO)" >> $(HEADERDIR)/build.conf
+endif
+ $(verbose) echo "MONOLITHIC=n" >> $(HEADERDIR)/build.conf
+ $(verbose) echo "DIRECT_INITRC=$(DIRECT_INITRC)" >> $(HEADERDIR)/build.conf
+ $(verbose) echo "POLY=$(POLY)" >> $(HEADERDIR)/build.conf
+ $(verbose) install -m 644 $(SUPPORT)/Makefile.devel $(HEADERDIR)/Makefile
########################################
#
# Install policy documentation
#
-install-docs: $(DOCFILES) build.conf tmp/html
+install-docs: tmp/html
@mkdir -p $(DOCSDIR)/html
@echo "Installing policy documentation"
$(verbose) install -m 644 $(DOCFILES) $(DOCSDIR)
- $(verbose) install -m 644 build.conf $(DOCSDIR)/build.conf.example
$(verbose) install -m 644 $(wildcard $(HTMLDIR)/*) $(DOCSDIR)/html
########################################
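Review bot: The per-layer loop in install-headers chains its commands with `;`, so a failed `mkdir` or `install` for any layer but the last is swallowed and the recipe still succeeds with an incomplete header tree. Policy modules are later compiled against these installed interfaces, so the loop should stop at the first error, e.g. by ending the install command with `$(HEADERDIR)/$$i || exit 1 ;\`. Separately, `tmp/global_{tunables,booleans}.xml` relies on brace expansion, which a POSIX `/bin/sh` need not provide; whether SHELL is set to bash is not visible in this hunk, so spelling out both file names is safer. The directories come from `mkdir -p`, whose mode follows the installer's umask, and `install -d -m 755` would pin it for a tree that policy builds trust.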
diff --git a/refpolicy/doc/Makefile.example b/refpolicy/doc/Makefile.example
index f236d7d..1fec02b 100644
--- a/refpolicy/doc/Makefile.example
+++ b/refpolicy/doc/Makefile.example
@@ -1,140 +1,6 @@
--include build.conf
+NAME ?= refpolicy
+SHAREDIR := /usr/share/selinux
+HEADERDIR := $(SHAREDIR)/$(NAME)/include
-# executables
-PREFIX := /usr
-BINDIR := $(PREFIX)/bin
-SBINDIR := $(PREFIX)/sbin
-CHECKMODULE := $(BINDIR)/checkmodule
-SEMODULE := $(SBINDIR)/semodule
-SEMOD_PKG := $(BINDIR)/semodule_package
-
-# helper tools
-AWK ?= gawk
-INSTALL ?= install
-M4 ?= m4
-SED ?= sed
-EINFO ?= echo
-
-# installation paths
-SHAREDIR := $(PREFIX)/share/selinux
-MODPKGDIR := $(SHAREDIR)/$(NAME)
-HEADERDIR := $(SHAREDIR)/refpolicy/include
-
-# set default build options
-TYPE ?= strict
-NAME ?= $(TYPE)
-DIRECT_INITRC ?= n
-POLY ?= n
-
-# compile strict policy if requested.
-ifneq ($(findstring strict,$(TYPE)),)
- M4PARAM += -D strict_policy
-endif
-
-# compile targeted policy if requested.
-ifneq ($(findstring targeted,$(TYPE)),)
- M4PARAM += -D targeted_policy
-endif
-
-# enable MLS if requested.
-ifneq ($(findstring -mls,$(TYPE)),)
- M4PARAM += -D enable_mls
- CHECKPOLICY += -M
- CHECKMODULE += -M
-endif
-
-# enable MLS if MCS requested.
-ifneq ($(findstring -mcs,$(TYPE)),)
- M4PARAM += -D enable_mcs
- CHECKPOLICY += -M
- CHECKMODULE += -M
-endif
-
-# enable distribution-specific policy
-ifneq ($(DISTRO),)
- M4PARAM += -D distro_$(DISTRO)
-endif
-
-# enable polyinstantiation
-ifeq ($(POLY),y)
- M4PARAM += -D enable_polyinstantiation
-endif
-
-ifeq ($(DIRECT_INITRC),y)
- M4PARAM += -D direct_sysadm_daemon
-endif
-
-ifneq ($(VERBOSE),y)
- quiet := @
-endif
-
-M4PARAM += -D hide_broken_symptoms
-
-# policy headers
-m4support := $(wildcard $(HEADERDIR)/*.spt)
-all_interfaces := $(wildcard $(HEADERDIR)/*.if)
-rolemap := $(HEADERDIR)/rolemap
-
-detected_mods := $(wildcard *.te)
-detected_ifs := $(detected_mods:.te=.if)
-all_packages := $(detected_mods:.te=.pp)
-install_mods := $(MODPKGDIR)/$(all_packages)
-
-########################################
-#
-# Functions
-#
-
-# parse-rolemap modulename,outputfile
-define parse-rolemap
- $(verbose) $(M4) $(M4PARAM) $(rolemap) | \
- $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_userdomain_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
-endef
-
-# peruser-expansion modulename,outputfile
-define peruser-expansion
- $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" > $2
- $(call parse-rolemap,$1,$2)
- $(verbose) echo "')" >> $2
-endef
-
-########################################
-#
-# Main targets
-#
-
-all: $(all_packages)
-
-########################################
-#
-# Build module packages
-#
-tmp/%.mod: $(m4support) tmp/all_interfaces.conf %.te
- @$(EINFO) "Compliling $(NAME) $(basename $(@F)) module"
- @test -d tmp || mkdir -p tmp
- $(call peruser-expansion,$(basename $(@F)),$@.role)
- $(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp)
- $(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
-
-tmp/%.mod.fc: $(m4support) %.fc
- $(verbose) $(M4) $(M4PARAM) $^ > $@
-
-%.pp: tmp/%.mod tmp/%.mod.fc
- @echo "Creating $(NAME) $(@F) policy package"
- $(verbose) $(SEMOD_PKG) -o $@ -m $< -f $<.fc
-
-tmp/all_interfaces.conf: $(m4support) $(all_interfaces) $(detected_ifs)
- @test -d tmp || mkdir -p tmp
- $(verbose) m4 $^ | sed -e s/dollarsstar/\$$\*/g > $@
-
-########################################
-#
-# Clean the environment
-#
-
-clean:
- rm -fR tmp
- rm -f *.pp
-
-.PHONY: clean install all default
+include $(HEADERDIR)/Makefile
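Review bot: The example now takes every rule from `include $(HEADERDIR)/Makefile`, and HEADERDIR is built from `NAME ?= refpolicy`, so a `NAME` value inherited from the environment silently selects a different installed header tree. When the headers are not installed, make only reports the missing file. A guard before the include would make both cases explicit: `ifeq ($(wildcard $(HEADERDIR)/Makefile),)`, then `$(error policy headers not found in $(HEADERDIR); check NAME)`, then `endif`. SHAREDIR is also no longer derived from PREFIX, so a non-/usr install is reachable only by overriding SHAREDIR on the command line, which deserves a comment in the example.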
diff --git a/refpolicy/doc/policy.dtd b/refpolicy/doc/policy.dtd
index 1b4cc17..7990cff 100644
--- a/refpolicy/doc/policy.dtd
+++ b/refpolicy/doc/policy.dtd
@@ -11,11 +11,11 @@
-
+
-
+
@@ -25,7 +25,7 @@
-
+
diff --git a/refpolicy/doc/templates/global_bool_list.html b/refpolicy/doc/templates/global_bool_list.html
index 8172985..a8065af 100644
--- a/refpolicy/doc/templates/global_bool_list.html
+++ b/refpolicy/doc/templates/global_bool_list.html
@@ -8,7 +8,7 @@
[[bool['def_val']]]
[[if bool['desc']]]
Description
-[[bool['desc']]]
+[[bool['desc']]]
[[end]]
[[end]]
diff --git a/refpolicy/doc/templates/global_tun_list.html b/refpolicy/doc/templates/global_tun_list.html
index b08ed59..6ed8013 100644
--- a/refpolicy/doc/templates/global_tun_list.html
+++ b/refpolicy/doc/templates/global_tun_list.html
@@ -8,7 +8,7 @@
[[tun['def_val']]]
[[if tun['desc']]]
Description
-[[tun['desc']]]
+[[tun['desc']]]
[[end]]
[[end]]
diff --git a/refpolicy/policy/global_booleans b/refpolicy/policy/global_booleans
index 7b89ba9..111d004 100644
--- a/refpolicy/policy/global_booleans
+++ b/refpolicy/policy/global_booleans
@@ -4,15 +4,27 @@
# file should be used.
#
+##
+##
## Enabling secure mode disallows programs, such as
## newrole, from transitioning to administrative
## user domains.
+##
+##
gen_bool(secure_mode,false)
+##
+##
## Disable transitions to insmod.
+##
+##
gen_bool(secure_mode_insmod,false)
+##
+##
## boolean to determine whether the system permits loading policy, setting
## enforcing mode, and changing boolean values. Set this to true and you
## have to reboot to set it back
+##
+##
gen_bool(secure_mode_policyload,false)
diff --git a/refpolicy/policy/global_tunables b/refpolicy/policy/global_tunables
index 1dbfc75..3199861 100644
--- a/refpolicy/policy/global_tunables
+++ b/refpolicy/policy/global_tunables
@@ -9,142 +9,312 @@
# Common tunables
#
+##
+##
## Allow cvs daemon to read shadow
+##
+##
+#
gen_tunable(allow_cvs_read_shadow,false)
+##
+##
## Allow making the heap executable.
+##
+##
gen_tunable(allow_execheap,false)
+
+##
+##
## Allow making anonymous memory executable, e.g.
## for runtime-code generation or executable stack.
+##
+##
gen_tunable(allow_execmem,false)
+##
+##
## Allow making a modified private file
## mapping executable (text relocation).
+##
+##
gen_tunable(allow_execmod,false)
+##
+##
## Allow making the stack executable via mprotect.
## Also requires allow_execmem.
+##
+##
gen_tunable(allow_execstack,false)
+##
+##
## Allow ftp servers to modify public files
## used for public file transfer services.
+##
+##
gen_tunable(allow_ftpd_anon_write,false)
+##
+##
## Allow gssd to read temp directory.
+##
+##
gen_tunable(allow_gssd_read_tmp,true)
+##
+##
## Allow Apache to modify public files
## used for public file transfer services.
+##
+##
gen_tunable(allow_httpd_anon_write,false)
+##
+##
## Allow java executable stack
+##
+##
gen_tunable(allow_java_execstack,false)
+##
+##
## Allow system to run with kerberos
+##
+##
gen_tunable(allow_kerberos,false)
+##
+##
## Allow rsync to modify public files
## used for public file transfer services.
+##
+##
gen_tunable(allow_rsync_anon_write,false)
+##
+##
## Allow sasl to read shadow
+##
+##
gen_tunable(allow_saslauthd_read_shadow,false)
+##
+##
## Allow samba to modify public files
## used for public file transfer services.
+##
+##
gen_tunable(allow_smbd_anon_write,false)
+##
+##
## Allow sysadm to ptrace all processes
+##
+##
gen_tunable(allow_ptrace,false)
+##
+##
## Allow system to run with NIS
+##
+##
gen_tunable(allow_ypbind,false)
+##
+##
## Enable extra rules in the cron domain
## to support fcron.
+##
+##
gen_tunable(fcron_crond,false)
+##
+##
## Allow ftp to read and write files in the user home directories
+##
+##
gen_tunable(ftp_home_dir,false)
+##
+##
## Allow ftpd to run directly without inetd
+##
+##
gen_tunable(ftpd_is_daemon,false)
+##
+##
## Allow httpd to use built in scripting (usually php)
+##
+##
gen_tunable(httpd_builtin_scripting,false)
+##
+##
## Allow http daemon to tcp connect
+##
+##
gen_tunable(httpd_can_network_connect,false)
-## allow httpd to connect to mysql/posgresql
+##
+##
+## Allow httpd to connect to mysql/posgresql
+##
+##
gen_tunable(httpd_can_network_connect_db, false)
-## allow httpd to act as a relay
+##
+##
+## Allow httpd to act as a relay
+##
+##
gen_tunable(httpd_can_network_relay, false)
+##
+##
## Allow httpd cgi support
+##
+##
gen_tunable(httpd_enable_cgi,false)
+##
+##
## Allow httpd to act as a FTP server by
## listening on the ftp port.
+##
+##
gen_tunable(httpd_enable_ftp_server,false)
+##
+##
## Allow httpd to read home directories
+##
+##
gen_tunable(httpd_enable_homedirs,false)
+##
+##
## Run SSI execs in system CGI script domain.
+##
+##
gen_tunable(httpd_ssi_exec,false)
+##
+##
## Allow http daemon to communicate with the TTY
+##
+##
gen_tunable(httpd_tty_comm,false)
+##
+##
## Run CGI in the main httpd domain
+##
+##
gen_tunable(httpd_unified,false)
+##
+##
## Allow BIND to write the master zone files.
## Generally this is used for dynamic DNS.
+##
+##
gen_tunable(named_write_master_zones,false)
+##
+##
## Allow nfs to be exported read/write.
+##
+##
gen_tunable(nfs_export_all_rw,false)
+##
+##
## Allow nfs to be exported read only
+##
+##
gen_tunable(nfs_export_all_ro,false)
+##
+##
## Allow pppd to load kernel modules for certain modems
+##
+##
gen_tunable(pppd_can_insmod,false)
+##
+##
## Allow reading of default_t files.
+##
+##
gen_tunable(read_default_t,false)
+##
+##
## Allow ssh to run from inetd instead of as a daemon.
+##
+##
gen_tunable(run_ssh_inetd,false)
+##
+##
## Allow samba to export user home directories.
+##
+##
gen_tunable(samba_enable_home_dirs,false)
+##
+##
## Allow spamassassin to do DNS lookups
+##
+##
gen_tunable(spamassasin_can_network,false)
+##
+##
## Allow squid to connect to all ports, not just
## HTTP, FTP, and Gopher ports.
+##
+##
gen_tunable(squid_connect_any,false)
+##
+##
## Allow ssh logins as sysadm_r:sysadm_t
+##
+##
gen_tunable(ssh_sysadm_login,false)
+##
+##
## Configure stunnel to be a standalone daemon or
## inetd service.
+##
+##
gen_tunable(stunnel_is_daemon,false)
+##
+##
## Support NFS home directories
+##
+##
gen_tunable(use_nfs_home_dirs,false)
+##
+##
## Support SAMBA home directories
+##
+##
gen_tunable(use_samba_home_dirs,false)
+##
+##
## Control users use of ping and traceroute
+##
+##
gen_tunable(user_ping,false)
########################################
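Review bot: The rewrapped description `## Allow httpd to connect to mysql/posgresql` keeps the misspelling; these comments feed the generated tunable documentation, so it should read `mysql/postgresql`. The first entry (allow_cvs_read_shadow) also gains a lone `#` line before `gen_tunable` that no other entry in this hunk has, and dropping it keeps the blocks uniform.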
@@ -153,69 +323,141 @@ gen_tunable(user_ping,false)
#
ifdef(`targeted_policy',`',`
+##
+##
## Allow gpg executable stack
+##
+##
gen_tunable(allow_gpg_execstack,false)
+##
+##
## allow host key based authentication
+##
+##
gen_tunable(allow_ssh_keysign,false)
+##
+##
## Allow users to connect to mysql
+##
+##
gen_tunable(allow_user_mysql_connect,false)
+##
+##
## Allow cdrecord to read various content.
## nfs, samba, removable devices, user temp
## and untrusted content files
+##
+##
gen_tunable(cdrecord_read_content,false)
+##
+##
## Allow system cron jobs to relabel filesystem
## for restoring file contexts.
+##
+##
gen_tunable(cron_can_relabel,false)
+##
+##
## Allow pppd to be run for a regular user
+##
+##
gen_tunable(pppd_for_user,false)
+##
+##
## Allow applications to read untrusted content
## If this is disallowed, Internet content has
## to be manually relabeled for read access to be granted
+##
+##
gen_tunable(read_untrusted_content,false)
+##
+##
## Allow user spamassassin clients to use the network.
+##
+##
gen_tunable(spamassassin_can_network,false)
+##
+##
## Allow staff_r users to search the sysadm home
## dir and read files (such as ~/.bashrc)
+##
+##
gen_tunable(staff_read_sysadm_file,false)
+##
+##
## Allow regular users direct mouse access
+##
+##
gen_tunable(user_direct_mouse,false)
+##
+##
## Allow users to read system messages.
+##
+##
gen_tunable(user_dmesg,false)
+##
+##
## Allow users to control network interfaces
## (also needs USERCTL=true)
+##
+##
gen_tunable(user_net_control,false)
+##
+##
## Allow user to r/w files on filesystems
## that do not have extended attributes (FAT, CDROM, FLOPPY)
+##
+##
gen_tunable(user_rw_noexattrfile,false)
+##
+##
## Allow users to rw usb devices
+##
+##
gen_tunable(user_rw_usb,false)
+##
+##
## Allow users to run TCP servers (bind to ports and accept connection from
## the same domain and outside users) disabling this forces FTP passive mode
## and may change other protocols.
+##
+##
gen_tunable(user_tcp_server,false)
+##
+##
## Allow w to display everyone
+##
+##
gen_tunable(user_ttyfile_stat,false)
+##
+##
## Allow applications to write untrusted content
## If this is disallowed, no Internet content
## will be stored.
+##
+##
gen_tunable(write_untrusted_content,false)
+##
+##
## Allow xdm logins as sysadm
+##
+##
gen_tunable(xdm_sysadm_login,false)
')
diff --git a/refpolicy/policy/modules/admin/acct.if b/refpolicy/policy/modules/admin/acct.if
index 87aaa03..831295c 100644
--- a/refpolicy/policy/modules/admin/acct.if
+++ b/refpolicy/policy/modules/admin/acct.if
@@ -5,7 +5,9 @@
## Transition to the accounting management domain.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`acct_domtrans',`
@@ -27,7 +29,9 @@ interface(`acct_domtrans',`
## Execute accounting management tools in the caller domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`acct_exec',`
@@ -44,7 +48,9 @@ interface(`acct_exec',`
## Execute accounting management data in the caller domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
# cjp: this is added for logrotate, and does
@@ -63,7 +69,9 @@ interface(`acct_exec_data',`
## Create, read, write, and delete process accounting data.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`acct_manage_data',`
diff --git a/refpolicy/policy/modules/admin/alsa.if b/refpolicy/policy/modules/admin/alsa.if
index 0150f97..f66893c 100644
--- a/refpolicy/policy/modules/admin/alsa.if
+++ b/refpolicy/policy/modules/admin/alsa.if
@@ -5,7 +5,9 @@
## Domain transition to alsa
##
##
+##
## Domain allowed access.
+##
##
#
interface(`alsa_domtrans',`
@@ -27,7 +29,9 @@ interface(`alsa_domtrans',`
## Allow read and write access to alsa semaphores.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`alsa_rw_semaphores',`
@@ -43,7 +47,9 @@ interface(`alsa_rw_semaphores',`
## Allow read and write access to alsa shared memory.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`alsa_rw_shared_mem',`
diff --git a/refpolicy/policy/modules/admin/amanda.if b/refpolicy/policy/modules/admin/amanda.if
index be99340..0b9281f 100644
--- a/refpolicy/policy/modules/admin/amanda.if
+++ b/refpolicy/policy/modules/admin/amanda.if
@@ -5,7 +5,9 @@
## Execute amrecover in the amanda_recover domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`amanda_domtrans_recover',`
@@ -27,13 +29,19 @@ interface(`amanda_domtrans_recover',`
## allow the specified role the amanda_recover domain.
##
##
+##
## The type of the process performing this action.
+##
##
##
+##
## The role to be allowed the amanda_recover domain.
+##
##
##
+##
## The type of the terminal allow the amanda_recover domain to use.
+##
##
#
interface(`amanda_run_recover',`
@@ -51,7 +59,9 @@ interface(`amanda_run_recover',`
## Search amanda library directories.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`amanda_search_lib',`
@@ -68,7 +78,9 @@ interface(`amanda_search_lib',`
## Do not audit attempts to read /etc/dumpdates.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`amanda_dontaudit_read_dumpdates',`
diff --git a/refpolicy/policy/modules/admin/certwatch.if b/refpolicy/policy/modules/admin/certwatch.if
index bebb19e..84e3852 100644
--- a/refpolicy/policy/modules/admin/certwatch.if
+++ b/refpolicy/policy/modules/admin/certwatch.if
@@ -5,7 +5,9 @@
## Domain transition to certwatch.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`certwatch_domtrans',`
@@ -31,13 +33,19 @@ interface(`certwatch_domtrans',`
## backchannel.
##
##
+##
## The type of the process performing this action.
+##
##
##
+##
## The role to be allowed the certwatch domain.
+##
##
##
+##
## The type of the terminal allow the certwatch domain to use.
+##
##
#
interface(`certwatach_run',`
diff --git a/refpolicy/policy/modules/admin/consoletype.if b/refpolicy/policy/modules/admin/consoletype.if
index eb88ef3..58a2018 100644
--- a/refpolicy/policy/modules/admin/consoletype.if
+++ b/refpolicy/policy/modules/admin/consoletype.if
@@ -7,7 +7,9 @@
## Execute consoletype in the consoletype domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`consoletype_domtrans',`
@@ -30,13 +32,19 @@ interface(`consoletype_domtrans',`
## allow the specified role the consoletype domain.
##
##
+##
## The type of the process performing this action.
+##
##
##
+##
## The role to be allowed the consoletype domain.
+##
##
##
+##
## The type of the terminal allow the consoletype domain to use.
+##
##
#
interface(`consoletype_run',`
@@ -54,7 +62,9 @@ interface(`consoletype_run',`
## Execute consoletype in the caller domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`consoletype_exec',`
diff --git a/refpolicy/policy/modules/admin/ddcprobe.if b/refpolicy/policy/modules/admin/ddcprobe.if
index dd008d7..875b7d2 100644
--- a/refpolicy/policy/modules/admin/ddcprobe.if
+++ b/refpolicy/policy/modules/admin/ddcprobe.if
@@ -5,7 +5,9 @@
## Execute ddcprobe in the ddcprobe domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`ddcprobe_domtrans',`
@@ -27,13 +29,19 @@ interface(`ddcprobe_domtrans',`
## allow the specified role the ddcprobe domain.
##
##
+##
## The type of the process performing this action.
+##
##
##
+##
## Role to be authenticated for ddcprobe domain.
+##
##
##
+##
## The type of the terminal allow the clock domain to use.
+##
##
#
interface(`ddcprobe_run',`
diff --git a/refpolicy/policy/modules/admin/dmesg.if b/refpolicy/policy/modules/admin/dmesg.if
index 3eba936..0ca1319 100644
--- a/refpolicy/policy/modules/admin/dmesg.if
+++ b/refpolicy/policy/modules/admin/dmesg.if
@@ -5,7 +5,9 @@
## Execute dmesg in the dmesg domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`dmesg_domtrans',`
@@ -36,7 +38,9 @@ interface(`dmesg_domtrans',`
## Execute dmesg in the caller domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`dmesg_exec',`
diff --git a/refpolicy/policy/modules/admin/dmidecode.if b/refpolicy/policy/modules/admin/dmidecode.if
index 5e5d449..70d6044 100644
--- a/refpolicy/policy/modules/admin/dmidecode.if
+++ b/refpolicy/policy/modules/admin/dmidecode.if
@@ -5,7 +5,9 @@
## Execute dmidecode in the dmidecode domain.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dmidecode_domtrans',`
@@ -27,13 +29,19 @@ interface(`dmidecode_domtrans',`
## allow the specified role the dmidecode domain.
##
##
+##
## The type of the process performing this action.
+##
##
##
+##
## The role to be allowed the dmidecode domain.
+##
##
##
+##
## The type of the terminal allow the dmidecode domain to use.
+##
##
#
interface(`dmidecode_run',`
diff --git a/refpolicy/policy/modules/admin/firstboot.if b/refpolicy/policy/modules/admin/firstboot.if
index d39d686..b545069 100644
--- a/refpolicy/policy/modules/admin/firstboot.if
+++ b/refpolicy/policy/modules/admin/firstboot.if
@@ -8,7 +8,9 @@
## Execute firstboot in the firstboot domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`firstboot_domtrans',`
@@ -30,13 +32,19 @@ interface(`firstboot_domtrans',`
## allow the specified role the firstboot domain.
##
##
+##
## The type of the process performing this action.
+##
##
##
+##
## The role to be allowed the firstboot domain.
+##
##
##
+##
## The type of the terminal allow the firstboot domain to use.
+##
##
#
interface(`firstboot_run',`
@@ -54,7 +62,9 @@ interface(`firstboot_run',`
## Inherit and use a file descriptor from firstboot.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`firstboot_use_fd',`
@@ -71,7 +81,9 @@ interface(`firstboot_use_fd',`
## file descriptor from firstboot.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`firstboot_dontaudit_use_fd',`
@@ -87,7 +99,9 @@ interface(`firstboot_dontaudit_use_fd',`
## Write to a firstboot unnamed pipe.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`firstboot_write_pipes',`
diff --git a/refpolicy/policy/modules/admin/kudzu.if b/refpolicy/policy/modules/admin/kudzu.if
index 437ee02..605a394 100644
--- a/refpolicy/policy/modules/admin/kudzu.if
+++ b/refpolicy/policy/modules/admin/kudzu.if
@@ -5,7 +5,9 @@
## Execute kudzu in the kudzu domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`kudzu_domtrans',`
@@ -27,13 +29,19 @@ interface(`kudzu_domtrans',`
## allow the specified role the kudzu domain.
##
##
+##
## The type of the process performing this action.
+##
##
##
+##
## The role to be allowed the kudzu domain.
+##
##
##
+##
## The type of the terminal allow the kudzu domain to use.
+##
##
#
interface(`kudzu_run',`
@@ -51,7 +59,9 @@ interface(`kudzu_run',`
## Get attributes of kudzu executable.
##
##
+##
## The type of the process performing this action.
+##
##
#
# cjp: added for ddcprobe
diff --git a/refpolicy/policy/modules/admin/logrotate.if b/refpolicy/policy/modules/admin/logrotate.if
index a97588c..b9c680a 100644
--- a/refpolicy/policy/modules/admin/logrotate.if
+++ b/refpolicy/policy/modules/admin/logrotate.if
@@ -5,7 +5,9 @@
## Execute logrotate in the logrotate domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`logrotate_domtrans',`
@@ -27,13 +29,19 @@ interface(`logrotate_domtrans',`
## allow the specified role the logrotate domain.
##
##
+##
## The type of the process performing this action.
+##
##
##
+##
## The role to be allowed the logrotate domain.
+##
##
##
+##
## The type of the terminal allow the logrotate domain to use.
+##
##
#
interface(`logrotate_run',`
@@ -51,7 +59,9 @@ interface(`logrotate_run',`
## Execute logrotate in the caller domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`logrotate_exec',`
@@ -67,7 +77,9 @@ interface(`logrotate_exec',`
## Inherit and use logrotate file descriptors.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`logrotate_use_fd',`
@@ -83,7 +95,9 @@ interface(`logrotate_use_fd',`
## Do not audit attempts to inherit logrotate file descriptors.
##
##
+##
## The type of the process to not audit.
+##
##
#
interface(`logrotate_dontaudit_use_fd',`
@@ -99,7 +113,9 @@ interface(`logrotate_dontaudit_use_fd',`
## Read a logrotate temporary files.
##
##
+##
## The type of the process to not audit.
+##
##
#
interface(`logrotate_read_tmp_files',`
diff --git a/refpolicy/policy/modules/admin/logwatch.if b/refpolicy/policy/modules/admin/logwatch.if
index 5a5deb1..3de6722 100644
--- a/refpolicy/policy/modules/admin/logwatch.if
+++ b/refpolicy/policy/modules/admin/logwatch.if
@@ -5,7 +5,9 @@
## Read logwatch temporary files.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`logwatch_read_tmp_files',`
diff --git a/refpolicy/policy/modules/admin/mrtg.if b/refpolicy/policy/modules/admin/mrtg.if
index 8602f09..fab860b 100644
--- a/refpolicy/policy/modules/admin/mrtg.if
+++ b/refpolicy/policy/modules/admin/mrtg.if
@@ -5,7 +5,9 @@
## Create and append mrtg logs.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`mrtg_append_create_logs',`
diff --git a/refpolicy/policy/modules/admin/netutils.if b/refpolicy/policy/modules/admin/netutils.if
index 9e9b2dd..65ae005 100644
--- a/refpolicy/policy/modules/admin/netutils.if
+++ b/refpolicy/policy/modules/admin/netutils.if
@@ -5,7 +5,9 @@
## Execute network utilities in the netutils domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`netutils_domtrans',`
@@ -27,13 +29,19 @@ interface(`netutils_domtrans',`
## allow the specified role the netutils domain.
##
##
+##
## The type of the process performing this action.
+##
##
##
+##
## The role to be allowed the netutils domain.
+##
##
##
+##
## The type of the terminal allow the netutils domain to use.
+##
##
#
interface(`netutils_run',`
@@ -51,7 +59,9 @@ interface(`netutils_run',`
## Execute network utilities in the caller domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`netutils_exec',`
@@ -67,7 +77,9 @@ interface(`netutils_exec',`
## Execute ping in the ping domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`netutils_domtrans_ping',`
@@ -89,13 +101,19 @@ interface(`netutils_domtrans_ping',`
## allow the specified role the ping domain.
##
##
+##
## The type of the process performing this action.
+##
##
##
+##
## The role to be allowed the ping domain.
+##
##
##
+##
## The type of the terminal allow the ping domain to use.
+##
##
#
interface(`netutils_run_ping',`
@@ -114,13 +132,19 @@ interface(`netutils_run_ping',`
## allow the specified role the ping domain.
##
##
+##
## The type of the process performing this action.
+##
##
##
+##
## The role to be allowed the ping domain.
+##
##
##
+##
## The type of the terminal allow the ping domain to use.
+##
##
#
interface(`netutils_run_ping_cond',`
@@ -142,7 +166,9 @@ interface(`netutils_run_ping_cond',`
## Execute ping in the caller domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`netutils_exec_ping',`
@@ -158,7 +184,9 @@ interface(`netutils_exec_ping',`
## Execute traceroute in the traceroute domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`netutils_domtrans_traceroute',`
@@ -180,13 +208,19 @@ interface(`netutils_domtrans_traceroute',`
## allow the specified role the traceroute domain.
##
##
+##
## The type of the process performing this action.
+##
##
##
+##
## The role to be allowed the traceroute domain.
+##
##
##
+##
## The type of the terminal allow the traceroute domain to use.
+##
##
#
interface(`netutils_run_traceroute',`
@@ -205,13 +239,19 @@ interface(`netutils_run_traceroute',`
## allow the specified role the traceroute domain.
##
##
+##
## The type of the process performing this action.
+##
##
##
+##
## The role to be allowed the traceroute domain.
+##
##
##
+##
## The type of the terminal allow the traceroute domain to use.
+##
##
#
interface(`netutils_run_traceroute_cond',`
@@ -233,7 +273,9 @@ interface(`netutils_run_traceroute_cond',`
## Execute traceroute in the caller domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`netutils_exec_traceroute',`
diff --git a/refpolicy/policy/modules/admin/portage.if b/refpolicy/policy/modules/admin/portage.if
index 363ee67..3499865 100644
--- a/refpolicy/policy/modules/admin/portage.if
+++ b/refpolicy/policy/modules/admin/portage.if
@@ -8,7 +8,9 @@
## Execute emerge in the portage domain.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`portage_domtrans',`
@@ -32,13 +34,19 @@ interface(`portage_domtrans',`
## allow the specified role the portage domain.
##
##
+##
## Domain allowed access.
+##
##
##
+##
## The role to allow the portage domain.
+##
##
##
+##
## The type of the terminal allow for portage to use.
+##
##
#
interface(`portage_run',`
@@ -72,7 +80,9 @@ interface(`portage_run',`
##
##
##
+##
## Name to be used to derive types.
+##
##
#
template(`portage_compile_domain_template',`
diff --git a/refpolicy/policy/modules/admin/prelink.if b/refpolicy/policy/modules/admin/prelink.if
index e76434d..899fc9d 100644
--- a/refpolicy/policy/modules/admin/prelink.if
+++ b/refpolicy/policy/modules/admin/prelink.if
@@ -5,7 +5,9 @@
## Execute the prelink program in the prelink domain.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`prelink_domtrans',`
@@ -27,7 +29,9 @@ interface(`prelink_domtrans',`
## Make the specified file type prelinkable.
##
##
+##
## File type to be prelinked.
+##
##
#
# cjp: added for misc non-entrypoint objects
@@ -44,7 +48,9 @@ interface(`prelink_object_file',`
## Read the prelink cache.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`prelink_read_cache',`
@@ -61,7 +67,9 @@ interface(`prelink_read_cache',`
## Delete the prelink cache.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`prelink_delete_cache',`
@@ -78,7 +86,9 @@ interface(`prelink_delete_cache',`
## prelink log files.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`prelink_manage_log',`
diff --git a/refpolicy/policy/modules/admin/quota.if b/refpolicy/policy/modules/admin/quota.if
index fd42285..8f4dd73 100644
--- a/refpolicy/policy/modules/admin/quota.if
+++ b/refpolicy/policy/modules/admin/quota.if
@@ -5,7 +5,9 @@
## Execute quota management tools in the quota domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`quota_domtrans',`
@@ -27,13 +29,19 @@ interface(`quota_domtrans',`
## allow the specified role the quota domain.
##
##
+##
## The type of the process performing this action.
+##
##
##
+##
## The role to be allowed the quota domain.
+##
##
##
+##
## The type of the terminal allow the quota domain to use.
+##
##
#
interface(`quota_run',`
@@ -52,7 +60,9 @@ interface(`quota_run',`
## of filesystem quota data files.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`quota_dontaudit_getattr_db',`
diff --git a/refpolicy/policy/modules/admin/rpm.if b/refpolicy/policy/modules/admin/rpm.if
index 2d61196..5141d03 100644
--- a/refpolicy/policy/modules/admin/rpm.if
+++ b/refpolicy/policy/modules/admin/rpm.if
@@ -5,7 +5,9 @@
## Execute rpm programs in the rpm domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`rpm_domtrans',`
@@ -28,7 +30,9 @@ interface(`rpm_domtrans',`
## Execute rpm_script programs in the rpm_script domain.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`rpm_domtrans_script',`
@@ -50,13 +54,19 @@ interface(`rpm_domtrans_script',`
## Execute RPM programs in the RPM domain.
##
##
+##
## The type of the process performing this action.
+##
##
##
+##
## The role to allow the RPM domain.
+##
##
##
+##
## The type of the terminal allow the RPM domain to use.
+##
##
#
interface(`rpm_run',`
@@ -76,7 +86,9 @@ interface(`rpm_run',`
## Inherit and use file descriptors from RPM.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`rpm_use_fd',`
@@ -92,7 +104,9 @@ interface(`rpm_use_fd',`
## Read from an unnamed RPM pipe.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`rpm_read_pipes',`
@@ -108,7 +122,9 @@ interface(`rpm_read_pipes',`
## Read and write an unnamed RPM pipe.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`rpm_rw_pipes',`
@@ -124,7 +140,9 @@ interface(`rpm_rw_pipes',`
## Create, read, write, and delete the RPM log.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`rpm_manage_log',`
@@ -141,7 +159,9 @@ interface(`rpm_manage_log',`
## Inherit and use file descriptors from RPM scripts.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`rpm_use_script_fd',`
@@ -157,7 +177,9 @@ interface(`rpm_use_script_fd',`
## Read the RPM package database.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`rpm_read_db',`
@@ -176,7 +198,9 @@ interface(`rpm_read_db',`
## Create, read, write, and delete the RPM package database.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`rpm_manage_db',`
@@ -196,7 +220,9 @@ interface(`rpm_manage_db',`
## write, and delete the RPM package database.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`rpm_dontaudit_manage_db',`
diff --git a/refpolicy/policy/modules/admin/su.if b/refpolicy/policy/modules/admin/su.if
index 5d79518..5ee377f 100644
--- a/refpolicy/policy/modules/admin/su.if
+++ b/refpolicy/policy/modules/admin/su.if
@@ -98,14 +98,20 @@ template(`su_restricted_domain_template', `
##
##
##
+##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
+##
##
##
+##
## The type of the user domain.
+##
##
##
+##
## The role associated with the user domain.
+##
##
#
template(`su_per_userdomain_template',`
@@ -255,7 +261,9 @@ template(`su_per_userdomain_template',`
## Execute su in the caller domain.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`su_exec',`
diff --git a/refpolicy/policy/modules/admin/sudo.if b/refpolicy/policy/modules/admin/sudo.if
index c3d8b9c..12ba56b 100644
--- a/refpolicy/policy/modules/admin/sudo.if
+++ b/refpolicy/policy/modules/admin/sudo.if
@@ -17,14 +17,20 @@
##
##
##
+##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
+##
##
##
+##
## The type of the user domain.
+##
##
##
+##
## The role associated with the user domain.
+##
##
#
template(`sudo_per_userdomain_template',`
diff --git a/refpolicy/policy/modules/admin/tmpreaper.if b/refpolicy/policy/modules/admin/tmpreaper.if
index 5dfa8a8..d43b117 100644
--- a/refpolicy/policy/modules/admin/tmpreaper.if
+++ b/refpolicy/policy/modules/admin/tmpreaper.if
@@ -5,7 +5,9 @@
## Execute tmpreaper in the caller domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`tmpreaper_exec',`
diff --git a/refpolicy/policy/modules/admin/updfstab.if b/refpolicy/policy/modules/admin/updfstab.if
index 753454f..dad4bef 100644
--- a/refpolicy/policy/modules/admin/updfstab.if
+++ b/refpolicy/policy/modules/admin/updfstab.if
@@ -5,7 +5,9 @@
## Execute updfstab in the updfstab domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`updfstab_domtrans',`
diff --git a/refpolicy/policy/modules/admin/usbmodules.if b/refpolicy/policy/modules/admin/usbmodules.if
index 394d990..b27fb16 100644
--- a/refpolicy/policy/modules/admin/usbmodules.if
+++ b/refpolicy/policy/modules/admin/usbmodules.if
@@ -5,7 +5,9 @@
## Execute usbmodules in the usbmodules domain.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`usbmodules_domtrans',`
@@ -29,13 +31,19 @@ interface(`usbmodules_domtrans',`
## and use the caller's terminal.
##
##
+##
## The type of the process performing this action.
+##
##
##
+##
## The role to be allowed the usbmodules domain.
+##
##
##
+##
## The type of the terminal allow the usbmodules domain to use.
+##
##
#
interface(`usbmodules_run',`
diff --git a/refpolicy/policy/modules/admin/usermanage.if b/refpolicy/policy/modules/admin/usermanage.if
index 533d203..9a1c41e 100644
--- a/refpolicy/policy/modules/admin/usermanage.if
+++ b/refpolicy/policy/modules/admin/usermanage.if
@@ -5,7 +5,9 @@
## Execute chfn in the chfn domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`usermanage_domtrans_chfn',`
@@ -29,13 +31,19 @@ interface(`usermanage_domtrans_chfn',`
## allow the specified role the chfn domain.
##
##
+##
## The type of the process performing this action.
+##
##
##
+##
## The role to be allowed the chfn domain.
+##
##
##
+##
## The type of the terminal allow the chfn domain to use.
+##
##
#
interface(`usermanage_run_chfn',`
@@ -53,7 +61,9 @@ interface(`usermanage_run_chfn',`
## Execute groupadd in the groupadd domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`usermanage_domtrans_groupadd',`
@@ -77,13 +87,19 @@ interface(`usermanage_domtrans_groupadd',`
## allow the specified role the groupadd domain.
##
##
+##
## The type of the process performing this action.
+##
##
##
+##
## The role to be allowed the groupadd domain.
+##
##
##
+##
## The type of the terminal allow the groupadd domain to use.
+##
##
#
interface(`usermanage_run_groupadd',`
@@ -101,7 +117,9 @@ interface(`usermanage_run_groupadd',`
## Execute passwd in the passwd domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`usermanage_domtrans_passwd',`
@@ -125,13 +143,19 @@ interface(`usermanage_domtrans_passwd',`
## allow the specified role the passwd domain.
##
##
+##
## The type of the process performing this action.
+##
##
##
+##
## The role to be allowed the passwd domain.
+##
##
##
+##
## The type of the terminal allow the passwd domain to use.
+##
##
#
interface(`usermanage_run_passwd',`
@@ -150,7 +174,9 @@ interface(`usermanage_run_passwd',`
## the admin passwd domain.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`usermanage_domtrans_admin_passwd',`
@@ -175,13 +201,19 @@ interface(`usermanage_domtrans_admin_passwd',`
## the admin passwd domain.
##
##
+##
## The type of the process performing this action.
+##
##
##
+##
## The role to be allowed the admin passwd domain.
+##
##
##
+##
## The type of the terminal allow the admin passwd domain to use.
+##
##
#
interface(`usermanage_run_admin_passwd',`
@@ -199,7 +231,9 @@ interface(`usermanage_run_admin_passwd',`
## Execute useradd in the useradd domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`usermanage_domtrans_useradd',`
@@ -223,13 +257,19 @@ interface(`usermanage_domtrans_useradd',`
## allow the specified role the useradd domain.
##
##
+##
## The type of the process performing this action.
+##
##
##
+##
## The role to be allowed the useradd domain.
+##
##
##
+##
## The type of the terminal allow the useradd domain to use.
+##
##
#
interface(`usermanage_run_useradd',`
@@ -247,7 +287,9 @@ interface(`usermanage_run_useradd',`
## Read the crack database.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`usermanage_read_crack_db',`
diff --git a/refpolicy/policy/modules/admin/vbetool.if b/refpolicy/policy/modules/admin/vbetool.if
index efac87e..729e9a0 100644
--- a/refpolicy/policy/modules/admin/vbetool.if
+++ b/refpolicy/policy/modules/admin/vbetool.if
@@ -5,7 +5,9 @@
## Execute vbetool application in the vbetool domain.
##
##
+##
## N/A
+##
##
#
interface(`vbetool_domtrans',`
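Review bot: The parameter description wrapped by the two added lines is still the placeholder `N/A`, so the generated documentation will not say which domain is granted the transition. The summary line in this hunk reads "Execute vbetool application in the vbetool domain.", so the text used by the other domtrans interfaces in this commit (usbmodules_domtrans, vpn_domtrans) fits here: `## Domain allowed access.`. The interface body is outside the hunk, so confirm the parameter is the calling domain before changing the text.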
diff --git a/refpolicy/policy/modules/admin/vpn.if b/refpolicy/policy/modules/admin/vpn.if
index 8258420..eb9b4eb 100644
--- a/refpolicy/policy/modules/admin/vpn.if
+++ b/refpolicy/policy/modules/admin/vpn.if
@@ -5,7 +5,9 @@
## Execute VPN clients in the vpnc domain.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`vpn_domtrans',`
@@ -27,13 +29,19 @@ interface(`vpn_domtrans',`
## allow the specified role the vpnc domain.
##
##
+##
## Domain allowed access.
+##
##
##
+##
## The role to be allowed the vpnc domain.
+##
##
##
+##
## The type of the terminal allow the vpnc domain to use.
+##
##
#
interface(`vpn_run',`
@@ -51,7 +59,9 @@ interface(`vpn_run',`
## Send generic signals to VPN clients.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`vpn_signal',`
diff --git a/refpolicy/policy/modules/apps/cdrecord.if b/refpolicy/policy/modules/apps/cdrecord.if
index 8202d42..a52302e 100644
--- a/refpolicy/policy/modules/apps/cdrecord.if
+++ b/refpolicy/policy/modules/apps/cdrecord.if
@@ -16,14 +16,20 @@
##
##
##
+##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
+##
##
##
+##
## The type of the user domain.
+##
##
##
+##
## The role associated with the user domain.
+##
##
#
template(`cdrecord_per_userdomain_template', `
diff --git a/refpolicy/policy/modules/apps/gpg.if b/refpolicy/policy/modules/apps/gpg.if
index 140e8ca..d3733ec 100644
--- a/refpolicy/policy/modules/apps/gpg.if
+++ b/refpolicy/policy/modules/apps/gpg.if
@@ -18,14 +18,20 @@
##
##
##
+##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
+##
##
##
+##
## The user domain.
+##
##
##
+##
## The role associated with the user.
+##
##
#
template(`gpg_per_userdomain_template',`
diff --git a/refpolicy/policy/modules/apps/irc.if b/refpolicy/policy/modules/apps/irc.if
index 3d604ad..87a6dcd 100644
--- a/refpolicy/policy/modules/apps/irc.if
+++ b/refpolicy/policy/modules/apps/irc.if
@@ -16,14 +16,20 @@
##
##
##
+##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
+##
##
##
+##
## The type of the user domain.
+##
##
##
+##
## The role associated with the user domain.
+##
##
#
template(`irc_per_userdomain_template',`
diff --git a/refpolicy/policy/modules/apps/java.if b/refpolicy/policy/modules/apps/java.if
index e99d538..d32cc95 100644
--- a/refpolicy/policy/modules/apps/java.if
+++ b/refpolicy/policy/modules/apps/java.if
@@ -16,14 +16,20 @@
##
##
##
+##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
+##
##
##
+##
## The type of the user domain.
+##
##
##
+##
## The role associated with the user domain.
+##
##
#
template(`java_per_userdomain_template',`
diff --git a/refpolicy/policy/modules/apps/loadkeys.if b/refpolicy/policy/modules/apps/loadkeys.if
index 7f6a666..3d96369 100644
--- a/refpolicy/policy/modules/apps/loadkeys.if
+++ b/refpolicy/policy/modules/apps/loadkeys.if
@@ -5,7 +5,9 @@
## Execute the loadkeys program in the loadkeys domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`loadkeys_domtrans',`
@@ -32,13 +34,19 @@ interface(`loadkeys_domtrans',`
## Execute the loadkeys program in the loadkeys domain.
##
##
+##
## The type of the process performing this action.
+##
##
##
+##
## The role to allow the loadkeys domain.
+##
##
##
+##
## The type of the terminal allow the loadkeys domain to use.
+##
##
#
interface(`loadkeys_run',`
@@ -61,7 +69,9 @@ interface(`loadkeys_run',`
## Execute the loadkeys program in the caller domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`loadkeys_exec',`
diff --git a/refpolicy/policy/modules/apps/lockdev.if b/refpolicy/policy/modules/apps/lockdev.if
index 009db0f..6b94b13 100644
--- a/refpolicy/policy/modules/apps/lockdev.if
+++ b/refpolicy/policy/modules/apps/lockdev.if
@@ -17,14 +17,20 @@
##
##
##
+##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
+##
##
##
+##
## The type of the user domain.
+##
##
##
+##
## The role associated with the user domain.
+##
##
#
template(`lockdev_per_userdomain_template',`
diff --git a/refpolicy/policy/modules/apps/mono.if b/refpolicy/policy/modules/apps/mono.if
index ea2e1f7..257fa43 100644
--- a/refpolicy/policy/modules/apps/mono.if
+++ b/refpolicy/policy/modules/apps/mono.if
@@ -5,7 +5,9 @@
## Execute the mono program in the mono domain.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`mono_domtrans',`
diff --git a/refpolicy/policy/modules/apps/screen.if b/refpolicy/policy/modules/apps/screen.if
index a8f3132..ff18fe9 100644
--- a/refpolicy/policy/modules/apps/screen.if
+++ b/refpolicy/policy/modules/apps/screen.if
@@ -16,14 +16,20 @@
##
##
##
+##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
+##
##
##
+##
## The type of the user domain.
+##
##
##
+##
## The role associated with the user domain.
+##
##
#
template(`screen_per_userdomain_template',`
diff --git a/refpolicy/policy/modules/apps/slocate.if b/refpolicy/policy/modules/apps/slocate.if
index 0e35a1e..4abc8b2 100644
--- a/refpolicy/policy/modules/apps/slocate.if
+++ b/refpolicy/policy/modules/apps/slocate.if
@@ -5,7 +5,9 @@
## Create the locate log with append mode.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`slocate_create_append_log',`
diff --git a/refpolicy/policy/modules/apps/tvtime.if b/refpolicy/policy/modules/apps/tvtime.if
index 9806dc7..ae2a228 100644
--- a/refpolicy/policy/modules/apps/tvtime.if
+++ b/refpolicy/policy/modules/apps/tvtime.if
@@ -16,14 +16,20 @@
##
##
##
+##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
+##
##
##
+##
## The type of the user domain.
+##
##
##
+##
## The role associated with the user domain.
+##
##
#
template(`tvtime_per_userdomain_template',`
diff --git a/refpolicy/policy/modules/apps/userhelper.if b/refpolicy/policy/modules/apps/userhelper.if
index 2f10dc0..4f0bbb8 100644
--- a/refpolicy/policy/modules/apps/userhelper.if
+++ b/refpolicy/policy/modules/apps/userhelper.if
@@ -16,14 +16,20 @@
##
##
##
+##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
+##
##
##
+##
## The type of the user domain.
+##
##
##
+##
## The role associated with the user domain.
+##
##
#
template(`userhelper_per_userdomain_template',`
@@ -205,7 +211,9 @@ template(`userhelper_per_userdomain_template',`
## Search the userhelper configuration directory.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`userhelper_search_config',`
@@ -222,7 +230,9 @@ interface(`userhelper_search_config',`
## the userhelper configuration directory.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`userhelper_dontaudit_search_config',`
diff --git a/refpolicy/policy/modules/apps/usernetctl.if b/refpolicy/policy/modules/apps/usernetctl.if
index ce58e42..dc2ebb9 100644
--- a/refpolicy/policy/modules/apps/usernetctl.if
+++ b/refpolicy/policy/modules/apps/usernetctl.if
@@ -5,7 +5,9 @@
## Execute usernetctl in the usernetctl domain.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`usernetctl_domtrans',`
@@ -31,13 +33,19 @@ interface(`usernetctl_domtrans',`
## allow the specified role the usernetctl domain.
##
##
+##
## Domain allowed access.
+##
##
##
+##
## The role to be allowed the usernetctl domain.
+##
##
##
+##
## The type of the terminal allow the usernetctl domain to use.
+##
##
#
interface(`usernetctl_run',`
diff --git a/refpolicy/policy/modules/apps/webalizer.if b/refpolicy/policy/modules/apps/webalizer.if
index 8d56589..642ba83 100644
--- a/refpolicy/policy/modules/apps/webalizer.if
+++ b/refpolicy/policy/modules/apps/webalizer.if
@@ -5,7 +5,9 @@
## Execute webalizer in the webalizer domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`webalizer_domtrans',`
@@ -27,13 +29,19 @@ interface(`webalizer_domtrans',`
## allow the specified role the webalizer domain.
##
##
+##
## The type of the process performing this action.
+##
##
##
+##
## The role to be allowed the webalizer domain.
+##
##
##
+##
## The type of the terminal allow the webalizer domain to use.
+##
##
#
interface(`webalizer_run',`
diff --git a/refpolicy/policy/modules/apps/wine.if b/refpolicy/policy/modules/apps/wine.if
index 829367c..00b468e 100644
--- a/refpolicy/policy/modules/apps/wine.if
+++ b/refpolicy/policy/modules/apps/wine.if
@@ -5,7 +5,9 @@
## Execute the wine program in the wine domain.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`wine_domtrans',`
diff --git a/refpolicy/policy/modules/kernel/bootloader.if b/refpolicy/policy/modules/kernel/bootloader.if
index d4673ac..8242530 100644
--- a/refpolicy/policy/modules/kernel/bootloader.if
+++ b/refpolicy/policy/modules/kernel/bootloader.if
@@ -5,7 +5,9 @@
## Execute bootloader in the bootloader domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`bootloader_domtrans',`
@@ -27,13 +29,19 @@ interface(`bootloader_domtrans',`
## a domain transition to the bootloader domain.
##
##
+##
## The type of the process performing this action.
+##
##
##
+##
## The role to be allowed the bootloader domain.
+##
##
##
+##
## The type of the terminal allow the bootloader domain to use.
+##
##
#
interface(`bootloader_run',`
@@ -52,7 +60,9 @@ interface(`bootloader_run',`
## Get attributes of the /boot directory.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`bootloader_getattr_boot_dirs',`
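Review bot: The parameter text `Domain to not audit.` does not match this interface, whose summary line reads "Get attributes of the /boot directory." and which is therefore presumably the access-granting variant. The dontaudit variant (bootloader_dontaudit_getattr_boot_dirs) is the next hunk and carries the same text. A policy author relying on the generated documentation could take this call for one that only silences denials, when it likely adds an allow rule. I would change the line to `## Domain allowed access.`; the interface body is outside the hunk, so check it first.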
@@ -69,7 +79,9 @@ interface(`bootloader_getattr_boot_dirs',`
## of the /boot directory.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`bootloader_dontaudit_getattr_boot_dirs',`
@@ -85,7 +97,9 @@ interface(`bootloader_dontaudit_getattr_boot_dirs',`
## Search the /boot directory.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`bootloader_search_boot',`
@@ -101,7 +115,9 @@ interface(`bootloader_search_boot',`
## Do not audit attempts to search the /boot directory.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`bootloader_dontaudit_search_boot',`
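Review bot: The parameter text `The type of the process performing this action.` is misleading for this interface, whose summary line is "Do not audit attempts to search the /boot directory.". Nothing is permitted to the named domain here; its denied searches are just not logged, which matters to anyone reviewing why an audit record is missing. `## Domain to not audit.`, the wording used for bootloader_dontaudit_getattr_boot_dirs in the previous hunk, would be accurate and consistent. The interface body is outside the hunk.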
@@ -118,7 +134,9 @@ interface(`bootloader_dontaudit_search_boot',`
## in the /boot directory.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`bootloader_rw_boot_symlinks',`
@@ -135,7 +153,9 @@ interface(`bootloader_rw_boot_symlinks',`
## Install a kernel into the /boot directory.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`bootloader_create_kernel_img',`
@@ -153,7 +173,9 @@ interface(`bootloader_create_kernel_img',`
## Install a system.map into the /boot directory.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`bootloader_create_kernel_symbol_table',`
@@ -170,7 +192,9 @@ interface(`bootloader_create_kernel_symbol_table',`
## Read system.map in the /boot directory.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`bootloader_read_kernel_symbol_table',`
@@ -190,7 +214,9 @@ interface(`bootloader_read_kernel_symbol_table',`
## Delete a kernel from /boot.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`bootloader_delete_kernel',`
@@ -207,7 +233,9 @@ interface(`bootloader_delete_kernel',`
## Delete a system.map in the /boot directory.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`bootloader_delete_kernel_symbol_table',`
@@ -224,7 +252,9 @@ interface(`bootloader_delete_kernel_symbol_table',`
## Read the bootloader configuration file.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`bootloader_read_config',`
@@ -241,7 +271,9 @@ interface(`bootloader_read_config',`
## configuration file.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`bootloader_rw_config',`
@@ -258,7 +290,9 @@ interface(`bootloader_rw_config',`
## temporary data in /tmp.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`bootloader_rw_tmp_files',`
@@ -276,7 +310,9 @@ interface(`bootloader_rw_tmp_files',`
## temporary data in /tmp.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`bootloader_create_runtime_file',`
@@ -294,7 +330,9 @@ interface(`bootloader_create_runtime_file',`
## Search the contents of the kernel module directories.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`bootloader_search_kernel_modules',`
@@ -310,7 +348,9 @@ interface(`bootloader_search_kernel_modules',`
## List the contents of the kernel module directories.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`bootloader_list_kernel_modules',`
@@ -326,7 +366,9 @@ interface(`bootloader_list_kernel_modules',`
## Get the attributes of kernel module files.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`bootloader_getattr_kernel_modules',`
@@ -343,7 +385,9 @@ interface(`bootloader_getattr_kernel_modules',`
## Read kernel module files.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`bootloader_read_kernel_modules',`
@@ -361,7 +405,9 @@ interface(`bootloader_read_kernel_modules',`
## Write kernel module files.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`bootloader_write_kernel_modules',`
@@ -382,7 +428,9 @@ interface(`bootloader_write_kernel_modules',`
## kernel module files.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`bootloader_manage_kernel_modules',`
diff --git a/refpolicy/policy/modules/kernel/corecommands.if b/refpolicy/policy/modules/kernel/corecommands.if
index 539a8e1..8302033 100644
--- a/refpolicy/policy/modules/kernel/corecommands.if
+++ b/refpolicy/policy/modules/kernel/corecommands.if
@@ -23,7 +23,9 @@
##
##
##
+##
## Alias type for bin_t.
+##
##
interface(`corecmd_bin_alias',`
ifdef(`targeted_policy',`
@@ -42,7 +44,9 @@ interface(`corecmd_bin_alias',`
## Make the shell an entrypoint for the specified domain.
##
##
+##
## The domain for which the shell is an entrypoint.
+##
##
interface(`corecmd_shell_entry_type',`
gen_require(`
@@ -81,7 +85,9 @@ interface(`corecmd_list_bin',`
## Get the attributes of files in bin directories.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`corecmd_getattr_bin_files',`
@@ -97,7 +103,9 @@ interface(`corecmd_getattr_bin_files',`
## Read files in bin directories.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`corecmd_read_bin_files',`
@@ -114,7 +122,9 @@ interface(`corecmd_read_bin_files',`
## Read symbolic links in bin directories.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`corecmd_read_bin_symlinks',`
@@ -131,7 +141,9 @@ interface(`corecmd_read_bin_symlinks',`
## Read pipes in bin directories.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`corecmd_read_bin_pipes',`
@@ -148,7 +160,9 @@ interface(`corecmd_read_bin_pipes',`
## Read named sockets in bin directories.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`corecmd_read_bin_sockets',`
@@ -180,7 +194,9 @@ interface(`corecmd_exec_bin',`
## Create, read, write, and delete bin files.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`corecmd_manage_bin_files',`
@@ -197,7 +213,9 @@ interface(`corecmd_manage_bin_files',`
## Relabel to and from the bin type.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`corecmd_relabel_bin_files',`
@@ -214,7 +232,9 @@ interface(`corecmd_relabel_bin_files',`
## Mmap a bin file as executable.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`corecmd_mmap_bin_files',`
@@ -252,10 +272,14 @@ interface(`corecmd_mmap_bin_files',`
##
##
##
+##
## Domain allowed access.
+##
##
##
+##
## The type of the new process.
+##
##
#
interface(`corecmd_bin_spec_domtrans',`
@@ -293,10 +317,14 @@ interface(`corecmd_bin_spec_domtrans',`
##
##
##
+##
## Domain allowed access.
+##
##
##
+##
## The type of the new process.
+##
##
#
interface(`corecmd_bin_domtrans',`
@@ -326,7 +354,9 @@ interface(`corecmd_search_sbin',`
## sbin directories.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`corecmd_dontaudit_search_sbin',`
@@ -378,7 +408,9 @@ interface(`corecmd_dontaudit_getattr_sbin_files',`
## Read files in sbin directories.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`corecmd_read_sbin_files',`
@@ -395,7 +427,9 @@ interface(`corecmd_read_sbin_files',`
## Read symbolic links in sbin directories.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`corecmd_read_sbin_symlinks',`
@@ -412,7 +446,9 @@ interface(`corecmd_read_sbin_symlinks',`
## Read named pipes in sbin directories.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`corecmd_read_sbin_pipes',`
@@ -429,7 +465,9 @@ interface(`corecmd_read_sbin_pipes',`
## Read named sockets in sbin directories.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`corecmd_read_sbin_sockets',`
@@ -460,7 +498,9 @@ interface(`corecmd_exec_sbin',`
## Create, read, write, and delete sbin files.
##
##
+##
## Domain allowed access.
+##
##
#
# cjp: added for prelink
@@ -478,7 +518,9 @@ interface(`corecmd_manage_sbin_files',`
## Relabel to and from the sbin type.
##
##
+##
## Domain allowed access.
+##
##
#
# cjp: added for prelink
@@ -496,7 +538,9 @@ interface(`corecmd_relabel_sbin_files',`
## Mmap a sbin file as executable.
##
##
+##
## Domain allowed access.
+##
##
#
# cjp: added for prelink
@@ -533,10 +577,14 @@ interface(`corecmd_mmap_sbin_files',`
##
##
##
+##
## Domain allowed access.
+##
##
##
+##
## The type of the new process.
+##
##
#
interface(`corecmd_sbin_domtrans',`
@@ -576,10 +624,14 @@ interface(`corecmd_sbin_domtrans',`
##
##
##
+##
## Domain allowed access.
+##
##
##
+##
## The type of the new process.
+##
##
#
interface(`corecmd_sbin_spec_domtrans',`
@@ -598,7 +650,9 @@ interface(`corecmd_sbin_spec_domtrans',`
## Check if a shell is executable (DAC-wise).
##
##
+##
## Domain allowed access.
+##
##
#
interface(`corecmd_check_exec_shell',`
@@ -658,10 +712,14 @@ interface(`corecmd_exec_ls',`
##
##
##
+##
## Domain allowed access.
+##
##
##
+##
## The type of the shell process.
+##
##
#
interface(`corecmd_shell_spec_domtrans',`
@@ -690,10 +748,14 @@ interface(`corecmd_shell_spec_domtrans',`
##
##
##
+##
## Domain allowed access.
+##
##
##
+##
## The type of the shell process.
+##
##
#
interface(`corecmd_shell_domtrans',`
diff --git a/refpolicy/policy/modules/kernel/corenetwork.if.in b/refpolicy/policy/modules/kernel/corenetwork.if.in
index 58a3c91..bf0c4e7 100644
--- a/refpolicy/policy/modules/kernel/corenetwork.if.in
+++ b/refpolicy/policy/modules/kernel/corenetwork.if.in
@@ -8,7 +8,9 @@
## Send and receive TCP network traffic on the generic interfaces.
##
##
+##
## The type of the process performing this action.
+##
##
##
#
@@ -25,7 +27,9 @@ interface(`corenet_tcp_sendrecv_generic_if',`
## Send UDP network traffic on generic interfaces.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`corenet_udp_send_generic_if',`
@@ -41,7 +45,9 @@ interface(`corenet_udp_send_generic_if',`
## Receive UDP network traffic on generic interfaces.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`corenet_udp_receive_generic_if',`
@@ -57,7 +63,9 @@ interface(`corenet_udp_receive_generic_if',`
## Send and Receive UDP network traffic on generic interfaces.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`corenet_udp_sendrecv_generic_if',`
@@ -70,7 +78,9 @@ interface(`corenet_udp_sendrecv_generic_if',`
## Send raw IP packets on generic interfaces.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`corenet_raw_send_generic_if',`
@@ -90,7 +100,9 @@ interface(`corenet_raw_send_generic_if',`
## Receive raw IP packets on generic interfaces.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`corenet_raw_receive_generic_if',`
@@ -106,7 +118,9 @@ interface(`corenet_raw_receive_generic_if',`
## Send and receive raw IP packets on generic interfaces.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`corenet_raw_sendrecv_generic_if',`
@@ -119,7 +133,9 @@ interface(`corenet_raw_sendrecv_generic_if',`
## Send and receive TCP network traffic on all interfaces.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`corenet_tcp_sendrecv_all_if',`
@@ -135,7 +151,9 @@ interface(`corenet_tcp_sendrecv_all_if',`
## Send UDP network traffic on all interfaces.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`corenet_udp_send_all_if',`
@@ -151,7 +169,9 @@ interface(`corenet_udp_send_all_if',`
## Receive UDP network traffic on all interfaces.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`corenet_udp_receive_all_if',`
@@ -167,7 +187,9 @@ interface(`corenet_udp_receive_all_if',`
## Send and receive UDP network traffic on all interfaces.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`corenet_udp_sendrecv_all_if',`
@@ -180,7 +202,9 @@ interface(`corenet_udp_sendrecv_all_if',`
## Send raw IP packets on all interfaces.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`corenet_raw_send_all_if',`
@@ -200,7 +224,9 @@ interface(`corenet_raw_send_all_if',`
## Receive raw IP packets on all interfaces.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`corenet_raw_receive_all_if',`
@@ -216,7 +242,9 @@ interface(`corenet_raw_receive_all_if',`
## Send and receive raw IP packets on all interfaces.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`corenet_raw_sendrecv_all_if',`
@@ -229,7 +257,9 @@ interface(`corenet_raw_sendrecv_all_if',`
## Send and receive TCP network traffic on generic nodes.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`corenet_tcp_sendrecv_generic_node',`
@@ -245,7 +275,9 @@ interface(`corenet_tcp_sendrecv_generic_node',`
## Send UDP network traffic on generic nodes.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`corenet_udp_send_generic_node',`
@@ -261,7 +293,9 @@ interface(`corenet_udp_send_generic_node',`
## Receive UDP network traffic on generic nodes.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`corenet_udp_receive_generic_node',`
@@ -277,7 +311,9 @@ interface(`corenet_udp_receive_generic_node',`
## Send and receive UDP network traffic on generic nodes.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`corenet_udp_sendrecv_generic_node',`
@@ -290,7 +326,9 @@ interface(`corenet_udp_sendrecv_generic_node',`
## Send raw IP packets on generic nodes.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`corenet_raw_send_generic_node',`
@@ -306,7 +344,9 @@ interface(`corenet_raw_send_generic_node',`
## Receive raw IP packets on generic nodes.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`corenet_raw_receive_generic_node',`
@@ -322,7 +362,9 @@ interface(`corenet_raw_receive_generic_node',`
## Send and receive raw IP packets on generic nodes.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`corenet_raw_sendrecv_generic_node',`
@@ -335,7 +377,9 @@ interface(`corenet_raw_sendrecv_generic_node',`
## Bind TCP sockets to generic nodes.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`corenet_tcp_bind_generic_node',`
@@ -351,7 +395,9 @@ interface(`corenet_tcp_bind_generic_node',`
## Bind UDP sockets to generic nodes.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`corenet_udp_bind_generic_node',`
@@ -367,7 +413,9 @@ interface(`corenet_udp_bind_generic_node',`
## Send and receive TCP network traffic on all nodes.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`corenet_tcp_sendrecv_all_nodes',`
@@ -383,7 +431,9 @@ interface(`corenet_tcp_sendrecv_all_nodes',`
## Send UDP network traffic on all nodes.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`corenet_udp_send_all_nodes',`
@@ -399,7 +449,9 @@ interface(`corenet_udp_send_all_nodes',`
## Receive UDP network traffic on all nodes.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`corenet_udp_receive_all_nodes',`
@@ -415,7 +467,9 @@ interface(`corenet_udp_receive_all_nodes',`
## Send and receive UDP network traffic on all nodes.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`corenet_udp_sendrecv_all_nodes',`
@@ -428,7 +482,9 @@ interface(`corenet_udp_sendrecv_all_nodes',`
## Send raw IP packets on all nodes.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`corenet_raw_send_all_nodes',`
@@ -444,7 +500,9 @@ interface(`corenet_raw_send_all_nodes',`
## Receive raw IP packets on all nodes.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`corenet_raw_receive_all_nodes',`
@@ -460,7 +518,9 @@ interface(`corenet_raw_receive_all_nodes',`
## Send and receive raw IP packets on all nodes.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`corenet_raw_sendrecv_all_nodes',`
@@ -473,7 +533,9 @@ interface(`corenet_raw_sendrecv_all_nodes',`
## Bind TCP sockets to all nodes.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`corenet_tcp_bind_all_nodes',`
@@ -489,7 +551,9 @@ interface(`corenet_tcp_bind_all_nodes',`
## Bind UDP sockets to all nodes.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`corenet_udp_bind_all_nodes',`
@@ -505,7 +569,9 @@ interface(`corenet_udp_bind_all_nodes',`
## Bind raw sockets to all nodes.
##
##
+##
## The type of the process performing this action.
+##
##
# rawip_socket node_bind does not make much sense.
interface(`corenet_raw_bind_all_nodes',`
@@ -521,7 +587,9 @@ interface(`corenet_raw_bind_all_nodes',`
## Send and receive TCP network traffic on generic ports.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`corenet_tcp_sendrecv_generic_port',`
@@ -537,7 +605,9 @@ interface(`corenet_tcp_sendrecv_generic_port',`
## Send UDP network traffic on generic ports.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`corenet_udp_send_generic_port',`
@@ -553,7 +623,9 @@ interface(`corenet_udp_send_generic_port',`
## Receive UDP network traffic on generic ports.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`corenet_udp_receive_generic_port',`
@@ -569,7 +641,9 @@ interface(`corenet_udp_receive_generic_port',`
## Send and receive UDP network traffic on generic ports.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`corenet_udp_sendrecv_generic_port',`
@@ -582,7 +656,9 @@ interface(`corenet_udp_sendrecv_generic_port',`
## Bind TCP sockets to generic ports.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`corenet_tcp_bind_generic_port',`
@@ -598,7 +674,9 @@ interface(`corenet_tcp_bind_generic_port',`
## Bind UDP sockets to generic ports.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`corenet_udp_bind_generic_port',`
@@ -614,7 +692,9 @@ interface(`corenet_udp_bind_generic_port',`
## Connect TCP sockets to generic ports.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`corenet_tcp_connect_generic_port',`
@@ -630,7 +710,9 @@ interface(`corenet_tcp_connect_generic_port',`
## Send and receive TCP network traffic on all ports.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`corenet_tcp_sendrecv_all_ports',`
@@ -646,7 +728,9 @@ interface(`corenet_tcp_sendrecv_all_ports',`
## Send UDP network traffic on all ports.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`corenet_udp_send_all_ports',`
@@ -662,7 +746,9 @@ interface(`corenet_udp_send_all_ports',`
## Receive UDP network traffic on all ports.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`corenet_udp_receive_all_ports',`
@@ -678,7 +764,9 @@ interface(`corenet_udp_receive_all_ports',`
## Send and receive UDP network traffic on all ports.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`corenet_udp_sendrecv_all_ports',`
@@ -691,7 +779,9 @@ interface(`corenet_udp_sendrecv_all_ports',`
## Bind TCP sockets to all ports.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`corenet_tcp_bind_all_ports',`
@@ -707,7 +797,9 @@ interface(`corenet_tcp_bind_all_ports',`
## Do not audit attepts to bind TCP sockets to any ports.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`corenet_dontaudit_tcp_bind_all_ports',`
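Review bot: The summary line above corenet_dontaudit_tcp_bind_all_ports in this hunk still reads "attepts". Since the commit is already editing this doc block, correct it to `## Do not audit attempts to bind TCP sockets to any ports.`. Two similar slips survive in the devices.if hunks: "the the" in the dev_rw_crypto summary and "comtrol" in the dev_read_lvm_control summary. These comments look like the input to the generated interface documentation, so the typos would carry through to what policy authors read. The interface bodies lie outside the hunks.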
@@ -723,7 +815,9 @@ interface(`corenet_dontaudit_tcp_bind_all_ports',`
## Bind UDP sockets to all ports.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`corenet_udp_bind_all_ports',`
@@ -739,7 +833,9 @@ interface(`corenet_udp_bind_all_ports',`
## Connect TCP sockets to all ports.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`corenet_tcp_connect_all_ports',`
@@ -755,7 +851,9 @@ interface(`corenet_tcp_connect_all_ports',`
## Send and receive TCP network traffic on generic reserved ports.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`corenet_tcp_sendrecv_reserved_port',`
@@ -771,7 +869,9 @@ interface(`corenet_tcp_sendrecv_reserved_port',`
## Send UDP network traffic on generic reserved ports.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`corenet_udp_send_reserved_port',`
@@ -787,7 +887,9 @@ interface(`corenet_udp_send_reserved_port',`
## Receive UDP network traffic on generic reserved ports.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`corenet_udp_receive_reserved_port',`
@@ -803,7 +905,9 @@ interface(`corenet_udp_receive_reserved_port',`
## Send and receive UDP network traffic on generic reserved ports.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`corenet_udp_sendrecv_reserved_port',`
@@ -816,7 +920,9 @@ interface(`corenet_udp_sendrecv_reserved_port',`
## Bind TCP sockets to generic reserved ports.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`corenet_tcp_bind_reserved_port',`
@@ -833,7 +939,9 @@ interface(`corenet_tcp_bind_reserved_port',`
## Bind UDP sockets to generic reserved ports.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`corenet_udp_bind_reserved_port',`
@@ -850,7 +958,9 @@ interface(`corenet_udp_bind_reserved_port',`
## Connect TCP sockets to generic reserved ports.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`corenet_tcp_connect_reserved_port',`
@@ -866,7 +976,9 @@ interface(`corenet_tcp_connect_reserved_port',`
## Send and receive TCP network traffic on all reserved ports.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`corenet_tcp_sendrecv_all_reserved_ports',`
@@ -882,7 +994,9 @@ interface(`corenet_tcp_sendrecv_all_reserved_ports',`
## Send UDP network traffic on all reserved ports.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`corenet_udp_send_all_reserved_ports',`
@@ -898,7 +1012,9 @@ interface(`corenet_udp_send_all_reserved_ports',`
## Receive UDP network traffic on all reserved ports.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`corenet_udp_receive_all_reserved_ports',`
@@ -914,7 +1030,9 @@ interface(`corenet_udp_receive_all_reserved_ports',`
## Send and receive UDP network traffic on all reserved ports.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`corenet_udp_sendrecv_all_reserved_ports',`
@@ -927,7 +1045,9 @@ interface(`corenet_udp_sendrecv_all_reserved_ports',`
## Bind TCP sockets to all reserved ports.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`corenet_tcp_bind_all_reserved_ports',`
@@ -944,7 +1064,9 @@ interface(`corenet_tcp_bind_all_reserved_ports',`
## Do not audit attempts to bind TCP sockets to all reserved ports.
##
##
+##
## The type of the process to not audit.
+##
##
#
interface(`corenet_dontaudit_tcp_bind_all_reserved_ports',`
@@ -960,7 +1082,9 @@ interface(`corenet_dontaudit_tcp_bind_all_reserved_ports',`
## Bind UDP sockets to all reserved ports.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`corenet_udp_bind_all_reserved_ports',`
@@ -977,7 +1101,9 @@ interface(`corenet_udp_bind_all_reserved_ports',`
## Do not audit attempts to bind UDP sockets to all reserved ports.
##
##
+##
## The type of the process to not audit.
+##
##
#
interface(`corenet_dontaudit_udp_bind_all_reserved_ports',`
@@ -993,7 +1119,9 @@ interface(`corenet_dontaudit_udp_bind_all_reserved_ports',`
## Connect TCP sockets to reserved ports.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`corenet_tcp_connect_all_reserved_ports',`
@@ -1010,7 +1138,9 @@ interface(`corenet_tcp_connect_all_reserved_ports',`
## all reserved ports.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`corenet_dontaudit_tcp_connect_all_reserved_ports',`
@@ -1026,7 +1156,9 @@ interface(`corenet_dontaudit_tcp_connect_all_reserved_ports',`
## Read and write the TUN/TAP virtual network device.
##
##
+##
## The domain allowed access.
+##
##
#
interface(`corenet_use_tun_tap_device',`
@@ -1043,7 +1175,9 @@ interface(`corenet_use_tun_tap_device',`
## Read and write the point-to-point device.
##
##
+##
## The domain allowed access.
+##
##
#
interface(`corenet_use_ppp_device',`
@@ -1062,7 +1196,9 @@ interface(`corenet_use_ppp_device',`
## session.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`corenet_non_ipsec_sendrecv',`
@@ -1074,7 +1210,9 @@ interface(`corenet_non_ipsec_sendrecv',`
## Unconfined access to network objects.
##
##
+##
## The domain allowed access.
+##
##
#
interface(`corenet_unconfined',`
diff --git a/refpolicy/policy/modules/kernel/corenetwork.if.m4 b/refpolicy/policy/modules/kernel/corenetwork.if.m4
index b7c6ccb..d7e5eee 100644
--- a/refpolicy/policy/modules/kernel/corenetwork.if.m4
+++ b/refpolicy/policy/modules/kernel/corenetwork.if.m4
@@ -17,7 +17,9 @@ define(`create_netif_interfaces',``
## Send and receive TCP network traffic on the $1 interface.
##
##
+##
## The type of the process performing this action.
+##
##
##
#
@@ -34,7 +36,9 @@ interface(`corenet_tcp_sendrecv_$1_if',`
## Send UDP network traffic on the $1 interface.
##
##
+##
## The type of the process performing this action.
+##
##
##
#
@@ -51,7 +55,9 @@ interface(`corenet_udp_send_$1_if',`
## Receive UDP network traffic on the $1 interface.
##
##
+##
## The type of the process performing this action.
+##
##
##
#
@@ -68,7 +74,9 @@ interface(`corenet_udp_receive_$1_if',`
## Send and receive UDP network traffic on the $1 interface.
##
##
+##
## The type of the process performing this action.
+##
##
##
#
@@ -82,7 +90,9 @@ interface(`corenet_udp_sendrecv_$1_if',`
## Send raw IP packets on the $1 interface.
##
##
+##
## The type of the process performing this action.
+##
##
##
#
@@ -103,7 +113,9 @@ interface(`corenet_raw_send_$1_if',`
## Receive raw IP packets on the $1 interface.
##
##
+##
## The type of the process performing this action.
+##
##
##
#
@@ -120,7 +132,9 @@ interface(`corenet_raw_receive_$1_if',`
## Send and receive raw IP packets on the $1 interface.
##
##
+##
## The type of the process performing this action.
+##
##
##
#
@@ -142,7 +156,9 @@ define(`create_node_interfaces',``
## Send and receive TCP traffic on the $1 node.
##
##
+##
## The type of the process performing this action.
+##
##
##
#
@@ -159,7 +175,9 @@ interface(`corenet_tcp_sendrecv_$1_node',`
## Send UDP traffic on the $1 node.
##
##
+##
## The type of the process performing this action.
+##
##
##
#
@@ -176,7 +194,9 @@ interface(`corenet_udp_send_$1_node',`
## Receive UDP traffic on the $1 node.
##
##
+##
## The type of the process performing this action.
+##
##
##
#
@@ -193,7 +213,9 @@ interface(`corenet_udp_receive_$1_node',`
## Send and receive UDP traffic on the $1 node.
##
##
+##
## The type of the process performing this action.
+##
##
##
#
@@ -207,7 +229,9 @@ interface(`corenet_udp_sendrecv_$1_node',`
## Send raw IP packets on the $1 node.
##
##
+##
## The type of the process performing this action.
+##
##
##
#
@@ -224,7 +248,9 @@ interface(`corenet_raw_send_$1_node',`
## Receive raw IP packets on the $1 node.
##
##
+##
## The type of the process performing this action.
+##
##
##
#
@@ -241,7 +267,9 @@ interface(`corenet_raw_receive_$1_node',`
## Send and receive raw IP packets on the $1 node.
##
##
+##
## The type of the process performing this action.
+##
##
##
#
@@ -255,7 +283,9 @@ interface(`corenet_raw_sendrecv_$1_node',`
## Bind TCP sockets to node $1.
##
##
+##
## The type of the process performing this action.
+##
##
##
#
@@ -272,7 +302,9 @@ interface(`corenet_tcp_bind_$1_node',`
## Bind UDP sockets to the $1 node.
##
##
+##
## The type of the process performing this action.
+##
##
##
#
@@ -297,7 +329,9 @@ define(`create_port_interfaces',``
## Send and receive TCP traffic on the $1 port.
##
##
+##
## The type of the process performing this action.
+##
##
##
#
@@ -314,7 +348,9 @@ interface(`corenet_tcp_sendrecv_$1_port',`
## Send UDP traffic on the $1 port.
##
##
+##
## The type of the process performing this action.
+##
##
##
#
@@ -331,7 +367,9 @@ interface(`corenet_udp_send_$1_port',`
## Receive UDP traffic on the $1 port.
##
##
+##
## The type of the process performing this action.
+##
##
##
#
@@ -348,7 +386,9 @@ interface(`corenet_udp_receive_$1_port',`
## Send and receive UDP traffic on the $1 port.
##
##
+##
## The type of the process performing this action.
+##
##
##
#
@@ -362,7 +402,9 @@ interface(`corenet_udp_sendrecv_$1_port',`
## Bind TCP sockets to the $1 port.
##
##
+##
## The type of the process performing this action.
+##
##
##
#
@@ -380,7 +422,9 @@ interface(`corenet_tcp_bind_$1_port',`
## Bind UDP sockets to the $1 port.
##
##
+##
## The type of the process performing this action.
+##
##
##
#
@@ -398,7 +442,9 @@ interface(`corenet_udp_bind_$1_port',`
## Make a TCP connection to the $1 port.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`corenet_tcp_connect_$1_port',`
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index 4413c65..01e8551 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -33,7 +33,9 @@
## use on device nodes (usually files in /dev).
##
##
+##
## The object type that will be used on device nodes.
+##
##
#
interface(`dev_node',`
@@ -53,7 +55,9 @@ interface(`dev_node',`
## Allow full relabeling (to and from) of all device nodes.
##
##
+##
## Domain allowed to relabel.
+##
##
#
interface(`dev_relabel_all_dev_nodes',`
@@ -76,7 +80,9 @@ interface(`dev_relabel_all_dev_nodes',`
## List all of the device nodes in a device directory.
##
##
+##
## Domain allowed to list device nodes.
+##
##
#
interface(`dev_list_all_dev_nodes',`
@@ -93,7 +99,9 @@ interface(`dev_list_all_dev_nodes',`
## Set the attributes of /dev directories.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_setattr_generic_dirs',`
@@ -109,7 +117,9 @@ interface(`dev_setattr_generic_dirs',`
## Dontaudit attempts to list all device nodes.
##
##
+##
## Domain to dontaudit listing of device nodes.
+##
##
#
interface(`dev_dontaudit_list_all_dev_nodes',`
@@ -125,7 +135,9 @@ interface(`dev_dontaudit_list_all_dev_nodes',`
## Create a directory in the device directory.
##
##
+##
## Domain allowed to create the directory.
+##
##
#
interface(`dev_create_generic_dirs',`
@@ -141,7 +153,9 @@ interface(`dev_create_generic_dirs',`
## Allow full relabeling (to and from) of directories in /dev.
##
##
+##
## Domain allowed to relabel.
+##
##
#
interface(`dev_relabel_generic_dev_dirs',`
@@ -157,7 +171,9 @@ interface(`dev_relabel_generic_dev_dirs',`
## Read and write generic files in /dev.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_rw_generic_files',`
@@ -174,7 +190,9 @@ interface(`dev_rw_generic_files',`
## Delete generic files in /dev.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_delete_generic_files',`
@@ -191,7 +209,9 @@ interface(`dev_delete_generic_files',`
## Dontaudit getattr on generic pipes.
##
##
+##
## Domain to dontaudit.
+##
##
#
interface(`dev_dontaudit_getattr_generic_pipes',`
@@ -207,7 +227,9 @@ interface(`dev_dontaudit_getattr_generic_pipes',`
## Allow getattr on generic block devices.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_getattr_generic_blk_files',`
@@ -224,7 +246,9 @@ interface(`dev_getattr_generic_blk_files',`
## Dontaudit getattr on generic block devices.
##
##
+##
## Domain to dontaudit access.
+##
##
#
interface(`dev_dontaudit_getattr_generic_blk_files',`
@@ -240,7 +264,9 @@ interface(`dev_dontaudit_getattr_generic_blk_files',`
## Dontaudit setattr on generic block devices.
##
##
+##
## Domain to dontaudit access.
+##
##
#
interface(`dev_dontaudit_setattr_generic_blk_files',`
@@ -256,7 +282,9 @@ interface(`dev_dontaudit_setattr_generic_blk_files',`
## Allow read, write, and create for generic character device files.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_create_generic_chr_files',`
@@ -275,7 +303,9 @@ interface(`dev_create_generic_chr_files',`
## Allow getattr for generic character device files.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_getattr_generic_chr_files',`
@@ -292,7 +322,9 @@ interface(`dev_getattr_generic_chr_files',`
## Dontaudit getattr for generic character device files.
##
##
+##
## Domain to dontaudit access.
+##
##
#
interface(`dev_dontaudit_getattr_generic_chr_files',`
@@ -308,7 +340,9 @@ interface(`dev_dontaudit_getattr_generic_chr_files',`
## Dontaudit setattr for generic character device files.
##
##
+##
## Domain to dontaudit access.
+##
##
#
interface(`dev_dontaudit_setattr_generic_chr_files',`
@@ -325,7 +359,9 @@ interface(`dev_dontaudit_setattr_generic_chr_files',`
## of symbolic links in device directories (/dev).
##
##
+##
## Domain to not audit.
+##
##
#
interface(`dev_dontaudit_setattr_generic_symlinks',`
@@ -341,7 +377,9 @@ interface(`dev_dontaudit_setattr_generic_symlinks',`
## Delete symbolic links in device directories.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_delete_generic_symlinks',`
@@ -358,7 +396,9 @@ interface(`dev_delete_generic_symlinks',`
## Create, delete, read, and write symbolic links in device directories.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_manage_generic_symlinks',`
@@ -375,7 +415,9 @@ interface(`dev_manage_generic_symlinks',`
## Relabel symbolic links in device directories.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_relabel_generic_symlinks',`
@@ -392,7 +434,9 @@ interface(`dev_relabel_generic_symlinks',`
## Create, delete, read, and write device nodes in device directories.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_manage_all_dev_nodes',`
@@ -423,7 +467,9 @@ interface(`dev_manage_all_dev_nodes',`
## Dontaudit getattr for generic device files.
##
##
+##
## Domain to dontaudit access.
+##
##
#
interface(`dev_dontaudit_rw_generic_dev_nodes',`
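Review bot: The summary above dev_dontaudit_rw_generic_dev_nodes says "Dontaudit getattr for generic device files", which does not match the rw in the interface name. The body is outside this hunk, but if it suppresses audit records for read and write denials, the summary should say so, e.g. `## Dontaudit read and write for generic device files.`. A dontaudit rule hides denials from the audit log, so an understated summary makes it harder for a policy reviewer to judge how much visibility is being given up.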
@@ -439,7 +485,9 @@ interface(`dev_dontaudit_rw_generic_dev_nodes',`
## Create, delete, read, and write block device files.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_manage_generic_blk_files',`
@@ -456,7 +504,9 @@ interface(`dev_manage_generic_blk_files',`
## Create, delete, read, and write character device files.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_manage_generic_chr_files',`
@@ -474,14 +524,20 @@ interface(`dev_manage_generic_chr_files',`
## will be transitioned to the type provided.
##
##
+##
## Domain allowed access.
+##
##
##
+##
## Type to which the created node will be transitioned.
+##
##
##
+##
## Object class(es) (single or set including {}) for which this
## the transition will occur.
+##
##
#
interface(`dev_filetrans_dev',`
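Review bot: The third parameter description of dev_filetrans_dev, which this hunk wraps in new markup, still reads "for which this the transition will occur". Drop the stray "this" so the two lines read `## Object class(es) (single or set including {}) for which` and `## the transition will occur.`. The interface body is outside the hunk.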
@@ -501,7 +557,9 @@ interface(`dev_filetrans_dev',`
## Getattr on all block file device nodes.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_getattr_all_blk_files',`
@@ -518,7 +576,9 @@ interface(`dev_getattr_all_blk_files',`
## Dontaudit getattr on all block file device nodes.
##
##
+##
## Domain to dontaudit access.
+##
##
#
interface(`dev_dontaudit_getattr_all_blk_files',`
@@ -534,7 +594,9 @@ interface(`dev_dontaudit_getattr_all_blk_files',`
## Getattr on all character file device nodes.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_getattr_all_chr_files',`
@@ -551,7 +613,9 @@ interface(`dev_getattr_all_chr_files',`
## Dontaudit getattr on all character file device nodes.
##
##
+##
## Domain to dontaudit access.
+##
##
#
interface(`dev_dontaudit_getattr_all_chr_files',`
@@ -567,7 +631,9 @@ interface(`dev_dontaudit_getattr_all_chr_files',`
## Setattr on all block file device nodes.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_setattr_all_blk_files',`
@@ -584,7 +650,9 @@ interface(`dev_setattr_all_blk_files',`
## Setattr on all character file device nodes.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_setattr_all_chr_files',`
@@ -601,7 +669,9 @@ interface(`dev_setattr_all_chr_files',`
## Dontaudit read on all block file device nodes.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`dev_dontaudit_read_all_blk_files',`
@@ -617,7 +687,9 @@ interface(`dev_dontaudit_read_all_blk_files',`
## Dontaudit read on all character file device nodes.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`dev_dontaudit_read_all_chr_files',`
@@ -633,7 +705,9 @@ interface(`dev_dontaudit_read_all_chr_files',`
## Read, write, create, and delete all block device files.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_manage_all_blk_files',`
@@ -656,7 +730,9 @@ interface(`dev_manage_all_blk_files',`
## Read, write, create, and delete all character device files.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_manage_all_chr_files',`
@@ -675,7 +751,9 @@ interface(`dev_manage_all_chr_files',`
## Getattr the agp devices.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_getattr_agp_dev',`
@@ -692,7 +770,9 @@ interface(`dev_getattr_agp_dev',`
## Read and write the agp devices.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_rw_agp',`
@@ -709,7 +789,9 @@ interface(`dev_rw_agp',`
## Get the attributes of the apm bios device node.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_getattr_apm_bios_dev',`
@@ -727,7 +809,9 @@ interface(`dev_getattr_apm_bios_dev',`
## the apm bios device node.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`dev_dontaudit_getattr_apm_bios_dev',`
@@ -743,7 +827,9 @@ interface(`dev_dontaudit_getattr_apm_bios_dev',`
## Set the attributes of the apm bios device node.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_setattr_apm_bios_dev',`
@@ -761,7 +847,9 @@ interface(`dev_setattr_apm_bios_dev',`
## the apm bios device node.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`dev_dontaudit_setattr_apm_bios_dev',`
@@ -777,7 +865,9 @@ interface(`dev_dontaudit_setattr_apm_bios_dev',`
## Read and write the apm bios.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_rw_apm_bios',`
@@ -794,7 +884,9 @@ interface(`dev_rw_apm_bios',`
## Read and write the PCMCIA card manager device.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_rw_cardmgr',`
@@ -812,7 +904,9 @@ interface(`dev_rw_cardmgr',`
## write the PCMCIA card manager device.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`dev_dontaudit_rw_cardmgr',`
@@ -829,7 +923,9 @@ interface(`dev_dontaudit_rw_cardmgr',`
## the PCMCIA card manager device.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_manage_cardmgr_dev',`
@@ -848,7 +944,9 @@ interface(`dev_manage_cardmgr_dev',`
## with the correct type.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_create_cardmgr_dev',`
@@ -867,7 +965,9 @@ interface(`dev_create_cardmgr_dev',`
## microcode and id interfaces.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_getattr_cpu_dev',`
@@ -884,7 +984,9 @@ interface(`dev_getattr_cpu_dev',`
## Read the CPU identity.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_read_cpuid',`
@@ -902,7 +1004,9 @@ interface(`dev_read_cpuid',`
## is required to load CPU microcode.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_rw_cpu_microcode',`
@@ -919,7 +1023,9 @@ interface(`dev_rw_cpu_microcode',`
## Read and write the the hardware SSL accelerator.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_rw_crypto',`
@@ -936,7 +1042,9 @@ interface(`dev_rw_crypto',`
## Read and write the dri devices.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_rw_dri',`
@@ -953,7 +1061,9 @@ interface(`dev_rw_dri',`
## Dontaudit read and write on the dri devices.
##
##
+##
## Domain to dontaudit access.
+##
##
#
interface(`dev_dontaudit_rw_dri',`
@@ -969,7 +1079,9 @@ interface(`dev_dontaudit_rw_dri',`
## Create, read, write, and delete the dri devices.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_manage_dri_dev',`
@@ -987,7 +1099,9 @@ interface(`dev_manage_dri_dev',`
## Read input event devices (/dev/input).
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_read_input',`
@@ -1004,7 +1118,9 @@ interface(`dev_read_input',`
## Read input event devices (/dev/input).
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_rw_input_dev',`
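Review bot: The summary for dev_rw_input_dev is a verbatim copy of the dev_read_input summary in the previous hunk ("Read input event devices (/dev/input)."), so the documentation appears to understate the access the interface grants. The body is outside this hunk, but going by the rw in the name the line should be `## Read and write input event devices (/dev/input).`. Write access to input devices is a materially broader grant than read, and callers choosing between the two interfaces rely on the summary to tell them apart.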
@@ -1021,7 +1137,9 @@ interface(`dev_rw_input_dev',`
## Get the attributes of the framebuffer device node.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_getattr_framebuffer_dev',`
@@ -1038,7 +1156,9 @@ interface(`dev_getattr_framebuffer_dev',`
## Set the attributes of the framebuffer device node.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_setattr_framebuffer_dev',`
@@ -1056,7 +1176,9 @@ interface(`dev_setattr_framebuffer_dev',`
## of the framebuffer device node.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`dev_dontaudit_setattr_framebuffer_dev',`
@@ -1072,7 +1194,9 @@ interface(`dev_dontaudit_setattr_framebuffer_dev',`
## Read the framebuffer.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_read_framebuffer',`
@@ -1089,7 +1213,9 @@ interface(`dev_read_framebuffer',`
## Do not audit attempts to read the framebuffer.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_dontaudit_read_framebuffer',`
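Review bot: The parameter description for dev_dontaudit_read_framebuffer still says "Domain allowed access." although the interface is a dontaudit one. It should be `## Domain to not audit.`, the wording other dontaudit interfaces in this file already use. The same stale text is left in the hunks for dev_dontaudit_getattr_memory_dev, dev_dontaudit_getattr_misc_dev, dev_dontaudit_setattr_misc_dev, dev_dontaudit_rw_misc and dev_dontaudit_read_rand. The wording implies a permission grant, whereas the interface names indicate the domain stays denied and only the denial messages are suppressed, which misleads anyone auditing a module from the generated docs. The interface bodies are outside the hunks.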
@@ -1105,7 +1231,9 @@ interface(`dev_dontaudit_read_framebuffer',`
## Write the framebuffer.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_write_framebuffer',`
@@ -1122,7 +1250,9 @@ interface(`dev_write_framebuffer',`
## Read and write the framebuffer.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_rw_framebuffer',`
@@ -1139,7 +1269,9 @@ interface(`dev_rw_framebuffer',`
## Read the lvm comtrol device.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_read_lvm_control',`
@@ -1156,7 +1288,9 @@ interface(`dev_read_lvm_control',`
## Read and write the lvm control device.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_rw_lvm_control',`
@@ -1173,7 +1307,9 @@ interface(`dev_rw_lvm_control',`
## Delete the lvm control device.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_delete_lvm_control_dev',`
@@ -1190,7 +1326,9 @@ interface(`dev_delete_lvm_control_dev',`
## dontaudit getattr raw memory devices (e.g. /dev/mem).
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_dontaudit_getattr_memory_dev',`
@@ -1206,7 +1344,9 @@ interface(`dev_dontaudit_getattr_memory_dev',`
## Read raw memory devices (e.g. /dev/mem).
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_read_raw_memory',`
@@ -1227,7 +1367,9 @@ interface(`dev_read_raw_memory',`
## Write raw memory devices (e.g. /dev/mem).
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_write_raw_memory',`
@@ -1248,7 +1390,9 @@ interface(`dev_write_raw_memory',`
## Read and execute raw memory devices (e.g. /dev/mem).
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_rx_raw_memory',`
@@ -1265,7 +1409,9 @@ interface(`dev_rx_raw_memory',`
## Write and execute raw memory devices (e.g. /dev/mem).
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_wx_raw_memory',`
@@ -1282,7 +1428,9 @@ interface(`dev_wx_raw_memory',`
## Get the attributes of miscellaneous devices.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_getattr_misc_dev',`
@@ -1300,7 +1448,9 @@ interface(`dev_getattr_misc_dev',`
## of miscellaneous devices.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_dontaudit_getattr_misc_dev',`
@@ -1316,7 +1466,9 @@ interface(`dev_dontaudit_getattr_misc_dev',`
## Set the attributes of miscellaneous devices.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_setattr_misc_dev',`
@@ -1334,7 +1486,9 @@ interface(`dev_setattr_misc_dev',`
## of miscellaneous devices.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_dontaudit_setattr_misc_dev',`
@@ -1350,7 +1504,9 @@ interface(`dev_dontaudit_setattr_misc_dev',`
## Read miscellaneous devices.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_read_misc',`
@@ -1367,7 +1523,9 @@ interface(`dev_read_misc',`
## Write miscellaneous devices.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_write_misc',`
@@ -1384,7 +1542,9 @@ interface(`dev_write_misc',`
## Do not audit attempts to read and write miscellaneous devices.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_dontaudit_rw_misc',`
@@ -1400,7 +1560,9 @@ interface(`dev_dontaudit_rw_misc',`
## Get the attributes of the mouse devices.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_getattr_mouse_dev',`
@@ -1417,7 +1579,9 @@ interface(`dev_getattr_mouse_dev',`
## Set the attributes of the mouse devices.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_setattr_mouse_dev',`
@@ -1434,7 +1598,9 @@ interface(`dev_setattr_mouse_dev',`
## Read the mouse devices.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_read_mouse',`
@@ -1451,7 +1617,9 @@ interface(`dev_read_mouse',`
## Read and write to mouse devices.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_rw_mouse',`
@@ -1468,7 +1636,9 @@ interface(`dev_rw_mouse',`
## Get the attributes of the mtrr device.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_getattr_mtrr_dev',`
@@ -1487,7 +1657,9 @@ interface(`dev_getattr_mtrr_dev',`
## Read the mtrr device.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_read_mtrr',`
@@ -1504,7 +1676,9 @@ interface(`dev_read_mtrr',`
## Write the mtrr device.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_write_mtrr',`
@@ -1521,7 +1695,9 @@ interface(`dev_write_mtrr',`
## Read and write the mtrr device.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_rw_mtrr',`
@@ -1534,7 +1710,9 @@ interface(`dev_rw_mtrr',`
## Read and write to the null device (/dev/null).
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_rw_null',`
@@ -1551,7 +1729,9 @@ interface(`dev_rw_null',`
## Set the attributes of the printer device nodes.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_setattr_printer_dev',`
@@ -1568,7 +1748,9 @@ interface(`dev_setattr_printer_dev',`
## Append the printer device.
##
##
+##
## Domain allowed access.
+##
##
#
# cjp: added for lpd/checkpc_t
@@ -1586,7 +1768,9 @@ interface(`dev_append_printer',`
## Read and write the printer device.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_rw_printer',`
@@ -1604,7 +1788,9 @@ interface(`dev_rw_printer',`
## devices (e.g., /dev/random)
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_read_rand',`
@@ -1622,7 +1808,9 @@ interface(`dev_read_rand',`
## number generator devices (e.g., /dev/random)
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_dontaudit_read_rand',`
@@ -1640,7 +1828,9 @@ interface(`dev_dontaudit_read_rand',`
## random device.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_write_rand',`
@@ -1657,7 +1847,9 @@ interface(`dev_write_rand',`
## Read the realtime clock (/dev/rtc).
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_read_realtime_clock',`
@@ -1674,7 +1866,9 @@ interface(`dev_read_realtime_clock',`
## Set the realtime clock (/dev/rtc).
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_write_realtime_clock',`
@@ -1691,7 +1885,9 @@ interface(`dev_write_realtime_clock',`
## Read and set the realtime clock (/dev/rtc).
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_rw_realtime_clock',`
@@ -1704,7 +1900,9 @@ interface(`dev_rw_realtime_clock',`
## Get the attributes of the scanner device.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_getattr_scanner_dev',`
@@ -1722,7 +1920,9 @@ interface(`dev_getattr_scanner_dev',`
## the scanner device.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`dev_dontaudit_getattr_scanner_dev',`
@@ -1738,7 +1938,9 @@ interface(`dev_dontaudit_getattr_scanner_dev',`
## Set the attributes of the scanner device.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_setattr_scanner_dev',`
@@ -1756,7 +1958,9 @@ interface(`dev_setattr_scanner_dev',`
## the scanner device.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`dev_dontaudit_setattr_scanner_dev',`
@@ -1772,7 +1976,9 @@ interface(`dev_dontaudit_setattr_scanner_dev',`
## Read and write the scanner device.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_rw_scanner',`
@@ -1789,7 +1995,9 @@ interface(`dev_rw_scanner',`
## Get the attributes of the sound devices.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_getattr_sound_dev',`
@@ -1806,7 +2014,9 @@ interface(`dev_getattr_sound_dev',`
## Set the attributes of the sound devices.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_setattr_sound_dev',`
@@ -1823,7 +2033,9 @@ interface(`dev_setattr_sound_dev',`
## Read the sound devices.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_read_sound',`
@@ -1840,7 +2052,9 @@ interface(`dev_read_sound',`
## Write the sound devices.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_write_sound',`
@@ -1857,7 +2071,9 @@ interface(`dev_write_sound',`
## Read the sound mixer devices.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_read_sound_mixer',`
@@ -1874,7 +2090,9 @@ interface(`dev_read_sound_mixer',`
## Write the sound mixer devices.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_write_sound_mixer',`
@@ -1891,7 +2109,9 @@ interface(`dev_write_sound_mixer',`
## Get the attributes of the the power management device.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_getattr_power_mgmt_dev',`
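Review bot: The summary line in this hunk reads `Get the attributes of the the power management device.` with a doubled `the`, and the next two hunks (`dev_setattr_power_mgmt_dev`, `dev_rw_power_management`) repeat it. Since the patch already touches these doc blocks, the spelling slips in the context lines could be fixed along the way. `discriptors` above the `cjp: this was added because of newrole` comment should be `descriptors`, and `perfoming` in the `files_read_all_*_except`, `files_relabel_all_files` and `files_manage_all_files` hunks should be `performing`.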
@@ -1908,7 +2128,9 @@ interface(`dev_getattr_power_mgmt_dev',`
## Set the attributes of the the power management device.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_setattr_power_mgmt_dev',`
@@ -1925,7 +2147,9 @@ interface(`dev_setattr_power_mgmt_dev',`
## Read and write the the power management device.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_rw_power_management',`
@@ -1942,7 +2166,9 @@ interface(`dev_rw_power_management',`
## Get the attributes of sysfs directories.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`dev_getattr_sysfs_dirs',`
@@ -1958,7 +2184,9 @@ interface(`dev_getattr_sysfs_dirs',`
## Search the sysfs directories.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`dev_search_sysfs',`
@@ -1974,7 +2202,9 @@ interface(`dev_search_sysfs',`
## Do not audit attempts to search sysfs.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`dev_dontaudit_search_sysfs',`
@@ -1990,7 +2220,9 @@ interface(`dev_dontaudit_search_sysfs',`
## List the contents of the sysfs directories.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`dev_list_sysfs',`
@@ -2006,7 +2238,9 @@ interface(`dev_list_sysfs',`
## Allow caller to read hardware state information.
##
##
+##
## The process type reading hardware state information.
+##
##
#
interface(`dev_read_sysfs',`
@@ -2023,7 +2257,9 @@ interface(`dev_read_sysfs',`
## Allow caller to modify hardware state information.
##
##
+##
## The process type modifying hardware state information.
+##
##
#
interface(`dev_rw_sysfs',`
@@ -2041,7 +2277,9 @@ interface(`dev_rw_sysfs',`
## Read from pseudo random devices (e.g., /dev/urandom)
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_read_urand',`
@@ -2059,7 +2297,9 @@ interface(`dev_read_urand',`
## sets the random number generator seed.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_write_urand',`
@@ -2076,7 +2316,9 @@ interface(`dev_write_urand',`
## Mount a usbfs filesystem.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`dev_mount_usbfs',`
@@ -2092,7 +2334,9 @@ interface(`dev_mount_usbfs',`
## Associate a file to a usbfs filesystem.
##
##
+##
## The type of the file to be associated to usbfs.
+##
##
#
interface(`dev_associate_usbfs',`
@@ -2108,7 +2352,9 @@ interface(`dev_associate_usbfs',`
## Get the attributes of a directory in the usb filesystem.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_getattr_usbfs_dirs',`
@@ -2125,7 +2371,9 @@ interface(`dev_getattr_usbfs_dirs',`
## of a directory in the usb filesystem.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`dev_dontaudit_getattr_usbfs_dirs',`
@@ -2141,7 +2389,9 @@ interface(`dev_dontaudit_getattr_usbfs_dirs',`
## Search the directory containing USB hardware information.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`dev_search_usbfs',`
@@ -2157,7 +2407,9 @@ interface(`dev_search_usbfs',`
## Allow caller to get a list of usb hardware.
##
##
+##
## The process type getting the list.
+##
##
#
interface(`dev_list_usbfs',`
@@ -2176,7 +2428,9 @@ interface(`dev_list_usbfs',`
## the usbfs filesystem interface.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`dev_read_usbfs',`
@@ -2193,7 +2447,9 @@ interface(`dev_read_usbfs',`
## Allow caller to modify usb hardware configuration files.
##
##
+##
## The process type modifying the options.
+##
##
#
interface(`dev_rw_usbfs',`
@@ -2211,7 +2467,9 @@ interface(`dev_rw_usbfs',`
## Get the attributes of video4linux devices.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_getattr_video_dev',`
@@ -2229,7 +2487,9 @@ interface(`dev_getattr_video_dev',`
## of video4linux device nodes.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`dev_dontaudit_getattr_video_dev',`
@@ -2245,7 +2505,9 @@ interface(`dev_dontaudit_getattr_video_dev',`
## Set the attributes of video4linux device nodes.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_setattr_video_dev',`
@@ -2263,7 +2525,9 @@ interface(`dev_setattr_video_dev',`
## of video4linux device nodes.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`dev_dontaudit_setattr_video_dev',`
@@ -2279,7 +2543,9 @@ interface(`dev_dontaudit_setattr_video_dev',`
## Get the attributes of X server miscellaneous devices.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_getattr_xserver_misc_dev',`
@@ -2296,7 +2562,9 @@ interface(`dev_getattr_xserver_misc_dev',`
## Set the attributes of X server miscellaneous devices.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_setattr_xserver_misc_dev',`
@@ -2313,7 +2581,9 @@ interface(`dev_setattr_xserver_misc_dev',`
## Read and write X server miscellaneous devices.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_rw_xserver_misc',`
@@ -2330,7 +2600,9 @@ interface(`dev_rw_xserver_misc',`
## Read and write to the zero device (/dev/zero).
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_rw_zero',`
@@ -2347,7 +2619,9 @@ interface(`dev_rw_zero',`
## Read, write, and execute the zero device (/dev/zero).
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_rwx_zero',`
@@ -2364,7 +2638,9 @@ interface(`dev_rwx_zero',`
## Unconfined access to devices.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dev_unconfined',`
diff --git a/refpolicy/policy/modules/kernel/domain.if b/refpolicy/policy/modules/kernel/domain.if
index 362ee03..add7aa3 100644
--- a/refpolicy/policy/modules/kernel/domain.if
+++ b/refpolicy/policy/modules/kernel/domain.if
@@ -18,7 +18,9 @@
##
##
##
+##
## Type to be used as a basic domain type.
+##
##
#
interface(`domain_base_type',`
@@ -57,7 +59,9 @@ interface(`domain_base_type',`
## Make the specified type usable as a domain.
##
##
+##
## Type to be used as a domain type.
+##
##
#
interface(`domain_type',`
@@ -107,11 +111,15 @@ interface(`domain_type',`
## an entry point for the domain.
##
##
+##
## Domain to be entered.
+##
##
##
+##
## Type of program used for entering
## the domain.
+##
##
#
interface(`domain_entry_file',`
@@ -158,7 +166,9 @@ interface(`domain_dyntrans_type',`
## identity and system role.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`domain_system_change_exemption',`
@@ -175,7 +185,9 @@ interface(`domain_system_change_exemption',`
## changing of user identity.
##
##
+##
## The process type to make an exception to the constraint.
+##
##
#
interface(`domain_subj_id_change_exemption',`
@@ -192,7 +204,9 @@ interface(`domain_subj_id_change_exemption',`
## changing of role.
##
##
+##
## The process type to make an exception to the constraint.
+##
##
#
interface(`domain_role_change_exemption',`
@@ -209,7 +223,9 @@ interface(`domain_role_change_exemption',`
## changing the user identity in object contexts.
##
##
+##
## The process type to make an exception to the constraint.
+##
##
#
interface(`domain_obj_id_change_exemption',`
@@ -242,7 +258,9 @@ interface(`domain_obj_id_change_exemption',`
##
##
##
+##
## Domain target for user exemption.
+##
##
#
interface(`domain_user_exemption_target',`
@@ -275,7 +293,9 @@ interface(`domain_user_exemption_target',`
##
##
##
+##
## Domain target for user exemption.
+##
##
#
interface(`domain_cron_exemption_source',`
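Review bot: The description wrapped here for `domain_cron_exemption_source` still reads `## Domain target for user exemption.`, which looks copied from `domain_user_exemption_target` in the previous hunk. Something like `## Domain source for cron exemption.` would match the interface name, with `## Domain target for cron exemption.` for `domain_cron_exemption_target` in the next hunk. The same kind of carry-over shows in the `files_security_file` hunk (`Type of the file to be used as a member directory.`) and in the summary tail above `domain_dontaudit_getattr_all_stream_sockets` (`unix datagram sockets`). The summaries of these blocks start outside the hunks, so the intended wording should be checked against them.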
@@ -308,7 +328,9 @@ interface(`domain_cron_exemption_source',`
##
##
##
+##
## Domain target for user exemption.
+##
##
#
interface(`domain_cron_exemption_target',`
@@ -349,7 +371,9 @@ interface(`domain_dontaudit_use_wide_inherit_fd',`
## discriptors are widely inheritable.
##
##
+##
## Domain allowed access.
+##
##
#
# cjp: this was added because of newrole
@@ -378,7 +402,9 @@ interface(`domain_setpriority_all_domains',`
## Send general signals to all domains.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`domain_signal_all_domains',`
@@ -394,7 +420,9 @@ interface(`domain_signal_all_domains',`
## Send a null signal to all domains.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`domain_signull_all_domains',`
@@ -410,7 +438,9 @@ interface(`domain_signull_all_domains',`
## Send a stop signal to all domains.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`domain_sigstop_all_domains',`
@@ -426,7 +456,9 @@ interface(`domain_sigstop_all_domains',`
## Send a child terminated signal to all domains.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`domain_sigchld_all_domains',`
@@ -442,7 +474,9 @@ interface(`domain_sigchld_all_domains',`
## Send a kill signal to all domains.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`domain_kill_all_domains',`
@@ -459,7 +493,9 @@ interface(`domain_kill_all_domains',`
## Search the process state directory (/proc/pid) of all domains.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`domain_search_all_domains_state',`
@@ -477,7 +513,9 @@ interface(`domain_search_all_domains_state',`
## state directory (/proc/pid) of all domains.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`domain_dontaudit_search_all_domains_state',`
@@ -493,7 +531,9 @@ interface(`domain_dontaudit_search_all_domains_state',`
## Read the process state (/proc/pid) of all domains.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`domain_read_all_domains_state',`
@@ -512,7 +552,9 @@ interface(`domain_read_all_domains_state',`
## Get the attributes of all domains of all domains.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`domain_getattr_all_domains',`
@@ -528,7 +570,9 @@ interface(`domain_getattr_all_domains',`
## Get the attributes of all domains of all domains.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`domain_dontaudit_getattr_all_domains',`
@@ -544,7 +588,9 @@ interface(`domain_dontaudit_getattr_all_domains',`
## Read the process state (/proc/pid) of all confined domains.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`domain_read_confined_domains_state',`
@@ -566,7 +612,9 @@ interface(`domain_read_confined_domains_state',`
## Get the attributes of all confined domains.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`domain_getattr_confined_domains',`
@@ -582,7 +630,9 @@ interface(`domain_getattr_confined_domains',`
## Ptrace all domains.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`domain_ptrace_all_domains',`
@@ -609,7 +659,9 @@ interface(`domain_ptrace_all_domains',`
##
##
##
+##
## Domain allowed access.
+##
##
#
interface(`domain_dontaudit_ptrace_all_domains',`
@@ -635,7 +687,9 @@ interface(`domain_dontaudit_ptrace_all_domains',`
##
##
##
+##
## Domain allowed access.
+##
##
#
interface(`domain_dontaudit_ptrace_confined_domains',`
@@ -652,7 +706,9 @@ interface(`domain_dontaudit_ptrace_confined_domains',`
## state (/proc/pid) of all domains.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`domain_dontaudit_read_all_domains_state',`
@@ -675,7 +731,9 @@ interface(`domain_dontaudit_read_all_domains_state',`
## directories of all domains.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`domain_dontaudit_list_all_domains_state',`
@@ -691,7 +749,9 @@ interface(`domain_dontaudit_list_all_domains_state',`
## Get the session ID of all domains.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`domain_getsession_all_domains',`
@@ -708,7 +768,9 @@ interface(`domain_getsession_all_domains',`
## session ID of all domains.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`domain_dontaudit_getsession_all_domains',`
@@ -735,7 +797,9 @@ interface(`domain_dontaudit_getsession_all_domains',`
##
##
##
+##
## Domain allowed access.
+##
##
#
interface(`domain_getattr_all_sockets',`
@@ -762,7 +826,9 @@ interface(`domain_getattr_all_sockets',`
##
##
##
+##
## Domain to not audit.
+##
##
#
interface(`domain_dontaudit_getattr_all_sockets',`
@@ -779,7 +845,9 @@ interface(`domain_dontaudit_getattr_all_sockets',`
## of all domains TCP sockets.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`domain_dontaudit_getattr_all_tcp_sockets',`
@@ -796,7 +864,9 @@ interface(`domain_dontaudit_getattr_all_tcp_sockets',`
## of all domains UDP sockets.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`domain_dontaudit_getattr_all_udp_sockets',`
@@ -813,7 +883,9 @@ interface(`domain_dontaudit_getattr_all_udp_sockets',`
## all domains UDP sockets.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`domain_dontaudit_rw_all_udp_sockets',`
@@ -830,7 +902,9 @@ interface(`domain_dontaudit_rw_all_udp_sockets',`
## all domains IPSEC key management sockets.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`domain_dontaudit_getattr_all_key_sockets',`
@@ -847,7 +921,9 @@ interface(`domain_dontaudit_getattr_all_key_sockets',`
## all domains packet sockets.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`domain_dontaudit_getattr_all_packet_sockets',`
@@ -864,7 +940,9 @@ interface(`domain_dontaudit_getattr_all_packet_sockets',`
## all domains raw sockets.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`domain_dontaudit_getattr_all_raw_sockets',`
@@ -881,7 +959,9 @@ interface(`domain_dontaudit_getattr_all_raw_sockets',`
## all domains key sockets.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`domain_dontaudit_rw_all_key_sockets',`
@@ -898,7 +978,9 @@ interface(`domain_dontaudit_rw_all_key_sockets',`
## of all domains unix datagram sockets.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`domain_dontaudit_getattr_all_dgram_sockets',`
@@ -915,7 +997,9 @@ interface(`domain_dontaudit_getattr_all_dgram_sockets',`
## of all domains unix datagram sockets.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`domain_dontaudit_getattr_all_stream_sockets',`
@@ -932,7 +1016,9 @@ interface(`domain_dontaudit_getattr_all_stream_sockets',`
## of all domains unnamed pipes.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`domain_dontaudit_getattr_all_pipes',`
@@ -949,7 +1035,9 @@ interface(`domain_dontaudit_getattr_all_pipes',`
## files for all domains.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`domain_getattr_all_entry_files',`
@@ -992,7 +1080,9 @@ interface(`domain_exec_all_entry_files',`
## entrypoint files.
##
##
+##
## Domain allowed access.
+##
##
#
# cjp: added for prelink
@@ -1010,7 +1100,9 @@ interface(`domain_manage_all_entry_files',`
## file types.
##
##
+##
## Domain allowed access.
+##
##
#
# cjp: added for prelink
@@ -1027,7 +1119,9 @@ interface(`domain_relabel_all_entry_files',`
## Mmap all entry point files as executable.
##
##
+##
## Domain allowed access.
+##
##
#
# cjp: added for prelink
@@ -1044,7 +1138,9 @@ interface(`domain_mmap_all_entry_files',`
## Execute an entry_type in the specified domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
# cjp: added for userhelper
@@ -1061,7 +1157,9 @@ interface(`domain_entry_file_spec_domtrans',`
## Unconfined access to domains.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`domain_unconfined',`
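Review bot: The parameter of `domain_unconfined` is described as `## The type of the process performing this action.`, while `dev_unconfined` and most other interfaces in this patch use `## Domain allowed access.` for the same role. For an interface whose summary is `Unconfined access to domains.`, the description should say plainly that the named domain receives that access, e.g. `## Domain allowed unconfined access.`. A reviewer auditing the interface documentation for broad grants would then see it. The interface body is outside the hunk.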
diff --git a/refpolicy/policy/modules/kernel/files.if b/refpolicy/policy/modules/kernel/files.if
index ea44b31..ff04244 100644
--- a/refpolicy/policy/modules/kernel/files.if
+++ b/refpolicy/policy/modules/kernel/files.if
@@ -25,7 +25,9 @@
## in a filesystem.
##
##
+##
## Type to be used for files.
+##
##
#
interface(`files_type',`
@@ -83,7 +85,9 @@ interface(`files_pid_file',`
## configuration file.
##
##
+##
## Type to be used as a configuration file.
+##
##
#
interface(`files_config_file',`
@@ -103,8 +107,10 @@ interface(`files_config_file',`
## polyinstantiated directory.
##
##
+##
## Type of the file to be used as a
## polyinstantiated directory.
+##
##
#
interface(`files_poly',`
@@ -122,8 +128,10 @@ interface(`files_poly',`
## of a polyinstantiated directory.
##
##
+##
## Type of the file to be used as a
## parent directory.
+##
##
#
interface(`files_poly_parent',`
@@ -141,8 +149,10 @@ interface(`files_poly_parent',`
## polyinstantiation member directory.
##
##
+##
## Type of the file to be used as a
## member directory.
+##
##
#
interface(`files_poly_member',`
@@ -160,12 +170,16 @@ interface(`files_poly_member',`
## type of polyinstantiated directory.
##
##
+##
## Domain using the polyinstantiated
## directory.
+##
##
##
+##
## Type of the file to be used as a
## member directory.
+##
##
#
interface(`files_poly_member_tmp',`
@@ -183,8 +197,10 @@ interface(`files_poly_member_tmp',`
## browsing from user domains.
##
##
+##
## Type of the file to be used as a
## member directory.
+##
##
#
interface(`files_security_file',`
@@ -202,8 +218,10 @@ interface(`files_security_file',`
## used for temporary files.
##
##
+##
## Type of the file to be used as a
## temporary file.
+##
##
#
interface(`files_tmp_file',`
@@ -225,7 +243,9 @@ interface(`files_tmp_file',`
## virtual memory filesystem (tmpfs).
##
##
+##
## The type to be transformed.
+##
##
#
interface(`files_tmpfs_file',`
@@ -243,7 +263,9 @@ interface(`files_tmpfs_file',`
## Get the attributes of all directories.
##
##
+##
## Domain allowed access.
+##
##
#
# cjp: this is an odd interface, because to getattr
@@ -263,7 +285,9 @@ interface(`files_getattr_all_dirs',`
## of all directories.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`files_dontaudit_getattr_all_dirs',`
@@ -279,7 +303,9 @@ interface(`files_dontaudit_getattr_all_dirs',`
## List all non-security directories.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`files_list_non_security',`
@@ -296,7 +322,9 @@ interface(`files_list_non_security',`
## non-security directories.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`files_dontaudit_list_non_security',`
@@ -312,7 +340,9 @@ interface(`files_dontaudit_list_non_security',`
## Get the attributes of all files.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`files_getattr_all_files',`
@@ -331,7 +361,9 @@ interface(`files_getattr_all_files',`
## of all files.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`files_dontaudit_getattr_all_files',`
@@ -348,7 +380,9 @@ interface(`files_dontaudit_getattr_all_files',`
## of non security files.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`files_dontaudit_getattr_non_security_files',`
@@ -364,7 +398,9 @@ interface(`files_dontaudit_getattr_non_security_files',`
## Read all files.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`files_read_all_files',`
@@ -385,7 +421,9 @@ interface(`files_read_all_files',`
## Read all non-security files.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`files_read_non_security_files',`
@@ -404,11 +442,15 @@ interface(`files_read_non_security_files',`
## the listed exceptions.
##
##
+##
## The type of the domain perfoming this action.
+##
##
##
+##
## The types to be excluded. Each type or attribute
## must be negated by the caller.
+##
##
#
interface(`files_read_all_dirs_except',`
@@ -425,11 +467,15 @@ interface(`files_read_all_dirs_except',`
## the listed exceptions.
##
##
+##
## The type of the domain perfoming this action.
+##
##
##
+##
## The types to be excluded. Each type or attribute
## must be negated by the caller.
+##
##
#
interface(`files_read_all_files_except',`
@@ -448,11 +494,15 @@ interface(`files_read_all_files_except',`
## the listed exceptions.
##
##
+##
## The type of the domain perfoming this action.
+##
##
##
+##
## The types to be excluded. Each type or attribute
## must be negated by the caller.
+##
##
#
interface(`files_read_all_symlinks_except',`
@@ -470,7 +520,9 @@ interface(`files_read_all_symlinks_except',`
## Get the attributes of all symbolic links.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`files_getattr_all_symlinks',`
@@ -488,7 +540,9 @@ interface(`files_getattr_all_symlinks',`
## of all symbolic links.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`files_dontaudit_getattr_all_symlinks',`
@@ -505,7 +559,9 @@ interface(`files_dontaudit_getattr_all_symlinks',`
## of non security symbolic links.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`files_dontaudit_getattr_non_security_symlinks',`
@@ -522,7 +578,9 @@ interface(`files_dontaudit_getattr_non_security_symlinks',`
## of non security block devices.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`files_dontaudit_getattr_non_security_blk_files',`
@@ -539,7 +597,9 @@ interface(`files_dontaudit_getattr_non_security_blk_files',`
## of non security character devices.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`files_dontaudit_getattr_non_security_chr_files',`
@@ -555,7 +615,9 @@ interface(`files_dontaudit_getattr_non_security_chr_files',`
## Read all symbolic links.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`files_read_all_symlinks',`
@@ -572,7 +634,9 @@ interface(`files_read_all_symlinks',`
## Get the attributes of all named pipes.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`files_getattr_all_pipes',`
@@ -590,7 +654,9 @@ interface(`files_getattr_all_pipes',`
## of all named pipes.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`files_dontaudit_getattr_all_pipes',`
@@ -607,7 +673,9 @@ interface(`files_dontaudit_getattr_all_pipes',`
## of non security named pipes.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`files_dontaudit_getattr_non_security_pipes',`
@@ -623,7 +691,9 @@ interface(`files_dontaudit_getattr_non_security_pipes',`
## Get the attributes of all named sockets.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`files_getattr_all_sockets',`
@@ -641,7 +711,9 @@ interface(`files_getattr_all_sockets',`
## of all named sockets.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`files_dontaudit_getattr_all_sockets',`
@@ -658,7 +730,9 @@ interface(`files_dontaudit_getattr_all_sockets',`
## of non security named sockets.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`files_dontaudit_getattr_non_security_sockets',`
@@ -674,7 +748,9 @@ interface(`files_dontaudit_getattr_non_security_sockets',`
## Read all block nodes with file types.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`files_read_all_blk_files',`
@@ -691,7 +767,9 @@ interface(`files_read_all_blk_files',`
## Read all character nodes with file types.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`files_read_all_chr_files',`
@@ -709,11 +787,15 @@ interface(`files_read_all_chr_files',`
## the listed exceptions.
##
##
+##
## The type of the domain perfoming this action.
+##
##
##
+##
## The types to be excluded. Each type or attribute
## must be negated by the caller.
+##
##
#
interface(`files_relabel_all_files',`
@@ -739,11 +821,15 @@ interface(`files_relabel_all_files',`
## the listed exceptions.
##
##
+##
## The type of the domain perfoming this action.
+##
##
##
+##
## The types to be excluded. Each type or attribute
## must be negated by the caller.
+##
##
#
interface(`files_manage_all_files',`
@@ -866,14 +952,20 @@ interface(`files_list_root',`
## type.
##
##
+##
## The type of the process performing this action.
+##
##
##
+##
## The type of the object to be created.
+##
##
##
+##
## The object class of the object being created. If
## no class is specified, file will be used.
+##
##
#
interface(`files_filetrans_root',`
@@ -955,7 +1047,9 @@ interface(`files_unmount_rootfs',`
## Getattr of directories with the default file type.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`files_getattr_default_dirs',`
@@ -972,7 +1066,9 @@ interface(`files_getattr_default_dirs',`
## directories with the default file type.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`files_dontaudit_getattr_default_dirs',`
@@ -988,7 +1084,9 @@ interface(`files_dontaudit_getattr_default_dirs',`
## Search the contents of directories with the default file type.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`files_search_default',`
@@ -1004,7 +1102,9 @@ interface(`files_search_default',`
## List contents of directories with the default file type.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`files_list_default',`
@@ -1021,7 +1121,9 @@ interface(`files_list_default',`
## directories with the default file type.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`files_dontaudit_list_default',`
@@ -1037,7 +1139,9 @@ interface(`files_dontaudit_list_default',`
## Mount a filesystem on a directory with the default file type.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`files_mounton_default',`
@@ -1054,7 +1158,9 @@ interface(`files_mounton_default',`
## files with the default file type.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`files_dontaudit_getattr_default_files',`
@@ -1070,7 +1176,9 @@ interface(`files_dontaudit_getattr_default_files',`
## Read files with the default file type.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`files_read_default_files',`
@@ -1087,7 +1195,9 @@ interface(`files_read_default_files',`
## with the default file type.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`files_dontaudit_read_default_files',`
@@ -1103,7 +1213,9 @@ interface(`files_dontaudit_read_default_files',`
## Read symbolic links with the default file type.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`files_read_default_symlinks',`
@@ -1119,7 +1231,9 @@ interface(`files_read_default_symlinks',`
## Read sockets with the default file type.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`files_read_default_sockets',`
@@ -1135,7 +1249,9 @@ interface(`files_read_default_sockets',`
## Read named pipes with the default file type.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`files_read_default_pipes',`
@@ -1163,7 +1279,9 @@ interface(`files_search_etc',`
## Set the attributes of the /etc directories.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`files_setattr_etc_dirs',`
@@ -1233,7 +1351,9 @@ interface(`files_manage_etc_files',`
## Delete system configuration files in /etc.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`files_delete_etc_files',`
@@ -1265,7 +1385,9 @@ interface(`files_exec_etc_files',`
## Relabel from and to generic files in /etc.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`files_relabel_etc_files',`
@@ -1299,7 +1421,9 @@ interface(`files_create_boot_flag',`
## created on boot, such as mtab.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`files_read_etc_runtime_files',`
@@ -1319,7 +1443,9 @@ interface(`files_read_etc_runtime_files',`
## created on boot, such as mtab.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`files_dontaudit_read_etc_runtime_files',`
@@ -1336,7 +1462,9 @@ interface(`files_dontaudit_read_etc_runtime_files',`
## created on boot, such as mtab.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`files_rw_etc_runtime_files',`
@@ -1355,7 +1483,9 @@ interface(`files_rw_etc_runtime_files',`
## such as mtab.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`files_manage_etc_runtime_files',`
@@ -1391,7 +1521,9 @@ interface(`files_filetrans_etc',`
## that have not yet been labeled.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`files_getattr_isid_type_dirs',`
@@ -1408,7 +1540,9 @@ interface(`files_getattr_isid_type_dirs',`
## that have not yet been labeled.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`files_dontaudit_search_isid_type_dirs',`
@@ -1425,7 +1559,9 @@ interface(`files_dontaudit_search_isid_type_dirs',`
## that have not yet been labeled.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`files_list_isid_type_dirs',`
@@ -1442,7 +1578,9 @@ interface(`files_list_isid_type_dirs',`
## that have not yet been labeled.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`files_rw_isid_type_dirs',`
@@ -1459,7 +1597,9 @@ interface(`files_rw_isid_type_dirs',`
## on new filesystems that have not yet been labeled.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`files_manage_isid_type_dirs',`
@@ -1476,7 +1616,9 @@ interface(`files_manage_isid_type_dirs',`
## that has not yet been labeled.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`files_mounton_isid_type_dirs',`
@@ -1493,7 +1635,9 @@ interface(`files_mounton_isid_type_dirs',`
## that have not yet been labeled.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`files_read_isid_type_files',`
@@ -1511,7 +1655,9 @@ interface(`files_read_isid_type_files',`
## on new filesystems that have not yet been labeled.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`files_manage_isid_type_files',`
@@ -1529,7 +1675,9 @@ interface(`files_manage_isid_type_files',`
## on new filesystems that have not yet been labeled.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`files_manage_isid_type_symlinks',`
@@ -1547,7 +1695,9 @@ interface(`files_manage_isid_type_symlinks',`
## that have not yet been labeled.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`files_rw_isid_type_blk_files',`
@@ -1565,7 +1715,9 @@ interface(`files_rw_isid_type_blk_files',`
## on new filesystems that have not yet been labeled.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`files_manage_isid_type_blk_files',`
@@ -1583,7 +1735,9 @@ interface(`files_manage_isid_type_blk_files',`
## on new filesystems that have not yet been labeled.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`files_manage_isid_type_chr_files',`
@@ -1601,7 +1755,9 @@ interface(`files_manage_isid_type_chr_files',`
## (/home).
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`files_getattr_home_dir',`
@@ -1619,7 +1775,9 @@ interface(`files_getattr_home_dir',`
## (/home).
##
##
+##
## Domain to not audit.
+##
##
#
interface(`files_dontaudit_getattr_home_dir',`
@@ -1635,7 +1793,9 @@ interface(`files_dontaudit_getattr_home_dir',`
## Search home directories root (/home).
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`files_search_home',`
@@ -1652,7 +1812,9 @@ interface(`files_search_home',`
## home directories root (/home).
##
##
+##
## Domain to not audit.
+##
##
#
interface(`files_dontaudit_search_home',`
@@ -1669,7 +1831,9 @@ interface(`files_dontaudit_search_home',`
## home directories root (/home).
##
##
+##
## Domain to not audit.
+##
##
#
interface(`files_dontaudit_list_home',`
@@ -1685,7 +1849,9 @@ interface(`files_dontaudit_list_home',`
## Get listing of home directories.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`files_list_home',`
@@ -1701,14 +1867,20 @@ interface(`files_list_home',`
## Create objects in /home.
##
##
+##
## The type of the process performing this action.
+##
##
##
+##
## The private type.
+##
##
##
+##
## The object class of the object being created. If
## no class is specified, dir will be used.
+##
##
#
interface(`files_filetrans_home',`
@@ -1732,7 +1904,9 @@ interface(`files_filetrans_home',`
## lost+found directories.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`files_manage_lost_found',`
@@ -1776,7 +1950,9 @@ interface(`files_list_mnt',`
## Mount a filesystem on /mnt.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`files_mounton_mnt',`
@@ -1792,7 +1968,9 @@ interface(`files_mounton_mnt',`
## Create, read, write, and delete directories in /mnt.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`files_manage_mnt_dirs',`
@@ -1808,7 +1986,9 @@ interface(`files_manage_mnt_dirs',`
## Create, read, write, and delete files in /mnt.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`files_manage_mnt_files',`
@@ -1825,7 +2005,9 @@ interface(`files_manage_mnt_files',`
## Create, read, write, and delete symbolic links in /mnt.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`files_manage_mnt_symlinks',`
@@ -1842,7 +2024,9 @@ interface(`files_manage_mnt_symlinks',`
## List world-readable directories.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`files_list_world_readable',`
@@ -1858,7 +2042,9 @@ interface(`files_list_world_readable',`
## Read world-readable files.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`files_read_world_readable_files',`
@@ -1874,7 +2060,9 @@ interface(`files_read_world_readable_files',`
## Read world-readable symbolic links.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`files_read_world_readable_symlinks',`
@@ -1890,7 +2078,9 @@ interface(`files_read_world_readable_symlinks',`
## Read world-readable named pipes.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`files_read_world_readable_pipes',`
@@ -1906,7 +2096,9 @@ interface(`files_read_world_readable_pipes',`
## Read world-readable sockets.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`files_read_world_readable_sockets',`
@@ -1924,7 +2116,9 @@ interface(`files_read_world_readable_sockets',`
## temporary directory (/tmp).
##
##
+##
## Type of the file to associate.
+##
##
#
interface(`files_associate_tmp',`
@@ -1940,7 +2134,9 @@ interface(`files_associate_tmp',`
## Get the attributes of the tmp directory (/tmp).
##
##
+##
## Domain allowed access.
+##
##
#
interface(`files_getattr_tmp_dirs',`
@@ -1957,7 +2153,9 @@ interface(`files_getattr_tmp_dirs',`
## attributes of the tmp directory (/tmp).
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`files_dontaudit_getattr_tmp_dirs',`
@@ -1973,7 +2171,9 @@ interface(`files_dontaudit_getattr_tmp_dirs',`
## Search the tmp directory (/tmp).
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`files_search_tmp',`
@@ -1989,7 +2189,9 @@ interface(`files_search_tmp',`
## Read the tmp directory (/tmp).
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`files_list_tmp',`
@@ -2005,7 +2207,9 @@ interface(`files_list_tmp',`
## Do not audit listing of the tmp directory (/tmp).
##
##
+##
## Domain not to audit.
+##
##
#
interface(`files_dontaudit_list_tmp',`
@@ -2021,7 +2225,9 @@ interface(`files_dontaudit_list_tmp',`
## Read files in the tmp directory (/tmp).
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`files_read_generic_tmp_files',`
@@ -2038,7 +2244,9 @@ interface(`files_read_generic_tmp_files',`
## Read symbolic links in the tmp directory (/tmp).
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`files_read_generic_tmp_symlinks',`
@@ -2055,7 +2263,9 @@ interface(`files_read_generic_tmp_symlinks',`
## Read and write generic named sockets in the tmp directory (/tmp).
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`files_rw_generic_tmp_sockets',`
@@ -2072,7 +2282,9 @@ interface(`files_rw_generic_tmp_sockets',`
## Set the attributes of all tmp directories.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`files_setattr_all_tmp_dirs',`
@@ -2132,7 +2344,9 @@ interface(`files_search_usr',`
## directories in /usr.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`files_list_usr',`
@@ -2148,7 +2362,9 @@ interface(`files_list_usr',`
## Get the attributes of files in /usr.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`files_getattr_usr_files',`
@@ -2178,7 +2394,9 @@ interface(`files_read_usr_files',`
## Execute generic programs in /usr in the caller domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`files_exec_usr_files',`
@@ -2197,7 +2415,9 @@ interface(`files_exec_usr_files',`
## Relabel a file to the type used in /usr.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`files_relabelto_usr_files',`
@@ -2213,7 +2433,9 @@ interface(`files_relabelto_usr_files',`
## Read symbolic links in /usr.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`files_read_usr_symlinks',`
@@ -2230,13 +2452,19 @@ interface(`files_read_usr_symlinks',`
## Create objects in the /usr directory
##
##
+##
## Domain allowed access.
+##
##
##
+##
## The type of the object to be created
+##
##
##
+##
## The object class. If not specified, file is used.
+##
##
#
interface(`files_filetrans_usr',`
@@ -2258,7 +2486,9 @@ interface(`files_filetrans_usr',`
## Execute programs in /usr/src in the caller domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`files_exec_usr_src_files',`
@@ -2303,7 +2533,9 @@ interface(`files_read_usr_src_files',`
## Search the contents of /var.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`files_search_var',`
@@ -2319,7 +2551,9 @@ interface(`files_search_var',`
## Do not audit attempts to write to /var.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`files_dontaudit_write_var_dirs',`
@@ -2336,7 +2570,9 @@ interface(`files_dontaudit_write_var_dirs',`
## the contents of /var.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`files_dontaudit_search_var',`
@@ -2352,7 +2588,9 @@ interface(`files_dontaudit_search_var',`
## List the contents of /var.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`files_list_var',`
@@ -2369,7 +2607,9 @@ interface(`files_list_var',`
## in the /var directory.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`files_manage_var_dirs',`
@@ -2385,7 +2625,9 @@ interface(`files_manage_var_dirs',`
## Read files in the /var directory.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`files_read_var_files',`
@@ -2402,7 +2644,9 @@ interface(`files_read_var_files',`
## Create, read, write, and delete files in the /var directory.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`files_manage_var_files',`
@@ -2419,7 +2663,9 @@ interface(`files_manage_var_files',`
## Read symbolic links in the /var directory.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`files_read_var_symlinks',`
@@ -2437,7 +2683,9 @@ interface(`files_read_var_symlinks',`
## links in the /var directory.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`files_manage_var_symlinks',`
@@ -2454,13 +2702,19 @@ interface(`files_manage_var_symlinks',`
## Create objects in the /var directory
##
##
+##
## Domain allowed access.
+##
##
##
+##
## The type of the object to be created
+##
##
##
+##
## The object class. If not specified, file is used.
+##
##
#
interface(`files_filetrans_var',`
@@ -2482,7 +2736,9 @@ interface(`files_filetrans_var',`
## Get the attributes of the /var/lib directory.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`files_getattr_var_lib_dirs',`
@@ -2499,7 +2755,9 @@ interface(`files_getattr_var_lib_dirs',`
## Search the /var/lib directory.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`files_search_var_lib',`
@@ -2515,7 +2773,9 @@ interface(`files_search_var_lib',`
## List the contents of the /var/lib directory.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`files_list_var_lib',`
@@ -2532,13 +2792,19 @@ interface(`files_list_var_lib',`
## Create objects in the /var/lib directory
##
##
+##
## Domain allowed access.
+##
##
##
+##
## The type of the object to be created
+##
##
##
+##
## The object class. If not specified, file is used.
+##
##
#
interface(`files_filetrans_var_lib',`
@@ -2561,7 +2827,9 @@ interface(`files_filetrans_var_lib',`
## Read generic files in /var/lib.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`files_read_var_lib_files',`
@@ -2578,7 +2846,9 @@ interface(`files_read_var_lib_files',`
## Read generic symbolic links in /var/lib
##
##
+##
## Domain allowed access.
+##
##
#
interface(`files_read_var_lib_symlinks',`
@@ -2613,7 +2883,9 @@ interface(`files_manage_urandom_seed',`
## necessary for rpcd, nfsd, etc.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`files_manage_mounttab',`
@@ -2631,7 +2903,9 @@ interface(`files_manage_mounttab',`
## Search the locks directory (/var/lock).
##
##
+##
## Domain allowed access.
+##
##
#
interface(`files_search_locks',`
@@ -2648,7 +2922,9 @@ interface(`files_search_locks',`
## locks directory (/var/lock).
##
##
+##
## Domain to not audit.
+##
##
#
interface(`files_dontaudit_search_locks',`
@@ -2665,7 +2941,9 @@ interface(`files_dontaudit_search_locks',`
## directories.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`files_rw_lock_dirs',`
@@ -2722,7 +3000,9 @@ interface(`files_delete_all_locks',`
## Read all lock files.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`files_read_all_locks',`
@@ -2762,7 +3042,9 @@ interface(`files_filetrans_lock',`
## of the /var/run directory.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`files_dontaudit_getattr_pid_dirs',`
@@ -2792,7 +3074,9 @@ interface(`files_search_pids',`
## the /var/run directory.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`files_dontaudit_search_pids',`
@@ -2854,7 +3138,9 @@ interface(`files_rw_generic_pids',`
## Do not audit attempts to write to daemon runtime data files.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`files_dontaudit_write_all_pids',`
@@ -2870,7 +3156,9 @@ interface(`files_dontaudit_write_all_pids',`
## Do not audit attempts to ioctl daemon runtime data files.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`files_dontaudit_ioctl_all_pids',`
@@ -2902,7 +3190,9 @@ interface(`files_read_all_pids',`
## member directories.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`files_mounton_all_poly_members',`
@@ -2964,7 +3254,9 @@ interface(`files_search_spool',`
## spool directories.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`files_dontaudit_search_spool',`
@@ -3035,7 +3327,9 @@ interface(`files_manage_generic_spool',`
## directories on the system.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`files_polyinstantiate_all',`
@@ -3075,7 +3369,9 @@ interface(`files_polyinstantiate_all',`
## Unconfined access to files.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`files_unconfined',`
@@ -3107,7 +3403,9 @@ interface(`files_unconfined',`
## Allow attempts to modify any directory
##
##
+##
## Domain to allow
+##
##
#
interface(`files_write_non_security_dirs',`
diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if
index 988b22e..e884cef 100644
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@@ -8,7 +8,9 @@
## Transform specified type into a filesystem type.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`fs_type',`
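Review bot: The parameter description this hunk wraps for fs_type, `## The type of the process performing this action.`, contradicts the summary above it, which says the interface transforms the specified type into a filesystem type; the argument is the type being transformed, not a calling domain. The same description is wrapped unchanged in the next hunk for fs_noxattr_type, where only the tail of the summary is visible. I would replace it in both places with something like `## The type to be used as a filesystem type.`, after checking the interface bodies, which lie outside these hunks. A policy writer who reads the generated documentation could otherwise pass a process domain here.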
@@ -28,7 +30,9 @@ interface(`fs_type',`
## support.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`fs_noxattr_type',`
@@ -49,7 +53,9 @@ interface(`fs_noxattr_type',`
## a filesystem such as ext3, JFS, and XFS.
##
##
+##
## The type of the to be associated.
+##
##
#
interface(`fs_associate',`
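Review bot: The description wrapped for fs_associate reads `## The type of the to be associated.`, which is missing a word, and the following hunk wraps the identical sentence for fs_associate_noxattr. Since this commit touches both lines' markup, it is a good moment to fix the text, for example `## The type to be associated.`. The interface bodies are outside the hunks, so the exact noun (file type, presumably) should be confirmed there.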
@@ -69,7 +75,9 @@ interface(`fs_associate',`
## FAT32, and NFS.
##
##
+##
## The type of the to be associated.
+##
##
#
interface(`fs_associate_noxattr',`
@@ -86,7 +94,9 @@ interface(`fs_associate_noxattr',`
## not support extended attributes.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`fs_exec_noxattr',`
@@ -104,7 +114,9 @@ interface(`fs_exec_noxattr',`
## ext3, JFS, or XFS.
##
##
+##
## The type of the domain mounting the filesystem.
+##
##
#
interface(`fs_mount_xattr_fs',`
@@ -123,7 +135,9 @@ interface(`fs_mount_xattr_fs',`
## some mount options to be changed.
##
##
+##
## The type of the domain remounting the filesystem.
+##
##
#
interface(`fs_remount_xattr_fs',`
@@ -141,7 +155,9 @@ interface(`fs_remount_xattr_fs',`
## ext3, JFS, or XFS.
##
##
+##
## The type of the domain unmounting the filesystem.
+##
##
#
interface(`fs_unmount_xattr_fs',`
@@ -159,8 +175,10 @@ interface(`fs_unmount_xattr_fs',`
## attributes, such as ext3, JFS, or XFS.
##
##
+##
## The type of the domain doing the
## getattr on the filesystem.
+##
##
#
interface(`fs_getattr_xattr_fs',`
@@ -179,7 +197,9 @@ interface(`fs_getattr_xattr_fs',`
## attributes, such as ext3, JFS, or XFS.
##
##
+##
## The type of the domain to not audit.
+##
##
#
interface(`fs_dontaudit_getattr_xattr_fs',`
@@ -197,7 +217,9 @@ interface(`fs_dontaudit_getattr_xattr_fs',`
## using the context= mount option.
##
##
+##
## The type of the domain mounting the filesystem.
+##
##
#
interface(`fs_relabelfrom_xattr_fs',`
@@ -214,7 +236,9 @@ interface(`fs_relabelfrom_xattr_fs',`
## with extended attributes.
##
##
+##
## The type of the domain mounting the filesystem.
+##
##
#
interface(`fs_get_xattr_fs_quotas',`
@@ -231,7 +255,9 @@ interface(`fs_get_xattr_fs_quotas',`
## with extended attributes.
##
##
+##
## The type of the domain mounting the filesystem.
+##
##
#
interface(`fs_set_xattr_fs_quotas',`
@@ -247,7 +273,9 @@ interface(`fs_set_xattr_fs_quotas',`
## Mount an automount pseudo filesystem.
##
##
+##
## The type of the domain mounting the filesystem.
+##
##
#
interface(`fs_mount_autofs',`
@@ -265,7 +293,9 @@ interface(`fs_mount_autofs',`
## This allows some mount options to be changed.
##
##
+##
## The type of the domain remounting the filesystem.
+##
##
#
interface(`fs_remount_autofs',`
@@ -281,7 +311,9 @@ interface(`fs_remount_autofs',`
## Unmount an automount pseudo filesystem.
##
##
+##
## The type of the domain unmounting the filesystem.
+##
##
#
interface(`fs_unmount_autofs',`
@@ -298,8 +330,10 @@ interface(`fs_unmount_autofs',`
## pseudo filesystem.
##
##
+##
## The type of the domain doing the
## getattr on the filesystem.
+##
##
#
interface(`fs_getattr_autofs',`
@@ -316,7 +350,9 @@ interface(`fs_getattr_autofs',`
## mounted filesystems.
##
##
+##
## The type of the domain performing this action.
+##
##
#
interface(`fs_search_auto_mountpoints',`
@@ -333,7 +369,9 @@ interface(`fs_search_auto_mountpoints',`
## mounted filesystems.
##
##
+##
## The type of the domain performing this action.
+##
##
#
interface(`fs_list_auto_mountpoints',`
@@ -350,7 +388,9 @@ interface(`fs_list_auto_mountpoints',`
## mounted filesystems.
##
##
+##
## The type of the domain performing this action.
+##
##
#
interface(`fs_dontaudit_list_auto_mountpoints',`
@@ -372,8 +412,10 @@ interface(`fs_dontaudit_list_auto_mountpoints',`
## without specifying the interpreter.
##
##
+##
## The type of the domain registering
## the interpreter.
+##
##
#
interface(`fs_register_binary_executable_type',`
@@ -390,7 +432,9 @@ interface(`fs_register_binary_executable_type',`
## Mount a CIFS or SMB network filesystem.
##
##
+##
## The type of the domain mounting the filesystem.
+##
##
#
interface(`fs_mount_cifs',`
@@ -407,7 +451,9 @@ interface(`fs_mount_cifs',`
## This allows some mount options to be changed.
##
##
+##
## The type of the domain mounting the filesystem.
+##
##
#
interface(`fs_remount_cifs',`
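Review bot: The description wrapped for fs_remount_cifs still says `## The type of the domain mounting the filesystem.`, although the summary line above it is about changing mount options on a remount; the next hunk has the same sentence for fs_unmount_cifs. The sibling autofs, DOS, iso9660 and NFS interfaces in this diff say "remounting" and "unmounting". I would align the two CIFS descriptions with them: `## The type of the domain remounting the filesystem.` and `## The type of the domain unmounting the filesystem.`.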
@@ -423,7 +469,9 @@ interface(`fs_remount_cifs',`
## Unmount a CIFS or SMB network filesystem.
##
##
+##
## The type of the domain mounting the filesystem.
+##
##
#
interface(`fs_unmount_cifs',`
@@ -440,8 +488,10 @@ interface(`fs_unmount_cifs',`
## SMB network filesystem.
##
##
+##
## The type of the domain doing the
## getattr on the filesystem.
+##
##
#
interface(`fs_getattr_cifs',`
@@ -457,7 +507,9 @@ interface(`fs_getattr_cifs',`
## Search directories on a CIFS or SMB filesystem.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`fs_search_cifs',`
@@ -474,7 +526,9 @@ interface(`fs_search_cifs',`
## CIFS or SMB filesystem.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`fs_list_cifs',`
@@ -491,7 +545,9 @@ interface(`fs_list_cifs',`
## of directories on a CIFS or SMB filesystem.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`fs_dontaudit_list_cifs',`
@@ -507,7 +563,9 @@ interface(`fs_dontaudit_list_cifs',`
## Read files on a CIFS or SMB filesystem.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`fs_read_cifs_files',`
@@ -524,7 +582,9 @@ interface(`fs_read_cifs_files',`
## Read all noxattrfs directories.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`fs_list_noxattr_fs',`
@@ -541,7 +601,9 @@ interface(`fs_list_noxattr_fs',`
## Read all noxattrfs files.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`fs_read_noxattr_fs_files',`
@@ -559,7 +621,9 @@ interface(`fs_read_noxattr_fs_files',`
## Read all noxattrfs symbolic links.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`fs_read_noxattr_fs_symlinks',`
@@ -577,7 +641,9 @@ interface(`fs_read_noxattr_fs_symlinks',`
## files on a CIFS or SMB filesystem.
##
##
+##
## The type of the domain to not audit.
+##
##
#
interface(`fs_dontaudit_read_cifs_files',`
@@ -594,7 +660,9 @@ interface(`fs_dontaudit_read_cifs_files',`
## write files on a CIFS or SMB filesystem.
##
##
+##
## The type of the domain to not audit.
+##
##
#
interface(`fs_dontaudit_rw_cifs_files',`
@@ -610,7 +678,9 @@ interface(`fs_dontaudit_rw_cifs_files',`
## Read symbolic links on a CIFS or SMB filesystem.
##
##
+##
## The type of the domain reading the symbolic links.
+##
##
#
interface(`fs_read_cifs_symlinks',`
@@ -629,7 +699,9 @@ interface(`fs_read_cifs_symlinks',`
## domain.
##
##
+##
## The type of the domain executing the files.
+##
##
#
interface(`fs_exec_cifs_files',`
@@ -647,7 +719,9 @@ interface(`fs_exec_cifs_files',`
## on a CIFS or SMB network filesystem.
##
##
+##
## The type of the domain managing the directories.
+##
##
#
interface(`fs_manage_cifs_dirs',`
@@ -665,7 +739,9 @@ interface(`fs_manage_cifs_dirs',`
## on a CIFS or SMB network filesystem.
##
##
+##
## The type of the domain managing the directories.
+##
##
#
interface(`fs_dontaudit_manage_cifs_dirs',`
@@ -682,7 +758,9 @@ interface(`fs_dontaudit_manage_cifs_dirs',`
## on a CIFS or SMB network filesystem.
##
##
+##
## The type of the domain managing the files.
+##
##
#
interface(`fs_manage_cifs_files',`
@@ -701,7 +779,9 @@ interface(`fs_manage_cifs_files',`
## on a CIFS or SMB network filesystem.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`fs_dontaudit_manage_cifs_files',`
@@ -718,7 +798,9 @@ interface(`fs_dontaudit_manage_cifs_files',`
## on a CIFS or SMB network filesystem.
##
##
+##
## The type of the domain managing the symbolic links.
+##
##
#
interface(`fs_manage_cifs_symlinks',`
@@ -736,7 +818,9 @@ interface(`fs_manage_cifs_symlinks',`
## on a CIFS or SMB network filesystem.
##
##
+##
## The type of the domain managing the pipes.
+##
##
#
interface(`fs_manage_cifs_named_pipes',`
@@ -754,7 +838,9 @@ interface(`fs_manage_cifs_named_pipes',`
## on a CIFS or SMB network filesystem.
##
##
+##
## The type of the domain managing the sockets.
+##
##
#
interface(`fs_manage_cifs_named_sockets',`
@@ -791,10 +877,14 @@ interface(`fs_manage_cifs_named_sockets',`
##
##
##
+##
## The type of the process performing this action.
+##
##
##
+##
## The type of the new process.
+##
##
#
interface(`fs_cifs_domtrans',`
@@ -813,7 +903,9 @@ interface(`fs_cifs_domtrans',`
## FAT32 or NTFS.
##
##
+##
## The type of the domain mounting the filesystem.
+##
##
#
interface(`fs_mount_dos_fs',`
@@ -831,7 +923,9 @@ interface(`fs_mount_dos_fs',`
## some mount options to be changed.
##
##
+##
## The type of the domain remounting the filesystem.
+##
##
#
interface(`fs_remount_dos_fs',`
@@ -848,7 +942,9 @@ interface(`fs_remount_dos_fs',`
## FAT32 or NTFS.
##
##
+##
## The type of the domain unmounting the filesystem.
+##
##
#
interface(`fs_unmount_dos_fs',`
@@ -865,8 +961,10 @@ interface(`fs_unmount_dos_fs',`
## filesystem, such as FAT32 or NTFS.
##
##
+##
## The type of the domain doing the
## getattr on the filesystem.
+##
##
#
interface(`fs_getattr_dos_fs',`
@@ -883,7 +981,9 @@ interface(`fs_getattr_dos_fs',`
## DOS filesystem using the context= mount option.
##
##
+##
## The type of the domain mounting the filesystem.
+##
##
#
interface(`fs_relabelfrom_dos_fs',`
@@ -899,7 +999,9 @@ interface(`fs_relabelfrom_dos_fs',`
## Read eventpollfs files
##
##
+##
## Domain allowed access.
+##
##
#
interface(`fs_read_eventpollfs',`
@@ -916,7 +1018,9 @@ interface(`fs_read_eventpollfs',`
## Search inotifyfs filesystem.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`fs_search_inotifyfs',`
@@ -933,7 +1037,9 @@ interface(`fs_search_inotifyfs',`
## is usually used on CDs.
##
##
+##
## The type of the domain mounting the filesystem.
+##
##
#
interface(`fs_mount_iso9660_fs',`
@@ -951,7 +1057,9 @@ interface(`fs_mount_iso9660_fs',`
## some mount options to be changed.
##
##
+##
## The type of the domain remounting the filesystem.
+##
##
#
interface(`fs_remount_iso9660_fs',`
@@ -968,7 +1076,9 @@ interface(`fs_remount_iso9660_fs',`
## is usually used on CDs.
##
##
+##
## The type of the domain unmounting the filesystem.
+##
##
#
interface(`fs_unmount_iso9660_fs',`
@@ -985,8 +1095,10 @@ interface(`fs_unmount_iso9660_fs',`
## filesystem, which is usually used on CDs.
##
##
+##
## The type of the domain doing the
## getattr on the filesystem.
+##
##
#
interface(`fs_getattr_iso9660_fs',`
@@ -1002,7 +1114,9 @@ interface(`fs_getattr_iso9660_fs',`
## Mount a NFS filesystem.
##
##
+##
## The type of the domain mounting the filesystem.
+##
##
#
interface(`fs_mount_nfs',`
@@ -1019,7 +1133,9 @@ interface(`fs_mount_nfs',`
## some mount options to be changed.
##
##
+##
## The type of the domain remounting the filesystem.
+##
##
#
interface(`fs_remount_nfs',`
@@ -1035,7 +1151,9 @@ interface(`fs_remount_nfs',`
## Unmount a NFS filesystem.
##
##
+##
## The type of the domain unmounting the filesystem.
+##
##
#
interface(`fs_unmount_nfs',`
@@ -1051,8 +1169,10 @@ interface(`fs_unmount_nfs',`
## Get the attributes of a NFS filesystem.
##
##
+##
## The type of the domain doing the
## getattr on the filesystem.
+##
##
#
interface(`fs_getattr_nfs',`
@@ -1068,7 +1188,9 @@ interface(`fs_getattr_nfs',`
## Search directories on a NFS filesystem.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`fs_search_nfs',`
@@ -1084,7 +1206,9 @@ interface(`fs_search_nfs',`
## List NFS filesystem.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`fs_list_nfs',`
@@ -1101,7 +1225,9 @@ interface(`fs_list_nfs',`
## of directories on a NFS filesystem.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`fs_dontaudit_list_nfs',`
@@ -1117,7 +1243,9 @@ interface(`fs_dontaudit_list_nfs',`
## Read files on a NFS filesystem.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`fs_read_nfs_files',`
@@ -1135,7 +1263,9 @@ interface(`fs_read_nfs_files',`
## files on a NFS filesystem.
##
##
+##
## The type of the domain to not audit.
+##
##
#
interface(`fs_dontaudit_read_nfs_files',`
@@ -1151,7 +1281,9 @@ interface(`fs_dontaudit_read_nfs_files',`
## Read files on a NFS filesystem.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`fs_write_nfs_files',`
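Review bot: The summary line visible above fs_write_nfs_files is `## Read files on a NFS filesystem.`, which looks copied from fs_read_nfs_files and under-describes an interface whose name indicates write access. The later hunk for fs_manage_nfs_symlinks has the same kind of copy, ending its summary with `## on a CIFS or SMB network filesystem.` for an NFS interface. Suggested text is `## Write files on a NFS filesystem.` and `## on a NFS filesystem.` respectively. The interface bodies are outside the hunks, so the granted permissions should be checked before rewording; documentation that understates what is granted makes policy review harder.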
@@ -1168,7 +1300,9 @@ interface(`fs_write_nfs_files',`
## Execute files on a NFS filesystem.
##
##
+##
## The type of the domain executing the files.
+##
##
#
interface(`fs_exec_nfs_files',`
@@ -1186,7 +1320,9 @@ interface(`fs_exec_nfs_files',`
## write files on a NFS filesystem.
##
##
+##
## The type of the domain to not audit.
+##
##
#
interface(`fs_dontaudit_rw_nfs_files',`
@@ -1202,7 +1338,9 @@ interface(`fs_dontaudit_rw_nfs_files',`
## Read symbolic links on a NFS filesystem.
##
##
+##
## The type of the domain reading the symbolic links.
+##
##
#
interface(`fs_read_nfs_symlinks',`
@@ -1219,7 +1357,9 @@ interface(`fs_read_nfs_symlinks',`
## Read directories of RPC file system pipes.
##
##
+##
## The type of the domain reading the symbolic links.
+##
##
#
interface(`fs_getattr_rpc_dirs',`
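Review bot: The description wrapped here for fs_getattr_rpc_dirs is `## The type of the domain reading the symbolic links.`, which does not describe a directory interface and appears to be carried over from fs_read_nfs_symlinks. The same sentence is wrapped in the hunks for fs_search_rpc, fs_list_rpc, fs_read_rpc_files and fs_read_rpc_sockets. I would use the neutral form already used elsewhere in this file, `## Domain allowed access.`, in all of them. The summary here also says "Read directories" for a getattr interface, which is worth checking against the body outside the hunk.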
@@ -1236,7 +1376,9 @@ interface(`fs_getattr_rpc_dirs',`
## Search directories of RPC file system pipes.
##
##
+##
## The type of the domain reading the symbolic links.
+##
##
#
interface(`fs_search_rpc',`
@@ -1252,7 +1394,9 @@ interface(`fs_search_rpc',`
## Search removable storage directories.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`fs_search_removable',`
@@ -1269,7 +1413,9 @@ interface(`fs_search_removable',`
## Do not audit attempts to list removable storage directories.
##
##
+##
## Domain not to audit.
+##
##
#
interface(`fs_dontaudit_list_removable',`
@@ -1284,7 +1430,9 @@ interface(`fs_dontaudit_list_removable',`
## Read removable storage files.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`fs_read_removable_files',`
@@ -1301,7 +1449,9 @@ interface(`fs_read_removable_files',`
## Do not audit attempts to read removable storage files.
##
##
+##
## Domain not to audit.
+##
##
#
interface(`fs_donaudit_read_removable_files',`
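Review bot: The interface closing this hunk is spelled fs_donaudit_read_removable_files, without the "t" that fs_dontaudit_list_removable and every other dontaudit interface in this diff use. The commit only touches the documentation markup, but the generated documentation will now list the misspelled name next to its correctly named siblings, and callers searching for the `dontaudit` prefix will not find it. Renaming it to `fs_dontaudit_read_removable_files` changes the interface name, so existing callers (not visible here) would need updating in the same change.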
@@ -1316,7 +1466,9 @@ interface(`fs_donaudit_read_removable_files',`
## Read removable storage symbolic links.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`fs_read_removable_symlinks',`
@@ -1333,7 +1485,9 @@ interface(`fs_read_removable_symlinks',`
## Read directories of RPC file system pipes.
##
##
+##
## The type of the domain reading the symbolic links.
+##
##
#
interface(`fs_list_rpc',`
@@ -1350,7 +1504,9 @@ interface(`fs_list_rpc',`
## Read files of RPC file system pipes.
##
##
+##
## The type of the domain reading the symbolic links.
+##
##
#
interface(`fs_read_rpc_files',`
@@ -1367,7 +1523,9 @@ interface(`fs_read_rpc_files',`
## Read symbolic links of RPC file system pipes.
##
##
+##
## The type of the domain reading the symbolic links.
+##
##
#
interface(`fs_read_rpc_symlinks',`
@@ -1384,7 +1542,9 @@ interface(`fs_read_rpc_symlinks',`
## Read sockets of RPC file system pipes.
##
##
+##
## The type of the domain reading the symbolic links.
+##
##
#
interface(`fs_read_rpc_sockets',`
@@ -1402,7 +1562,9 @@ interface(`fs_read_rpc_sockets',`
## on a NFS filesystem.
##
##
+##
## The type of the domain managing the directories.
+##
##
#
interface(`fs_manage_nfs_dirs',`
@@ -1420,7 +1582,9 @@ interface(`fs_manage_nfs_dirs',`
## on a NFS filesystem.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`fs_dontaudit_manage_nfs_dirs',`
@@ -1437,7 +1601,9 @@ interface(`fs_dontaudit_manage_nfs_dirs',`
## on a NFS filesystem.
##
##
+##
## The type of the domain managing the files.
+##
##
#
interface(`fs_manage_nfs_files',`
@@ -1456,7 +1622,9 @@ interface(`fs_manage_nfs_files',`
## on a NFS filesystem.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`fs_dontaudit_manage_nfs_files',`
@@ -1473,7 +1641,9 @@ interface(`fs_dontaudit_manage_nfs_files',`
## on a CIFS or SMB network filesystem.
##
##
+##
## The type of the domain managing the symbolic links.
+##
##
#
interface(`fs_manage_nfs_symlinks',`
@@ -1491,7 +1661,9 @@ interface(`fs_manage_nfs_symlinks',`
## on a NFS filesystem.
##
##
+##
## The type of the domain managing the pipes.
+##
##
#
interface(`fs_manage_nfs_named_pipes',`
@@ -1509,7 +1681,9 @@ interface(`fs_manage_nfs_named_pipes',`
## on a NFS filesystem.
##
##
+##
## The type of the domain managing the sockets.
+##
##
#
interface(`fs_manage_nfs_named_sockets',`
@@ -1546,10 +1720,14 @@ interface(`fs_manage_nfs_named_sockets',`
##
##
##
+##
## The type of the process performing this action.
+##
##
##
+##
## The type of the new process.
+##
##
#
interface(`fs_nfs_domtrans',`
@@ -1567,7 +1745,9 @@ interface(`fs_nfs_domtrans',`
## Mount a NFS server pseudo filesystem.
##
##
+##
## The type of the domain mounting the filesystem.
+##
##
#
interface(`fs_mount_nfsd_fs',`
@@ -1584,7 +1764,9 @@ interface(`fs_mount_nfsd_fs',`
## This allows some mount options to be changed.
##
##
+##
## The type of the domain remounting the filesystem.
+##
##
#
interface(`fs_remount_nfsd_fs',`
@@ -1600,7 +1782,9 @@ interface(`fs_remount_nfsd_fs',`
## Unmount a NFS server pseudo filesystem.
##
##
+##
## The type of the domain unmounting the filesystem.
+##
##
#
interface(`fs_unmount_nfsd_fs',`
@@ -1617,8 +1801,10 @@ interface(`fs_unmount_nfsd_fs',`
## pseudo filesystem.
##
##
+##
## The type of the domain doing the
## getattr on the filesystem.
+##
##
#
interface(`fs_getattr_nfsd_fs',`
@@ -1634,8 +1820,10 @@ interface(`fs_getattr_nfsd_fs',`
## Search NFS server directories.
##
##
+##
## The type of the domain doing the
## search on nfsd directories.
+##
##
#
interface(`fs_search_nfsd_fs',`
@@ -1651,8 +1839,10 @@ interface(`fs_search_nfsd_fs',`
## Read and write NFS server files.
##
##
+##
## The type of the domain doing the
## read or write on nfsd files.
+##
##
#
interface(`fs_rw_nfsd_fs',`
@@ -1668,7 +1858,9 @@ interface(`fs_rw_nfsd_fs',`
## Mount a RAM filesystem.
##
##
+##
## The type of the domain mounting the filesystem.
+##
##
#
interface(`fs_mount_ramfs',`
@@ -1685,7 +1877,9 @@ interface(`fs_mount_ramfs',`
## some mount options to be changed.
##
##
+##
## The type of the domain remounting the filesystem.
+##
##
#
interface(`fs_remount_ramfs',`
@@ -1701,7 +1895,9 @@ interface(`fs_remount_ramfs',`
## Unmount a RAM filesystem.
##
##
+##
## The type of the domain unmounting the filesystem.
+##
##
#
interface(`fs_unmount_ramfs',`
@@ -1717,8 +1913,10 @@ interface(`fs_unmount_ramfs',`
## Get the attributes of a RAM filesystem.
##
##
+##
## The type of the domain doing the
## getattr on the filesystem.
+##
##
#
interface(`fs_getattr_ramfs',`
@@ -1734,7 +1932,9 @@ interface(`fs_getattr_ramfs',`
## Search directories on a ramfs
##
##
+##
## Domain allowed access.
+##
##
#
interface(`fs_search_ramfs',`
@@ -1750,7 +1950,9 @@ interface(`fs_search_ramfs',`
## Dontaudit Search directories on a ramfs
##
##
+##
## Domain allowed access.
+##
##
#
interface(`fs_dontaudit_search_ramfs',`
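Review bot: The parameter text that this hunk wraps for fs_dontaudit_search_ramfs still reads `## Domain allowed access.`, which misdescribes a dontaudit interface. Going by its name and summary, the interface grants nothing and only suppresses the audit record for a denied search, so a policy author skimming the generated docs could take it for an access grant. It should read `## Domain to not audit.`, the wording fs_dontaudit_list_tmpfs already uses in this file. The same text sits under fs_dontaudit_getattr_all_files, fs_dontaudit_getattr_all_symlinks, fs_dontaudit_getattr_all_pipes, fs_dontaudit_getattr_all_sockets and kernel_dontaudit_list_unlabeled later in the patch. The interface bodies are outside these hunks.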
@@ -1766,7 +1968,9 @@ interface(`fs_dontaudit_search_ramfs',`
## Write to named pipe on a ramfs filesystem.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`fs_write_ramfs_pipes',`
@@ -1782,7 +1986,9 @@ interface(`fs_write_ramfs_pipes',`
## Read and write a named pipe on a ramfs filesystem.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`fs_rw_ramfs_pipes',`
@@ -1798,7 +2004,9 @@ interface(`fs_rw_ramfs_pipes',`
## Write to named socket on a ramfs filesystem.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`fs_write_ramfs_sockets',`
@@ -1814,7 +2022,9 @@ interface(`fs_write_ramfs_sockets',`
## Mount a ROM filesystem.
##
##
+##
## The type of the domain mounting the filesystem.
+##
##
#
interface(`fs_mount_romfs',`
@@ -1831,7 +2041,9 @@ interface(`fs_mount_romfs',`
## some mount options to be changed.
##
##
+##
## The type of the domain remounting the filesystem.
+##
##
#
interface(`fs_remount_romfs',`
@@ -1847,7 +2059,9 @@ interface(`fs_remount_romfs',`
## Unmount a ROM filesystem.
##
##
+##
## The type of the domain unmounting the filesystem.
+##
##
#
interface(`fs_unmount_romfs',`
@@ -1864,8 +2078,10 @@ interface(`fs_unmount_romfs',`
## filesystem.
##
##
+##
## The type of the domain doing the
## getattr on the filesystem.
+##
##
#
interface(`fs_getattr_romfs',`
@@ -1881,7 +2097,9 @@ interface(`fs_getattr_romfs',`
## Mount a RPC pipe filesystem.
##
##
+##
## The type of the domain mounting the filesystem.
+##
##
#
interface(`fs_mount_rpc_pipefs',`
@@ -1898,7 +2116,9 @@ interface(`fs_mount_rpc_pipefs',`
## allows some mount option to be changed.
##
##
+##
## The type of the domain remounting the filesystem.
+##
##
#
interface(`fs_remount_rpc_pipefs',`
@@ -1914,7 +2134,9 @@ interface(`fs_remount_rpc_pipefs',`
## Unmount a RPC pipe filesystem.
##
##
+##
## The type of the domain unmounting the filesystem.
+##
##
#
interface(`fs_unmount_rpc_pipefs',`
@@ -1931,8 +2153,10 @@ interface(`fs_unmount_rpc_pipefs',`
## filesystem.
##
##
+##
## The type of the domain doing the
## getattr on the filesystem.
+##
##
#
interface(`fs_getattr_rpc_pipefs',`
@@ -1948,7 +2172,9 @@ interface(`fs_getattr_rpc_pipefs',`
## Mount a tmpfs filesystem.
##
##
+##
## The type of the domain mounting the filesystem.
+##
##
#
interface(`fs_mount_tmpfs',`
@@ -1964,7 +2190,9 @@ interface(`fs_mount_tmpfs',`
## Remount a tmpfs filesystem.
##
##
+##
## The type of the domain remounting the filesystem.
+##
##
#
interface(`fs_remount_tmpfs',`
@@ -1980,7 +2208,9 @@ interface(`fs_remount_tmpfs',`
## Unmount a tmpfs filesystem.
##
##
+##
## The type of the domain unmounting the filesystem.
+##
##
#
interface(`fs_unmount_tmpfs',`
@@ -1997,8 +2227,10 @@ interface(`fs_unmount_tmpfs',`
## filesystem.
##
##
+##
## The type of the domain doing the
## getattr on the filesystem.
+##
##
#
interface(`fs_getattr_tmpfs',`
@@ -2014,7 +2246,9 @@ interface(`fs_getattr_tmpfs',`
## Allow the type to associate to tmpfs filesystems.
##
##
+##
## The type of the object to be associated.
+##
##
#
interface(`fs_associate_tmpfs',`
@@ -2030,7 +2264,9 @@ interface(`fs_associate_tmpfs',`
## Get the attributes of tmpfs directories.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`fs_getattr_tmpfs_dirs',`
@@ -2046,7 +2282,9 @@ interface(`fs_getattr_tmpfs_dirs',`
## Set the attributes of tmpfs directories.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`fs_setattr_tmpfs_dirs',`
@@ -2062,7 +2300,9 @@ interface(`fs_setattr_tmpfs_dirs',`
## Search tmpfs directories.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`fs_search_tmpfs',`
@@ -2078,7 +2318,9 @@ interface(`fs_search_tmpfs',`
## List the contents of generic tmpfs directories.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`fs_list_tmpfs',`
@@ -2095,7 +2337,9 @@ interface(`fs_list_tmpfs',`
## contents of generic tmpfs directories.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`fs_dontaudit_list_tmpfs',`
@@ -2112,7 +2356,9 @@ interface(`fs_dontaudit_list_tmpfs',`
## tmpfs directories
##
##
+##
## Domain allowed access.
+##
##
#
interface(`fs_manage_tmpfs_dirs',`
@@ -2148,7 +2394,9 @@ interface(`fs_filetrans_tmpfs',`
## generic tmpfs files.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`fs_dontaudit_rw_tmpfs_files',`
@@ -2165,7 +2413,9 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
## auto moutpoints.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`fs_manage_auto_mountpoints',`
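Review bot: The summary line kept in this hunk reads `auto moutpoints` and should be `auto mountpoints`. These comment blocks presumably feed the generated interface documentation, so the misspelling would be carried into it and defeat text searches. Later hunks in kernel.if have similar slips: `attribues` and `attibutes` above kernel_getattr_core_if, `modiry` above kernel_rw_net_sysctls, and `fileystem` above kernel_rw_fs_sysctls. Since the commit is already touching each of these blocks, they could be corrected in the same pass.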
@@ -2181,7 +2431,9 @@ interface(`fs_manage_auto_mountpoints',`
## Read and write generic tmpfs files.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`fs_rw_tmpfs_files',`
@@ -2198,7 +2450,9 @@ interface(`fs_rw_tmpfs_files',`
## Read tmpfs link files.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`fs_read_tmpfs_symlinks',`
@@ -2215,7 +2469,9 @@ interface(`fs_read_tmpfs_symlinks',`
## Read and write character nodes on tmpfs filesystems.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`fs_rw_tmpfs_chr_files',`
@@ -2232,7 +2488,9 @@ interface(`fs_rw_tmpfs_chr_files',`
## dontaudit Read and write character nodes on tmpfs filesystems.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`fs_dontaudit_use_tmpfs_chr_dev',`
@@ -2249,7 +2507,9 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
## Relabel character nodes on tmpfs filesystems.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`fs_relabel_tmpfs_chr_file',`
@@ -2266,7 +2526,9 @@ interface(`fs_relabel_tmpfs_chr_file',`
## Read and write block nodes on tmpfs filesystems.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`fs_rw_tmpfs_blk_files',`
@@ -2283,7 +2545,9 @@ interface(`fs_rw_tmpfs_blk_files',`
## Relabel block nodes on tmpfs filesystems.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`fs_relabel_tmpfs_blk_file',`
@@ -2301,7 +2565,9 @@ interface(`fs_relabel_tmpfs_blk_file',`
## files on tmpfs filesystems.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`fs_manage_tmpfs_files',`
@@ -2319,7 +2585,9 @@ interface(`fs_manage_tmpfs_files',`
## links on tmpfs filesystems.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`fs_manage_tmpfs_symlinks',`
@@ -2337,7 +2605,9 @@ interface(`fs_manage_tmpfs_symlinks',`
## files on tmpfs filesystems.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`fs_manage_tmpfs_sockets',`
@@ -2355,7 +2625,9 @@ interface(`fs_manage_tmpfs_sockets',`
## nodes on tmpfs filesystems.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`fs_manage_tmpfs_chr_files',`
@@ -2373,7 +2645,9 @@ interface(`fs_manage_tmpfs_chr_files',`
## on tmpfs filesystems.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`fs_manage_tmpfs_blk_files',`
@@ -2390,7 +2664,9 @@ interface(`fs_manage_tmpfs_blk_files',`
## Mount all filesystems.
##
##
+##
## The type of the domain mounting the filesystem.
+##
##
#
interface(`fs_mount_all_fs',`
@@ -2407,7 +2683,9 @@ interface(`fs_mount_all_fs',`
## allows some mount options to be changed.
##
##
+##
## The type of the domain mounting the filesystem.
+##
##
#
interface(`fs_remount_all_fs',`
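Review bot: The parameter text under fs_remount_all_fs says `## The type of the domain mounting the filesystem.` although the interface remounts. It looks copied from fs_mount_all_fs and should read `## The type of the domain remounting the filesystem.`, as the per-filesystem remount interfaces earlier in the file do. Two later hunks carry the same kind of leftover. fs_relabelfrom_all_fs describes its caller as `doing the getattr on the filesystem`, and kernel_rw_software_raid_state describes it as `reading software raid state` although its summary says read and set. For interfaces that hand out relabel or write access, the description should name the access actually granted.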
@@ -2423,7 +2701,9 @@ interface(`fs_remount_all_fs',`
## Unmount all filesystems.
##
##
+##
## The type of the domain unmounting the filesystem.
+##
##
#
interface(`fs_unmount_all_fs',`
@@ -2440,8 +2720,10 @@ interface(`fs_unmount_all_fs',`
## filesystems.
##
##
+##
## The type of the domain doing the
## getattr on the filesystem.
+##
##
#
interface(`fs_getattr_all_fs',`
@@ -2458,7 +2740,9 @@ interface(`fs_getattr_all_fs',`
## all filesystems.
##
##
+##
## The type of the domain to not audit.
+##
##
#
interface(`fs_dontaudit_getattr_all_fs',`
@@ -2474,7 +2758,9 @@ interface(`fs_dontaudit_getattr_all_fs',`
## Get the quotas of all filesystems.
##
##
+##
## The type of the domain getting quotas.
+##
##
#
interface(`fs_get_all_fs_quotas',`
@@ -2490,7 +2776,9 @@ interface(`fs_get_all_fs_quotas',`
## Set the quotas of all filesystems.
##
##
+##
## The type of the domain setting quotas.
+##
##
#
interface(`fs_set_all_quotas',`
@@ -2506,8 +2794,10 @@ interface(`fs_set_all_quotas',`
## Relabelfrom all filesystems.
##
##
+##
## The type of the domain doing the
## getattr on the filesystem.
+##
##
#
interface(`fs_relabelfrom_all_fs',`
@@ -2524,7 +2814,9 @@ interface(`fs_relabelfrom_all_fs',`
## with a filesystem type.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`fs_getattr_all_dirs',`
@@ -2540,7 +2832,9 @@ interface(`fs_getattr_all_dirs',`
## Search all directories with a filesystem type.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`fs_search_all',`
@@ -2556,7 +2850,9 @@ interface(`fs_search_all',`
## List all directories with a filesystem type.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`fs_list_all',`
@@ -2573,7 +2869,9 @@ interface(`fs_list_all',`
## a filesystem type.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`fs_getattr_all_files',`
@@ -2591,7 +2889,9 @@ interface(`fs_getattr_all_files',`
## a filesystem type.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`fs_getattr_all_symlinks',`
@@ -2609,7 +2909,9 @@ interface(`fs_getattr_all_symlinks',`
## a filesystem type.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`fs_getattr_all_pipes',`
@@ -2627,7 +2929,9 @@ interface(`fs_getattr_all_pipes',`
## a filesystem type.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`fs_getattr_all_sockets',`
@@ -2645,7 +2949,9 @@ interface(`fs_getattr_all_sockets',`
## of all files with a filesystem type.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`fs_dontaudit_getattr_all_files',`
@@ -2662,7 +2968,9 @@ interface(`fs_dontaudit_getattr_all_files',`
## of all symbolic links with a filesystem type.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`fs_dontaudit_getattr_all_symlinks',`
@@ -2679,7 +2987,9 @@ interface(`fs_dontaudit_getattr_all_symlinks',`
## of all named pipes with a filesystem type.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`fs_dontaudit_getattr_all_pipes',`
@@ -2696,7 +3006,9 @@ interface(`fs_dontaudit_getattr_all_pipes',`
## of all named sockets with a filesystem type.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`fs_dontaudit_getattr_all_sockets',`
@@ -2712,7 +3024,9 @@ interface(`fs_dontaudit_getattr_all_sockets',`
## Unconfined access to filesystems
##
##
+##
## Domain allowed access.
+##
##
#
interface(`fs_unconfined',`
diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if
index 680da4c..839d797 100644
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@@ -12,10 +12,14 @@
## by transitioning to the specified domain.
##
##
+##
## The process type entered by kernel.
+##
##
##
+##
## The executable type for the entrypoint.
+##
##
#
interface(`kernel_domtrans_to',`
@@ -41,7 +45,9 @@ interface(`kernel_domtrans_to',`
## the specified directory type.
##
##
+##
## The type of the directory to use as a mountpoint.
+##
##
#
interface(`kernel_rootfs_mountpoint',`
@@ -57,7 +63,9 @@ interface(`kernel_rootfs_mountpoint',`
## Set the process group of kernel threads.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`kernel_setpgid',`
@@ -73,7 +81,9 @@ interface(`kernel_setpgid',`
## Send a SIGCHLD signal to kernel threads.
##
##
+##
## The type of the process sending the signal.
+##
##
#
interface(`kernel_sigchld',`
@@ -89,7 +99,9 @@ interface(`kernel_sigchld',`
## Send a generic signal to kernel threads.
##
##
+##
## The type of the process sending the signal.
+##
##
#
interface(`kernel_signal',`
@@ -106,7 +118,9 @@ interface(`kernel_signal',`
## the caller.
##
##
+##
## The type of the process with which to share state information.
+##
##
#
interface(`kernel_share_state',`
@@ -122,7 +136,9 @@ interface(`kernel_share_state',`
## Permits caller to use kernel file descriptors.
##
##
+##
## The type of the process using the descriptors.
+##
##
#
interface(`kernel_use_fd',`
@@ -139,7 +155,9 @@ interface(`kernel_use_fd',`
## kernel file descriptors.
##
##
+##
## The type of process not to audit.
+##
##
#
interface(`kernel_dontaudit_use_fd',`
@@ -155,7 +173,9 @@ interface(`kernel_dontaudit_use_fd',`
## Read and write kernel unnamed pipes.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`kernel_rw_pipes',`
@@ -171,7 +191,9 @@ interface(`kernel_rw_pipes',`
## Read and write kernel unix datagram sockets.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`kernel_rw_unix_dgram_sockets',`
@@ -187,7 +209,9 @@ interface(`kernel_rw_unix_dgram_sockets',`
## Send messages to kernel unix datagram sockets.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`kernel_dgram_send',`
@@ -203,7 +227,9 @@ interface(`kernel_dgram_send',`
## Receive messages from kernel TCP sockets.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`kernel_tcp_recvfrom',`
@@ -219,7 +245,9 @@ interface(`kernel_tcp_recvfrom',`
## Send UDP network traffic to the kernel.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`kernel_udp_sendto',`
@@ -236,7 +264,9 @@ interface(`kernel_udp_sendto',`
## Receive messages from kernel UDP sockets.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`kernel_udp_recvfrom',`
@@ -252,7 +282,9 @@ interface(`kernel_udp_recvfrom',`
## Allows caller to load kernel modules
##
##
+##
## The process type to allow to load kernel modules.
+##
##
#
interface(`kernel_load_module',`
@@ -269,7 +301,9 @@ interface(`kernel_load_module',`
## Allows caller to read the ring buffer.
##
##
+##
## The process type allowed to read the ring buffer.
+##
##
#
interface(`kernel_read_ring_buffer',`
@@ -285,7 +319,9 @@ interface(`kernel_read_ring_buffer',`
## Do not audit attempts to read the ring buffer.
##
##
+##
## The domain to not audit.
+##
##
#
interface(`kernel_dontaudit_read_ring_buffer',`
@@ -301,7 +337,9 @@ interface(`kernel_dontaudit_read_ring_buffer',`
## Change the level of kernel messages logged to the console.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`kernel_change_ring_buffer_level',`
@@ -317,7 +355,9 @@ interface(`kernel_change_ring_buffer_level',`
## Allows the caller to clear the ring buffer.
##
##
+##
## The process type clearing the buffer.
+##
##
#
interface(`kernel_clear_ring_buffer',`
@@ -333,7 +373,9 @@ interface(`kernel_clear_ring_buffer',`
## Get information on all System V IPC objects.
##
##
+##
##
+##
##
#
interface(`kernel_get_sysvipc_info',`
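Review bot: The parameter of kernel_get_sysvipc_info has no description: the line between the two added lines is a bare `##`, so the new wrapper encloses nothing. Every sibling interface in this file says who the caller is, and `## Domain allowed access.` would fit here. The markup on the added lines is not visible in this rendering, so this assumes they open and close the description element as in the neighbouring hunks.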
@@ -349,7 +391,9 @@ interface(`kernel_get_sysvipc_info',`
## Get the attributes of a kernel debugging filesystem.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`kernel_getattr_debugfs',`
@@ -365,7 +409,9 @@ interface(`kernel_getattr_debugfs',`
## Mount a kernel debugging filesystem.
##
##
+##
## The type of the domain mounting the filesystem.
+##
##
#
interface(`kernel_mount_debugfs',`
@@ -381,7 +427,9 @@ interface(`kernel_mount_debugfs',`
## Unmount a kernel debugging filesystem.
##
##
+##
## The type of the domain unmounting the filesystem.
+##
##
#
interface(`kernel_unmount_debugfs',`
@@ -397,7 +445,9 @@ interface(`kernel_unmount_debugfs',`
## Remount a kernel debugging filesystem.
##
##
+##
## The type of the domain remounting the filesystem.
+##
##
#
interface(`kernel_remount_debugfs',`
@@ -413,7 +463,9 @@ interface(`kernel_remount_debugfs',`
## Search the contents of a kernel debugging filesystem.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`kernel_search_debugfs',`
@@ -429,7 +481,9 @@ interface(`kernel_search_debugfs',`
## Read information from the debugging filesystem.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`kernel_read_debugfs',`
@@ -447,7 +501,9 @@ interface(`kernel_read_debugfs',`
## Get the attributes of the proc filesystem.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`kernel_getattr_proc',`
@@ -463,7 +519,9 @@ interface(`kernel_getattr_proc',`
## Search directories in /proc.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`kernel_search_proc',`
@@ -479,7 +537,9 @@ interface(`kernel_search_proc',`
## List the contents of directories in /proc.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`kernel_list_proc',`
@@ -496,7 +556,9 @@ interface(`kernel_list_proc',`
## contents of directories in /proc.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`kernel_dontaudit_list_proc',`
@@ -512,7 +574,9 @@ interface(`kernel_dontaudit_list_proc',`
## Get the attributes of files in /proc.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`kernel_getattr_proc_files',`
@@ -529,7 +593,9 @@ interface(`kernel_getattr_proc_files',`
## Read symbolic links in /proc.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`kernel_read_proc_symlinks',`
@@ -546,7 +612,9 @@ interface(`kernel_read_proc_symlinks',`
## Allows caller to read system state information in proc.
##
##
+##
## The process type reading the system state information.
+##
##
#
interface(`kernel_read_system_state',`
@@ -564,7 +632,9 @@ interface(`kernel_read_system_state',`
## Write to generic proc entries.
##
##
+##
## Domain allowed access.
+##
##
#
# cjp: this should probably go away. any
@@ -586,7 +656,9 @@ interface(`kernel_write_proc_files',`
## read system state information in proc.
##
##
+##
## The process type not to audit.
+##
##
#
interface(`kernel_dontaudit_read_system_state',`
@@ -603,7 +675,9 @@ interface(`kernel_dontaudit_read_system_state',`
## read system state information in proc.
##
##
+##
## The process type not to audit.
+##
##
#
interface(`kernel_dontaudit_read_proc_symlinks',`
@@ -619,7 +693,9 @@ interface(`kernel_dontaudit_read_proc_symlinks',`
## Allow caller to read the state information for software raid.
##
##
+##
## The process type reading software raid state.
+##
##
#
interface(`kernel_read_software_raid_state',`
@@ -636,7 +712,9 @@ interface(`kernel_read_software_raid_state',`
## Allow caller to read and set the state information for software raid.
##
##
+##
## The process type reading software raid state.
+##
##
#
interface(`kernel_rw_software_raid_state',`
@@ -653,7 +731,9 @@ interface(`kernel_rw_software_raid_state',`
## Allows caller to get attribues of core kernel interface.
##
##
+##
## The process type getting the attibutes.
+##
##
#
interface(`kernel_getattr_core_if',`
@@ -671,7 +751,9 @@ interface(`kernel_getattr_core_if',`
## core kernel interfaces.
##
##
+##
## The process type to not audit.
+##
##
#
interface(`kernel_dontaudit_getattr_core_if',`
@@ -688,7 +770,9 @@ interface(`kernel_dontaudit_getattr_core_if',`
## using the /proc/kmsg interface.
##
##
+##
## The process type reading the messages.
+##
##
#
interface(`kernel_read_messages',`
@@ -708,7 +792,9 @@ interface(`kernel_read_messages',`
## interface (/proc/kmsg).
##
##
+##
## The process type getting the attributes.
+##
##
#
interface(`kernel_getattr_message_if',`
@@ -726,7 +812,9 @@ interface(`kernel_getattr_message_if',`
## message interfaces.
##
##
+##
## The process type not to audit.
+##
##
#
interface(`kernel_dontaudit_getattr_message_if',`
@@ -743,7 +831,9 @@ interface(`kernel_dontaudit_getattr_message_if',`
## state directory.
##
##
+##
## The process type reading the state.
+##
##
##
#
@@ -760,7 +850,9 @@ interface(`kernel_dontaudit_search_network_state',`
## Allow searching of network state directory.
##
##
+##
## The process type reading the state.
+##
##
##
#
@@ -777,7 +869,9 @@ interface(`kernel_search_network_state',`
## Allow caller to read the network state information.
##
##
+##
## The process type reading the state.
+##
##
##
#
@@ -797,7 +891,9 @@ interface(`kernel_read_network_state',`
## Allow caller to read the network state symbolic links.
##
##
+##
## The process type reading the state.
+##
##
##
#
@@ -817,7 +913,9 @@ interface(`kernel_read_network_state_symlinks',`
## the base directory of sysctls.
##
##
+##
## The process type not to audit.
+##
##
##
#
@@ -834,7 +932,9 @@ interface(`kernel_dontaudit_search_sysctl',`
## Allow access to read sysctl directories.
##
##
+##
## The process type to allow to read sysctl directories.
+##
##
##
#
@@ -851,7 +951,9 @@ interface(`kernel_read_sysctl',`
## Allow caller to read the device sysctls.
##
##
+##
## The process type to allow to read the device sysctls.
+##
##
#
interface(`kernel_read_device_sysctls',`
@@ -870,7 +972,9 @@ interface(`kernel_read_device_sysctls',`
## Read and write device sysctls.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`kernel_rw_device_sysctls',`
@@ -888,7 +992,9 @@ interface(`kernel_rw_device_sysctls',`
## Allow caller to search virtual memory sysctls.
##
##
+##
## Domain allowed access.
+##
##
##
#
@@ -905,7 +1011,9 @@ interface(`kernel_search_vm_sysctl',`
## Allow caller to read virtual memory sysctls.
##
##
+##
## Domain allowed access.
+##
##
##
#
@@ -924,7 +1032,9 @@ interface(`kernel_read_vm_sysctls',`
## Read and write virtual memory sysctls.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`kernel_rw_vm_sysctls',`
@@ -942,7 +1052,9 @@ interface(`kernel_rw_vm_sysctls',`
## Search network sysctl directories.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`kernel_search_network_sysctl',`
@@ -958,7 +1070,9 @@ interface(`kernel_search_network_sysctl',`
## Do not audit attempts by caller to search network sysctl directories.
##
##
+##
## The process type not to audit.
+##
##
#
interface(`kernel_dontaudit_search_network_sysctl',`
@@ -974,7 +1088,9 @@ interface(`kernel_dontaudit_search_network_sysctl',`
## Allow caller to read network sysctls.
##
##
+##
## Domain allowed access.
+##
##
##
#
@@ -994,7 +1110,9 @@ interface(`kernel_read_net_sysctls',`
## Allow caller to modiry contents of sysctl network files.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`kernel_rw_net_sysctls',`
@@ -1014,7 +1132,9 @@ interface(`kernel_rw_net_sysctls',`
## socket sysctls.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`kernel_read_unix_sysctls',`
@@ -1034,7 +1154,9 @@ interface(`kernel_read_unix_sysctls',`
## socket sysctls.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`kernel_rw_unix_sysctls',`
@@ -1053,7 +1175,9 @@ interface(`kernel_rw_unix_sysctls',`
## Read the hotplug sysctl.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`kernel_read_hotplug_sysctls',`
@@ -1072,7 +1196,9 @@ interface(`kernel_read_hotplug_sysctls',`
## Read and write the hotplug sysctl.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`kernel_rw_hotplug_sysctls',`
@@ -1091,7 +1217,9 @@ interface(`kernel_rw_hotplug_sysctls',`
## Read the modprobe sysctl.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`kernel_read_modprobe_sysctls',`
@@ -1110,7 +1238,9 @@ interface(`kernel_read_modprobe_sysctls',`
## Read and write the modprobe sysctl.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`kernel_rw_modprobe_sysctls',`
@@ -1129,7 +1259,9 @@ interface(`kernel_rw_modprobe_sysctls',`
## Do not audit attempts to search generic kernel sysctls.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`kernel_dontaudit_search_kernel_sysctl',`
@@ -1145,7 +1277,9 @@ interface(`kernel_dontaudit_search_kernel_sysctl',`
## Read generic kernel sysctls.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`kernel_read_kernel_sysctls',`
@@ -1164,7 +1298,9 @@ interface(`kernel_read_kernel_sysctls',`
## Do not audit attempts to write generic kernel sysctls.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`kernel_dontaudit_write_kernel_sysctl',`
@@ -1180,7 +1316,9 @@ interface(`kernel_dontaudit_write_kernel_sysctl',`
## Read and write generic kernel sysctls.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`kernel_rw_kernel_sysctl',`
@@ -1199,7 +1337,9 @@ interface(`kernel_rw_kernel_sysctl',`
## Read filesystem sysctls.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`kernel_read_fs_sysctls',`
@@ -1218,7 +1358,9 @@ interface(`kernel_read_fs_sysctls',`
## Read and write fileystem sysctls.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`kernel_rw_fs_sysctls',`
@@ -1237,7 +1379,9 @@ interface(`kernel_rw_fs_sysctls',`
## Read IRQ sysctls.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`kernel_read_irq_sysctls',`
@@ -1255,7 +1399,9 @@ interface(`kernel_read_irq_sysctls',`
## Read and write IRQ sysctls.
##
##
+##
## Domain allowed access.
+##
##
##
#
@@ -1304,7 +1450,9 @@ interface(`kernel_rw_rpc_sysctls',`
## Allow caller to read all sysctls.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`kernel_read_all_sysctls',`
@@ -1325,7 +1473,9 @@ interface(`kernel_read_all_sysctls',`
## Read and write all sysctls.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`kernel_rw_all_sysctls',`
@@ -1346,7 +1496,9 @@ interface(`kernel_rw_all_sysctls',`
## Send a kill signal to unlabeled processes.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`kernel_kill_unlabeled',`
@@ -1362,7 +1514,9 @@ interface(`kernel_kill_unlabeled',`
## Send general signals to unlabeled processes.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`kernel_signal_unlabeled',`
@@ -1378,7 +1532,9 @@ interface(`kernel_signal_unlabeled',`
## Send a null signal to unlabeled processes.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`kernel_signull_unlabeled',`
@@ -1394,7 +1550,9 @@ interface(`kernel_signull_unlabeled',`
## Send a stop signal to unlabeled processes.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`kernel_sigstop_unlabeled',`
@@ -1410,7 +1568,9 @@ interface(`kernel_sigstop_unlabeled',`
## Send a child terminated signal to unlabeled processes.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`kernel_sigchld_unlabeled',`
@@ -1426,7 +1586,9 @@ interface(`kernel_sigchld_unlabeled',`
## List unlabeled directories.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`kernel_list_unlabeled',`
@@ -1442,7 +1604,9 @@ interface(`kernel_list_unlabeled',`
## Do not audit attempts to list unlabeled directories.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`kernel_dontaudit_list_unlabeled',`
@@ -1458,7 +1622,9 @@ interface(`kernel_dontaudit_list_unlabeled',`
## Read and write unlabeled directories.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`kernel_rw_unlabeled_dirs',`
@@ -1475,7 +1641,9 @@ interface(`kernel_rw_unlabeled_dirs',`
## attributes of an unlabeled file.
##
##
+##
## The process type not to audit.
+##
##
#
interface(`kernel_dontaudit_getattr_unlabeled_files',`
@@ -1492,7 +1660,9 @@ interface(`kernel_dontaudit_getattr_unlabeled_files',`
## read an unlabeled file.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`kernel_dontaudit_read_unlabeled_files',`
@@ -1509,7 +1679,9 @@ interface(`kernel_dontaudit_read_unlabeled_files',`
## attributes of unlabeled symbolic links.
##
##
+##
## The process type not to audit.
+##
##
#
interface(`kernel_dontaudit_getattr_unlabeled_symlinks',`
@@ -1526,7 +1698,9 @@ interface(`kernel_dontaudit_getattr_unlabeled_symlinks',`
## attributes of unlabeled named pipes.
##
##
+##
## The process type not to audit.
+##
##
#
interface(`kernel_dontaudit_getattr_unlabeled_pipes',`
@@ -1543,7 +1717,9 @@ interface(`kernel_dontaudit_getattr_unlabeled_pipes',`
## attributes of unlabeled named sockets.
##
##
+##
## The process type not to audit.
+##
##
#
interface(`kernel_dontaudit_getattr_unlabeled_sockets',`
@@ -1560,7 +1736,9 @@ interface(`kernel_dontaudit_getattr_unlabeled_sockets',`
## unlabeled block devices.
##
##
+##
## The process type not to audit.
+##
##
#
interface(`kernel_dontaudit_getattr_unlabeled_blk_files',`
@@ -1576,7 +1754,9 @@ interface(`kernel_dontaudit_getattr_unlabeled_blk_files',`
## Read and write unlabeled block device nodes.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`kernel_rw_unlabeled_blk_files',`
@@ -1593,7 +1773,9 @@ interface(`kernel_rw_unlabeled_blk_files',`
## unlabeled character devices.
##
##
+##
## The process type not to audit.
+##
##
#
interface(`kernel_dontaudit_getattr_unlabeled_chr_files',`
@@ -1609,7 +1791,9 @@ interface(`kernel_dontaudit_getattr_unlabeled_chr_files',`
## Allow caller to relabel unlabeled directories.
##
##
+##
## The process type relabeling the objects.
+##
##
#
interface(`kernel_relabelfrom_unlabeled_dirs',`
@@ -1625,7 +1809,9 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
## Allow caller to relabel unlabeled files.
##
##
+##
## The process type relabeling the objects.
+##
##
#
interface(`kernel_relabelfrom_unlabeled_files',`
@@ -1642,7 +1828,9 @@ interface(`kernel_relabelfrom_unlabeled_files',`
## Allow caller to relabel unlabeled symbolic links.
##
##
+##
## The process type relabeling the objects.
+##
##
#
interface(`kernel_relabelfrom_unlabeled_symlinks',`
@@ -1659,7 +1847,9 @@ interface(`kernel_relabelfrom_unlabeled_symlinks',`
## Allow caller to relabel unlabeled named pipes.
##
##
+##
## The process type relabeling the objects.
+##
##
#
interface(`kernel_relabelfrom_unlabeled_pipes',`
@@ -1676,7 +1866,9 @@ interface(`kernel_relabelfrom_unlabeled_pipes',`
## Allow caller to relabel unlabeled named sockets.
##
##
+##
## The process type relabeling the objects.
+##
##
#
interface(`kernel_relabelfrom_unlabeled_sockets',`
@@ -1708,7 +1900,9 @@ interface(`kernel_relabelfrom_unlabeled_sockets',`
##
##
##
+##
## Domain allowed access.
+##
##
#
interface(`kernel_sendrecv_unlabeled_association',`
@@ -1724,7 +1918,9 @@ interface(`kernel_sendrecv_unlabeled_association',`
## Unconfined access to kernel module resources.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`kernel_unconfined',`
diff --git a/refpolicy/policy/modules/kernel/mls.if b/refpolicy/policy/modules/kernel/mls.if
index d875dde..850ae8e 100644
--- a/refpolicy/policy/modules/kernel/mls.if
+++ b/refpolicy/policy/modules/kernel/mls.if
@@ -17,7 +17,9 @@
## for reading from files at higher levels.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`mls_file_read_up',`
@@ -34,7 +36,9 @@ interface(`mls_file_read_up',`
## for writing to files at lower levels.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`mls_file_write_down',`
@@ -51,7 +55,9 @@ interface(`mls_file_write_down',`
## for raising the level of files.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`mls_file_upgrade',`
@@ -68,7 +74,9 @@ interface(`mls_file_upgrade',`
## for lowering the level of files.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`mls_file_downgrade',`
@@ -86,7 +94,9 @@ interface(`mls_file_downgrade',`
## the current level.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`mls_rangetrans_source',`
@@ -104,7 +114,9 @@ interface(`mls_rangetrans_source',`
## the current level.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`mls_rangetrans_target',`
@@ -121,7 +133,9 @@ interface(`mls_rangetrans_target',`
## for reading from processes at higher levels.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`mls_process_read_up',`
@@ -138,7 +152,9 @@ interface(`mls_process_read_up',`
## for writing to processes at lower levels.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`mls_process_write_down',`
@@ -156,7 +172,9 @@ interface(`mls_process_write_down',`
## it executes.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`mls_process_set_level',`
@@ -184,7 +202,9 @@ interface(`mls_process_set_level',`
##
##
##
+##
## The type of the object.
+##
##
#
interface(`mls_trusted_object',`
diff --git a/refpolicy/policy/modules/kernel/selinux.if b/refpolicy/policy/modules/kernel/selinux.if
index 2179d7f..3a64fca 100644
--- a/refpolicy/policy/modules/kernel/selinux.if
+++ b/refpolicy/policy/modules/kernel/selinux.if
@@ -10,7 +10,9 @@
## Gets the caller the mountpoint of the selinuxfs filesystem.
##
##
+##
## The process type requesting the selinuxfs mountpoint.
+##
##
#
interface(`selinux_get_fs_mount',`
@@ -25,7 +27,9 @@ interface(`selinux_get_fs_mount',`
## attributes of the selinuxfs directory.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`selinux_dontaudit_getattr_dir',`
@@ -41,7 +45,9 @@ interface(`selinux_dontaudit_getattr_dir',`
## Search selinuxfs.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`selinux_search_fs',`
@@ -57,7 +63,9 @@ interface(`selinux_search_fs',`
## Do not audit attempts to search selinuxfs.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`selinux_dontaudit_search_fs',`
@@ -74,7 +82,9 @@ interface(`selinux_dontaudit_search_fs',`
## generic selinuxfs entries
##
##
+##
## Domain to not audit.
+##
##
#
interface(`selinux_dontaudit_read_fs',`
@@ -92,7 +102,9 @@ interface(`selinux_dontaudit_read_fs',`
## (enforcing or permissive mode).
##
##
+##
## The process type to allow to get the enforcing mode.
+##
##
#
interface(`selinux_get_enforce_mode',`
@@ -120,7 +132,9 @@ interface(`selinux_get_enforce_mode',`
##
##
##
+##
## The process type to allow to set the enforcement mode.
+##
##
#
interface(`selinux_set_enforce_mode',`
@@ -145,7 +159,9 @@ interface(`selinux_set_enforce_mode',`
## Allow caller to load the policy into the kernel.
##
##
+##
## The process type that will load the policy.
+##
##
#
interface(`selinux_load_policy',`
@@ -181,7 +197,9 @@ interface(`selinux_load_policy',`
##
##
##
+##
## The process type allowed to set the Boolean.
+##
##
#
interface(`selinux_set_boolean',`
@@ -216,7 +234,9 @@ interface(`selinux_set_boolean',`
##
##
##
+##
## The process type to allow to set security parameters.
+##
##
#
interface(`selinux_set_parameters',`
@@ -237,7 +257,9 @@ interface(`selinux_set_parameters',`
## Allows caller to validate security contexts.
##
##
+##
## The process type permitted to validate contexts.
+##
##
#
interface(`selinux_validate_context',`
@@ -255,7 +277,9 @@ interface(`selinux_validate_context',`
## Allows caller to compute an access vector.
##
##
+##
## The process type allowed to compute an access vector.
+##
##
#
interface(`selinux_compute_access_vector',`
@@ -273,7 +297,9 @@ interface(`selinux_compute_access_vector',`
## Calculate the default type for object creation.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`selinux_compute_create_context',`
@@ -292,7 +318,9 @@ interface(`selinux_compute_create_context',`
## directory members.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`selinux_compute_member',`
@@ -319,7 +347,9 @@ interface(`selinux_compute_member',`
##
##
##
+##
## Domain allowed access.
+##
##
#
interface(`selinux_compute_relabel_context',`
@@ -337,7 +367,9 @@ interface(`selinux_compute_relabel_context',`
## Allows caller to compute possible contexts for a user.
##
##
+##
## The process type allowed to compute user contexts.
+##
##
#
interface(`selinux_compute_user_contexts',`
@@ -355,7 +387,9 @@ interface(`selinux_compute_user_contexts',`
## Unconfined access to the SELinux kernel security server.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`selinux_unconfined',`
diff --git a/refpolicy/policy/modules/kernel/storage.if b/refpolicy/policy/modules/kernel/storage.if
index 2fd6bf0..020b6cc 100644
--- a/refpolicy/policy/modules/kernel/storage.if
+++ b/refpolicy/policy/modules/kernel/storage.if
@@ -6,7 +6,9 @@
## device nodes.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`storage_getattr_fixed_disk_dev',`
@@ -24,7 +26,9 @@ interface(`storage_getattr_fixed_disk_dev',`
## the attributes of fixed disk device nodes.
##
##
+##
## The type of the process to not audit.
+##
##
#
interface(`storage_dontaudit_getattr_fixed_disk_dev',`
@@ -41,7 +45,9 @@ interface(`storage_dontaudit_getattr_fixed_disk_dev',`
## device nodes.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`storage_setattr_fixed_disk_dev',`
@@ -59,7 +65,9 @@ interface(`storage_setattr_fixed_disk_dev',`
## the attributes of fixed disk device nodes.
##
##
+##
## The type of the process to not audit.
+##
##
#
interface(`storage_dontaudit_setattr_fixed_disk_dev',`
@@ -78,7 +86,9 @@ interface(`storage_dontaudit_setattr_fixed_disk_dev',`
## should only be used by trusted domains.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`storage_raw_read_fixed_disk',`
@@ -98,7 +108,9 @@ interface(`storage_raw_read_fixed_disk',`
## fixed disk device nodes.
##
##
+##
## The type of the process to not audit.
+##
##
#
interface(`storage_dontaudit_read_fixed_disk',`
@@ -118,7 +130,9 @@ interface(`storage_dontaudit_read_fixed_disk',`
## should only be used by trusted domains.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`storage_raw_write_fixed_disk',`
@@ -138,7 +152,9 @@ interface(`storage_raw_write_fixed_disk',`
## fixed disk device nodes.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`storage_dontaudit_write_fixed_disk',`
@@ -155,7 +171,9 @@ interface(`storage_dontaudit_write_fixed_disk',`
## Create block devices in /dev with the fixed disk type.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`storage_create_fixed_disk',`
@@ -174,7 +192,9 @@ interface(`storage_create_fixed_disk',`
## Create, read, write, and delete fixed disk device nodes.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`storage_manage_fixed_disk',`
@@ -193,7 +213,9 @@ interface(`storage_manage_fixed_disk',`
## Create fixed disk device nodes on a tmpfs filesystem.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`storage_create_fixed_disk_tmpfs',`
@@ -213,7 +235,9 @@ interface(`storage_create_fixed_disk_tmpfs',`
## Relabel fixed disk device nodes.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`storage_relabel_fixed_disk',`
@@ -230,7 +254,9 @@ interface(`storage_relabel_fixed_disk',`
## Enable a fixed disk device as swap space
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`storage_swapon_fixed_disk',`
@@ -248,7 +274,9 @@ interface(`storage_swapon_fixed_disk',`
## the generic SCSI interface device nodes.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`storage_getattr_scsi_generic_dev',`
@@ -266,7 +294,9 @@ interface(`storage_getattr_scsi_generic_dev',`
## the generic SCSI interface device nodes.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`storage_setattr_scsi_generic_dev',`
@@ -287,7 +317,9 @@ interface(`storage_setattr_scsi_generic_dev',`
## should only be used by trusted domains.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`storage_read_scsi_generic',`
@@ -310,7 +342,9 @@ interface(`storage_read_scsi_generic',`
## should only be used by trusted domains.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`storage_write_scsi_generic',`
@@ -330,7 +364,9 @@ interface(`storage_write_scsi_generic',`
## for the SCSI generic inerface.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`storage_setattr_scsi_generic_dev_dev',`
@@ -348,7 +384,9 @@ interface(`storage_setattr_scsi_generic_dev_dev',`
## SCSI generic device interfaces.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`storage_dontaudit_rw_scsi_generic',`
@@ -365,7 +403,9 @@ interface(`storage_dontaudit_rw_scsi_generic',`
## devices device nodes.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`storage_getattr_removable_dev',`
@@ -383,7 +423,9 @@ interface(`storage_getattr_removable_dev',`
## the attributes of removable devices device nodes.
##
##
+##
## The type of the process to not audit.
+##
##
#
interface(`storage_dontaudit_getattr_removable_dev',`
@@ -400,7 +442,9 @@ interface(`storage_dontaudit_getattr_removable_dev',`
## removable devices device nodes.
##
##
+##
## The type of the process to not audit.
+##
##
#
interface(`storage_dontaudit_read_removable_device',`
@@ -418,7 +462,9 @@ interface(`storage_dontaudit_read_removable_device',`
## devices device nodes.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`storage_setattr_removable_dev',`
@@ -436,7 +482,9 @@ interface(`storage_setattr_removable_dev',`
## the attributes of removable devices device nodes.
##
##
+##
## The type of the process to not audit.
+##
##
#
interface(`storage_dontaudit_setattr_removable_dev',`
@@ -456,7 +504,9 @@ interface(`storage_dontaudit_setattr_removable_dev',`
## should only be used by trusted domains.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`storage_raw_read_removable_device',`
@@ -473,7 +523,9 @@ interface(`storage_raw_read_removable_device',`
## Do not audit attempts to directly read removable devices.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`storage_dontaudit_raw_read_removable_device',`
@@ -493,7 +545,9 @@ interface(`storage_dontaudit_raw_read_removable_device',`
## should only be used by trusted domains.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`storage_raw_write_removable_device',`
@@ -510,7 +564,9 @@ interface(`storage_raw_write_removable_device',`
## Do not audit attempts to directly write removable devices.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`storage_dontaudit_raw_write_removable_device',`
@@ -527,7 +583,9 @@ interface(`storage_dontaudit_raw_write_removable_device',`
## a tape device.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`storage_read_tape',`
@@ -545,7 +603,9 @@ interface(`storage_read_tape',`
## a tape device.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`storage_write_tape',`
@@ -563,7 +623,9 @@ interface(`storage_write_tape',`
## of device nodes of tape devices.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`storage_getattr_tape_dev',`
@@ -581,7 +643,9 @@ interface(`storage_getattr_tape_dev',`
## of device nodes of tape devices.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`storage_setattr_tape_dev',`
@@ -598,7 +662,9 @@ interface(`storage_setattr_tape_dev',`
## Unconfined access to storage devices.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`storage_unconfined',`
diff --git a/refpolicy/policy/modules/kernel/terminal.if b/refpolicy/policy/modules/kernel/terminal.if
index c11e56f..bd890a6 100644
--- a/refpolicy/policy/modules/kernel/terminal.if
+++ b/refpolicy/policy/modules/kernel/terminal.if
@@ -8,7 +8,9 @@
## Transform specified type into a pty type.
##
##
+##
## An object type that will applied to a pty.
+##
##
#
interface(`term_pty',`
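Review bot: The parameter description wrapped by this hunk reads `An object type that will applied to a pty.`, which is missing a verb; it should be `## An object type that will be applied to a pty.`. The same wording appears in the hunks ending at term_user_pty and term_login_pty, and with "tty" in the hunk ending at term_tty. These comments appear to feed the generated interface reference, so the text is worth correcting while the lines are being touched. The interface bodies lie outside the hunks.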
@@ -29,11 +31,15 @@ interface(`term_pty',`
## type change by login programs such as ssh.
##
##
+##
## The type of the user domain associated with
## this pty.
+##
##
##
+##
## An object type that will applied to a pty.
+##
##
#
interface(`term_user_pty',`
@@ -51,7 +57,9 @@ interface(`term_user_pty',`
## used by login programs, such as sshd.
##
##
+##
## An object type that will applied to a pty.
+##
##
#
interface(`term_login_pty',`
@@ -68,7 +76,9 @@ interface(`term_login_pty',`
## Transform specified type into a tty type.
##
##
+##
## An object type that will applied to a tty.
+##
##
#
interface(`term_tty',`
@@ -102,10 +112,14 @@ interface(`term_tty',`
## Create a pty in the /dev/pts directory.
##
##
+##
## The type of the process creating the pty.
+##
##
##
+##
## The type of the pty.
+##
##
#
interface(`term_create_pty',`
@@ -128,7 +142,9 @@ interface(`term_create_pty',`
## ttys and all ptys.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`term_use_all_terms',`
@@ -147,7 +163,9 @@ interface(`term_use_all_terms',`
## Write to the console.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`term_write_console',`
@@ -164,7 +182,9 @@ interface(`term_write_console',`
## Read from the console.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`term_read_console',`
@@ -181,7 +201,9 @@ interface(`term_read_console',`
## Read from and write to the console.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`term_use_console',`
@@ -199,7 +221,9 @@ interface(`term_use_console',`
## or write to the console.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`term_dontaudit_use_console',`
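Review bot: The description kept for this parameter, `Domain allowed access.`, contradicts the interface it documents: term_dontaudit_use_console is named as a dontaudit interface, which suppresses audit records rather than granting access. A policy author reading the generated reference could take it for an allow rule, so the line should read `## Domain to not audit.`, as other dontaudit interfaces in this diff already do. The same mismatch is visible in the hunks ending at term_dontaudit_search_ptys, term_dontaudit_getattr_all_user_ptys, term_dontaudit_getattr_unallocated_ttys, term_dontaudit_ioctl_unallocated_ttys, term_dontaudit_getattr_all_user_ttys, term_dontaudit_use_all_user_ttys, apache_dontaudit_rw_stream_sockets, apache_dontaudit_rw_tcp_sockets, apache_dontaudit_rw_sys_script_stream_sockets, bluetooth_dontaudit_read_helper_files and cron_dontaudit_write_pipes. The interface bodies lie outside these hunks, so this is inferred from the names and summaries.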
@@ -216,7 +240,9 @@ interface(`term_dontaudit_use_console',`
## device node.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`term_setattr_console',`
@@ -234,7 +260,9 @@ interface(`term_setattr_console',`
## attributes of the /dev/pts directory.
##
##
+##
## The type of the process to not audit.
+##
##
#
interface(`term_dontaudit_getattr_pty_dirs',`
@@ -250,7 +278,9 @@ interface(`term_dontaudit_getattr_pty_dirs',`
## Search the contents of the /dev/pts directory.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`term_search_ptys',`
@@ -268,7 +298,9 @@ interface(`term_search_ptys',`
## contents of the /dev/pts directory.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`term_dontaudit_search_ptys',`
@@ -286,7 +318,9 @@ interface(`term_dontaudit_search_ptys',`
## list all ptys.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`term_list_ptys',`
@@ -304,7 +338,9 @@ interface(`term_list_ptys',`
## /dev/pts directory.
##
##
+##
## The type of the process to not audit.
+##
##
#
interface(`term_dontaudit_list_ptys',`
@@ -321,7 +357,9 @@ interface(`term_dontaudit_list_ptys',`
## write, or delete the /dev/pts directory.
##
##
+##
## The type of the process to not audit.
+##
##
#
interface(`term_dontaudit_manage_pty_dirs',`
@@ -337,7 +375,9 @@ interface(`term_dontaudit_manage_pty_dirs',`
## ioctl of generic pty types.
##
##
+##
## Domain allowed access.
+##
##
#
# cjp: added for ppp
@@ -358,7 +398,9 @@ interface(`term_ioctl_generic_ptys',`
## the targeted policy.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`term_use_generic_ptys',`
@@ -378,7 +420,9 @@ interface(`term_use_generic_ptys',`
## generally only used in the targeted policy.
##
##
+##
## The type of the process to not audit.
+##
##
#
interface(`term_dontaudit_use_generic_ptys',`
@@ -395,7 +439,9 @@ interface(`term_dontaudit_use_generic_ptys',`
## terminal (/dev/tty).
##
##
+##
## Domain allowed access.
+##
##
#
interface(`term_use_controlling_term',`
@@ -412,7 +458,9 @@ interface(`term_use_controlling_term',`
## Read and write the pty multiplexor (/dev/ptmx).
##
##
+##
## The type of the process to allow access.
+##
##
#
interface(`term_use_ptmx',`
@@ -429,7 +477,9 @@ interface(`term_use_ptmx',`
## write the pty multiplexor (/dev/ptmx).
##
##
+##
## The type of the process to not audit.
+##
##
#
interface(`term_dontaudit_use_ptmx',`
@@ -446,7 +496,9 @@ interface(`term_dontaudit_use_ptmx',`
## pty device nodes.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`term_getattr_all_user_ptys',`
@@ -466,7 +518,9 @@ interface(`term_getattr_all_user_ptys',`
## device nodes.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`term_dontaudit_getattr_all_user_ptys',`
@@ -485,7 +539,9 @@ interface(`term_dontaudit_getattr_all_user_ptys',`
## pty device nodes.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`term_setattr_all_user_ptys',`
@@ -503,7 +559,9 @@ interface(`term_setattr_all_user_ptys',`
## Relabel to all user ptys.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`term_relabelto_all_user_ptys',`
@@ -519,7 +577,9 @@ interface(`term_relabelto_all_user_ptys',`
## Read and write all user ptys.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`term_use_all_user_ptys',`
@@ -539,7 +599,9 @@ interface(`term_use_all_user_ptys',`
## user ptys.
##
##
+##
## The type of the process to not audit.
+##
##
#
interface(`term_dontaudit_use_all_user_ptys',`
@@ -556,7 +618,9 @@ interface(`term_dontaudit_use_all_user_ptys',`
## user pty device nodes.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`term_relabel_all_user_ptys',`
@@ -576,7 +640,9 @@ interface(`term_relabel_all_user_ptys',`
## tty device nodes.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`term_getattr_unallocated_ttys',`
@@ -594,7 +660,9 @@ interface(`term_getattr_unallocated_ttys',`
## of all unallocated tty device nodes.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`term_dontaudit_getattr_unallocated_ttys',`
@@ -611,7 +679,9 @@ interface(`term_dontaudit_getattr_unallocated_ttys',`
## tty device nodes.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`term_setattr_unallocated_ttys',`
@@ -629,7 +699,9 @@ interface(`term_setattr_unallocated_ttys',`
## unallocated tty device nodes.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`term_dontaudit_ioctl_unallocated_ttys',`
@@ -646,7 +718,9 @@ interface(`term_dontaudit_ioctl_unallocated_ttys',`
## tty type.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`term_relabel_unallocated_ttys',`
@@ -664,7 +738,9 @@ interface(`term_relabel_unallocated_ttys',`
## the unallocated tty type.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`term_reset_tty_labels',`
@@ -683,7 +759,9 @@ interface(`term_reset_tty_labels',`
## Write to unallocated ttys.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`term_write_unallocated_ttys',`
@@ -700,7 +778,9 @@ interface(`term_write_unallocated_ttys',`
## Read and write unallocated ttys.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`term_use_unallocated_ttys',`
@@ -718,7 +798,9 @@ interface(`term_use_unallocated_ttys',`
## write unallocated ttys.
##
##
+##
## The type of the process to not audit.
+##
##
#
interface(`term_dontaudit_use_unallocated_ttys',`
@@ -735,7 +817,9 @@ interface(`term_dontaudit_use_unallocated_ttys',`
## device nodes.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`term_getattr_all_user_ttys',`
@@ -754,7 +838,9 @@ interface(`term_getattr_all_user_ttys',`
## device nodes.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`term_dontaudit_getattr_all_user_ttys',`
@@ -772,7 +858,9 @@ interface(`term_dontaudit_getattr_all_user_ttys',`
## device nodes.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`term_setattr_all_user_ttys',`
@@ -790,7 +878,9 @@ interface(`term_setattr_all_user_ttys',`
## user tty device nodes.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`term_relabel_all_user_ttys',`
@@ -807,7 +897,9 @@ interface(`term_relabel_all_user_ttys',`
## Write to all user ttys.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`term_write_all_user_ttys',`
@@ -824,7 +916,9 @@ interface(`term_write_all_user_ttys',`
## Read and write all user to all user ttys.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`term_use_all_user_ttys',`
@@ -842,7 +936,9 @@ interface(`term_use_all_user_ttys',`
## any user ttys.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`term_dontaudit_use_all_user_ttys',`
diff --git a/refpolicy/policy/modules/services/apache.if b/refpolicy/policy/modules/services/apache.if
index fbae511..2280a15 100644
--- a/refpolicy/policy/modules/services/apache.if
+++ b/refpolicy/policy/modules/services/apache.if
@@ -6,7 +6,9 @@
## web content.
##
##
+##
## The prefix to be used for deriving type names.
+##
##
#
template(`apache_content_template',`
@@ -246,14 +248,20 @@ template(`apache_content_template',`
##
##
##
+##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
+##
##
##
+##
## The type of the user domain.
+##
##
##
+##
## The role associated with the user domain.
+##
##
#
template(`apache_per_userdomain_template', `
@@ -326,7 +334,9 @@ template(`apache_per_userdomain_template', `
## Transition to apache.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`apache_domtrans',`
@@ -348,7 +358,9 @@ interface(`apache_domtrans',`
## Send a null signal to apache.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`apache_signull',`
@@ -364,7 +376,9 @@ interface(`apache_signull',`
## Send a SIGCHLD signal to apache.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`apache_sigchld',`
@@ -380,7 +394,9 @@ interface(`apache_sigchld',`
## Inherit and use file descriptors from Apache.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`apache_use_fd',`
@@ -397,7 +413,9 @@ interface(`apache_use_fd',`
## unix domain stream sockets.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`apache_dontaudit_rw_stream_sockets',`
@@ -414,7 +432,9 @@ interface(`apache_dontaudit_rw_stream_sockets',`
## TCP sockets.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`apache_dontaudit_rw_tcp_sockets',`
@@ -431,7 +451,9 @@ interface(`apache_dontaudit_rw_tcp_sockets',`
## apache configuration files.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`apache_read_config',`
@@ -451,7 +473,9 @@ interface(`apache_read_config',`
## a domain transition.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`apache_domtrans_helper',`
@@ -475,13 +499,19 @@ interface(`apache_domtrans_helper',`
## specified role the dmidecode domain.
##
##
+##
## Domain allowed access.
+##
##
##
+##
## The role to be allowed the dmidecode domain.
+##
##
##
+##
## The type of the terminal allow the dmidecode domain to use.
+##
##
#
interface(`apache_run_helper',`
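Review bot: The role and terminal descriptions in this block refer to `the dmidecode domain`, which does not fit an Apache helper interface and looks copied from another module; the summary line above (`specified role the dmidecode domain.`) carries the same text. These parameters decide which role and terminal are tied to the helper, so the text should name the right domain, for example `## The role to be allowed the apache helper domain.` and `## The type of the terminal to allow the apache helper domain to use.`. The body of apache_run_helper is outside the hunk, so the exact domain name should be confirmed there.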
@@ -500,7 +530,9 @@ interface(`apache_run_helper',`
## apache log files.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`apache_read_log',`
@@ -520,7 +552,9 @@ interface(`apache_read_log',`
## Apache logs.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`apache_dontaudit_append_log',`
@@ -537,7 +571,9 @@ interface(`apache_dontaudit_append_log',`
## module directories.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`apache_dontaudit_search_modules',`
@@ -555,7 +591,9 @@ interface(`apache_dontaudit_search_modules',`
## directory.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`apache_list_modules',`
@@ -572,7 +610,9 @@ interface(`apache_list_modules',`
## apache modules.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`apache_exec_modules',`
@@ -591,7 +631,9 @@ interface(`apache_exec_modules',`
## apache system content files.
##
##
+##
## Domain allowed access.
+##
##
#
# Note that httpd_sys_content_t is found in /var, /etc, /srv and /usr
@@ -612,7 +654,9 @@ interface(`apache_manage_sys_content',`
## script domain.
##
##
+##
## Domain allowed access.
+##
##
#
# cjp: this interface specifically added to allow
@@ -639,7 +683,9 @@ interface(`apache_domtrans_sys_script',`
## system script unix domain stream sockets.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`apache_dontaudit_rw_sys_script_stream_sockets',`
@@ -656,7 +702,9 @@ interface(`apache_dontaudit_rw_sys_script_stream_sockets',`
## script domain.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`apache_domtrans_all_scripts',`
@@ -674,10 +722,14 @@ interface(`apache_domtrans_all_scripts',`
## to the specified role.
##
##
+##
## Domain allowed access.
+##
##
##
+##
## The role to be allowed the script domains.
+##
##
#
# cjp: this is missing the terminal since scripts
@@ -697,7 +749,9 @@ interface(`apache_run_all_scripts',`
## apache squirrelmail data.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`apache_read_squirrelmail_data',`
@@ -714,7 +768,9 @@ interface(`apache_read_squirrelmail_data',`
## apache squirrelmail data.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`apache_append_squirrelmail_data',`
@@ -730,7 +786,9 @@ interface(`apache_append_squirrelmail_data',`
## Search system script state directory.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`apache_search_sys_script_state',`
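Review bot: `Domain to not audit.` is used here for apache_search_sys_script_state, whose summary is `Search system script state directory.` and whose name carries no dontaudit. If the interface grants search access, the parameter should be documented as `## Domain allowed access.`. Describing a granting interface as audit suppression hides an access grant from anyone checking callers against the reference. The interface body is outside the hunk, so confirm against the rules it contains.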
diff --git a/refpolicy/policy/modules/services/apm.if b/refpolicy/policy/modules/services/apm.if
index e4fb61a..60a56f6 100644
--- a/refpolicy/policy/modules/services/apm.if
+++ b/refpolicy/policy/modules/services/apm.if
@@ -5,7 +5,9 @@
## Execute APM in the apm domain.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`apm_domtrans_client',`
@@ -27,7 +29,9 @@ interface(`apm_domtrans_client',`
## Use file descriptors for apmd.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`apm_use_fd',`
@@ -43,7 +47,9 @@ interface(`apm_use_fd',`
## Write to apmd unnamed pipes.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`apm_write_pipes',`
@@ -59,7 +65,9 @@ interface(`apm_write_pipes',`
## Read and write to an apm unix stream socket.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`apm_rw_stream_sockets',`
@@ -75,7 +83,9 @@ interface(`apm_rw_stream_sockets',`
## Append to apm's log file.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`apm_append_log',`
@@ -92,7 +102,9 @@ interface(`apm_append_log',`
## Connect to apmd over an unix stream socket.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`apm_stream_connect',`
diff --git a/refpolicy/policy/modules/services/arpwatch.if b/refpolicy/policy/modules/services/arpwatch.if
index 95cac1d..f354902 100644
--- a/refpolicy/policy/modules/services/arpwatch.if
+++ b/refpolicy/policy/modules/services/arpwatch.if
@@ -5,7 +5,9 @@
## Search arpwatch's data file directories.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`arpwatch_search_data',`
@@ -21,7 +23,9 @@ interface(`arpwatch_search_data',`
## Create arpwatch data files.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`arpwatch_manage_data_files',`
@@ -38,7 +42,9 @@ interface(`arpwatch_manage_data_files',`
## Read and write arpwatch temporary files.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`arpwatch_rw_tmp_files',`
@@ -54,7 +60,9 @@ interface(`arpwatch_rw_tmp_files',`
## Read and write arpwatch temporary files.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`arpwatch_manage_tmp_files',`
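Review bot: The summary above arpwatch_manage_tmp_files, `Read and write arpwatch temporary files.`, is identical to the one on arpwatch_rw_tmp_files in the previous hunk, so the reference cannot tell the two apart. If the manage variant also allows creating and deleting the files, as storage_manage_fixed_disk in this diff suggests (`Create, read, write, and delete`), the summary should say so, e.g. `## Create, read, write, and delete arpwatch temporary files.`. The interface body is outside the hunk, so the permission set needs checking before the text is changed.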
@@ -71,7 +79,9 @@ interface(`arpwatch_manage_tmp_files',`
## arpwatch packet sockets.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`arpwatch_dontaudit_rw_packet_sockets',`
diff --git a/refpolicy/policy/modules/services/automount.if b/refpolicy/policy/modules/services/automount.if
index c6e04cc..cf9b87a 100644
--- a/refpolicy/policy/modules/services/automount.if
+++ b/refpolicy/policy/modules/services/automount.if
@@ -5,7 +5,9 @@
## Execute automount in the automount domain.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`automount_domtrans',`
@@ -28,7 +30,9 @@ interface(`automount_domtrans',`
## Execute automount in the caller domain.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`automount_exec_config',`
diff --git a/refpolicy/policy/modules/services/avahi.if b/refpolicy/policy/modules/services/avahi.if
index 15b762f..c82289b 100644
--- a/refpolicy/policy/modules/services/avahi.if
+++ b/refpolicy/policy/modules/services/avahi.if
@@ -6,7 +6,9 @@
## avahi over dbus.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`avahi_dbus_chat',`
diff --git a/refpolicy/policy/modules/services/bind.if b/refpolicy/policy/modules/services/bind.if
index ade4664..7de201b 100644
--- a/refpolicy/policy/modules/services/bind.if
+++ b/refpolicy/policy/modules/services/bind.if
@@ -5,7 +5,9 @@
## Execute ndc in the ndc domain.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`bind_domtrans_ndc',`
@@ -26,7 +28,9 @@ interface(`bind_domtrans_ndc',`
## Send generic signals to BIND.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`bind_signal',`
@@ -43,13 +47,19 @@ interface(`bind_signal',`
## allow the specified role the ndc domain.
##
##
+##
## Domain allowed access.
+##
##
##
+##
## The role to be allowed the bind domain.
+##
##
##
+##
## The type of the terminal allow the bind domain to use.
+##
##
#
interface(`bind_run_ndc',`
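Review bot: The role and terminal descriptions say `the bind domain`, while the summary line in the same block says the role is allowed `the ndc domain`; for bind_run_ndc the latter is presumably the intended one. Suggest `## The role to be allowed the ndc domain.` and `## The type of the terminal to allow the ndc domain to use.`. The interface body is outside the hunk.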
@@ -67,7 +77,9 @@ interface(`bind_run_ndc',`
## Execute bind in the named domain.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`bind_domtrans',`
@@ -88,7 +100,9 @@ interface(`bind_domtrans',`
## Read DNSSEC keys.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`bind_read_dnssec_keys',`
@@ -105,7 +119,9 @@ interface(`bind_read_dnssec_keys',`
## Read BIND named configuration files.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`bind_read_config',`
@@ -122,7 +138,9 @@ interface(`bind_read_config',`
## Write BIND named configuration files.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`bind_write_config',`
@@ -140,7 +158,9 @@ interface(`bind_write_config',`
## BIND configuration directories.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`bind_manage_config_dirs',`
@@ -156,7 +176,9 @@ interface(`bind_manage_config_dirs',`
## Search the BIND cache directory.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`bind_search_cache',`
@@ -176,7 +198,9 @@ interface(`bind_search_cache',`
## BIND cache files.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`bind_manage_cache',`
@@ -197,7 +221,9 @@ interface(`bind_manage_cache',`
## of the BIND pid directory.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`bind_setattr_pid_dirs',`
@@ -213,7 +239,9 @@ interface(`bind_setattr_pid_dirs',`
## Read BIND zone files.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`bind_read_zone',`
diff --git a/refpolicy/policy/modules/services/bluetooth.if b/refpolicy/policy/modules/services/bluetooth.if
index d130b38..0b67fac 100644
--- a/refpolicy/policy/modules/services/bluetooth.if
+++ b/refpolicy/policy/modules/services/bluetooth.if
@@ -5,7 +5,9 @@
## Read bluetooth daemon configuration.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`bluetooth_read_config',`
@@ -21,7 +23,9 @@ interface(`bluetooth_read_config',`
## Execute bluetooth_helper in the bluetooth_helper domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`bluetooth_domtrans_helper',`
@@ -43,7 +47,9 @@ interface(`bluetooth_domtrans_helper',`
## bluetooth over dbus.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`bluetooth_dbus_chat',`
@@ -62,13 +68,19 @@ interface(`bluetooth_dbus_chat',`
## allow the specified role the bluetooth_helper domain.
##
##
+##
## The type of the process performing this action.
+##
##
##
+##
## The role to be allowed the bluetooth_helper domain.
+##
##
##
+##
## The type of the terminal allow the bluetooth_helper domain to use.
+##
##
#
interface(`bluetooth_run_helper',`
@@ -86,7 +98,9 @@ interface(`bluetooth_run_helper',`
## Read bluetooth helper files.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`bluetooth_dontaudit_read_helper_files',`
diff --git a/refpolicy/policy/modules/services/canna.if b/refpolicy/policy/modules/services/canna.if
index ee1e298..c3f5b1d 100644
--- a/refpolicy/policy/modules/services/canna.if
+++ b/refpolicy/policy/modules/services/canna.if
@@ -5,7 +5,9 @@
## Connect to Canna using a unix domain stream socket.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`canna_stream_connect',`
diff --git a/refpolicy/policy/modules/services/cpucontrol.if b/refpolicy/policy/modules/services/cpucontrol.if
index e07e04f..a827592 100644
--- a/refpolicy/policy/modules/services/cpucontrol.if
+++ b/refpolicy/policy/modules/services/cpucontrol.if
@@ -5,7 +5,9 @@
## CPUcontrol stub interface. No access allowed.
##
##
+##
## N/A
+##
##
#
interface(`cpucontrol_stub',`
diff --git a/refpolicy/policy/modules/services/cron.if b/refpolicy/policy/modules/services/cron.if
index fa0d30c..ab56c3b 100644
--- a/refpolicy/policy/modules/services/cron.if
+++ b/refpolicy/policy/modules/services/cron.if
@@ -17,14 +17,20 @@
##
##
##
+##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
+##
##
##
+##
## The type of the user domain.
+##
##
##
+##
## The role associated with the user domain.
+##
##
#
template(`cron_per_userdomain_template',`
@@ -267,8 +273,10 @@ template(`cron_per_userdomain_template',`
##
##
##
+##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
+##
##
#
template(`cron_admin_template',`
@@ -304,10 +312,14 @@ template(`cron_admin_template',`
## from the system cron jobs.
##
##
+##
## The type of the process to transition to.
+##
##
##
+##
## The type of the file used as an entrypoint to this domain.
+##
##
#
interface(`cron_system_entry',`
@@ -335,7 +347,9 @@ interface(`cron_system_entry',`
## from the cron daemon.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`cron_use_fd',`
@@ -351,7 +365,9 @@ interface(`cron_use_fd',`
## Send a SIGCHLD signal to the cron daemon.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`cron_sigchld',`
@@ -367,7 +383,9 @@ interface(`cron_sigchld',`
## Read a cron daemon unnamed pipe.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`cron_read_pipes',`
@@ -383,7 +401,9 @@ interface(`cron_read_pipes',`
## Do not audit attempts to write cron daemon unnamed pipes.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`cron_dontaudit_write_pipes',`
@@ -399,7 +419,9 @@ interface(`cron_dontaudit_write_pipes',`
## Read and write a cron daemon unnamed pipe.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`cron_rw_pipes',`
@@ -415,7 +437,9 @@ interface(`cron_rw_pipes',`
## Create, read, and write a cron daemon TCP socket.
##
##
+##
## Domain allowed access.
+##
##
#
# cjp: need to fix this name
@@ -432,7 +456,9 @@ interface(`cron_crw_tcp_socket',`
## Search the directory containing user cron tables.
##
##
+##
## The type of the process to performing this action.
+##
##
#
interface(`cron_search_spool',`
@@ -449,7 +475,9 @@ interface(`cron_search_spool',`
## Execute APM in the apm domain.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`cron_anacron_domtrans_system_job',`
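Review bot: The summary kept above cron_anacron_domtrans_system_job reads `Execute APM in the apm domain.`, which does not match the interface name and looks copied from another module. The interface body lies outside the hunk, so the wording needs checking against it, but something like `## Execute anacron in the system cron job domain.` would fit the name. Later hunks show the same mismatch: inn_read_news_spool repeats `Read innd news library files.`, lpd_read_config repeats `List the contents of the printer spool directories.`, mta_append_spool says `Create, read, and write the mail spool.`, and ntp_domtrans_ntpdate repeats `Execute ntp server in the ntpd domain.`. Policy authors choose interfaces from these summaries, so a description naming a different access makes it easy to grant more or less than intended.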
@@ -471,7 +499,9 @@ interface(`cron_anacron_domtrans_system_job',`
## from system cron jobs.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`cron_use_system_job_fd',`
@@ -487,7 +517,9 @@ interface(`cron_use_system_job_fd',`
## Write a system cron job unnamed pipe.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`cron_write_system_job_pipes',`
@@ -503,7 +535,9 @@ interface(`cron_write_system_job_pipes',`
## Read and write a system cron job unnamed pipe.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`cron_rw_system_job_pipes',`
@@ -519,7 +553,9 @@ interface(`cron_rw_system_job_pipes',`
## Read temporary files from the system cron jobs.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`cron_read_system_job_tmp_files',`
@@ -537,7 +573,9 @@ interface(`cron_read_system_job_tmp_files',`
## files from the system cron jobs.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`cron_dontaudit_append_system_job_tmp_files',`
diff --git a/refpolicy/policy/modules/services/cups.if b/refpolicy/policy/modules/services/cups.if
index 5fbe658..4c63008 100644
--- a/refpolicy/policy/modules/services/cups.if
+++ b/refpolicy/policy/modules/services/cups.if
@@ -5,7 +5,9 @@
## Execute cups in the cups domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`cups_domtrans',`
@@ -27,7 +29,9 @@ interface(`cups_domtrans',`
## cups over dbus.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`cups_dbus_chat',`
@@ -45,7 +49,9 @@ interface(`cups_dbus_chat',`
## Execute cups_config in the cups_config domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`cups_domtrans_config',`
@@ -67,7 +73,9 @@ interface(`cups_domtrans_config',`
## configuration daemon.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`cups_signal_config',`
@@ -84,7 +92,9 @@ interface(`cups_signal_config',`
## cupsd_config over dbus.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`cups_dbus_chat_config',`
@@ -102,7 +112,9 @@ interface(`cups_dbus_chat_config',`
## Read cups configuration files.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`cups_read_config',`
@@ -121,7 +133,9 @@ interface(`cups_read_config',`
## Read cups-writable configuration files.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`cups_read_rw_config',`
@@ -139,7 +153,9 @@ interface(`cups_read_rw_config',`
## Read cups log files.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`cups_read_log',`
@@ -156,7 +172,9 @@ interface(`cups_read_log',`
## Connect to ptal over an unix domain stream socket.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`cups_stream_connect_ptal',`
@@ -175,7 +193,9 @@ interface(`cups_stream_connect_ptal',`
## Connect to cups over TCP.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`cups_tcp_connect',`
diff --git a/refpolicy/policy/modules/services/cvs.if b/refpolicy/policy/modules/services/cvs.if
index bddf757..bdb19b4 100644
--- a/refpolicy/policy/modules/services/cvs.if
+++ b/refpolicy/policy/modules/services/cvs.if
@@ -5,7 +5,9 @@
## Read the CVS data and metadata.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`cvs_read_data',`
diff --git a/refpolicy/policy/modules/services/cyrus.if b/refpolicy/policy/modules/services/cyrus.if
index ec53160..49647a4 100644
--- a/refpolicy/policy/modules/services/cyrus.if
+++ b/refpolicy/policy/modules/services/cyrus.if
@@ -6,7 +6,9 @@
## and delete cyrus data files.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`cyrus_manage_data',`
diff --git a/refpolicy/policy/modules/services/dbus.if b/refpolicy/policy/modules/services/dbus.if
index 30a0bad..6c5f397 100644
--- a/refpolicy/policy/modules/services/dbus.if
+++ b/refpolicy/policy/modules/services/dbus.if
@@ -5,7 +5,9 @@
## DBUS stub interface. No access allowed.
##
##
+##
## N/A
+##
##
#
interface(`dbus_stub',`
@@ -30,14 +32,20 @@ interface(`dbus_stub',`
##
##
##
+##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
+##
##
##
+##
## The type of the user domain.
+##
##
##
+##
## The role associated with the user domain.
+##
##
#
template(`dbus_per_userdomain_template',`
@@ -177,11 +185,15 @@ template(`dbus_per_userdomain_template',`
## the system DBUS.
##
##
+##
## The prefix of the domain (e.g., user
## is the prefix for user_t).
+##
##
##
+##
## The type of the domain.
+##
##
#
template(`dbus_system_bus_client_template',`
@@ -209,7 +221,9 @@ template(`dbus_system_bus_client_template',`
## Read dbus configuration.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dbus_read_config',`
@@ -226,7 +240,9 @@ interface(`dbus_read_config',`
## for service (acquire_svc).
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dbus_connect_system_bus',`
@@ -243,7 +259,9 @@ interface(`dbus_connect_system_bus',`
## Send a message on the system DBUS.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dbus_send_system_bus',`
@@ -260,7 +278,9 @@ interface(`dbus_send_system_bus',`
## Allow unconfined access to the system DBUS.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dbus_system_bus_unconfined',`
diff --git a/refpolicy/policy/modules/services/dhcp.if b/refpolicy/policy/modules/services/dhcp.if
index 003671d..349b35d 100644
--- a/refpolicy/policy/modules/services/dhcp.if
+++ b/refpolicy/policy/modules/services/dhcp.if
@@ -6,7 +6,9 @@
## server state files.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dhcpd_setattr_state_files',`
diff --git a/refpolicy/policy/modules/services/dictd.if b/refpolicy/policy/modules/services/dictd.if
index d5b5adc..5addaa1 100644
--- a/refpolicy/policy/modules/services/dictd.if
+++ b/refpolicy/policy/modules/services/dictd.if
@@ -6,7 +6,9 @@
## over TCP.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dictd_tcp_connect',`
diff --git a/refpolicy/policy/modules/services/djbdns.if b/refpolicy/policy/modules/services/djbdns.if
index 50f601e..9b16ddd 100644
--- a/refpolicy/policy/modules/services/djbdns.if
+++ b/refpolicy/policy/modules/services/djbdns.if
@@ -6,7 +6,9 @@
## components that are directly supervised by daemontools.
##
##
+##
## The prefix to be used for deriving type names.
+##
##
#
template(`djbdns_daemontools_domain_template',`
diff --git a/refpolicy/policy/modules/services/dovecot.if b/refpolicy/policy/modules/services/dovecot.if
index a14c5b9..ba714cc 100644
--- a/refpolicy/policy/modules/services/dovecot.if
+++ b/refpolicy/policy/modules/services/dovecot.if
@@ -5,7 +5,9 @@
## Create, read, write, and delete the dovecot spool files.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`dovecot_manage_spool',`
diff --git a/refpolicy/policy/modules/services/finger.if b/refpolicy/policy/modules/services/finger.if
index 41fbe1f..22d4824 100644
--- a/refpolicy/policy/modules/services/finger.if
+++ b/refpolicy/policy/modules/services/finger.if
@@ -5,7 +5,9 @@
## Execute fingerd in the fingerd domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`finger_domtrans',`
@@ -26,7 +28,9 @@ interface(`finger_domtrans',`
## Allow the specified domain to connect to fingerd with a tcp socket.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`finger_tcp_connect',`
diff --git a/refpolicy/policy/modules/services/ftp.if b/refpolicy/policy/modules/services/ftp.if
index ccd4b4d..8b9b937 100644
--- a/refpolicy/policy/modules/services/ftp.if
+++ b/refpolicy/policy/modules/services/ftp.if
@@ -17,8 +17,10 @@
##
##
##
+##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
+##
##
#
template(`ftp_per_userdomain_template',`
@@ -36,7 +38,9 @@ template(`ftp_per_userdomain_template',`
## Use ftp by connecting over TCP.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`ftp_tcp_connect',`
@@ -54,7 +58,9 @@ interface(`ftp_tcp_connect',`
## Read ftpd etc files
##
##
+##
## Domain allowed access.
+##
##
#
interface(`ftp_read_config',`
@@ -71,7 +77,9 @@ interface(`ftp_read_config',`
## Execute FTP daemon entry point programs.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`ftp_check_exec',`
@@ -88,7 +96,9 @@ interface(`ftp_check_exec',`
## Read FTP transfer logs
##
##
+##
## Domain allowed access.
+##
##
#
interface(`ftp_read_log',`
diff --git a/refpolicy/policy/modules/services/gpm.if b/refpolicy/policy/modules/services/gpm.if
index 7e0a886..2890beb 100644
--- a/refpolicy/policy/modules/services/gpm.if
+++ b/refpolicy/policy/modules/services/gpm.if
@@ -6,7 +6,9 @@
## stream socket.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`gpm_stream_connect',`
@@ -24,7 +26,9 @@ interface(`gpm_stream_connect',`
## control channel named socket.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`gpm_getattr_gpmctl',`
@@ -43,7 +47,9 @@ interface(`gpm_getattr_gpmctl',`
## named socket.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`gpm_dontaudit_getattr_gpmctl',`
@@ -60,7 +66,9 @@ interface(`gpm_dontaudit_getattr_gpmctl',`
## control channel named socket.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`gpm_setattr_gpmctl',`
diff --git a/refpolicy/policy/modules/services/hal.if b/refpolicy/policy/modules/services/hal.if
index 6bb4483..f4ee962 100644
--- a/refpolicy/policy/modules/services/hal.if
+++ b/refpolicy/policy/modules/services/hal.if
@@ -5,7 +5,9 @@
## Execute hal in the hal domain.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`hal_domtrans',`
@@ -27,7 +29,9 @@ interface(`hal_domtrans',`
## datagram socket.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`hal_dgram_sendto',`
@@ -44,7 +48,9 @@ interface(`hal_dgram_sendto',`
## stream socket.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`hal_stream_connect',`
@@ -60,7 +66,9 @@ interface(`hal_stream_connect',`
## Send a dbus message to hal.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`hal_dbus_send',`
@@ -78,7 +86,9 @@ interface(`hal_dbus_send',`
## hal over dbus.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`hal_dbus_chat',`
diff --git a/refpolicy/policy/modules/services/howl.if b/refpolicy/policy/modules/services/howl.if
index 5b0900e..9164dd2 100644
--- a/refpolicy/policy/modules/services/howl.if
+++ b/refpolicy/policy/modules/services/howl.if
@@ -5,7 +5,9 @@
## Send generic signals to howl.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`howl_signal',`
diff --git a/refpolicy/policy/modules/services/i18n_input.if b/refpolicy/policy/modules/services/i18n_input.if
index a65ca50..9a9f0f7 100644
--- a/refpolicy/policy/modules/services/i18n_input.if
+++ b/refpolicy/policy/modules/services/i18n_input.if
@@ -5,7 +5,9 @@
## Use i18n_input over a TCP connection.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`i18n_use',`
diff --git a/refpolicy/policy/modules/services/inetd.if b/refpolicy/policy/modules/services/inetd.if
index cd20c23..9c0b1dd 100644
--- a/refpolicy/policy/modules/services/inetd.if
+++ b/refpolicy/policy/modules/services/inetd.if
@@ -14,10 +14,14 @@
##
##
##
+##
## The type associated with the inetd service process.
+##
##
##
+##
## The type associated with the process program.
+##
##
#
interface(`inetd_core_service_domain',`
@@ -79,10 +83,14 @@ interface(`inetd_core_service_domain',`
## Define the specified domain as a TCP inetd service.
##
##
+##
## The type associated with the inetd service process.
+##
##
##
+##
## The type associated with the process program.
+##
##
#
interface(`inetd_tcp_service_domain',`
@@ -101,10 +109,14 @@ interface(`inetd_tcp_service_domain',`
## Define the specified domain as a UDP inetd service.
##
##
+##
## The type associated with the inetd service process.
+##
##
##
+##
## The type associated with the process program.
+##
##
#
interface(`inetd_udp_service_domain',`
@@ -122,10 +134,14 @@ interface(`inetd_udp_service_domain',`
## Define the specified domain as a TCP and UDP inetd service.
##
##
+##
## The type associated with the inetd service process.
+##
##
##
+##
## The type associated with the process program.
+##
##
#
interface(`inetd_service_domain',`
@@ -144,7 +160,9 @@ interface(`inetd_service_domain',`
## Inherit and use file descriptors from inetd.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`inetd_use_fd',`
@@ -160,7 +178,9 @@ interface(`inetd_use_fd',`
## Connect to the inetd service using a TCP connection.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`inetd_tcp_connect',`
@@ -178,7 +198,9 @@ interface(`inetd_tcp_connect',`
## Run inetd child process in the inet child domain
##
##
+##
## Domain allowed access.
+##
##
#
interface(`inetd_domtrans_child',`
@@ -200,7 +222,9 @@ interface(`inetd_domtrans_child',`
## Send UDP network traffic to inetd.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`inetd_udp_sendto',`
@@ -217,7 +241,9 @@ interface(`inetd_udp_sendto',`
## Read and write inetd TCP sockets.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`inetd_rw_tcp_sockets',`
diff --git a/refpolicy/policy/modules/services/inn.if b/refpolicy/policy/modules/services/inn.if
index 2fbc7d7..56cf211 100644
--- a/refpolicy/policy/modules/services/inn.if
+++ b/refpolicy/policy/modules/services/inn.if
@@ -6,7 +6,9 @@
## in the caller domain.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`inn_exec',`
@@ -23,7 +25,9 @@ interface(`inn_exec',`
## inn configuration files in /etc.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`inn_exec_config',`
@@ -39,7 +43,9 @@ interface(`inn_exec_config',`
## Create, read, write, and delete the innd log.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`inn_manage_log',`
@@ -57,7 +63,9 @@ interface(`inn_manage_log',`
## Create, read, write, and delete the innd pid files.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`inn_manage_pid',`
@@ -76,7 +84,9 @@ interface(`inn_manage_pid',`
## Read innd configuration files.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`inn_read_config',`
@@ -94,7 +104,9 @@ interface(`inn_read_config',`
## Read innd news library files.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`inn_read_news_lib',`
@@ -112,7 +124,9 @@ interface(`inn_read_news_lib',`
## Read innd news library files.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`inn_read_news_spool',`
@@ -130,7 +144,9 @@ interface(`inn_read_news_spool',`
## Send to a innd unix dgram socket.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`inn_dgram_send',`
diff --git a/refpolicy/policy/modules/services/kerberos.if b/refpolicy/policy/modules/services/kerberos.if
index 153fd02..5d74414 100644
--- a/refpolicy/policy/modules/services/kerberos.if
+++ b/refpolicy/policy/modules/services/kerberos.if
@@ -26,7 +26,9 @@
## Use kerberos services
##
##
+##
## Domain allowed access.
+##
##
#
interface(`kerberos_use',`
@@ -63,7 +65,9 @@ interface(`kerberos_use',`
## Read the kerberos configuration file (/etc/krb5.conf).
##
##
+##
## Domain allowed access.
+##
##
#
interface(`kerberos_read_config',`
@@ -81,7 +85,9 @@ interface(`kerberos_read_config',`
## configuration file (/etc/krb5.conf).
##
##
+##
## Domain to not audit.
+##
##
#
interface(`kerberos_dontaudit_write_config',`
@@ -97,7 +103,9 @@ interface(`kerberos_dontaudit_write_config',`
## Read and write the kerberos configuration file (/etc/krb5.conf).
##
##
+##
## Domain allowed access.
+##
##
#
interface(`kerberos_rw_config',`
@@ -114,7 +122,9 @@ interface(`kerberos_rw_config',`
## Read the kerberos key table.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`kerberos_read_keytab',`
diff --git a/refpolicy/policy/modules/services/ldap.if b/refpolicy/policy/modules/services/ldap.if
index fba1456..45b3bd9 100644
--- a/refpolicy/policy/modules/services/ldap.if
+++ b/refpolicy/policy/modules/services/ldap.if
@@ -6,7 +6,9 @@
## database directories.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`ldap_list_db',`
@@ -22,7 +24,9 @@ interface(`ldap_list_db',`
## Read the OpenLDAP configuration files.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`ldap_read_config',`
@@ -39,7 +43,9 @@ interface(`ldap_read_config',`
## Use LDAP over TCP connection.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`ldap_use',`
diff --git a/refpolicy/policy/modules/services/lpd.if b/refpolicy/policy/modules/services/lpd.if
index 5a3ce19..7dbb55d 100644
--- a/refpolicy/policy/modules/services/lpd.if
+++ b/refpolicy/policy/modules/services/lpd.if
@@ -16,14 +16,20 @@
##
##
##
+##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
+##
##
##
+##
## The type of the user domain.
+##
##
##
+##
## The role associated with the user domain.
+##
##
#
template(`lpd_per_userdomain_template',`
@@ -217,8 +223,10 @@ template(`lpd_per_userdomain_template',`
##
##
##
+##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
+##
##
#
template(`lpr_admin_template',`
@@ -240,7 +248,9 @@ template(`lpr_admin_template',`
## Execute lpd in the lpd domain.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`lpd_domtrans_checkpc',`
@@ -262,13 +272,19 @@ interface(`lpd_domtrans_checkpc',`
## allow the specified role the lpd domain.
##
##
+##
## Domain allowed access.
+##
##
##
+##
## The role to be allowed the lpd domain.
+##
##
##
+##
## The type of the terminal allow the lpd domain to use.
+##
##
#
interface(`lpd_run_checkpc',`
@@ -286,7 +302,9 @@ interface(`lpd_run_checkpc',`
## List the contents of the printer spool directories.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`lpd_list_spool',`
@@ -303,7 +321,9 @@ interface(`lpd_list_spool',`
## Create, read, write, and delete printer spool files.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`lpd_manage_spool',`
@@ -323,7 +343,9 @@ interface(`lpd_manage_spool',`
## List the contents of the printer spool directories.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`lpd_read_config',`
diff --git a/refpolicy/policy/modules/services/mailman.if b/refpolicy/policy/modules/services/mailman.if
index 372e84b..38f683a 100644
--- a/refpolicy/policy/modules/services/mailman.if
+++ b/refpolicy/policy/modules/services/mailman.if
@@ -11,7 +11,9 @@
##
##
##
+##
## The type of daemon to be used eg, cgi would give mailman_cgi_
+##
##
#
template(`mailman_domain_template', `
@@ -100,7 +102,9 @@ template(`mailman_domain_template', `
## Execute mailman in the mailman domain.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`mailman_domtrans',`
@@ -122,7 +126,9 @@ interface(`mailman_domtrans',`
## mailman CGI domain.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`mailman_domtrans_cgi',`
@@ -143,7 +149,9 @@ interface(`mailman_domtrans_cgi',`
## Execute mailman in the caller domain.
##
##
+##
## Domain allowd access.
+##
##
#
interface(`mailman_exec',`
@@ -159,7 +167,9 @@ interface(`mailman_exec',`
## Send generic signals to the mailman cgi domain.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`mailman_signal_cgi',`
@@ -175,7 +185,9 @@ interface(`mailman_signal_cgi',`
## Allow domain to search data directories.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`mailman_search_data',`
@@ -191,7 +203,9 @@ interface(`mailman_search_data',`
## List the contents of mailman data directories.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`mailman_list_data',`
@@ -207,7 +221,9 @@ interface(`mailman_list_data',`
## Allow read acces to mailman data symbolic links.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`mailman_read_data_symlinks',`
@@ -225,7 +241,9 @@ interface(`mailman_read_data_symlinks',`
## mailman logs.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`mailman_manage_log',`
@@ -243,7 +261,9 @@ interface(`mailman_manage_log',`
## Allow domain to read mailman archive files.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`mailman_read_archive',`
diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if
index 1b0eeaa..67198fe 100644
--- a/refpolicy/policy/modules/services/mta.if
+++ b/refpolicy/policy/modules/services/mta.if
@@ -5,7 +5,9 @@
## MTA stub interface. No access allowed.
##
##
+##
## N/A
+##
##
#
interface(`mta_stub',`
@@ -30,8 +32,10 @@ interface(`mta_stub',`
##
##
##
+##
## The prefix of the domain (e.g., user
## is the prefix for user_t).
+##
##
#
template(`mta_base_mail_template',`
@@ -159,14 +163,20 @@ template(`mta_base_mail_template',`
##
##
##
+##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
+##
##
##
+##
## The type of the user domain.
+##
##
##
+##
## The role associated with the user domain.
+##
##
#
template(`mta_per_userdomain_template',`
@@ -249,11 +259,15 @@ template(`mta_per_userdomain_template',`
## mail domain.
##
##
+##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
+##
##
##
+##
## The type of the user domain.
+##
##
#
template(`mta_admin_template',`
@@ -329,10 +343,14 @@ interface(`mta_mailserver',`
##
##
##
+##
## The type to be used for the mail server.
+##
##
##
+##
## The type to be used for the domain entry point program.
+##
##
interface(`mta_sendmail_mailserver',`
gen_require(`
@@ -353,7 +371,9 @@ interface(`mta_sendmail_mailserver',`
## for sending mail.
##
##
+##
## Mail server domain type used for sending mail.
+##
##
#
interface(`mta_mailserver_sender',`
@@ -370,7 +390,9 @@ interface(`mta_mailserver_sender',`
## for delivering mail to local users.
##
##
+##
## Mail server domain type used for delivering mail.
+##
##
#
interface(`mta_mailserver_delivery',`
@@ -405,7 +427,9 @@ interface(`mta_mailserver_delivery',`
## users to the local mail spool.
##
##
+##
## Mail server domain type used for sending local mail.
+##
##
#
interface(`mta_mailserver_user_agent',`
@@ -462,7 +486,9 @@ interface(`mta_exec',`
## Read mail server configuration.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`mta_read_config',`
@@ -481,7 +507,9 @@ interface(`mta_read_config',`
## Read mail address aliases.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`mta_read_aliases',`
@@ -499,7 +527,9 @@ interface(`mta_read_aliases',`
## to the mail address aliases type.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`mta_filetrans_aliases',`
@@ -529,7 +559,9 @@ interface(`mta_rw_aliases',`
## sockets of mail delivery domains.
##
##
+##
## Mail server domain.
+##
##
#
interface(`mta_dontaudit_rw_delivery_tcp_sockets',`
@@ -545,7 +577,9 @@ interface(`mta_dontaudit_rw_delivery_tcp_sockets',`
## Connect to all mail servers over TCP.
##
##
+##
## Mail server domain.
+##
##
#
interface(`mta_tcp_connect_all_mailservers',`
@@ -564,7 +598,9 @@ interface(`mta_tcp_connect_all_mailservers',`
## in the mail spool.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`mta_dontaudit_read_spool_symlinks',`
@@ -607,14 +643,20 @@ interface(`mta_dontaudit_getattr_spool_files',`
## mail spool directory.
##
##
+##
## Domain allowed access.
+##
##
##
+##
## The type of the object to be created.
+##
##
##
+##
## The object class of the object being created. If
## no class is specified, file will be used.
+##
##
#
interface(`mta_filetrans_spool',`
@@ -652,7 +694,9 @@ interface(`mta_rw_spool',`
## Create, read, and write the mail spool.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`mta_append_spool',`
@@ -671,7 +715,9 @@ interface(`mta_append_spool',`
## Delete from the mail spool.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`mta_delete_spool',`
@@ -705,7 +751,9 @@ interface(`mta_manage_spool',`
## write the mail queue.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`mta_dontaudit_rw_queue',`
@@ -735,7 +783,9 @@ interface(`mta_manage_queue',`
## Read sendmail binary.
##
##
+##
## Domain allowed access.
+##
##
#
# cjp: added for postfix
@@ -753,7 +803,9 @@ interface(`mta_read_sendmail_bin',`
## of user mail domains.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`mta_rw_user_mail_stream_sockets',`
diff --git a/refpolicy/policy/modules/services/mysql.if b/refpolicy/policy/modules/services/mysql.if
index 43b0ed7..9fe9237 100644
--- a/refpolicy/policy/modules/services/mysql.if
+++ b/refpolicy/policy/modules/services/mysql.if
@@ -5,7 +5,9 @@
## Send a generic signal to MySQL.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`mysql_signal',`
@@ -21,7 +23,9 @@ interface(`mysql_signal',`
## Connect to MySQL using a unix domain stream socket.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`mysql_stream_connect',`
@@ -39,7 +43,9 @@ interface(`mysql_stream_connect',`
## Read MySQL configuration files.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`mysql_read_config',`
@@ -58,7 +64,9 @@ interface(`mysql_read_config',`
## database storage.
##
##
+##
## Domain allowed access.
+##
##
#
# cjp: "_dir" in the name is added to clarify that this
@@ -77,7 +85,9 @@ interface(`mysql_search_db',`
## Read and write to the MySQL database directory.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`mysql_rw_db_dirs',`
@@ -94,7 +104,9 @@ interface(`mysql_rw_db_dirs',`
## Create, read, write, and delete MySQL database directories.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`mysql_manage_db_dirs',`
@@ -112,7 +124,9 @@ interface(`mysql_manage_db_dirs',`
## named socket.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`mysql_rw_db_sockets',`
@@ -130,7 +144,9 @@ interface(`mysql_rw_db_sockets',`
## Write to the MySQL log.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`mysql_write_log',`
diff --git a/refpolicy/policy/modules/services/networkmanager.if b/refpolicy/policy/modules/services/networkmanager.if
index 0b9371b..5aa9107 100644
--- a/refpolicy/policy/modules/services/networkmanager.if
+++ b/refpolicy/policy/modules/services/networkmanager.if
@@ -5,7 +5,9 @@
## Read and write NetworkManager UDP sockets.
##
##
+##
## Domain allowed access.
+##
##
#
# cjp: added for named.
@@ -22,7 +24,9 @@ interface(`networkmanager_rw_udp_sockets',`
## Read and write NetworkManager packet sockets.
##
##
+##
## Domain allowed access.
+##
##
#
# cjp: added for named.
@@ -40,7 +44,9 @@ interface(`networkmanager_rw_packet_sockets',`
## routing sockets.
##
##
+##
## Domain allowed access.
+##
##
#
# cjp: added for named.
@@ -58,7 +64,9 @@ interface(`networkmanager_rw_routing_sockets',`
## NetworkManager over dbus.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`networkmanager_dbus_chat',`
diff --git a/refpolicy/policy/modules/services/nis.if b/refpolicy/policy/modules/services/nis.if
index 63b0e3c..162d5db 100644
--- a/refpolicy/policy/modules/services/nis.if
+++ b/refpolicy/policy/modules/services/nis.if
@@ -18,7 +18,9 @@
##
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`nis_use_ypbind_uncond',`
@@ -65,7 +67,9 @@ interface(`nis_use_ypbind_uncond',`
## Use the ypbind service to access NIS services.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`nis_use_ypbind',`
@@ -122,7 +126,9 @@ interface(`nis_use_ypbind',`
## Execute ypbind in the ypbind domain.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`nis_domtrans_ypbind',`
@@ -144,7 +150,9 @@ interface(`nis_domtrans_ypbind',`
## Send generic signals to ypbind.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`nis_signal_ypbind',`
@@ -160,7 +168,9 @@ interface(`nis_signal_ypbind',`
## List the contents of the NIS data directory.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`nis_list_var_yp',`
@@ -177,7 +187,9 @@ interface(`nis_list_var_yp',`
## Send UDP network traffic to NIS clients.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`nis_udp_send_ypbind',`
@@ -194,7 +206,9 @@ interface(`nis_udp_send_ypbind',`
## Connect to ypbind over TCP.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`nis_tcp_connect_ypbind',`
@@ -212,7 +226,9 @@ interface(`nis_tcp_connect_ypbind',`
## Read ypbind pid files.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`nis_read_ypbind_pid',`
@@ -229,7 +245,9 @@ interface(`nis_read_ypbind_pid',`
## Delete ypbind pid files.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`nis_delete_ypbind_pid',`
@@ -246,7 +264,9 @@ interface(`nis_delete_ypbind_pid',`
## Read ypserv configuration files.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`nis_read_ypserv_config',`
diff --git a/refpolicy/policy/modules/services/nscd.if b/refpolicy/policy/modules/services/nscd.if
index e35536c..df190b2 100644
--- a/refpolicy/policy/modules/services/nscd.if
+++ b/refpolicy/policy/modules/services/nscd.if
@@ -5,7 +5,9 @@
## Execute NSCD in the nscd domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`nscd_domtrans',`
@@ -28,7 +30,9 @@ interface(`nscd_domtrans',`
## a unix stream socket.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`nscd_socket_use',`
@@ -56,7 +60,9 @@ interface(`nscd_socket_use',`
## an inherited NSCD file descriptor.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`nscd_shm_use',`
@@ -87,7 +93,9 @@ interface(`nscd_shm_use',`
## Read NSCD pid file.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`nscd_read_pid',`
@@ -105,7 +113,9 @@ interface(`nscd_read_pid',`
## Unconfined access to NSCD services.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`nscd_unconfined',`
diff --git a/refpolicy/policy/modules/services/ntp.if b/refpolicy/policy/modules/services/ntp.if
index d47c47e..bbae8f8 100644
--- a/refpolicy/policy/modules/services/ntp.if
+++ b/refpolicy/policy/modules/services/ntp.if
@@ -5,7 +5,9 @@
## NTP stub interface. No access allowed.
##
##
+##
## N/A
+##
##
#
interface(`ntp_stub',`
@@ -19,7 +21,9 @@ interface(`ntp_stub',`
## Execute ntp server in the ntpd domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`ntp_domtrans',`
@@ -41,7 +45,9 @@ interface(`ntp_domtrans',`
## Execute ntp server in the ntpd domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`ntp_domtrans_ntpdate',`
diff --git a/refpolicy/policy/modules/services/portmap.if b/refpolicy/policy/modules/services/portmap.if
index 55d72b7..430138c 100644
--- a/refpolicy/policy/modules/services/portmap.if
+++ b/refpolicy/policy/modules/services/portmap.if
@@ -5,7 +5,9 @@
## Execute portmap_helper in the helper domain.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`portmap_domtrans_helper',`
@@ -29,13 +31,19 @@ interface(`portmap_domtrans_helper',`
## Communicate with portmap.
##
##
+##
## Domain allowed access.
+##
##
##
+##
## The role to be allowed the portmap domain.
+##
##
##
+##
## The type of the terminal allow the portmap domain to use.
+##
##
#
interface(`portmap_run_helper',`
@@ -61,7 +69,9 @@ interface(`portmap_run_helper',`
## Send UDP network traffic to portmap.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`portmap_udp_send',`
@@ -78,7 +88,9 @@ interface(`portmap_udp_send',`
## Send and receive UDP network traffic from portmap.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`portmap_udp_chat',`
@@ -97,7 +109,9 @@ interface(`portmap_udp_chat',`
## Connect to portmap over a TCP socket
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`portmap_tcp_connect',`
diff --git a/refpolicy/policy/modules/services/postfix.if b/refpolicy/policy/modules/services/postfix.if
index 807b5ab..dab0922 100644
--- a/refpolicy/policy/modules/services/postfix.if
+++ b/refpolicy/policy/modules/services/postfix.if
@@ -5,7 +5,9 @@
## Postfix stub interface. No access allowed.
##
##
+##
## N/A
+##
##
#
interface(`postfix_stub',`
@@ -177,7 +179,9 @@ template(`postfix_public_domain_template',`
## Read postfix configuration files.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`postfix_read_config',`
@@ -197,14 +201,20 @@ interface(`postfix_read_config',`
## the postfix configuration directories.
##
##
+##
## Domain allowed access.
+##
##
##
+##
## The type of the object to be created.
+##
##
##
+##
## The object class of the object being created. If
## no class is specified, file will be used.
+##
##
#
interface(`postfix_filetrans_config',`
@@ -229,7 +239,9 @@ interface(`postfix_filetrans_config',`
## TCP sockets.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`postfix_dontaudit_rw_local_tcp_sockets',`
@@ -247,7 +259,9 @@ interface(`postfix_dontaudit_rw_local_tcp_sockets',`
## file descriptors.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`postfix_dontaudit_use_fd',`
@@ -263,7 +277,9 @@ interface(`postfix_dontaudit_use_fd',`
## Execute postfix_map in the postfix_map domain.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`postfix_domtrans_map',`
@@ -285,13 +301,19 @@ interface(`postfix_domtrans_map',`
## allow the specified role the postfix_map domain.
##
##
+##
## Domain allowed access.
+##
##
##
+##
## The role to be allowed the postfix_map domain.
+##
##
##
+##
## The type of the terminal allow the postfix_map domain to use.
+##
##
#
interface(`postfix_run_map',`
@@ -310,7 +332,9 @@ interface(`postfix_run_map',`
## postfix_master domain.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`postfix_domtrans_master',`
@@ -332,7 +356,9 @@ interface(`postfix_domtrans_master',`
## caller domain.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`postfix_exec_master',`
@@ -348,7 +374,9 @@ interface(`postfix_exec_master',`
## Search postfix mail spool directories.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`postfix_search_spool',`
@@ -365,7 +393,9 @@ interface(`postfix_search_spool',`
## List postfix mail spool directories.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`postfix_list_spool',`
@@ -383,7 +413,9 @@ interface(`postfix_list_spool',`
## in their respective domains.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`postfix_domtrans_user_mail_handler',`
diff --git a/refpolicy/policy/modules/services/postgresql.if b/refpolicy/policy/modules/services/postgresql.if
index bcba99c..e030d16 100644
--- a/refpolicy/policy/modules/services/postgresql.if
+++ b/refpolicy/policy/modules/services/postgresql.if
@@ -5,7 +5,9 @@
## Allow the specified domain to search postgresql's database directory.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`postgresql_search_db',`
@@ -21,7 +23,9 @@ interface(`postgresql_search_db',`
## Allow the specified domain to manage postgresql's database.
##
##
+##
## Domain allowed access.
+##
##
interface(`postgresql_manage_db',`
gen_require(`
@@ -38,7 +42,9 @@ interface(`postgresql_manage_db',`
## Execute postgresql in the postgresql domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`postgresql_domtrans',`
@@ -59,7 +65,9 @@ interface(`postgresql_domtrans',`
## Allow the specified domain to read postgresql's etc.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`postgresql_read_config',`
@@ -78,7 +86,9 @@ interface(`postgresql_read_config',`
## Allow the specified domain to connect to postgresql with a tcp socket.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`postgresql_tcp_connect',`
@@ -96,7 +106,9 @@ interface(`postgresql_tcp_connect',`
## Allow the specified domain to connect to postgresql with a unix socket.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`postgresql_stream_connect',`
diff --git a/refpolicy/policy/modules/services/ppp.if b/refpolicy/policy/modules/services/ppp.if
index b73fe4e..76a4fe4 100644
--- a/refpolicy/policy/modules/services/ppp.if
+++ b/refpolicy/policy/modules/services/ppp.if
@@ -5,7 +5,9 @@
## Use PPP file discriptors.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`ppp_use_fd',`
@@ -22,7 +24,9 @@ interface(`ppp_use_fd',`
## and use PPP file discriptors.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`ppp_dontaudit_use_fd',`
@@ -38,7 +42,9 @@ interface(`ppp_dontaudit_use_fd',`
## Send a SIGCHLD signal to PPP.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`ppp_sigchld',`
@@ -55,7 +61,9 @@ interface(`ppp_sigchld',`
## Send a generic signal to PPP.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`ppp_signal',`
@@ -71,7 +79,9 @@ interface(`ppp_signal',`
## Execute domain in the ppp domain.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`ppp_domtrans',`
@@ -93,7 +103,9 @@ interface(`ppp_domtrans',`
## Conditionally execute ppp daemon on behalf of a user or staff type.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`ppp_run_cond',`
@@ -114,7 +126,9 @@ interface(`ppp_run_cond',`
## Unconditionally execute ppp daemon on behalf of a user or staff type.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`ppp_run',`
diff --git a/refpolicy/policy/modules/services/procmail.if b/refpolicy/policy/modules/services/procmail.if
index 7ef5d71..078fca3 100644
--- a/refpolicy/policy/modules/services/procmail.if
+++ b/refpolicy/policy/modules/services/procmail.if
@@ -5,7 +5,9 @@
## Execute procmail with a domain transition.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`procmail_domtrans',`
@@ -28,7 +30,9 @@ interface(`procmail_domtrans',`
## Execute procmail in the caller domain.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`procmail_exec',`
diff --git a/refpolicy/policy/modules/services/radius.if b/refpolicy/policy/modules/services/radius.if
index 33cd1ed..59963cb 100644
--- a/refpolicy/policy/modules/services/radius.if
+++ b/refpolicy/policy/modules/services/radius.if
@@ -5,7 +5,9 @@
## Use radius over a UDP connection.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`radius_use',`
diff --git a/refpolicy/policy/modules/services/remotelogin.if b/refpolicy/policy/modules/services/remotelogin.if
index 55a519f..3b86750 100644
--- a/refpolicy/policy/modules/services/remotelogin.if
+++ b/refpolicy/policy/modules/services/remotelogin.if
@@ -5,7 +5,9 @@
## Domain transition to the remote login domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`remotelogin_domtrans',`
diff --git a/refpolicy/policy/modules/services/rlogin.if b/refpolicy/policy/modules/services/rlogin.if
index 42f4f84..9326e5a 100644
--- a/refpolicy/policy/modules/services/rlogin.if
+++ b/refpolicy/policy/modules/services/rlogin.if
@@ -5,7 +5,9 @@
## Execute rlogind in the rlogin domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`rlogin_domtrans',`
diff --git a/refpolicy/policy/modules/services/rpc.if b/refpolicy/policy/modules/services/rpc.if
index 3e17634..5aa7fb8 100644
--- a/refpolicy/policy/modules/services/rpc.if
+++ b/refpolicy/policy/modules/services/rpc.if
@@ -11,7 +11,9 @@
##
##
##
+##
## The type of daemon to be used.
+##
##
#
template(`rpc_domain_template', `
@@ -121,7 +123,9 @@ template(`rpc_domain_template', `
## Send UDP network traffic to rpc and recieve UDP traffic from rpc.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`rpc_udp_send',`
@@ -139,7 +143,9 @@ interface(`rpc_udp_send',`
## of the NFS export file.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`rpc_dontaudit_getattr_exports',`
@@ -155,7 +161,9 @@ interface(`rpc_dontaudit_getattr_exports',`
## Allow read access to exports.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`rpc_read_exports',`
@@ -171,7 +179,9 @@ interface(`rpc_read_exports',`
## Allow write access to exports.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`rpc_write_exports',`
@@ -187,7 +197,9 @@ interface(`rpc_write_exports',`
## Execute domain in nfsd domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`rpc_domtrans_nfsd',`
@@ -208,7 +220,9 @@ interface(`rpc_domtrans_nfsd',`
## Allow domain to create read and write NFS directories.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`rpc_manage_nfs_rw_content',`
@@ -226,7 +240,9 @@ interface(`rpc_manage_nfs_rw_content',`
## Allow domain to create read and write NFS directories.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`rpc_manage_nfs_ro_content',`
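Review bot: The summary above rpc_manage_nfs_ro_content is identical to the one on rpc_manage_nfs_rw_content in the previous hunk ("Allow domain to create read and write NFS directories."). A policy author reading the generated documentation cannot tell which exported content type each interface covers. Assuming this one manages the read-only content type, as the name suggests, the line could read `## Allow domain to create, read and write read-only NFS content.` The interface body is outside the hunk, so check the wording against the rules it actually contains.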
@@ -244,7 +260,9 @@ interface(`rpc_manage_nfs_ro_content',`
## Allow domain to read and write to an NFS UDP socket.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`rpc_udp_rw_nfs_sockets',`
@@ -261,7 +279,9 @@ interface(`rpc_udp_rw_nfs_sockets',`
## Send UDP traffic to NFSd.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`rpc_udp_send_nfs',`
@@ -278,7 +298,9 @@ interface(`rpc_udp_send_nfs',`
## Search NFS state data in /var/lib/nfs.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`rpc_search_nfs_state_data',`
diff --git a/refpolicy/policy/modules/services/rshd.if b/refpolicy/policy/modules/services/rshd.if
index daee569..eefcd30 100644
--- a/refpolicy/policy/modules/services/rshd.if
+++ b/refpolicy/policy/modules/services/rshd.if
@@ -5,7 +5,9 @@
## Domain transition to rshd.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`rshd_domtrans',`
diff --git a/refpolicy/policy/modules/services/samba.if b/refpolicy/policy/modules/services/samba.if
index eaf7e9b..e170713 100644
--- a/refpolicy/policy/modules/services/samba.if
+++ b/refpolicy/policy/modules/services/samba.if
@@ -21,8 +21,10 @@
##
##
##
+##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
+##
##
#
template(`samba_per_userdomain_template',`
@@ -44,7 +46,9 @@ template(`samba_per_userdomain_template',`
## Execute samba net in the samba_net domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`samba_domtrans_net',`
@@ -67,13 +71,19 @@ interface(`samba_domtrans_net',`
## allow the specified role the samba_net domain.
##
##
+##
## The type of the process performing this action.
+##
##
##
+##
## The role to be allowed the samba_net domain.
+##
##
##
+##
## The type of the terminal allow the samba_net domain to use.
+##
##
#
interface(`samba_run_net',`
@@ -91,7 +101,9 @@ interface(`samba_run_net',`
## Execute smbmount in the smbmount domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`samba_domtrans_smbmount',`
@@ -114,7 +126,9 @@ interface(`samba_domtrans_smbmount',`
## samba configuration files.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`samba_read_config',`
@@ -132,7 +146,9 @@ interface(`samba_read_config',`
## and write samba configuration files.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`samba_rw_config',`
@@ -149,7 +165,9 @@ interface(`samba_rw_config',`
## Allow the specified domain to read samba's log files.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`samba_read_log',`
@@ -167,7 +185,9 @@ interface(`samba_read_log',`
## Execute samba log in the caller domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`samba_exec_log',`
@@ -184,7 +204,9 @@ interface(`samba_exec_log',`
## Allow the specified domain to read samba's secrets.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`samba_read_secrets',`
@@ -202,7 +224,9 @@ interface(`samba_read_secrets',`
## samba /var directories.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`samba_search_var',`
@@ -220,7 +244,9 @@ interface(`samba_search_var',`
## read and write samba /var files.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`samba_rw_var_files',`
@@ -238,7 +264,9 @@ interface(`samba_rw_var_files',`
## Allow the specified domain to write to smbmount tcp sockets.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`samba_write_smbmount_tcp_sockets',`
@@ -254,7 +282,9 @@ interface(`samba_write_smbmount_tcp_sockets',`
## Allow the specified domain to read and write to smbmount tcp sockets.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`samba_rw_smbmount_tcp_sockets',`
@@ -270,7 +300,9 @@ interface(`samba_rw_smbmount_tcp_sockets',`
## Execute winbind_helper in the winbind_helper domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`samba_domtrans_winbind_helper',`
@@ -292,13 +324,19 @@ interface(`samba_domtrans_winbind_helper',`
## allow the specified role the winbind_helper domain.
##
##
+##
## The type of the process performing this action.
+##
##
##
+##
## The role to be allowed the winbind_helper domain.
+##
##
##
+##
## The type of the terminal allow the winbind_helper domain to use.
+##
##
#
interface(`samba_run_winbind_helper',`
@@ -316,7 +354,9 @@ interface(`samba_run_winbind_helper',`
## Allow the specified domain to read the winbind pid files.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`samba_read_winbind_pid',`
@@ -333,7 +373,9 @@ interface(`samba_read_winbind_pid',`
## Connect to winbind.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`samba_stream_connect_winbind',`
diff --git a/refpolicy/policy/modules/services/sasl.if b/refpolicy/policy/modules/services/sasl.if
index d085472..60a8cfe 100644
--- a/refpolicy/policy/modules/services/sasl.if
+++ b/refpolicy/policy/modules/services/sasl.if
@@ -5,7 +5,9 @@
## Connect to SASL.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`sasl_connect',`
diff --git a/refpolicy/policy/modules/services/sendmail.if b/refpolicy/policy/modules/services/sendmail.if
index bee09bd..28872b0 100644
--- a/refpolicy/policy/modules/services/sendmail.if
+++ b/refpolicy/policy/modules/services/sendmail.if
@@ -5,7 +5,9 @@
## Sendmail stub interface. No access allowed.
##
##
+##
## N/A
+##
##
#
interface(`sendmail_stub',`
@@ -19,7 +21,9 @@ interface(`sendmail_stub',`
## Domain transition to sendmail.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`sendmail_domtrans',`
@@ -42,7 +46,9 @@ interface(`sendmail_domtrans',`
## Read and write sendmail TCP sockets.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`sendmail_rw_tcp_sockets',`
@@ -57,7 +63,9 @@ interface(`sendmail_rw_tcp_sockets',`
## Read and write sendmail unix_stream_sockets.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`sendmail_rw_unix_stream_sockets',`
@@ -73,7 +81,9 @@ interface(`sendmail_rw_unix_stream_sockets',`
## Create, read, write, and delete sendmail logs.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`sendmail_manage_log',`
@@ -90,7 +100,9 @@ interface(`sendmail_manage_log',`
## Create sendmail logs with the correct type.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`sendmail_create_log',`
diff --git a/refpolicy/policy/modules/services/slrnpull.if b/refpolicy/policy/modules/services/slrnpull.if
index 4e1d944..bfac15a 100644
--- a/refpolicy/policy/modules/services/slrnpull.if
+++ b/refpolicy/policy/modules/services/slrnpull.if
@@ -5,7 +5,9 @@
## Allow the domain to search slrnpull spools.
##
##
+##
## domain allowed access
+##
##
#
interface(`slrnpull_search_spool',`
@@ -23,7 +25,9 @@ interface(`slrnpull_search_spool',`
## write, and delete slrnpull spools.
##
##
+##
## domain allowed access
+##
##
#
interface(`slrnpull_manage_spool',`
diff --git a/refpolicy/policy/modules/services/smartmon.if b/refpolicy/policy/modules/services/smartmon.if
index 5b83f56..c976663 100644
--- a/refpolicy/policy/modules/services/smartmon.if
+++ b/refpolicy/policy/modules/services/smartmon.if
@@ -5,7 +5,9 @@
## Allow caller to read smartmon temporary files.
##
##
+##
## The process type reading the temporary files.
+##
##
#
interface(`smartmon_read_tmp_files',`
diff --git a/refpolicy/policy/modules/services/snmp.if b/refpolicy/policy/modules/services/snmp.if
index 1c1cf99..f9ebe44 100644
--- a/refpolicy/policy/modules/services/snmp.if
+++ b/refpolicy/policy/modules/services/snmp.if
@@ -5,7 +5,9 @@
## Use snmp over a TCP connection.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`snmp_tcp_connect',`
@@ -23,7 +25,9 @@ interface(`snmp_tcp_connect',`
## Send and receive UDP traffic to SNMP
##
##
+##
## Domain allowed access.
+##
##
#
interface(`snmp_udp_chat',`
@@ -40,7 +44,9 @@ interface(`snmp_udp_chat',`
## Read snmpd libraries.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`snmp_read_snmp_var_lib_files',`
diff --git a/refpolicy/policy/modules/services/spamassassin.if b/refpolicy/policy/modules/services/spamassassin.if
index db5a792..00564f5 100644
--- a/refpolicy/policy/modules/services/spamassassin.if
+++ b/refpolicy/policy/modules/services/spamassassin.if
@@ -15,14 +15,20 @@
##
##
##
+##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
+##
##
##
+##
## The type of the user domain.
+##
##
##
+##
## The role associated with the user domain.
+##
##
#
# cjp: when tunables are available, spamc stuff should be
@@ -329,7 +335,9 @@ template(`spamassassin_per_userdomain_template',`
## program in the caller directory.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`spamassassin_exec',`
@@ -347,7 +355,9 @@ interface(`spamassassin_exec',`
## program in the caller directory.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`spamassassin_exec_client',`
diff --git a/refpolicy/policy/modules/services/squid.if b/refpolicy/policy/modules/services/squid.if
index 10497bf..10e77d7 100644
--- a/refpolicy/policy/modules/services/squid.if
+++ b/refpolicy/policy/modules/services/squid.if
@@ -5,7 +5,9 @@
## Execute squid in the squid domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`squid_domtrans',`
@@ -27,7 +29,9 @@ interface(`squid_domtrans',`
## Read squid configuration file.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`squid_read_config',`
@@ -44,7 +48,9 @@ interface(`squid_read_config',`
## Append squid logs.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`squid_read_log',`
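Review bot: The summary above squid_read_log says "Append squid logs.", the same text as squid_append_log in the next hunk, so the documentation describes a read interface as an append interface. Read and append are different grants on log files, and someone choosing an interface from the generated documentation could pick the wrong one. Suggested summary line: `## Read squid logs.` The interface body is outside the hunk, so confirm that it grants read rather than append before changing the text.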
@@ -62,7 +68,9 @@ interface(`squid_read_log',`
## Append squid logs.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`squid_append_log',`
@@ -81,7 +89,9 @@ interface(`squid_append_log',`
## squid logs.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`squid_manage_logs',`
@@ -99,7 +109,9 @@ interface(`squid_manage_logs',`
## Use squid services by connecting over TCP.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`squid_use',`
diff --git a/refpolicy/policy/modules/services/ssh.if b/refpolicy/policy/modules/services/ssh.if
index f7861ca..d4bfca2 100644
--- a/refpolicy/policy/modules/services/ssh.if
+++ b/refpolicy/policy/modules/services/ssh.if
@@ -17,14 +17,20 @@
##
##
##
+##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
+##
##
##
+##
## The type of the user domain.
+##
##
##
+##
## The role associated with the user domain.
+##
##
#
template(`ssh_per_userdomain_template',`
@@ -400,8 +406,10 @@ template(`ssh_per_userdomain_template',`
##
##
##
+##
## The prefix of the server domain (e.g., sshd
## is the prefix for sshd_t).
+##
##
#
template(`ssh_server_template', `
@@ -550,7 +558,9 @@ template(`ssh_server_template', `
## Send a SIGCHLD signal to the ssh server.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`ssh_sigchld',`
@@ -566,7 +576,9 @@ interface(`ssh_sigchld',`
## Read a ssh server unnamed pipe.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`ssh_read_pipes',`
@@ -583,7 +595,9 @@ interface(`ssh_read_pipes',`
## ssh server TCP sockets.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`ssh_dontaudit_rw_tcp_sockets',`
@@ -599,7 +613,9 @@ interface(`ssh_dontaudit_rw_tcp_sockets',`
## Read ssh server keys
##
##
+##
## Domain allowed access.
+##
##
#
interface(`ssh_dontaudit_read_server_keys',`
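Review bot: The documentation kept above ssh_dontaudit_read_server_keys describes an allow interface ("Read ssh server keys", "Domain allowed access."), while the name is a dontaudit interface. Its neighbour ssh_dontaudit_rw_tcp_sockets, in the previous hunk, uses "Domain to not audit." A reader could take this to grant access to the server's key files, when by its name it only suppresses audit records for denied reads. Suggested lines: `## Do not audit attempts to read ssh server keys.` and `## Domain to not audit.` The interface body is outside the hunk, so confirm it contains only dontaudit rules.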
diff --git a/refpolicy/policy/modules/services/sysstat.if b/refpolicy/policy/modules/services/sysstat.if
index 6428dad..d646197 100644
--- a/refpolicy/policy/modules/services/sysstat.if
+++ b/refpolicy/policy/modules/services/sysstat.if
@@ -5,7 +5,9 @@
## Manage sysstat logs.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`sysstat_manage_log',`
diff --git a/refpolicy/policy/modules/services/tcpd.if b/refpolicy/policy/modules/services/tcpd.if
index d43e529..16e8fb1 100644
--- a/refpolicy/policy/modules/services/tcpd.if
+++ b/refpolicy/policy/modules/services/tcpd.if
@@ -5,7 +5,9 @@
## Execute tcpd in the tcpd domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`tcpd_domtrans',`
diff --git a/refpolicy/policy/modules/services/ucspitcp.if b/refpolicy/policy/modules/services/ucspitcp.if
index 0d1990d..03f11c5 100644
--- a/refpolicy/policy/modules/services/ucspitcp.if
+++ b/refpolicy/policy/modules/services/ucspitcp.if
@@ -10,10 +10,14 @@
## Define a specified domain as a ucspitcp service.
##
##
+##
## Domain allowed access.
+##
##
##
+##
## The type associated with the process program.
+##
##
#
interface(`ucspitcp_service_domain', `
diff --git a/refpolicy/policy/modules/services/xfs.if b/refpolicy/policy/modules/services/xfs.if
index bb2fa26..92ec773 100644
--- a/refpolicy/policy/modules/services/xfs.if
+++ b/refpolicy/policy/modules/services/xfs.if
@@ -5,7 +5,9 @@
## Read a X font server named socket.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`xfs_read_sockets',`
@@ -24,7 +26,9 @@ interface(`xfs_read_sockets',`
## a unix domain stream socket.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`xfs_stream_connect',`
diff --git a/refpolicy/policy/modules/services/xserver.if b/refpolicy/policy/modules/services/xserver.if
index e803cdb..a2cf69c 100644
--- a/refpolicy/policy/modules/services/xserver.if
+++ b/refpolicy/policy/modules/services/xserver.if
@@ -183,14 +183,20 @@ template(`xserver_common_domain_template',`
##
##
##
+##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
+##
##
##
+##
## The type of the user domain.
+##
##
##
+##
## The role associated with the user domain.
+##
##
#
template(`xserver_per_userdomain_template',`
@@ -412,11 +418,15 @@ template(`xserver_per_userdomain_template',`
##
##
##
+##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
+##
##
##
+##
## Domain allowed access.
+##
##
#
template(`xserver_domtrans_user_xauth',`
@@ -437,7 +447,9 @@ template(`xserver_domtrans_user_xauth',`
## stream socket.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`xserver_stream_connect_xdm',`
@@ -453,7 +465,9 @@ interface(`xserver_stream_connect_xdm',`
## Read xdm-writable configuration files.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`xserver_read_xdm_rw_config',`
@@ -470,7 +484,9 @@ interface(`xserver_read_xdm_rw_config',`
## Set the attributes of XDM temporary directories.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`xserver_setattr_xdm_tmp_dirs',`
@@ -487,7 +503,9 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
## temporary directory.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`xserver_create_xdm_tmp_sockets',`
@@ -505,7 +523,9 @@ interface(`xserver_create_xdm_tmp_sockets',`
## Read XDM pid files.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`xserver_read_xdm_pid',`
@@ -522,7 +542,9 @@ interface(`xserver_read_xdm_pid',`
## Execute the X server in the XDM X server domain.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`xserver_domtrans_xdm_xserver',`
@@ -543,7 +565,9 @@ interface(`xserver_domtrans_xdm_xserver',`
## Make an X session script an entrypoint for the specified domain.
##
##
+##
## The domain for which the shell is an entrypoint.
+##
##
#
interface(`xserver_xsession_entry_type',`
@@ -573,10 +597,14 @@ interface(`xserver_xsession_entry_type',`
##
##
##
+##
## Domain allowed access.
+##
##
##
+##
## The type of the shell process.
+##
##
#
interface(`xserver_xsession_spec_domtrans',`
@@ -593,7 +621,9 @@ interface(`xserver_xsession_spec_domtrans',`
## log files.
##
##
+##
## Domain to not audit
+##
##
#
interface(`xserver_dontaudit_write_log',`
@@ -610,7 +640,9 @@ interface(`xserver_dontaudit_write_log',`
## log files.
##
##
+##
## Domain to not audit
+##
##
#
interface(`xserver_delete_log',`
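Review bot: The parameter description wrapped here for xserver_delete_log is "Domain to not audit", apparently copied from xserver_dontaudit_write_log in the previous hunk. By its name this interface grants deletion of log files, and the description should say who receives that access: `## Domain allowed access.` The summary text begins above the hunk and the body lies below it, so check both for the same copy-paste before merging.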
diff --git a/refpolicy/policy/modules/services/zebra.if b/refpolicy/policy/modules/services/zebra.if
index cc57721..4c6bcc9 100644
--- a/refpolicy/policy/modules/services/zebra.if
+++ b/refpolicy/policy/modules/services/zebra.if
@@ -5,7 +5,9 @@
## Read the configuration files for zebra.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`zebra_read_config',`
diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if
index a940335..02b692c 100644
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@@ -11,8 +11,10 @@
##
##
##
+##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
+##
##
#
template(`authlogin_common_auth_domain_template',`
@@ -91,14 +93,20 @@ template(`authlogin_common_auth_domain_template',`
##
##
##
+##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
+##
##
##
+##
## The type of the user domain.
+##
##
##
+##
## The role associated with the user domain.
+##
##
#
template(`authlogin_per_userdomain_template',`
@@ -147,11 +155,15 @@ template(`authlogin_per_userdomain_template',`
##
##
##
+##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
+##
##
##
+##
## The type of the process performing this action.
+##
##
#
template(`auth_domtrans_user_chk_passwd',`
@@ -185,7 +197,9 @@ template(`auth_domtrans_user_chk_passwd',`
## Use the login program as an entry point program.
##
##
+##
## The type of process using the login program as entry point.
+##
##
#
interface(`auth_login_entry_type',`
@@ -201,10 +215,14 @@ interface(`auth_login_entry_type',`
## Execute a login_program in the target domain.
##
##
+##
## The type of the process performing this action.
+##
##
##
+##
## The type of the login_program process.
+##
##
#
interface(`auth_domtrans_login_program',`
@@ -226,7 +244,9 @@ interface(`auth_domtrans_login_program',`
## Run unix_chkpwd to check a password.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`auth_domtrans_chk_passwd',`
@@ -273,7 +293,9 @@ interface(`auth_domtrans_chk_passwd',`
## Get the attributes of the shadow passwords file.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`auth_getattr_shadow',`
@@ -291,7 +313,9 @@ interface(`auth_getattr_shadow',`
## of the shadow passwords file.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`auth_dontaudit_getattr_shadow',`
@@ -307,7 +331,9 @@ interface(`auth_dontaudit_getattr_shadow',`
## Read the shadow passwords file (/etc/shadow)
##
##
+##
## The type of the process performing this action.
+##
##
#
# cjp: these next three interfaces are split
@@ -342,7 +368,9 @@ interface(`auth_tunable_read_shadow',`
## password file (/etc/shadow).
##
##
+##
## The type of the domain to not audit.
+##
##
#
interface(`auth_dontaudit_read_shadow',`
@@ -358,7 +386,9 @@ interface(`auth_dontaudit_read_shadow',`
## Read and write the shadow password file (/etc/shadow).
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`auth_rw_shadow',`
@@ -394,7 +424,9 @@ interface(`auth_manage_shadow',`
## password file type.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`auth_relabelto_shadow',`
@@ -414,7 +446,9 @@ interface(`auth_relabelto_shadow',`
## password file type.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`auth_relabel_shadow',`
@@ -433,7 +467,9 @@ interface(`auth_relabel_shadow',`
## Append to the login failure log.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`auth_append_faillog',`
@@ -463,7 +499,9 @@ interface(`auth_rw_faillog',`
## Read the last logins log.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`auth_read_lastlog',`
@@ -480,7 +518,9 @@ interface(`auth_read_lastlog',`
## Append only to the last logins log.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`auth_append_lastlog',`
@@ -497,7 +537,9 @@ interface(`auth_append_lastlog',`
## Read and write to the last logins log.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`auth_rw_lastlog',`
@@ -514,7 +556,9 @@ interface(`auth_rw_lastlog',`
## Execute pam programs in the pam domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`auth_domtrans_pam',`
@@ -535,13 +579,19 @@ interface(`auth_domtrans_pam',`
## Execute pam programs in the PAM domain.
##
##
+##
## The type of the process performing this action.
+##
##
##
+##
## The role to allow the PAM domain.
+##
##
##
+##
## The type of the terminal allow the PAM domain to use.
+##
##
#
interface(`auth_run_pam',`
@@ -559,7 +609,9 @@ interface(`auth_run_pam',`
## Execute the pam program.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`auth_exec_pam',`
@@ -576,7 +628,9 @@ interface(`auth_exec_pam',`
## and pam applets etc.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`auth_manage_var_auth',`
@@ -610,7 +664,9 @@ interface(`auth_read_pam_pid',`
## Do not audit attemps to read PAM pid files.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`auth_dontaudit_read_pam_pid',`
@@ -626,7 +682,9 @@ interface(`auth_dontaudit_read_pam_pid',`
## Delete pam PID files.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`auth_delete_pam_pid',`
@@ -645,7 +703,9 @@ interface(`auth_delete_pam_pid',`
## Manage pam PID files.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`auth_manage_pam_pid',`
@@ -681,7 +741,9 @@ interface(`auth_domtrans_pam_console',`
## pam_console data directory.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`auth_search_pam_console_data',`
@@ -744,7 +806,9 @@ interface(`auth_manage_pam_console_data',`
## Delete pam_console data.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`auth_delete_pam_console_data',`
@@ -764,11 +828,15 @@ interface(`auth_delete_pam_console_data',`
## the shadow passwords and listed exceptions.
##
##
+##
## The type of the domain perfoming this action.
+##
##
##
+##
## The types to be excluded. Each type or attribute
## must be negated by the caller.
+##
##
#
interface(`auth_read_all_dirs_except_shadow',`
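Review bot: The first parameter description being wrapped here reads "The type of the domain perfoming this action.", and the typo ends up in the generated documentation. The four hunks that follow repeat it; their headers or closing lines name auth_read_all_files_except_shadow, auth_read_all_symlinks_except_shadow, auth_relabel_all_files_except_shadow and auth_manage_all_files_except_shadow. Since the commit already touches each of these blocks, correct the line in all five: `## The type of the domain performing this action.`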
@@ -785,11 +853,15 @@ interface(`auth_read_all_dirs_except_shadow',`
## the shadow passwords and listed exceptions.
##
##
+##
## The type of the domain perfoming this action.
+##
##
##
+##
## The types to be excluded. Each type or attribute
## must be negated by the caller.
+##
##
#
interface(`auth_read_all_files_except_shadow',`
@@ -806,11 +878,15 @@ interface(`auth_read_all_files_except_shadow',`
## the shadow passwords and listed exceptions.
##
##
+##
## The type of the domain perfoming this action.
+##
##
##
+##
## The types to be excluded. Each type or attribute
## must be negated by the caller.
+##
##
#
interface(`auth_read_all_symlinks_except_shadow',`
@@ -827,11 +903,15 @@ interface(`auth_read_all_symlinks_except_shadow',`
## the shadow passwords and listed exceptions.
##
##
+##
## The type of the domain perfoming this action.
+##
##
##
+##
## The types to be excluded. Each type or attribute
## must be negated by the caller.
+##
##
#
@@ -849,11 +929,15 @@ interface(`auth_relabel_all_files_except_shadow',`
## the shadow passwords and listed exceptions.
##
##
+##
## The type of the domain perfoming this action.
+##
##
##
+##
## The types to be excluded. Each type or attribute
## must be negated by the caller.
+##
##
#
@@ -870,7 +954,9 @@ interface(`auth_manage_all_files_except_shadow',`
## Execute utempter programs in the utempter domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`auth_domtrans_utempter',`
@@ -891,13 +977,19 @@ interface(`auth_domtrans_utempter',`
## Execute utempter programs in the utempter domain.
##
##
+##
## The type of the process performing this action.
+##
##
##
+##
## The role to allow the utempter domain.
+##
##
##
+##
## The type of the terminal allow the utempter domain to use.
+##
##
#
interface(`auth_run_utempter',`
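Review bot: The third parameter description, "The type of the terminal allow the utempter domain to use.", is missing a word and should read `## The type of the terminal to allow the utempter domain to use.`. The same sentence pattern is wrapped unchanged in the clock_run, fstools_run, hostname_run, iptables_run, libs_run_ldconfig, lvm_run, modutils_run_insmod, modutils_run_depmod, modutils_run_update_mods, mount_run and pcmcia_run_cardctl hunks. Correcting it once here and carrying the wording through would keep the role and terminal parameters readable.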
@@ -915,7 +1007,9 @@ interface(`auth_run_utempter',`
## Do not audit attemps to execute utempter executable.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`auth_dontaudit_exec_utempter',`
@@ -969,7 +1063,9 @@ interface(`auth_dontaudit_write_login_records',`
## Append to login records (wtmp).
##
##
+##
## Domain allowed access.
+##
##
#
interface(`auth_append_login_records',`
@@ -985,7 +1081,9 @@ interface(`auth_append_login_records',`
## Write to login records (wtmp).
##
##
+##
## Domain allowed access.
+##
##
#
interface(`auth_write_login_records',`
@@ -1039,7 +1137,9 @@ interface(`auth_manage_login_records',`
## Use nsswitch to look up uid-username mappings.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`auth_use_nsswitch',`
@@ -1078,7 +1178,9 @@ interface(`auth_use_nsswitch',`
##
##
##
+##
## Domain allowed access.
+##
##
#
interface(`auth_unconfined',`
diff --git a/refpolicy/policy/modules/system/clock.if b/refpolicy/policy/modules/system/clock.if
index 050bb43..d5c66e3 100644
--- a/refpolicy/policy/modules/system/clock.if
+++ b/refpolicy/policy/modules/system/clock.if
@@ -5,7 +5,9 @@
## Execute hwclock in the clock domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`clock_domtrans',`
@@ -27,13 +29,19 @@ interface(`clock_domtrans',`
## allow the specified role the hwclock domain.
##
##
+##
## The type of the process performing this action.
+##
##
##
+##
## The role to be allowed the clock domain.
+##
##
##
+##
## The type of the terminal allow the clock domain to use.
+##
##
#
interface(`clock_run',`
@@ -51,7 +59,9 @@ interface(`clock_run',`
## Execute hwclock in the caller domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`clock_exec',`
@@ -67,7 +77,9 @@ interface(`clock_exec',`
## Allow executing domain to modify clock drift
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`clock_rw_adjtime',`
diff --git a/refpolicy/policy/modules/system/daemontools.if b/refpolicy/policy/modules/system/daemontools.if
index 6bb1348..598e580 100644
--- a/refpolicy/policy/modules/system/daemontools.if
+++ b/refpolicy/policy/modules/system/daemontools.if
@@ -10,7 +10,9 @@
## An ipc channel between the supervised domain and svc_start_t
##
##
+##
## Domain allowed access to svc_start_t.
+##
##
#
interface(`daemontools_ipc_domain',`
@@ -29,10 +31,14 @@ interface(`daemontools_ipc_domain',`
## Define a specified domain as a supervised service.
##
##
+##
## Domain allowed access.
+##
##
##
+##
## The type associated with the process program.
+##
##
#
interface(`daemontools_service_domain',`
@@ -52,7 +58,9 @@ interface(`daemontools_service_domain',`
## Execute in the svc_start_t domain.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`daemontools_domtrans_start',`
@@ -73,7 +81,9 @@ interface(`daemontools_domtrans_start',`
## Execute in the svc_run_t domain.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`daemontools_domtrans_run',`
@@ -94,7 +104,9 @@ interface(`daemontools_domtrans_run',`
## Execute in the svc_multilog_t domain.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`daemontools_domtrans_multilog',`
@@ -115,7 +127,9 @@ interface(`daemontools_domtrans_multilog',`
## Allow a domain to read svc_svc_t files.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`daemontools_read_svc',`
@@ -132,7 +146,9 @@ interface(`daemontools_read_svc',`
## Allow a domain to create svc_svc_t files.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`daemontools_manage_svc',`
diff --git a/refpolicy/policy/modules/system/fstools.if b/refpolicy/policy/modules/system/fstools.if
index c3e24ba..1fb801b 100644
--- a/refpolicy/policy/modules/system/fstools.if
+++ b/refpolicy/policy/modules/system/fstools.if
@@ -5,7 +5,9 @@
## Execute fs tools in the fstools domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`fstools_domtrans',`
@@ -28,13 +30,19 @@ interface(`fstools_domtrans',`
## allow the specified role the fs tools domain.
##
##
+##
## The type of the process performing this action.
+##
##
##
+##
## The role to be allowed the fs tools domain.
+##
##
##
+##
## The type of the terminal allow the fs tools domain to use.
+##
##
#
interface(`fstools_run',`
@@ -52,7 +60,9 @@ interface(`fstools_run',`
## Execute fsadm in the caller domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`fstools_exec',`
@@ -69,7 +79,9 @@ interface(`fstools_exec',`
## filesystem tools programs.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`fstools_relabelto_entry_files',`
@@ -86,7 +98,9 @@ interface(`fstools_relabelto_entry_files',`
## filesystem tools programs.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`fstools_manage_entry_files',`
diff --git a/refpolicy/policy/modules/system/getty.if b/refpolicy/policy/modules/system/getty.if
index 85b8951..ed6cf36 100644
--- a/refpolicy/policy/modules/system/getty.if
+++ b/refpolicy/policy/modules/system/getty.if
@@ -5,7 +5,9 @@
## Execute gettys in the getty domain.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`getty_domtrans',`
@@ -27,7 +29,9 @@ interface(`getty_domtrans',`
## Inherit and use getty file descriptors.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`getty_use_fd',`
@@ -43,7 +47,9 @@ interface(`getty_use_fd',`
## Allow process to read getty log file.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`getty_read_log',`
@@ -60,7 +66,9 @@ interface(`getty_read_log',`
## Allow process to read getty config file.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`getty_read_config',`
@@ -77,7 +85,9 @@ interface(`getty_read_config',`
## Allow process to edit getty config file.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`getty_rw_config',`
diff --git a/refpolicy/policy/modules/system/hostname.if b/refpolicy/policy/modules/system/hostname.if
index b6daa3f..94f0233 100644
--- a/refpolicy/policy/modules/system/hostname.if
+++ b/refpolicy/policy/modules/system/hostname.if
@@ -5,7 +5,9 @@
## Execute hostname in the hostname domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`hostname_domtrans',`
@@ -28,13 +30,19 @@ interface(`hostname_domtrans',`
## allow the specified role the hostname domain.
##
##
+##
## The type of the process performing this action.
+##
##
##
+##
## The role to be allowed the hostname domain.
+##
##
##
+##
## The type of the terminal allow the hostname domain to use.
+##
##
#
interface(`hostname_run',`
@@ -52,7 +60,9 @@ interface(`hostname_run',`
## Execute hostname in the caller domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`hostname_exec',`
diff --git a/refpolicy/policy/modules/system/hotplug.if b/refpolicy/policy/modules/system/hotplug.if
index 74ae242..6b8abaf 100644
--- a/refpolicy/policy/modules/system/hotplug.if
+++ b/refpolicy/policy/modules/system/hotplug.if
@@ -75,7 +75,9 @@ interface(`hotplug_dontaudit_search_config',`
## Get the attributes of the hotplug configuration directory.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`hotplug_getattr_config_dirs',`
@@ -91,7 +93,9 @@ interface(`hotplug_getattr_config_dirs',`
## Search the hotplug configuration directory.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`hotplug_search_config',`
@@ -107,7 +111,9 @@ interface(`hotplug_search_config',`
## Read the configuration files for hotplug.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`hotplug_read_config',`
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
index cd46605..cf400b4 100644
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@@ -5,10 +5,14 @@
## Create a domain which can be started by init.
##
##
+##
## Type to be used as a domain.
+##
##
##
+##
## Type of the program to be used as an entry point to this domain.
+##
##
#
interface(`init_domain',`
@@ -36,10 +40,14 @@ interface(`init_domain',`
## (daemons) which can be started by init scripts.
##
##
+##
## Type to be used as a domain.
+##
##
##
+##
## Type of the program to be used as an entry point to this domain.
+##
##
#
interface(`init_daemon_domain',`
@@ -112,10 +120,14 @@ interface(`init_daemon_domain',`
## which can be started by init scripts.
##
##
+##
## Type to be used as a domain.
+##
##
##
+##
## Type of the program to be used as an entry point to this domain.
+##
##
#
interface(`init_system_domain',`
@@ -159,7 +171,9 @@ interface(`init_domtrans',`
## Execute the init program in the caller domain.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`init_exec',`
@@ -250,7 +264,9 @@ interface(`init_dontaudit_rw_initctl',`
## Send init a null signal.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`init_signull',`
@@ -266,7 +282,9 @@ interface(`init_signull',`
## Send init a SIGCHLD signal.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`init_sigchld',`
@@ -306,7 +324,9 @@ interface(`init_dontaudit_use_fd',`
## Send UDP network traffic to init.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`init_udp_send',`
@@ -348,13 +368,19 @@ interface(`init_domtrans_script',`
##
##
##
+##
## Domain allowed access.
+##
##
##
+##
## The role to be performing this action.
+##
##
##
+##
## The type of the terminal of the user.
+##
##
#
interface(`init_run_daemon',`
@@ -373,7 +399,9 @@ interface(`init_run_daemon',`
## Write an init script unnamed pipe.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`init_write_script_pipes',`
@@ -389,7 +417,9 @@ interface(`init_write_script_pipes',`
## Get the attribute of init script entrypoint files.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`init_getattr_script_files',`
@@ -419,7 +449,9 @@ interface(`init_exec_script_files',`
## Read the process state (/proc/pid) of the init scripts.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`init_read_script_state',`
@@ -480,7 +512,9 @@ interface(`init_getpgid_script',`
## Send SIGCHLD signals to init scripts.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`init_sigchld_script',`
@@ -496,7 +530,9 @@ interface(`init_sigchld_script',`
## Send generic signals to init scripts.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`init_signal_script',`
@@ -512,7 +548,9 @@ interface(`init_signal_script',`
## Send null signals to init scripts.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`init_signull_script',`
@@ -528,7 +566,9 @@ interface(`init_signull_script',`
## Read and write init script unnamed pipes.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`init_rw_script_pipes',`
@@ -544,7 +584,9 @@ interface(`init_rw_script_pipes',`
## Send UDP network traffic to init scripts.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`init_udp_send_script',`
@@ -562,7 +604,9 @@ interface(`init_udp_send_script',`
## init scripts with a unix socket.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`init_stream_connect_script',`
@@ -579,7 +623,9 @@ interface(`init_stream_connect_script',`
## init scripts with a unix domain stream socket.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`init_dontaudit_stream_connect_script',`
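Review bot: The parameter description wrapped here says "Domain allowed access.", but the interface is init_dontaudit_stream_connect_script, whose name indicates it suppresses audit messages for a denied action rather than granting one. The other dontaudit interfaces in this commit use `## Domain to not audit.`, and this one should match. The init_dontaudit_lock_utmp hunk further down carries the same "Domain allowed access." text. Someone reviewing which domains may connect to init scripts could read the current wording as a grant, and a dontaudit rule also hides denials from the audit log, so the description should say so plainly.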
@@ -596,7 +642,9 @@ interface(`init_dontaudit_stream_connect_script',`
## init scripts over dbus.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`init_dbus_chat_script',`
@@ -623,7 +671,9 @@ interface(`init_dbus_chat_script',`
##
##
##
+##
## Domain allowed access.
+##
##
#
interface(`init_use_script_ptys',`
@@ -641,7 +691,9 @@ interface(`init_use_script_ptys',`
## write the init script pty.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`init_dontaudit_use_script_ptys',`
@@ -657,7 +709,9 @@ interface(`init_dontaudit_use_script_ptys',`
## Read init scripts.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`init_read_script_files',`
@@ -674,7 +728,9 @@ interface(`init_read_script_files',`
## Read and write init script temporary data.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`init_rw_script_tmp_files',`
@@ -692,13 +748,19 @@ interface(`init_rw_script_tmp_files',`
## temporary data directory.
##
##
+##
## Domain allowed access.
+##
##
##
+##
## The type of the object to be created
+##
##
##
+##
## The object class. If not specified, file is used.
+##
##
#
interface(`init_filetrans_script_tmp',`
@@ -722,7 +784,9 @@ interface(`init_filetrans_script_tmp',`
## Get the attributes of init script process id files.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`init_getattr_utmp',`
@@ -764,7 +828,9 @@ interface(`init_dontaudit_write_utmp',`
## init script pid files.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`init_dontaudit_lock_utmp',`
@@ -805,7 +871,9 @@ interface(`init_dontaudit_rw_utmp',`
## Create, read, write, and delete utmp.
##
##
+##
## Domain access allowed.
+##
##
#
interface(`init_manage_utmp',`
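Review bot: The parameter description here reads "Domain access allowed.", while every other interface in this file and in the rest of the commit uses "Domain allowed access."; it should be `## Domain allowed access.`. This is only a wording inconsistency, but these strings are the text that policy authors search for.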
diff --git a/refpolicy/policy/modules/system/ipsec.if b/refpolicy/policy/modules/system/ipsec.if
index 237622a..a3fc91d 100644
--- a/refpolicy/policy/modules/system/ipsec.if
+++ b/refpolicy/policy/modules/system/ipsec.if
@@ -5,7 +5,9 @@
## Execute ipsec in the ipsec domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`ipsec_domtrans',`
@@ -26,7 +28,9 @@ interface(`ipsec_domtrans',`
## Connect to IPSEC using a unix domain stream socket.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`ipsec_stream_connect',`
@@ -45,7 +49,9 @@ interface(`ipsec_stream_connect',`
## Get the attributes of an IPSEC key socket.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`ipsec_getattr_key_sockets',`
@@ -61,7 +67,9 @@ interface(`ipsec_getattr_key_sockets',`
## Execute the IPSEC management program in the caller domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`ipsec_exec_mgmt',`
@@ -77,7 +85,9 @@ interface(`ipsec_exec_mgmt',`
## Read the IPSEC configuration
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`ipsec_read_config',`
@@ -94,7 +104,9 @@ interface(`ipsec_read_config',`
## Create, read, write, and delete the IPSEC pid files.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`ipsec_manage_pid',`
diff --git a/refpolicy/policy/modules/system/iptables.if b/refpolicy/policy/modules/system/iptables.if
index cae9fc3..2d748cb 100644
--- a/refpolicy/policy/modules/system/iptables.if
+++ b/refpolicy/policy/modules/system/iptables.if
@@ -5,7 +5,9 @@
## Execute iptables in the iptables domain.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`iptables_domtrans',`
@@ -28,13 +30,19 @@ interface(`iptables_domtrans',`
## allow the specified role the iptables domain.
##
##
+##
## Domain allowed access.
+##
##
##
+##
## The role to be allowed the iptables domain.
+##
##
##
+##
## The type of the terminal allow the iptables domain to use.
+##
##
#
interface(`iptables_run',`
@@ -52,7 +60,9 @@ interface(`iptables_run',`
## Execute iptables in the caller domain.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`iptables_exec',`
diff --git a/refpolicy/policy/modules/system/libraries.if b/refpolicy/policy/modules/system/libraries.if
index 812fc7f..a53d338 100644
--- a/refpolicy/policy/modules/system/libraries.if
+++ b/refpolicy/policy/modules/system/libraries.if
@@ -5,7 +5,9 @@
## Execute ldconfig in the ldconfig domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`libs_domtrans_ldconfig',`
@@ -27,13 +29,19 @@ interface(`libs_domtrans_ldconfig',`
## Execute ldconfig in the ldconfig domain.
##
##
+##
## The type of the process performing this action.
+##
##
##
+##
## The role to allow the ldconfig domain.
+##
##
##
+##
## The type of the terminal allow the ldconfig domain to use.
+##
##
#
interface(`libs_run_ldconfig',`
@@ -52,7 +60,9 @@ interface(`libs_run_ldconfig',`
## of shared libraries.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`libs_use_ld_so',`
@@ -74,7 +84,9 @@ interface(`libs_use_ld_so',`
## of shared libraries with legacy support.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`libs_legacy_use_ld_so',`
@@ -92,7 +104,9 @@ interface(`libs_legacy_use_ld_so',`
## Execute the dynamic link/loader in the caller's domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`libs_exec_ld_so',`
@@ -112,7 +126,9 @@ interface(`libs_exec_ld_so',`
## dynamic link/loader.
##
##
+##
## Domain allowed access.
+##
##
#
# cjp: added for prelink
@@ -131,7 +147,9 @@ interface(`libs_manage_ld_so',`
## the dynamic link/loader.
##
##
+##
## Domain allowed access.
+##
##
#
# cjp: added for prelink
@@ -150,7 +168,9 @@ interface(`libs_relabel_ld_so',`
## of shared libraries.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`libs_rw_ld_so_cache',`
@@ -167,7 +187,9 @@ interface(`libs_rw_ld_so_cache',`
## Search lib directories.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`libs_search_lib',`
@@ -184,7 +206,9 @@ interface(`libs_search_lib',`
## as static libraries.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`libs_read_lib_files',`
@@ -202,7 +226,9 @@ interface(`libs_read_lib_files',`
## Execute library scripts in the caller domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`libs_exec_lib_files',`
@@ -222,7 +248,9 @@ interface(`libs_exec_lib_files',`
## lib files as shared libraries.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`libs_use_lib_files',`
@@ -242,7 +270,9 @@ interface(`libs_use_lib_files',`
## files in library directories.
##
##
+##
## Domain allowed access.
+##
##
#
# cjp: added for prelink
@@ -260,7 +290,9 @@ interface(`libs_manage_lib_files',`
## Relabel files to the type used in library directories.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`libs_relabelto_lib_files',`
@@ -278,7 +310,9 @@ interface(`libs_relabelto_lib_files',`
## for generic lib files.
##
##
+##
## Domain allowed access.
+##
##
#
# cjp: added for prelink
@@ -296,7 +330,9 @@ interface(`libs_relabel_lib_files',`
## Create, read, write, and delete shared libraries.
##
##
+##
## Domain allowed access.
+##
##
#
# cjp: added for prelink
@@ -314,7 +350,9 @@ interface(`libs_manage_shared_libs',`
## Load and execute functions from shared libraries.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`libs_use_shared_libs',`
@@ -336,7 +374,9 @@ interface(`libs_use_shared_libs',`
## with legacy support.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`libs_legacy_use_shared_libs',`
@@ -354,7 +394,9 @@ interface(`libs_legacy_use_shared_libs',`
## shared libraries.
##
##
+##
## Domain allowed access.
+##
##
#
# cjp: added for prelink
diff --git a/refpolicy/policy/modules/system/locallogin.if b/refpolicy/policy/modules/system/locallogin.if
index 8bfaee3..bba2c99 100644
--- a/refpolicy/policy/modules/system/locallogin.if
+++ b/refpolicy/policy/modules/system/locallogin.if
@@ -5,7 +5,9 @@
## Execute local logins in the local login domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`locallogin_domtrans',`
@@ -21,7 +23,9 @@ interface(`locallogin_domtrans',`
## Allow processes to inherit local login file descriptors.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`locallogin_use_fd',`
@@ -37,7 +41,9 @@ interface(`locallogin_use_fd',`
## Do not audit attempts to inherit local login file descriptors.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`locallogin_dontaudit_use_fd',`
@@ -53,7 +59,9 @@ interface(`locallogin_dontaudit_use_fd',`
## Send a null signal to local login processes.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`locallogin_signull',`
diff --git a/refpolicy/policy/modules/system/logging.if b/refpolicy/policy/modules/system/logging.if
index 992de9d..dc93191 100644
--- a/refpolicy/policy/modules/system/logging.if
+++ b/refpolicy/policy/modules/system/logging.if
@@ -6,7 +6,9 @@
## used for logs.
##
##
+##
## Type of the file to be used as a log.
+##
##
#
interface(`logging_log_file',`
@@ -25,7 +27,9 @@ interface(`logging_log_file',`
## Read the audit log.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`logging_read_audit_log',`
@@ -43,7 +47,9 @@ interface(`logging_read_audit_log',`
## Execute auditctl in the auditctl domain.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`logging_domtrans_auditctl',`
@@ -64,7 +70,9 @@ interface(`logging_domtrans_auditctl',`
## Execute syslogd in the syslog domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`logging_domtrans_syslog',`
@@ -126,7 +134,9 @@ interface(`logging_send_syslog_msg',`
## Read the auditd configuration files.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`logging_read_audit_config',`
@@ -145,7 +155,9 @@ interface(`logging_read_audit_config',`
## of the contents of the log directory.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`logging_search_logs',`
@@ -162,7 +174,9 @@ interface(`logging_search_logs',`
## List the contents of the generic log directory (/var/log).
##
##
+##
## Domain allowed access.
+##
##
#
interface(`logging_list_logs',`
@@ -179,7 +193,9 @@ interface(`logging_list_logs',`
## Read and write the generic log directory (/var/log).
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`logging_rw_generic_log_dirs',`
@@ -238,7 +254,9 @@ interface(`logging_read_all_logs',`
## Execute all log files in the caller domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
# cjp: not sure why this is needed. This was added
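Review bot: The doc block wrapped here describes executing every log file in the caller's domain, and the maintainer comment directly beneath it says the need is unclear, so the description should state which caller requires it rather than only "The type of the process performing this action.". Execute permission on log files is unusual enough that a policy author should not mistake it for a routine grant. A line under the summary such as `## Intended only for <caller to be named>; avoid in new policy.` would record that. The comment and the interface body continue outside the hunk, so the actual rules could not be checked here.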
@@ -301,7 +319,9 @@ interface(`logging_write_generic_logs',`
## Read and write generic log files.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`logging_rw_generic_logs',`
@@ -320,7 +340,9 @@ interface(`logging_rw_generic_logs',`
## generic log files.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`logging_manage_generic_logs',`
diff --git a/refpolicy/policy/modules/system/lvm.if b/refpolicy/policy/modules/system/lvm.if
index 35c144e..193069c 100644
--- a/refpolicy/policy/modules/system/lvm.if
+++ b/refpolicy/policy/modules/system/lvm.if
@@ -5,7 +5,9 @@
## Execute lvm programs in the lvm domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`lvm_domtrans',`
@@ -27,13 +29,19 @@ interface(`lvm_domtrans',`
## Execute lvm programs in the lvm domain.
##
##
+##
## The type of the process performing this action.
+##
##
##
+##
## The role to allow the LVM domain.
+##
##
##
+##
## The type of the terminal allow the LVM domain to use.
+##
##
#
interface(`lvm_run',`
@@ -51,7 +59,9 @@ interface(`lvm_run',`
## Read LVM configuration files.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`lvm_read_config',`
diff --git a/refpolicy/policy/modules/system/miscfiles.if b/refpolicy/policy/modules/system/miscfiles.if
index 644d6bd..ac3e8f6 100644
--- a/refpolicy/policy/modules/system/miscfiles.if
+++ b/refpolicy/policy/modules/system/miscfiles.if
@@ -5,7 +5,9 @@
## Read system SSL certificates.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`miscfiles_read_certs',`
@@ -23,7 +25,9 @@ interface(`miscfiles_read_certs',`
## Read fonts.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`miscfiles_read_fonts',`
@@ -45,7 +49,9 @@ interface(`miscfiles_read_fonts',`
## Create, read, write, and delete fonts.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`miscfiles_manage_fonts',`
@@ -67,7 +73,9 @@ interface(`miscfiles_manage_fonts',`
## Read hardware identification data.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`miscfiles_read_hwdata',`
@@ -85,7 +93,9 @@ interface(`miscfiles_read_hwdata',`
## Allow process to read localization info
##
##
+##
## Domain allowed access.
+##
##
#
interface(`miscfiles_read_localization',`
@@ -109,7 +119,9 @@ interface(`miscfiles_read_localization',`
## Allow process to read legacy time localization info
##
##
+##
## Domain allowed access.
+##
##
#
interface(`miscfiles_legacy_read_localization',`
@@ -126,7 +138,9 @@ interface(`miscfiles_legacy_read_localization',`
## Do not audit attempts to search man pages.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`miscfiles_dontaudit_search_man_pages',`
@@ -142,7 +156,9 @@ interface(`miscfiles_dontaudit_search_man_pages',`
## Read man pages
##
##
+##
## Domain allowed access.
+##
##
#
interface(`miscfiles_read_man_pages',`
@@ -161,7 +177,9 @@ interface(`miscfiles_read_man_pages',`
## Delete man pages
##
##
+##
## Domain allowed access.
+##
##
# cjp: added for tmpreaper
#
@@ -181,7 +199,9 @@ interface(`miscfiles_delete_man_pages',`
## Create, read, write, and delete man pages
##
##
+##
## Domain allowed access.
+##
##
#
interface(`miscfiles_manage_man_pages',`
@@ -201,7 +221,9 @@ interface(`miscfiles_manage_man_pages',`
## transfer services.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`miscfiles_read_public_files',`
@@ -220,7 +242,9 @@ interface(`miscfiles_read_public_files',`
## and directories used for file transfer services.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`miscfiles_manage_public_files',`
@@ -238,7 +262,9 @@ interface(`miscfiles_manage_public_files',`
## Read TeX data
##
##
+##
## Domain allowed access.
+##
##
#
interface(`miscfiles_read_tetex_data',`
@@ -260,7 +286,9 @@ interface(`miscfiles_read_tetex_data',`
## Execute TeX data programs in the caller domain.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`miscfiles_exec_tetex_data',`
diff --git a/refpolicy/policy/modules/system/modutils.if b/refpolicy/policy/modules/system/modutils.if
index dab722c..c82e973 100644
--- a/refpolicy/policy/modules/system/modutils.if
+++ b/refpolicy/policy/modules/system/modutils.if
@@ -5,7 +5,9 @@
## Read the dependencies of kernel modules.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`modutils_read_module_deps',`
@@ -23,7 +25,9 @@ interface(`modutils_read_module_deps',`
## loading modules.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`modutils_read_module_config',`
@@ -45,7 +49,9 @@ interface(`modutils_read_module_config',`
## loading modules.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`modutils_rename_module_config',`
@@ -61,7 +67,9 @@ interface(`modutils_rename_module_config',`
## Unconditionally execute insmod in the insmod domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
# cjp: this is added for pppd, due to nested
@@ -85,7 +93,9 @@ interface(`modutils_domtrans_insmod_uncond',`
## Execute insmod in the insmod domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`modutils_domtrans_insmod',`
@@ -106,13 +116,19 @@ interface(`modutils_domtrans_insmod',`
## backchannel.
##
##
+##
## The type of the process performing this action.
+##
##
##
+##
## The role to be allowed the insmod domain.
+##
##
##
+##
## The type of the terminal allow the insmod domain to use.
+##
##
#
interface(`modutils_run_insmod',`
@@ -143,7 +159,9 @@ interface(`modutils_exec_insmod',`
## Execute depmod in the depmod domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`modutils_domtrans_depmod',`
@@ -165,13 +183,19 @@ interface(`modutils_domtrans_depmod',`
## Execute depmod in the depmod domain.
##
##
+##
## The type of the process performing this action.
+##
##
##
+##
## The role to be allowed the depmod domain.
+##
##
##
+##
## The type of the terminal allow the depmod domain to use.
+##
##
#
interface(`modutils_run_depmod',`
@@ -202,7 +226,9 @@ interface(`modutils_exec_depmod',`
## Execute depmod in the depmod domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`modutils_domtrans_update_mods',`
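Review bot: The summary above the wrapped parameter reads "Execute depmod in the depmod domain." although the interface it documents is modutils_domtrans_update_mods, so it looks copied from modutils_domtrans_depmod. The matching modutils_run_update_mods block in the next hunk says "Execute update_modules in the update_modules domain.", so this one should be `## Execute update_modules in the update_modules domain.`. A wrong target domain in a domain-transition description misleads anyone reviewing which callers can reach the update_modules domain.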
@@ -224,13 +250,19 @@ interface(`modutils_domtrans_update_mods',`
## Execute update_modules in the update_modules domain.
##
##
+##
## The type of the process performing this action.
+##
##
##
+##
## The role to be allowed the update_modules domain.
+##
##
##
+##
## The type of the terminal allow the update_modules domain to use.
+##
##
#
interface(`modutils_run_update_mods',`
diff --git a/refpolicy/policy/modules/system/mount.if b/refpolicy/policy/modules/system/mount.if
index 56a6740..b4ad149 100644
--- a/refpolicy/policy/modules/system/mount.if
+++ b/refpolicy/policy/modules/system/mount.if
@@ -5,7 +5,9 @@
## Execute mount in the mount domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`mount_domtrans',`
@@ -28,13 +30,19 @@ interface(`mount_domtrans',`
## and use the caller's terminal.
##
##
+##
## The type of the process performing this action.
+##
##
##
+##
## The role to be allowed the mount domain.
+##
##
##
+##
## The type of the terminal allow the mount domain to use.
+##
##
#
interface(`mount_run',`
@@ -52,7 +60,9 @@ interface(`mount_run',`
## Execute mount in the caller domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`mount_exec',`
@@ -71,7 +81,9 @@ interface(`mount_exec',`
## Use file descriptors for mount.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`mount_use_fd',`
@@ -88,7 +100,9 @@ interface(`mount_use_fd',`
## network drives
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`mount_send_nfs_client_request',`
diff --git a/refpolicy/policy/modules/system/pcmcia.if b/refpolicy/policy/modules/system/pcmcia.if
index 77d6c24..5492a2b 100644
--- a/refpolicy/policy/modules/system/pcmcia.if
+++ b/refpolicy/policy/modules/system/pcmcia.if
@@ -5,7 +5,9 @@
## PCMCIA stub interface. No access allowed.
##
##
+##
## N/A
+##
##
#
interface(`pcmcia_stub',`
@@ -19,7 +21,9 @@ interface(`pcmcia_stub',`
## Execute cardmgr in the cardmgr domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`pcmcia_domtrans_cardmgr',`
@@ -40,7 +44,9 @@ interface(`pcmcia_domtrans_cardmgr',`
## Inherit and use file descriptors from cardmgr.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`pcmcia_use_cardmgr_fd',`
@@ -56,7 +62,9 @@ interface(`pcmcia_use_cardmgr_fd',`
## Execute cardctl in the cardmgr domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`pcmcia_domtrans_cardctl',`
@@ -78,13 +86,19 @@ interface(`pcmcia_domtrans_cardctl',`
## allow the specified role the cardmgr domain.
##
##
+##
## The type of the process performing this action.
+##
##
##
+##
## The role to be allowed the cardmgr domain.
+##
##
##
+##
## The type of the terminal allow the cardmgr domain to use.
+##
##
#
interface(`pcmcia_run_cardctl',`
@@ -102,7 +116,9 @@ interface(`pcmcia_run_cardctl',`
## Read cardmgr pid files.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`pcmcia_read_pid',`
@@ -122,7 +138,9 @@ interface(`pcmcia_read_pid',`
## cardmgr pid files.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`pcmcia_manage_pid',`
@@ -141,7 +159,9 @@ interface(`pcmcia_manage_pid',`
## cardmgr runtime character nodes.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`pcmcia_manage_pid_chr_files',`
diff --git a/refpolicy/policy/modules/system/raid.if b/refpolicy/policy/modules/system/raid.if
index cfbcff9..04673a8 100644
--- a/refpolicy/policy/modules/system/raid.if
+++ b/refpolicy/policy/modules/system/raid.if
@@ -5,7 +5,9 @@
## Execute software raid tools in the mdadm domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`raid_domtrans_mdadm',`
@@ -35,7 +37,9 @@ interface(`raid_domtrans_mdadm',`
##
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`raid_manage_mdadm_pid',`
diff --git a/refpolicy/policy/modules/system/selinuxutil.if b/refpolicy/policy/modules/system/selinuxutil.if
index 02d3074..606c511 100644
--- a/refpolicy/policy/modules/system/selinuxutil.if
+++ b/refpolicy/policy/modules/system/selinuxutil.if
@@ -5,7 +5,9 @@
## Execute checkpolicy in the checkpolicy domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`seutil_domtrans_checkpolicy',`
@@ -30,13 +32,19 @@ interface(`seutil_domtrans_checkpolicy',`
## and use the caller's terminal.
##
##
+##
## The type of the process performing this action.
+##
##
##
+##
## The role to be allowed the checkpolicy domain.
+##
##
##
+##
## The type of the terminal allow the checkpolicy domain to use.
+##
##
#
interface(`seutil_run_checkpolicy',`
@@ -68,7 +76,9 @@ interface(`seutil_exec_checkpolicy',`
## Execute load_policy in the load_policy domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`seutil_domtrans_loadpolicy',`
@@ -93,13 +103,19 @@ interface(`seutil_domtrans_loadpolicy',`
## Has a SIGCHLD signal backchannel.
##
##
+##
## The type of the process performing this action.
+##
##
##
+##
## The role to be allowed the load_policy domain.
+##
##
##
+##
## The type of the terminal allow the load_policy domain to use.
+##
##
#
interface(`seutil_run_loadpolicy',`
@@ -143,7 +159,9 @@ interface(`seutil_read_loadpolicy',`
## Execute newrole in the load_policy domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`seutil_domtrans_newrole',`
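Review bot: The summary line at the top of this hunk says "Execute newrole in the load_policy domain." although the interface is seutil_domtrans_newrole, which looks like a copy-paste from the load_policy interface above it. Policy authors choose domain-transition interfaces from this text, so naming the wrong target domain for a role-changing program is worth correcting while the block is being touched: `## Execute newrole in the newrole domain.` The interface body lies outside the hunk, so the actual target domain should be confirmed against it.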
@@ -168,13 +186,19 @@ interface(`seutil_domtrans_newrole',`
## and use the caller's terminal.
##
##
+##
## The type of the process performing this action.
+##
##
##
+##
## The role to be allowed the newrole domain.
+##
##
##
+##
## The type of the terminal allow the newrole domain to use.
+##
##
#
interface(`seutil_run_newrole',`
@@ -207,7 +231,9 @@ interface(`seutil_exec_newrole',`
## a signal to newrole.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`seutil_dontaudit_signal_newrole',`
@@ -247,7 +273,9 @@ interface(`seutil_use_newrole_fd',`
## Execute restorecon in the restorecon domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`seutil_domtrans_restorecon',`
@@ -271,13 +299,19 @@ interface(`seutil_domtrans_restorecon',`
## and use the caller's terminal.
##
##
+##
## The type of the process performing this action.
+##
##
##
+##
## The role to be allowed the restorecon domain.
+##
##
##
+##
## The type of the terminal allow the restorecon domain to use.
+##
##
#
interface(`seutil_run_restorecon',`
@@ -308,7 +342,9 @@ interface(`seutil_exec_restorecon',`
## Execute run_init in the run_init domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`seutil_domtrans_runinit',`
@@ -333,13 +369,19 @@ interface(`seutil_domtrans_runinit',`
## and use the caller's terminal.
##
##
+##
## The type of the process performing this action.
+##
##
##
+##
## The role to be allowed the run_init domain.
+##
##
##
+##
## The type of the terminal allow the run_init domain to use.
+##
##
#
interface(`seutil_run_runinit',`
@@ -371,7 +413,9 @@ interface(`seutil_use_runinit_fd',`
## Execute setfiles in the setfiles domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`seutil_domtrans_setfiles',`
@@ -396,13 +440,19 @@ interface(`seutil_domtrans_setfiles',`
## and use the caller's terminal.
##
##
+##
## The type of the process performing this action.
+##
##
##
+##
## The role to be allowed the setfiles domain.
+##
##
##
+##
## The type of the terminal allow the setfiles domain to use.
+##
##
#
interface(`seutil_run_setfiles',`
@@ -435,7 +485,9 @@ interface(`seutil_exec_setfiles',`
## configuration directory (/etc/selinux).
##
##
+##
## Domain to not audit.
+##
##
#
interface(`seutil_dontaudit_search_config',`
@@ -452,7 +504,9 @@ interface(`seutil_dontaudit_search_config',`
## userland configuration (/etc/selinux).
##
##
+##
## Domain to not audit.
+##
##
#
interface(`seutil_dontaudit_read_config',`
@@ -484,7 +538,9 @@ interface(`seutil_read_config',`
## Search the policy directory with default_context files.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`seutil_search_default_contexts',`
@@ -566,7 +622,9 @@ interface(`seutil_create_bin_policy',`
## Allow the caller to relabel a file to the binary policy type.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`seutil_relabelto_bin_policy',`
diff --git a/refpolicy/policy/modules/system/sysnetwork.if b/refpolicy/policy/modules/system/sysnetwork.if
index f2b5996..0d5a065 100644
--- a/refpolicy/policy/modules/system/sysnetwork.if
+++ b/refpolicy/policy/modules/system/sysnetwork.if
@@ -5,7 +5,9 @@
## Execute dhcp client in dhcpc domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`sysnet_domtrans_dhcpc',`
@@ -28,13 +30,19 @@ interface(`sysnet_domtrans_dhcpc',`
## allow the specified role the dhcpc domain.
##
##
+##
## The type of the process performing this action.
+##
##
##
+##
## The role to be allowed the clock domain.
+##
##
##
+##
## The type of the terminal allow the clock domain to use.
+##
##
#
interface(`sysnet_run_dhcpc',`
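Review bot: The role and terminal descriptions in this hunk refer to "the clock domain", but the interface is sysnet_run_dhcpc and the summary line above them speaks of the dhcpc domain. This looks inherited from the clock module. I would change the two lines to `## The role to be allowed the dhcpc domain.` and `## The type of the terminal the dhcpc domain is allowed to use.` so that the documentation names the domain the role is actually being granted. The interface body is outside the hunk.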
@@ -52,7 +60,9 @@ interface(`sysnet_run_dhcpc',`
## Send a SIGCHLD signal to the dhcp client.
##
##
+##
## The domain sending the SIGCHLD.
+##
##
#
interface(`sysnet_sigchld_dhcpc',`
@@ -68,7 +78,9 @@ interface(`sysnet_sigchld_dhcpc',`
## Send a kill signal to the dhcp client.
##
##
+##
## The domain sending the SIGKILL.
+##
##
#
interface(`sysnet_kill_dhcpc',`
@@ -84,7 +96,9 @@ interface(`sysnet_kill_dhcpc',`
## Send a SIGSTOP signal to the dhcp client.
##
##
+##
## The domain sending the SIGSTOP.
+##
##
#
interface(`sysnet_sigstop_dhcpc',`
@@ -100,7 +114,9 @@ interface(`sysnet_sigstop_dhcpc',`
## Send a null signal to the dhcp client.
##
##
+##
## The domain sending the null signal.
+##
##
#
interface(`sysnet_signull_dhcpc',`
@@ -116,7 +132,9 @@ interface(`sysnet_signull_dhcpc',`
## Send a generic signal to the dhcp client.
##
##
+##
## The domain sending the signal.
+##
##
#
interface(`sysnet_signal_dhcpc',`
@@ -133,7 +151,9 @@ interface(`sysnet_signal_dhcpc',`
## dhcpc over dbus.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`sysnet_dbus_chat_dhcpc',`
@@ -151,7 +171,9 @@ interface(`sysnet_dbus_chat_dhcpc',`
## Read and write dhcp configuration files.
##
##
+##
## The domain allowed access.
+##
##
#
interface(`sysnet_rw_dhcp_config',`
@@ -168,7 +190,9 @@ interface(`sysnet_rw_dhcp_config',`
## Read dhcp client state files.
##
##
+##
## The domain allowed access.
+##
##
#
interface(`sysnet_read_dhcpc_state',`
@@ -184,7 +208,9 @@ interface(`sysnet_read_dhcpc_state',`
## Allow network init to read network config files.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`sysnet_read_config',`
@@ -201,7 +227,9 @@ interface(`sysnet_read_config',`
## Do not audit attempts to read network config files.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`sysnet_dontaudit_read_config',`
@@ -218,7 +246,9 @@ interface(`sysnet_dontaudit_read_config',`
## the network config files.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`sysnet_filetrans_config',`
@@ -234,7 +264,9 @@ interface(`sysnet_filetrans_config',`
## Create, read, write, and delete network config files.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`sysnet_manage_config',`
@@ -250,7 +282,9 @@ interface(`sysnet_manage_config',`
## Read the dhcp client pid file.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`sysnet_read_dhcpc_pid',`
@@ -267,7 +301,9 @@ interface(`sysnet_read_dhcpc_pid',`
## Delete the dhcp client pid file.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`sysnet_delete_dhcpc_pid',`
@@ -283,7 +319,9 @@ interface(`sysnet_delete_dhcpc_pid',`
## Execute ifconfig in the ifconfig domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`sysnet_domtrans_ifconfig',`
@@ -307,13 +345,19 @@ interface(`sysnet_domtrans_ifconfig',`
## and use the caller's terminal.
##
##
+##
## The type of the process performing this action.
+##
##
##
+##
## The role to be allowed the ifconfig domain.
+##
##
##
+##
## The type of the terminal allow the ifconfig domain to use.
+##
##
#
interface(`sysnet_run_ifconfig',`
@@ -332,7 +376,9 @@ interface(`sysnet_run_ifconfig',`
## Execute ifconfig in the caller domain.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`sysnet_exec_ifconfig',`
@@ -349,7 +395,9 @@ interface(`sysnet_exec_ifconfig',`
## Read the DHCP configuration files.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`sysnet_read_dhcp_config',`
@@ -367,7 +415,9 @@ interface(`sysnet_read_dhcp_config',`
## Search the DHCP state data directory.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`sysnet_search_dhcp_state',`
@@ -394,13 +444,19 @@ interface(`sysnet_search_dhcp_state',`
##
##
##
+##
## Domain allowed access.
+##
##
##
+##
## The type of the object to be created
+##
##
##
+##
## The object class. If not specified, file is used.
+##
##
#
interface(`sysnet_filetrans_dhcp_state',`
@@ -423,7 +479,9 @@ interface(`sysnet_filetrans_dhcp_state',`
## Perform a DNS name resolution.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`sysnet_dns_name_resolve',`
@@ -455,7 +513,9 @@ interface(`sysnet_dns_name_resolve',`
## Connect and use a LDAP server.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`sysnet_use_ldap',`
@@ -483,7 +543,9 @@ interface(`sysnet_use_ldap',`
## Connect and use remote port mappers.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`sysnet_use_portmap',`
diff --git a/refpolicy/policy/modules/system/udev.if b/refpolicy/policy/modules/system/udev.if
index afb0a11..1e4175a 100644
--- a/refpolicy/policy/modules/system/udev.if
+++ b/refpolicy/policy/modules/system/udev.if
@@ -5,7 +5,9 @@
## Execute udev in the udev domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`udev_domtrans',`
@@ -26,7 +28,9 @@ interface(`udev_domtrans',`
## Execute a udev helper in the udev domain.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`udev_helper_domtrans',`
@@ -47,7 +51,9 @@ interface(`udev_helper_domtrans',`
## Allow process to read udev process state.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`udev_read_state',`
@@ -66,7 +72,9 @@ interface(`udev_read_state',`
## udev file descriptor.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`udev_dontaudit_use_fd',`
@@ -83,7 +91,9 @@ interface(`udev_dontaudit_use_fd',`
## to a udev unix datagram socket.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`udev_dontaudit_rw_dgram_sockets',`
@@ -99,7 +109,9 @@ interface(`udev_dontaudit_rw_dgram_sockets',`
## Allow process to read list of devices.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`udev_read_db',`
@@ -116,7 +128,9 @@ interface(`udev_read_db',`
## Allow process to modify list of devices.
##
##
+##
## The type of the process performing this action.
+##
##
#
interface(`udev_rw_db',`
diff --git a/refpolicy/policy/modules/system/unconfined.if b/refpolicy/policy/modules/system/unconfined.if
index bd69ec1..6e0d8dd 100644
--- a/refpolicy/policy/modules/system/unconfined.if
+++ b/refpolicy/policy/modules/system/unconfined.if
@@ -5,7 +5,9 @@
## Make the specified domain unconfined.
##
##
+##
## Domain to make unconfined.
+##
##
#
interface(`unconfined_domain_noaudit',`
@@ -106,7 +108,9 @@ interface(`unconfined_domain_noaudit',`
## usage.
##
##
+##
## Domain to make unconfined.
+##
##
#
interface(`unconfined_domain',`
@@ -126,7 +130,9 @@ interface(`unconfined_domain',`
## Transition to the unconfined domain.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`unconfined_domtrans',`
@@ -147,13 +153,19 @@ interface(`unconfined_domtrans',`
## Execute specified programs in the unconfined domain.
##
##
+##
## The type of the process performing this action.
+##
##
##
+##
## The role to allow the unconfined domain.
+##
##
##
+##
## The type of the terminal allow the unconfined domain to use.
+##
##
#
interface(`unconfined_run',`
@@ -171,7 +183,9 @@ interface(`unconfined_run',`
## Transition to the unconfined domain by executing a shell.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`unconfined_shell_domtrans',`
@@ -187,7 +201,9 @@ interface(`unconfined_shell_domtrans',`
## Inherit file descriptors from the unconfined domain.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`unconfined_use_fd',`
@@ -203,7 +219,9 @@ interface(`unconfined_use_fd',`
## Send a SIGCHLD signal to the unconfined domain.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`unconfined_sigchld',`
@@ -219,7 +237,9 @@ interface(`unconfined_sigchld',`
## Send generic signals to the unconfined domain.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`unconfined_signal',`
@@ -235,7 +255,9 @@ interface(`unconfined_signal',`
## Read unconfined domain unnamed pipes.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`unconfined_read_pipes',`
@@ -251,7 +273,9 @@ interface(`unconfined_read_pipes',`
## Do not audit attempts to read unconfined domain unnamed pipes.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`unconfined_dontaudit_read_pipes',`
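Review bot: The parameter description here reads "Domain allowed access." on a dontaudit interface, whose summary says it only suppresses auditing of the attempts. Other dontaudit interfaces in this commit (for example unconfined_dontaudit_rw_tcp_sockets) use `## Domain to not audit.`, and this one should match. The same mismatch appears in the hunks for userdom_dontaudit_setattr_user_home_files, userdom_dontaudit_exec_user_home_files, userdom_dontaudit_use_user_terminals and userdom_dontaudit_getattr_sysadm_ttys. A reader of the generated documentation could otherwise take these interfaces to grant access, rather than to hide denials from the audit log.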
@@ -267,7 +291,9 @@ interface(`unconfined_dontaudit_read_pipes',`
## Read and write unconfined domain unnamed pipes.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`unconfined_rw_pipes',`
@@ -294,7 +320,9 @@ interface(`unconfined_rw_pipes',`
##
##
##
+##
## Domain to not audit.
+##
##
#
interface(`unconfined_dontaudit_rw_tcp_sockets',`
@@ -310,7 +338,9 @@ interface(`unconfined_dontaudit_rw_tcp_sockets',`
## Send messages to the unconfined domain over dbus.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`unconfined_dbus_send',`
@@ -337,7 +367,9 @@ interface(`unconfined_dbus_send',`
##
##
##
+##
## New alias of the unconfined domain.
+##
##
#
interface(`unconfined_alias_domain',`
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 7513b24..5fb7042 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -18,8 +18,10 @@
##
##
##
+##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
+##
##
#
template(`base_user_template',`
@@ -509,8 +511,10 @@ template(`base_user_template',`
##
##
##
+##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
+##
##
#
template(`unpriv_user_template', `
@@ -761,8 +765,10 @@ template(`unpriv_user_template', `
##
##
##
+##
## The prefix of the user domain (e.g., sysadm
## is the prefix for sysadm_t).
+##
##
#
template(`admin_user_template',`
@@ -1001,12 +1007,16 @@ template(`admin_user_template',`
##
##
##
+##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
+##
##
##
+##
## Type to be used as a file in the
## user home directory.
+##
##
#
template(`userdom_home_file',`
@@ -1032,11 +1042,15 @@ template(`userdom_home_file',`
##
##
##
+##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
+##
##
##
+##
## Domain allowed access.
+##
##
#
template(`userdom_setattr_user_pty',`
@@ -1063,11 +1077,15 @@ template(`userdom_setattr_user_pty',`
##
##
##
+##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
+##
##
##
+##
## Domain allowed access.
+##
##
#
template(`userdom_create_user_pty',`
@@ -1094,11 +1112,15 @@ template(`userdom_create_user_pty',`
##
##
##
+##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
+##
##
##
+##
## Domain allowed access.
+##
##
#
template(`userdom_search_user_home',`
@@ -1124,11 +1146,15 @@ template(`userdom_search_user_home',`
##
##
##
+##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
+##
##
##
+##
## Domain allowed access.
+##
##
#
template(`userdom_list_user_home',`
@@ -1163,14 +1189,20 @@ template(`userdom_list_user_home',`
##
##
##
+##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
+##
##
##
+##
## Domain allowed access.
+##
##
##
+##
## Domain to transition to.
+##
##
#
template(`userdom_user_home_domtrans',`
@@ -1197,11 +1229,15 @@ template(`userdom_user_home_domtrans',`
##
##
##
+##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
+##
##
##
+##
## Domain to not audit
+##
##
#
template(`userdom_dontaudit_list_user_home_dir',`
@@ -1228,11 +1264,15 @@ template(`userdom_dontaudit_list_user_home_dir',`
##
##
##
+##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
+##
##
##
+##
## Domain allowed access.
+##
##
#
template(`userdom_manage_user_home_subdirs',`
@@ -1261,11 +1301,15 @@ template(`userdom_manage_user_home_subdirs',`
##
##
##
+##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
+##
##
##
+##
## Domain allowed access.
+##
##
#
template(`userdom_dontaudit_setattr_user_home_files',`
@@ -1290,11 +1334,15 @@ template(`userdom_dontaudit_setattr_user_home_files',`
##
##
##
+##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
+##
##
##
+##
## Domain allowed access.
+##
##
#
template(`userdom_read_user_home_files',`
@@ -1322,11 +1370,15 @@ template(`userdom_read_user_home_files',`
##
##
##
+##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
+##
##
##
+##
## Domain to not audit.
+##
##
#
template(`userdom_dontaudit_read_user_home_files',`
@@ -1352,11 +1404,15 @@ template(`userdom_dontaudit_read_user_home_files',`
##
##
##
+##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
+##
##
##
+##
## Domain allowed access.
+##
##
#
template(`userdom_read_user_home_symlinks',`
@@ -1384,11 +1440,15 @@ template(`userdom_read_user_home_symlinks',`
##
##
##
+##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
+##
##
##
+##
## Domain allowed access.
+##
##
#
template(`userdom_exec_user_home_files',`
@@ -1416,11 +1476,15 @@ template(`userdom_exec_user_home_files',`
##
##
##
+##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
+##
##
##
+##
## Domain allowed access.
+##
##
#
template(`userdom_dontaudit_exec_user_home_files',`
@@ -1447,11 +1511,15 @@ template(`userdom_dontaudit_exec_user_home_files',`
##
##
##
+##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
+##
##
##
+##
## Domain allowed access.
+##
##
#
template(`userdom_manage_user_home_subdir_files',`
@@ -1481,11 +1549,15 @@ template(`userdom_manage_user_home_subdir_files',`
##
##
##
+##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
+##
##
##
+##
## Domain allowed access.
+##
##
#
template(`userdom_manage_user_home_subdir_symlinks',`
@@ -1515,11 +1587,15 @@ template(`userdom_manage_user_home_subdir_symlinks',`
##
##
##
+##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
+##
##
##
+##
## Domain allowed access.
+##
##
#
template(`userdom_manage_user_home_subdir_pipes',`
@@ -1549,11 +1625,15 @@ template(`userdom_manage_user_home_subdir_pipes',`
##
##
##
+##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
+##
##
##
+##
## Domain allowed access.
+##
##
#
template(`userdom_manage_user_home_subdir_sockets',`
@@ -1585,18 +1665,26 @@ template(`userdom_manage_user_home_subdir_sockets',`
##
##
##
+##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
+##
##
##
+##
## Domain allowed access.
+##
##
##
+##
## The type of the object to create.
+##
##
##
+##
## The class of the object to be created. If not
## specified, file is used.
+##
##
#
template(`userdom_filetrans_user_home_dir',`
@@ -1627,15 +1715,21 @@ template(`userdom_filetrans_user_home_dir',`
##
##
##
+##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
+##
##
##
+##
## Domain allowed access.
+##
##
##
+##
## The class of the object to be created. If not
## specified, file is used.
+##
##
#
template(`userdom_filetrans_user_home',`
@@ -1662,11 +1756,15 @@ template(`userdom_filetrans_user_home',`
##
##
##
+##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
+##
##
##
+##
## Domain allowed access.
+##
##
#
template(`userdom_write_user_tmp_sockets',`
@@ -1692,11 +1790,15 @@ template(`userdom_write_user_tmp_sockets',`
##
##
##
+##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
+##
##
##
+##
## Domain allowed access.
+##
##
#
template(`userdom_list_user_tmp',`
@@ -1724,11 +1826,15 @@ template(`userdom_list_user_tmp',`
##
##
##
+##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
+##
##
##
+##
## Domain to not audit.
+##
##
#
template(`userdom_dontaudit_list_user_tmp',`
@@ -1753,11 +1859,15 @@ template(`userdom_dontaudit_list_user_tmp',`
##
##
##
+##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
+##
##
##
+##
## Domain allowed access.
+##
##
#
template(`userdom_read_user_tmp_files',`
@@ -1786,11 +1896,15 @@ template(`userdom_read_user_tmp_files',`
##
##
##
+##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
+##
##
##
+##
## Domain to not audit.
+##
##
#
template(`userdom_dontaudit_read_user_tmp_files',`
@@ -1817,11 +1931,15 @@ template(`userdom_dontaudit_read_user_tmp_files',`
##
##
##
+##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
+##
##
##
+##
## Domain allowed access.
+##
##
#
template(`userdom_read_user_tmp_symlinks',`
@@ -1850,11 +1968,15 @@ template(`userdom_read_user_tmp_symlinks',`
##
##
##
+##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
+##
##
##
+##
## Domain allowed access.
+##
##
#
template(`userdom_manage_user_tmp_dirs',`
@@ -1882,11 +2004,15 @@ template(`userdom_manage_user_tmp_dirs',`
##
##
##
+##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
+##
##
##
+##
## Domain allowed access.
+##
##
#
template(`userdom_manage_user_tmp_files',`
@@ -1915,11 +2041,15 @@ template(`userdom_manage_user_tmp_files',`
##
##
##
+##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
+##
##
##
+##
## Domain allowed access.
+##
##
#
template(`userdom_manage_user_tmp_symlinks',`
@@ -1948,11 +2078,15 @@ template(`userdom_manage_user_tmp_symlinks',`
##
##
##
+##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
+##
##
##
+##
## Domain allowed access.
+##
##
#
template(`userdom_manage_user_tmp_pipes',`
@@ -1981,11 +2115,15 @@ template(`userdom_manage_user_tmp_pipes',`
##
##
##
+##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
+##
##
##
+##
## Domain allowed access.
+##
##
#
template(`userdom_manage_user_tmp_sockets',`
@@ -2012,11 +2150,15 @@ template(`userdom_manage_user_tmp_sockets',`
##
##
##
+##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
+##
##
##
+##
## Domain allowed access.
+##
##
#
template(`userdom_rw_user_tmpfs_files',`
@@ -2044,11 +2186,15 @@ template(`userdom_rw_user_tmpfs_files',`
##
##
##
+##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
+##
##
##
+##
## Domain allowed access.
+##
##
#
template(`userdom_list_user_untrusted_content',`
@@ -2075,11 +2221,15 @@ template(`userdom_list_user_untrusted_content',`
##
##
##
+##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
+##
##
##
+##
## Domain to not audit.
+##
##
#
template(`userdom_dontaudit_list_user_untrusted_content',`
@@ -2104,11 +2254,15 @@ template(`userdom_dontaudit_list_user_untrusted_content',`
##
##
##
+##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
+##
##
##
+##
## Domain allowed access.
+##
##
#
template(`userdom_read_user_untrusted_content_files',`
@@ -2136,11 +2290,15 @@ template(`userdom_read_user_untrusted_content_files',`
##
##
##
+##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
+##
##
##
+##
## Domain to not audit.
+##
##
#
template(`userdom_dontaudit_read_user_untrusted_content_files',`
@@ -2165,11 +2323,15 @@ template(`userdom_dontaudit_read_user_untrusted_content_files',`
##
##
##
+##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
+##
##
##
+##
## Domain allowed access.
+##
##
#
template(`userdom_read_user_untrusted_content_symlinks',`
@@ -2195,11 +2357,15 @@ template(`userdom_read_user_untrusted_content_symlinks',`
##
##
##
+##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
+##
##
##
+##
## Domain allowed access.
+##
##
#
template(`userdom_list_user_tmp_untrusted_content',`
@@ -2226,11 +2392,15 @@ template(`userdom_list_user_tmp_untrusted_content',`
##
##
##
+##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
+##
##
##
+##
## Domain to not audit.
+##
##
#
template(`userdom_dontaudit_list_user_tmp_untrusted_content',`
@@ -2255,11 +2425,15 @@ template(`userdom_dontaudit_list_user_tmp_untrusted_content',`
##
##
##
+##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
+##
##
##
+##
## Domain allowed access.
+##
##
#
template(`userdom_read_user_tmp_untrusted_content_files',`
@@ -2287,11 +2461,15 @@ template(`userdom_read_user_tmp_untrusted_content_files',`
##
##
##
+##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
+##
##
##
+##
## Domain to not audit.
+##
##
#
template(`userdom_dontaudit_read_user_tmp_untrusted_content_files',`
@@ -2316,11 +2494,15 @@ template(`userdom_dontaudit_read_user_tmp_untrusted_content_files',`
##
##
##
+##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
+##
##
##
+##
## Domain allowed access.
+##
##
#
template(`userdom_read_user_tmp_untrusted_content_symlinks',`
@@ -2337,7 +2519,9 @@ template(`userdom_read_user_tmp_untrusted_content_symlinks',`
## Read all user untrusted content files.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`userdom_read_all_untrusted_content',`
@@ -2354,7 +2538,9 @@ interface(`userdom_read_all_untrusted_content',`
## Read all user temporary untrusted content files.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`userdom_read_all_tmp_untrusted_content',`
@@ -2380,11 +2566,15 @@ interface(`userdom_read_all_tmp_untrusted_content',`
##
##
##
+##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
+##
##
##
+##
## Domain allowed access.
+##
##
#
template(`userdom_setattr_user_tty',`
@@ -2413,11 +2603,15 @@ template(`userdom_setattr_user_tty',`
##
##
##
+##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
+##
##
##
+##
## Domain allowed access.
+##
##
#
template(`userdom_use_user_tty',`
@@ -2446,11 +2640,15 @@ template(`userdom_use_user_tty',`
##
##
##
+##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
+##
##
##
+##
## Domain allowed access.
+##
##
#
template(`userdom_use_user_terminals',`
@@ -2484,11 +2682,15 @@ template(`userdom_use_user_terminals',`
##
##
##
+##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
+##
##
##
+##
## Domain allowed access.
+##
##
#
template(`userdom_dontaudit_use_user_terminals',`
@@ -2507,7 +2709,9 @@ template(`userdom_dontaudit_use_user_terminals',`
## caller to use setexeccon().
##
##
+##
## Domain allowed access.
+##
##
#
interface(`userdom_spec_domtrans_all_users',`
@@ -2529,7 +2733,9 @@ interface(`userdom_spec_domtrans_all_users',`
## caller to use setexeccon().
##
##
+##
## Domain allowed access.
+##
##
#
interface(`userdom_xsession_spec_domtrans_all_users',`
@@ -2551,7 +2757,9 @@ interface(`userdom_xsession_spec_domtrans_all_users',`
## caller to use setexeccon().
##
##
+##
## Domain allowed access.
+##
##
#
interface(`userdom_spec_domtrans_unpriv_users',`
@@ -2573,7 +2781,9 @@ interface(`userdom_spec_domtrans_unpriv_users',`
## caller to use setexeccon().
##
##
+##
## Domain allowed access.
+##
##
#
interface(`userdom_xsession_spec_domtrans_unpriv_users',`
@@ -2593,7 +2803,9 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
## Manage unpriviledged user SysV sempaphores.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`userdom_manage_unpriv_user_semaphores',`
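Review bot: The summary line in this hunk contains two typos, "unpriviledged" and "sempaphores", which will end up in the generated interface documentation and defeat text searches for the interface. I would correct it to `## Manage unprivileged user SysV semaphores.` The interface body is outside the hunk.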
@@ -2610,7 +2822,9 @@ interface(`userdom_manage_unpriv_user_semaphores',`
## memory segments.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`userdom_manage_unpriv_user_shared_mem',`
@@ -2628,7 +2842,9 @@ interface(`userdom_manage_unpriv_user_shared_mem',`
## caller to use setexeccon().
##
##
+##
## Domain allowed access.
+##
##
#
interface(`userdom_bin_spec_domtrans_unpriv_users',`
@@ -2651,7 +2867,9 @@ interface(`userdom_bin_spec_domtrans_unpriv_users',`
## caller to use setexeccon().
##
##
+##
## Domain allowed access.
+##
##
#
interface(`userdom_sbin_spec_domtrans_unpriv_users',`
@@ -2674,7 +2892,9 @@ interface(`userdom_sbin_spec_domtrans_unpriv_users',`
## caller to use setexeccon().
##
##
+##
## Domain allowed access.
+##
##
#
interface(`userdom_entry_spec_domtrans_unpriv_users',`
@@ -2695,7 +2915,9 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
## Execute a shell in the sysadm domain.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`userdom_shell_domtrans_sysadm',`
@@ -2721,7 +2943,9 @@ interface(`userdom_shell_domtrans_sysadm',`
## Execute a generic bin program in the sysadm domain.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`userdom_bin_spec_domtrans_sysadm',`
@@ -2742,7 +2966,9 @@ interface(`userdom_bin_spec_domtrans_sysadm',`
## Execute a generic sbin program in the sysadm domain.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`userdom_sbin_spec_domtrans_sysadm',`
@@ -2765,7 +2991,9 @@ interface(`userdom_sbin_spec_domtrans_sysadm',`
## caller to use setexeccon().
##
##
+##
## Domain allowed access.
+##
##
#
interface(`userdom_entry_spec_domtrans_sysadm',`
@@ -2786,7 +3014,9 @@ interface(`userdom_entry_spec_domtrans_sysadm',`
## Search the staff users home directory.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`userdom_search_staff_home_dir',`
@@ -2804,7 +3034,9 @@ interface(`userdom_search_staff_home_dir',`
## users home directory.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`userdom_dontaudit_search_staff_home_dir',`
@@ -2820,7 +3052,9 @@ interface(`userdom_dontaudit_search_staff_home_dir',`
## Read files in the staff users home directory.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`userdom_read_staff_home_files',`
@@ -2838,7 +3072,9 @@ interface(`userdom_read_staff_home_files',`
## Send a SIGCHLD signal to sysadm users.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`userdom_sigchld_sysadm',`
@@ -2859,7 +3095,9 @@ interface(`userdom_sigchld_sysadm',`
## of sysadm ttys.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`userdom_dontaudit_getattr_sysadm_ttys',`
@@ -2879,7 +3117,9 @@ interface(`userdom_dontaudit_getattr_sysadm_ttys',`
## Read and write sysadm ttys.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`userdom_use_sysadm_ttys',`
@@ -2901,7 +3141,9 @@ interface(`userdom_use_sysadm_ttys',`
## Do not audit attempts to use sysadm ttys.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`userdom_dontaudit_use_sysadm_ttys',`
@@ -2921,7 +3163,9 @@ interface(`userdom_dontaudit_use_sysadm_ttys',`
## Read and write sysadm ptys.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`userdom_use_sysadm_ptys',`
@@ -2943,7 +3187,9 @@ interface(`userdom_use_sysadm_ptys',`
## Dont audit attempts to read and write sysadm ptys.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`userdom_dontaudit_use_sysadm_ptys',`
@@ -2963,7 +3209,9 @@ interface(`userdom_dontaudit_use_sysadm_ptys',`
## Read and write sysadm ttys and ptys.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`userdom_use_sysadm_terms',`
@@ -2976,7 +3224,9 @@ interface(`userdom_use_sysadm_terms',`
## Do not audit attempts to use sysadm ttys and ptys.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`userdom_dontaudit_use_sysadm_terms',`
@@ -2996,7 +3246,9 @@ interface(`userdom_dontaudit_use_sysadm_terms',`
## Inherit and use sysadm file descriptors
##
##
+##
## Domain allowed access.
+##
##
#
interface(`userdom_use_sysadm_fd',`
@@ -3017,7 +3269,9 @@ interface(`userdom_use_sysadm_fd',`
## Read and write sysadm user unnamed pipes.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`userdom_rw_sysadm_pipes',`
@@ -3039,7 +3293,9 @@ interface(`userdom_rw_sysadm_pipes',`
## home directory.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`userdom_getattr_sysadm_home_dir',`
@@ -3057,7 +3313,9 @@ interface(`userdom_getattr_sysadm_home_dir',`
## home directory.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`userdom_dontaudit_getattr_sysadm_home_dirs',`
@@ -3081,7 +3339,9 @@ interface(`userdom_dontaudit_getattr_sysadm_home_dirs',`
## Search the sysadm users home directory.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`userdom_search_sysadm_home_dir',`
@@ -3098,7 +3358,9 @@ interface(`userdom_search_sysadm_home_dir',`
## users home directory.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`userdom_dontaudit_search_sysadm_home_dir',`
@@ -3122,7 +3384,9 @@ interface(`userdom_dontaudit_search_sysadm_home_dir',`
## List the sysadm users home directory.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`userdom_list_sysadm_home_dir',`
@@ -3139,7 +3403,9 @@ interface(`userdom_list_sysadm_home_dir',`
## users home directory.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`userdom_dontaudit_list_sysadm_home_dir',`
@@ -3156,7 +3422,9 @@ interface(`userdom_dontaudit_list_sysadm_home_dir',`
## users home directory.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`userdom_dontaudit_read_sysadm_home_files',`
@@ -3183,14 +3451,20 @@ interface(`userdom_dontaudit_read_sysadm_home_files',`
## with automatic file type transition.
##
##
+##
## Domain allowed access.
+##
##
##
+##
## The type of the object to be created.
+##
##
##
+##
## The class of the object to be created.
## If not specified, file is used.
+##
##
#
interface(`userdom_filetrans_sysadm_home_dir',`
@@ -3207,7 +3481,9 @@ interface(`userdom_filetrans_sysadm_home_dir',`
## Search the sysadm users home sub directories.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`userdom_search_sysadm_home_subdirs',`
@@ -3223,7 +3499,9 @@ interface(`userdom_search_sysadm_home_subdirs',`
## Read files in the sysadm users home directory.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`userdom_read_sysadm_home_files',`
@@ -3241,7 +3519,9 @@ interface(`userdom_read_sysadm_home_files',`
## List all users home directories.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`userdom_list_all_users_home_dir',`
@@ -3258,7 +3538,9 @@ interface(`userdom_list_all_users_home_dir',`
## Search all users home directories.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`userdom_search_all_users_home',`
@@ -3275,7 +3557,9 @@ interface(`userdom_search_all_users_home',`
## Do not audit attempts to search all users home directories.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`userdom_dontaudit_search_all_users_home',`
@@ -3291,7 +3575,9 @@ interface(`userdom_dontaudit_search_all_users_home',`
## Read all files in all users home directories.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`userdom_read_all_user_files',`
@@ -3310,7 +3596,9 @@ interface(`userdom_read_all_user_files',`
## in all users home directories.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`userdom_manage_all_user_dirs',`
@@ -3328,7 +3616,9 @@ interface(`userdom_manage_all_user_dirs',`
## in all users home directories.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`userdom_manage_all_user_files',`
@@ -3347,7 +3637,9 @@ interface(`userdom_manage_all_user_files',`
## in all users home directories.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`userdom_manage_all_user_symlinks',`
@@ -3375,7 +3667,9 @@ interface(`userdom_manage_all_user_symlinks',`
##
##
##
+##
## Domain allowed access.
+##
##
#
interface(`userdom_priveleged_home_dir_manager',`
@@ -3392,7 +3686,9 @@ interface(`userdom_priveleged_home_dir_manager',`
## Send general signals to unprivileged user domains.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`userdom_signal_unpriv_users',`
@@ -3408,7 +3704,9 @@ interface(`userdom_signal_unpriv_users',`
## Inherit the file descriptors from unprivileged user domains.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`userdom_use_unpriv_users_fd',`
@@ -3425,7 +3723,9 @@ interface(`userdom_use_unpriv_users_fd',`
## file descriptors from all user domains.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`userdom_dontaudit_use_unpriv_user_fd',`
@@ -3442,7 +3742,9 @@ interface(`userdom_dontaudit_use_unpriv_user_fd',`
## with automatic file type transition.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`userdom_filetrans_generic_user_home_dir',`
@@ -3458,7 +3760,9 @@ interface(`userdom_filetrans_generic_user_home_dir',`
## Search generic user home directories.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`userdom_search_generic_user_home_dir',`
@@ -3475,11 +3779,15 @@ interface(`userdom_search_generic_user_home_dir',`
## with automatic file type transition.
##
##
+##
## Domain allowed access.
+##
##
##
+##
## The class of the object to be created.
## If not specified, file is used.
+##
##
#
interface(`userdom_filetrans_generic_user_home',`
@@ -3500,7 +3808,9 @@ interface(`userdom_filetrans_generic_user_home',`
## Don't audit search on the user home subdirectory.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`userdom_dontaudit_search_user_home_dirs',`
@@ -3518,7 +3828,9 @@ interface(`userdom_dontaudit_search_user_home_dirs',`
## home directories.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`userdom_manage_generic_user_home_dirs',`
@@ -3535,7 +3847,9 @@ interface(`userdom_manage_generic_user_home_dirs',`
## in generic user home directories.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`userdom_manage_generic_user_home_files',`
@@ -3553,7 +3867,9 @@ interface(`userdom_manage_generic_user_home_files',`
## links in generic user home directories.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`userdom_manage_generic_user_home_symlinks',`
@@ -3571,7 +3887,9 @@ interface(`userdom_manage_generic_user_home_symlinks',`
## pipes in generic user home directories.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`userdom_manage_generic_user_home_pipes',`
@@ -3589,7 +3907,9 @@ interface(`userdom_manage_generic_user_home_pipes',`
## sockets in generic user home directories.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`userdom_manage_generic_user_home_sockets',`
@@ -3606,7 +3926,9 @@ interface(`userdom_manage_generic_user_home_sockets',`
## Search all unprivileged users home directories.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`userdom_search_unpriv_user_home_dirs',`
@@ -3624,7 +3946,9 @@ interface(`userdom_search_unpriv_user_home_dirs',`
## files.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`userdom_read_unpriv_user_home_files',`
@@ -3644,7 +3968,9 @@ interface(`userdom_read_unpriv_user_home_files',`
## Set the attributes of user ptys.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`userdom_setattr_unpriv_user_pty',`
@@ -3660,7 +3986,9 @@ interface(`userdom_setattr_unpriv_user_pty',`
## Read and write unprivileged user ptys.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`userdom_use_unpriv_users_ptys',`
@@ -3682,7 +4010,9 @@ interface(`userdom_use_unpriv_users_ptys',`
## user ptys.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`userdom_dontaudit_use_unpriv_users_ptys',`
@@ -3702,7 +4032,9 @@ interface(`userdom_dontaudit_use_unpriv_users_ptys',`
## Relabel files to unprivileged user pty types.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`userdom_relabelto_unpriv_user_pty',`
@@ -3719,7 +4051,9 @@ interface(`userdom_relabelto_unpriv_user_pty',`
## unprivileged user pty types.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`userdom_dontaudit_relabelfrom_unpriv_users_ptys',`
@@ -3735,7 +4069,9 @@ interface(`userdom_dontaudit_relabelfrom_unpriv_users_ptys',`
## Read all unprivileged users temporary directories.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`userdom_list_unpriv_user_tmp',`
@@ -3755,7 +4091,9 @@ interface(`userdom_list_unpriv_user_tmp',`
## Read all unprivileged users temporary files.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`userdom_read_unpriv_user_tmp_files',`
@@ -3775,7 +4113,9 @@ interface(`userdom_read_unpriv_user_tmp_files',`
## Read all unprivileged users temporary symbolic links.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`userdom_read_unpriv_user_tmp_symlinks',`
@@ -3795,7 +4135,9 @@ interface(`userdom_read_unpriv_user_tmp_symlinks',`
## Write all unprivileged users files in /tmp
##
##
+##
## Domain allowed access.
+##
##
#
interface(`userdom_write_unpriv_user_tmp',`
@@ -3812,7 +4154,9 @@ interface(`userdom_write_unpriv_user_tmp',`
## user ttys.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`userdom_dontaudit_use_unpriv_users_ttys',`
@@ -3832,7 +4176,9 @@ interface(`userdom_dontaudit_use_unpriv_users_ttys',`
## Read the process state of all user domains.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`userdom_read_all_users_state',`
@@ -3850,7 +4196,9 @@ interface(`userdom_read_all_users_state',`
## Get the attributes of all user domains.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`userdom_getattr_all_userdomains',`
@@ -3866,7 +4214,9 @@ interface(`userdom_getattr_all_userdomains',`
## Inherit the file descriptors from all user domains
##
##
+##
## Domain allowed access.
+##
##
#
interface(`userdom_use_all_users_fd',`
@@ -3883,7 +4233,9 @@ interface(`userdom_use_all_users_fd',`
## descriptors from any user domains.
##
##
+##
## Domain to not audit.
+##
##
#
interface(`userdom_dontaudit_use_all_user_fd',`
@@ -3899,7 +4251,9 @@ interface(`userdom_dontaudit_use_all_user_fd',`
## Send general signals to all user domains.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`userdom_signal_all_users',`
@@ -3915,7 +4269,9 @@ interface(`userdom_signal_all_users',`
## Send a SIGCHLD signal to all user domains.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`userdom_sigchld_all_users',`
@@ -3931,7 +4287,9 @@ interface(`userdom_sigchld_all_users',`
## Send a dbus message to all user domains.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`userdom_dbus_send_all_users',`
@@ -3948,7 +4306,9 @@ interface(`userdom_dbus_send_all_users',`
## Unconfined access to user domains.
##
##
+##
## Domain allowed access.
+##
##
#
interface(`userdom_unconfined',`
diff --git a/refpolicy/support/Makefile.devel b/refpolicy/support/Makefile.devel
new file mode 100644
index 0000000..6f2fbea
--- /dev/null
+++ b/refpolicy/support/Makefile.devel
@@ -0,0 +1,180 @@
+
+include $(HEADERDIR)/build.conf
+
+# executables
+PREFIX := /usr
+BINDIR := $(PREFIX)/bin
+SBINDIR := $(PREFIX)/sbin
+CHECKMODULE := $(BINDIR)/checkmodule
+SEMODULE := $(SBINDIR)/semodule
+SEMOD_PKG := $(BINDIR)/semodule_package
+XMLLINT := $(BINDIR)/xmllint
+
+# helper tools
+AWK ?= gawk
+INSTALL ?= install
+M4 ?= m4
+SED ?= sed
+EINFO ?= echo
+PYTHON ?= python
+
+# set default build options if missing
+TYPE ?= strict
+NAME ?= $(TYPE)
+DIRECT_INITRC ?= n
+POLY ?= n
+QUIET ?= y
+
+genxml := $(PYTHON) $(HEADERDIR)/support/segenxml.py
+
+docs = doc
+polxml = $(docs)/policy.xml
+xmldtd = $(HEADERDIR)/support/policy.dtd
+layerxml = metadata.xml
+
+globaltun = $(HEADERDIR)/global_tunables.xml
+globalbool = $(HEADERDIR)/global_booleans.xml
+
+# compile strict policy if requested.
+ifneq ($(findstring strict,$(TYPE)),)
+ M4PARAM += -D strict_policy
+endif
+
+# compile targeted policy if requested.
+ifneq ($(findstring targeted,$(TYPE)),)
+ M4PARAM += -D targeted_policy
+endif
+
+# enable MLS if requested.
+ifneq ($(findstring -mls,$(TYPE)),)
+ M4PARAM += -D enable_mls
+ CHECKPOLICY += -M
+ CHECKMODULE += -M
+endif
+
+# enable MLS if MCS requested.
+ifneq ($(findstring -mcs,$(TYPE)),)
+ M4PARAM += -D enable_mcs
+ CHECKPOLICY += -M
+ CHECKMODULE += -M
+endif
+
+# enable distribution-specific policy
+ifneq ($(DISTRO),)
+ M4PARAM += -D distro_$(DISTRO)
+endif
+
+# enable polyinstantiation
+ifeq ($(POLY),y)
+ M4PARAM += -D enable_polyinstantiation
+endif
+
+ifeq ($(DIRECT_INITRC),y)
+ M4PARAM += -D direct_sysadm_daemon
+endif
+
+ifeq ($(QUIET),y)
+ verbose := @
+endif
+
+M4PARAM += -D hide_broken_symptoms
+
+# policy headers
+m4support = $(wildcard $(HEADERDIR)/support/*.spt)
+all_layers = $(filter-out $(HEADERDIR)/support,$(shell find $(wildcard $(HEADERDIR)/*) -maxdepth 0 -type d))
+all_interfaces = $(foreach layer,$(all_layers),$(wildcard $(layer)/*.if))
+rolemap = $(HEADERDIR)/rolemap
+
+detected_layers = $(filter-out CVS tmp $(docs),$(shell find $(wildcard *) -maxdepth 0 -type d))
+3rd_party_mods = $(wildcard *.te)
+3rd_party_ifs = $(3rd_party_mods:.te=.if)
+detected_mods = $(3rd_party_mods) $(foreach layer,$(detected_layers),$(wildcard $(layer)/*.te))
+detected_ifs = $(3rd_party_ifs) $(foreach layer,$(detected_layers),$(wildcard $(layer)/*.if))
+all_packages = $(detected_mods:.te=.pp)
+
+# if there are modules in the current directory, add them into the third party layer
+ifneq "$(3rd_party_ifs)" ""
+ genxml += -3 .
+endif
+
+########################################
+#
+# Functions
+#
+
+# parse-rolemap modulename,outputfile
+define parse-rolemap
+ $(verbose) $(M4) $(M4PARAM) $(rolemap) | \
+ $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_userdomain_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
+endef
+
+# peruser-expansion modulename,outputfile
+define peruser-expansion
+ $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" > $2
+ $(call parse-rolemap,$1,$2)
+ $(verbose) echo "')" >> $2
+endef
+
+.PHONY: clean all xml
+.SUFFIXES:
+.SUFFIXES: .pp
+
+########################################
+#
+# Main targets
+#
+
+all: $(all_packages)
+
+xml: $(polxml)
+
+########################################
+#
+# Build module packages
+#
+tmp/%.mod: $(m4support) tmp/all_interfaces.conf %.te
+ @$(EINFO) "Compliling $(NAME) $(basename $(@F)) module"
+ @test -d tmp || mkdir -p tmp
+ $(call peruser-expansion,$(basename $(@F)),$@.role)
+ $(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp)
+ $(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
+
+tmp/%.mod.fc: $(m4support) %.fc
+ $(verbose) $(M4) $(M4PARAM) $^ > $@
+
+%.pp: tmp/%.mod tmp/%.mod.fc
+ @echo "Creating $(NAME) $(@F) policy package"
+ $(verbose) $(SEMOD_PKG) -o $@ -m $< -f $<.fc
+
+tmp/all_interfaces.conf: $(m4support) $(all_interfaces) $(detected_ifs)
+ @test -d tmp || mkdir -p tmp
+ $(verbose) m4 $^ | sed -e s/dollarsstar/\$$\*/g > $@
+
+
+########################################
+#
+# Documentation generation
+#
+
+# minimal dependencies here, because we don't want to rebuild
+# this and its dependents every time the dependencies
+# change. Also use all .if files here, rather then just the
+# enabled modules.
+$(polxml): $(detected_ifs) $(foreach dir,$(all_layers),$(dir)/$(layerxml))
+ @echo "Creating $@"
+ @mkdir -p doc
+ $(verbose) echo '' > $@
+ $(verbose) echo '' >> $@
+ $(verbose) $(genxml) -m $(layerxml) --tunables-xml $(globaltun) --booleans-xml $(globalbool) $(all_layers) $(detected_layers) >> $@
+ $(verbose) if test -x $(XMLLINT) && test -f $(xmldtd); then \
+ $(XMLLINT) --noout --dtdvalid $(xmldtd) $@ ;\
+ fi
+
+########################################
+#
+# Clean the environment
+#
+
+clean:
+ rm -fR tmp
+ rm -f *.pp
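Review bot: `HEADERDIR` is dereferenced on the first line (`include $(HEADERDIR)/build.conf`) and again in `genxml`, `m4support`, `all_layers` and `rolemap`, but nothing in this file gives it a value or checks that it is set. With it empty the include resolves to `/build.conf`, which make evaluates as makefile text, and `all_layers` runs `find` over `$(wildcard /*)`. A guard ahead of the include makes the failure explicit: `ifndef HEADERDIR`, then `$(error HEADERDIR must point at the installed policy headers)`, then `endif`. Separately, the `tmp/all_interfaces.conf` recipe calls `m4` and `sed` directly although `M4` and `SED` are defined above, and the `tmp/%.mod` message is misspelled as "Compliling".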
diff --git a/refpolicy/support/sedoctool.py b/refpolicy/support/sedoctool.py
index 1868ca2..b0a1bcd 100755
--- a/refpolicy/support/sedoctool.py
+++ b/refpolicy/support/sedoctool.py
@@ -55,7 +55,10 @@ def gen_tunable_conf(doc, file_name, namevalue_list):
"""
for node in doc.getElementsByTagName("tunable"):
- s = string.split(format_txt_desc(node), "\n")
+ for desc in node.getElementsByTagName("desc"):
+ tun_desc = format_txt_desc(desc)
+ s = string.split(tun_desc, "\n")
+ file_name.write("#\n")
for line in s:
file_name.write("# %s\n" % line)
tun_name = tun_val = None
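Review bot: `s` is now assigned only inside the new `for desc in node.getElementsByTagName("desc")` loop, so a `tunable` node without a `desc` child never sets it. Indentation is not recoverable on this page; if `for line in s:` sits outside the new loop, such a node either raises NameError or re-emits the previous tunable's text. The later hunks in `gen_docs` have the same shape with `paramdesc` (interface and template params) and `description` (tunables and booleans), where the old code assigned unconditionally. Setting a default before each loop, for example `paramdesc = None` and `description = None`, keeps one element's text from carrying over into the next. Both functions continue outside these hunks.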
@@ -403,13 +406,15 @@ def gen_docs(doc, working_dir, templatedir):
interface_desc = interface_summary = None
interface_name = interface.getAttribute("name")
interface_line = interface.getAttribute("lineno")
- for desc in interface.getElementsByTagName("desc"):
- interface_desc = format_html_desc(desc)
- for desc in interface.getElementsByTagName("summary"):
- interface_summary = format_html_desc(desc)
-
+ for desc in interface.childNodes:
+ if desc.nodeName == "desc":
+ interface_desc = format_html_desc(desc)
+ elif desc.nodeName == "summary":
+ interface_summary = format_html_desc(desc)
+
for args in interface.getElementsByTagName("param"):
- paramdesc = args.firstChild.data
+ for desc in args.getElementsByTagName("summary"):
+ paramdesc = format_html_desc(desc)
paramname = args.getAttribute("name")
if args.getAttribute("optional") == "true":
paramopt = "Yes"
@@ -442,13 +447,15 @@ def gen_docs(doc, working_dir, templatedir):
template_desc = template_summary = None
template_name = template.getAttribute("name")
template_line = template.getAttribute("lineno")
- for desc in template.getElementsByTagName("desc"):
- template_desc = format_html_desc(desc)
- for desc in template.getElementsByTagName("summary"):
- template_summary = format_html_desc(desc)
-
+ for desc in template.childNodes:
+ if desc.nodeName == "desc":
+ template_desc = format_html_desc(desc)
+ elif desc.nodeName == "summary":
+ template_summary = format_html_desc(desc)
+
for args in template.getElementsByTagName("param"):
- paramdesc = args.firstChild.data
+ for desc in args.getElementsByTagName("summary"):
+ paramdesc = format_html_desc(desc)
paramname = args.getAttribute("name")
if args.getAttribute("optional") == "true":
paramopt = "Yes"
@@ -558,7 +565,8 @@ def gen_docs(doc, working_dir, templatedir):
if tunable.parentNode.nodeName == "policy":
tunable_name = tunable.getAttribute("name")
default_value = tunable.getAttribute("dftval")
- description = format_html_desc(tunable)
+ for desc in tunable.getElementsByTagName("desc"):
+ description = format_html_desc(desc)
global_tun_buf.append( { "tun_name" : tunable_name,
"def_val" : default_value,
"desc" : description } )
@@ -582,7 +590,8 @@ def gen_docs(doc, working_dir, templatedir):
if boolean.parentNode.nodeName == "policy":
bool_name = boolean.getAttribute("name")
default_value = boolean.getAttribute("dftval")
- description = format_html_desc(boolean)
+ for desc in boolean.getElementsByTagName("desc"):
+ description = format_html_desc(desc)
global_bool_buf.append( { "bool_name" : bool_name,
"def_val" : default_value,
"desc" : description } )
diff --git a/refpolicy/support/segenxml.py b/refpolicy/support/segenxml.py
index 14fb307..62b4fb4 100755
--- a/refpolicy/support/segenxml.py
+++ b/refpolicy/support/segenxml.py
@@ -1,8 +1,10 @@
#!/usr/bin/python
-# Author: Donald Miner
+# Author(s): Donald Miner
+# Dave Sugar
+# Brian Williams
#
-# Copyright (C) 2003 - 2005 Tresys Technology, LLC
+# Copyright (C) 2003 - 2006 Tresys Technology, LLC
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 2.
@@ -20,12 +22,15 @@ import re
# GLOBALS
# Default values of command line arguments:
-directory = "./"
warn = False
meta = "metadata"
-layers = []
+third_party = "third-party"
+layers = {}
tunable_files = []
bool_files = []
+xml_tunable_files = []
+xml_bool_files = []
+output_dir = ""
# Pre compiled regular expressions:
@@ -144,11 +149,14 @@ def getModuleXML(file_name):
# Add default summaries and parameters so that the
# DTD is happy.
else:
+ warning ("unable to find XML for %s %s()" % (groups[0], groups[1]))
module_buf.append("\n")
module_buf.append("Summary is missing!\n")
module_buf.append("\n")
module_buf.append("\n")
+ module_buf.append("")
module_buf.append("Parameter descriptions are missing!\n")
+ module_buf.append("")
module_buf.append("\n")
# Close the interface/template tag.
@@ -171,7 +179,7 @@ def getModuleXML(file_name):
return module_buf
-def getLayerXML(directory):
+def getLayerXML (layerName, directories):
'''
Returns the XML documentation for a layer.
'''
@@ -179,21 +187,35 @@ def getLayerXML(directory):
layer_buf = []
# Infer the layer name from the directory name.
- layer_buf.append("\n" % os.path.basename(directory))
+ layer_buf.append("\n" % layerName)
- # Try to open the metadata file for this directory and if it exists,
+ # Try to file the metadata file for this layer and if it exists,
# append the contents to the buffer.
- try:
- layer_meta = open(directory+"/"+meta, "r")
- layer_buf += layer_meta.readlines()
- layer_meta.close()
- except:
- warning("cannot open file %s for read, assuming no data"\
- % meta)
-
+ bFoundMeta = False
+ for directory in directories:
+ metafile = directory + "/" + meta
+
+ if not bFoundMeta and os.path.isfile (metafile):
+ layer_meta = open (metafile, "r")
+ layer_buf += layer_meta.readlines ()
+ layer_meta.close()
+ bFoundMeta = True
+
+ # force the metadata for the third party layer
+ if not bFoundMeta:
+ if layerName == third_party:
+ layer_buf.append ("This is all third-party generated modules.\n")
+ bFoundMeta = True
+
+ # didn't find meta data for this layer - oh well
+ if not bFoundMeta:
+ layer_buf.append ("Summary is missing!.\n")
+ warning ("unable to find %s for layer %s" % (meta, layerName))
+
# For each module file in the layer, add its XML.
- for module in glob.glob("%s/*.if" % directory):
- layer_buf += getModuleXML(module)
+ for directory in directories:
+ for module in glob.glob("%s/*.if" % directory):
+ layer_buf += getModuleXML(module)
layer_buf.append("\n")
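Review bot: The new `open (metafile, "r")` is no longer inside a `try`, so a metadata file that passes `os.path.isfile` but cannot be read now ends the run with a traceback, where the old code warned and carried on. Wrapping the open/readlines pair in `try:` with `except IOError:` calling `warning("cannot open file %s for read, assuming no data" % metafile)` would keep the earlier behaviour. Two comments also need updating: `# Infer the layer name from the directory name.` no longer matches the code and could read `# Use the layer name supplied by the caller.`, and "Try to file the metadata file" should be "Try to find the metadata file". The function starts and ends outside this hunk.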
@@ -222,7 +244,7 @@ def getTunableXML(file_name, kind):
# If it is an XML comment, add it to the buffer and go on.
comment = XML_COMMENT.match(line)
if comment:
- temp_buf.append(comment.group(1))
+ temp_buf.append(comment.group(1) + "\n")
continue
# Get the boolean/tunable data.
@@ -246,50 +268,70 @@ def getTunableXML(file_name, kind):
if len(temp_buf):
warning("orphan XML comments at bottom of file %s" % file_name)
+
+ # If the caller requested a the global_tunables and global_booleans to be
+ # output to a file output them now
+ if len(output_dir) > 0:
+ xmlfile = os.path.split(file_name)[1] + ".xml"
+
+ try:
+ xml_outfile = open(output_dir + "/" + xmlfile, "w")
+ for tunable_line in tunable_buf:
+ xml_outfile.write (tunable_line)
+ xml_outfile.close()
+ except:
+ warning ("cannot write to file %s, skipping creation" % xmlfile)
+
return tunable_buf
-def getPolicyXML(directory):
+def getXMLFileContents (file_name):
'''
- Return the compelete reference policy XML documentation through a list,
- one line per item.
+ Return all the XML in the file specified.
'''
- # Keep track of original path so that it will change back at the end.
- old_dir = os.path.abspath(os.path.curdir)
-
- # Attempt to change directory into the policy directory. If it doesn't
- # exist just return an empty documentation.
+ tunable_buf = []
+ # Try to open the xml file for this type of file
+ # append the contents to the buffer.
try:
- os.chdir(directory)
+ tunable_xml = open(file_name, "r")
+ tunable_buf += tunable_xml.readlines()
+ tunable_xml.close()
except:
- warning("cannot change directory to %s, ignoring"\
- % directory)
- return []
+ warning("cannot open file %s for read, assuming no data" % file_name)
+
+ return tunable_buf
+
+def getPolicyXML():
+ '''
+ Return the compelete reference policy XML documentation through a list,
+ one line per item.
+ '''
policy_buf = []
policy_buf.append("\n")
# Add to the XML each layer specified by the user.
- for layer in layers:
- policy_buf += getLayerXML(layer)
+ for layer in layers.keys ():
+ policy_buf += getLayerXML(layer, layers[layer])
# Add to the XML each tunable file specified by the user.
for tunable_file in tunable_files:
policy_buf += getTunableXML(tunable_file, "tunable")
+ # Add to the XML each XML tunable file specified by the user.
+ for tunable_file in xml_tunable_files:
+ policy_buf += getXMLFileContents (tunable_file)
+
# Add to the XML each bool file specified by the user.
for bool_file in bool_files:
policy_buf += getTunableXML(bool_file, "bool")
+ # Add to the XML each XML bool file specified by the user.
+ for bool_file in xml_bool_files:
+ policy_buf += getXMLFileContents (bool_file)
policy_buf.append("\n")
- # Return to old directory.
- try:
- os.chdir(old_dir)
- except:
- error("cannot change directory to %s" % old_dir)
-
return policy_buf
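Review bot: The bare `except:` around the new output-file write in `getTunableXML` catches every exception, KeyboardInterrupt included, and reduces a failed write to a `warning()`. If warnings are printed only under `-w` (the body of `warning` is not in this hunk), a missing or unwritable `output_dir` passes silently, and `xml_outfile` stays open when a write fails partway. Narrowing the handler to `except IOError:` and closing the file in a `finally:` block would fix both; if other build steps rely on the written files, reporting through `error()` rather than `warning()` may be the better choice. `getTunableXML` begins outside this hunk.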
def usage():
@@ -297,27 +339,39 @@ def usage():
Displays a message describing the proper usage of this script.
"""
- sys.stdout.write("usage: %s [-w] [-d directory] [-m file] "\
+ sys.stdout.write("usage: %s [-w] [-m file] "\
% sys.argv[0])
sys.stdout.write("layerdirectory [layerdirectory...]\n\n")
sys.stdout.write("Options:\n")
- sys.stdout.write("-w --warn -- "+\
+ sys.stdout.write ("-h --help -- "+\
+ "show command line options\n")
+
+ sys.stdout.write("-w --warn -- "+\
"show warnings\n")
- sys.stdout.write("-m --meta -- "+\
+ sys.stdout.write("-m --meta -- "+\
"the filename of the metadata in each layer\n")
- sys.stdout.write("-d --directory -- "+\
- "directory where the layers are\n")
-
- sys.stdout.write("-t --tunable -- "+\
+ sys.stdout.write("-t --tunable -- "+\
"A file containing tunable declarations\n")
- sys.stdout.write("-b --bool -- "+\
+ sys.stdout.write("-b --bool -- "+\
"A file containing bool declarations\n")
+
+ sys.stdout.write("-o --output-dir -- "+\
+ "A directory to output global_tunables.xml and global_booleans.xml\n")
+
+ sys.stdout.write("--tunables-xml -- "+\
+ "A file containing tunable declarations already in XML format\n")
+
+ sys.stdout.write("--booleans-xml -- "+\
+ "A file containing bool declarations already in XML format\n")
+
+ sys.stdout.write ("-3 --third-party -- "+\
+ "Look for 3rd Party modules in directory.\n")
def warning(description):
'''
@@ -349,16 +403,13 @@ if len(sys.argv) <= 1:
# Parse the command line arguments
for i in range(1, len(sys.argv)):
- if sys.argv[i-1] in ("-d", "--directory", "-m", "--meta",\
- "-t", "--tunable", "-b", "--bool"):
+ if sys.argv[i-1] in ("-m", "--meta",\
+ "-t", "--tunable", "-b", "--bool",\
+ "-o", "--output-dir", "-3", "--third-party", \
+ "--tunables-xml", "--booleans-xml"):
continue
elif sys.argv[i] in ("-w", "--warn"):
warn = True
- elif sys.argv[i] in ("-d", "--directory"):
- if i < len(sys.argv)-1:
- directory = sys.argv[i+1]
- else:
- usage()
elif sys.argv[i] in ("-m", "--meta"):
if i < len(sys.argv)-1:
meta = sys.argv[i+1]
@@ -374,12 +425,49 @@ for i in range(1, len(sys.argv)):
bool_files.append(sys.argv[i+1])
else:
usage()
+
+ elif sys.argv[i] == "--tunables-xml":
+ if i < len(sys.argv)-1:
+ xml_bool_files.append (sys.argv[i+1])
+ else:
+ usage ()
+
+ elif sys.argv[i] == "--booleans-xml":
+ if i < len(sys.argv)-1:
+ xml_tunable_files.append (sys.argv[i+1])
+ else:
+ usage ()
+
+ elif sys.argv[i] in ("-o", "--output-dir"):
+ if i < len(sys.argv)-1:
+ output_dir = sys.argv[i+1]
+ else:
+ usage ()
+
+ elif sys.argv[i] in ("-3", "--third-party"):
+ if i < len(sys.argv) -1:
+ if layers.has_key (third_party):
+ layers[third_party].append (sys.argv[i+1])
+ else:
+ layers[third_party] = [sys.argv[i+1]]
+ else:
+ usage ()
+
+ elif sys.argv[i] in ("-h", "--help"):
+ usage ()
+ sys.exit (1)
else:
- layers.append(sys.argv[i])
+ # store directories in hash stored by layer name
+ splitlayer = os.path.split(sys.argv[i])
+ if layers.has_key (splitlayer[1]):
+ layers[splitlayer[1]].append (sys.argv[i])
+ else:
+ layers[splitlayer[1]] = [sys.argv[i]]
# Generate the XML and output it to a file
-lines = getPolicyXML(directory)
+lines = getPolicyXML()
for s in lines:
sys.stdout.write(s)
+
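Review bot: The two new XML options fill each other's lists: the `--tunables-xml` branch appends to `xml_bool_files` and the `--booleans-xml` branch appends to `xml_tunable_files`. `getPolicyXML` emits `xml_tunable_files` right after the tunable declarations and `xml_bool_files` after the bool declarations, so the two pre-built files come out in swapped positions, which may also matter for DTD validation if it is order-sensitive. The branches should read `xml_tunable_files.append (sys.argv[i+1])` under `--tunables-xml` and `xml_bool_files.append (sys.argv[i+1])` under `--booleans-xml`. As a smaller point, the `-h`/`--help` branch exits with `sys.exit (1)`, although a help request is normally a success.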