diff --git a/refpolicy/Makefile b/refpolicy/Makefile index cb9c184..7b32984 100644 --- a/refpolicy/Makefile +++ b/refpolicy/Makefile @@ -371,7 +371,7 @@ $(POLXML): $(DETECTED_MODS:.te=.if) $(foreach dir,$(ALL_LAYERS),$(dir)/$(LAYERXM @test -d $(TMPDIR) || mkdir -p $(TMPDIR) $(verbose) echo '' > $@ $(verbose) echo '' >> $@ - $(verbose) $(GENXML) -m $(LAYERXML) -t $(GLOBALTUN) -b $(GLOBALBOOL) -o $(DOCS) $(ALL_LAYERS) >> $@ + $(verbose) $(GENXML) -w -m $(LAYERXML) -t $(GLOBALTUN) -b $(GLOBALBOOL) -o $(DOCS) $(ALL_LAYERS) >> $@ $(verbose) if test -x $(XMLLINT) && test -f $(XMLDTD); then \ $(XMLLINT) --noout --path $(dir $(XMLDTD)) --dtdvalid $(XMLDTD) $@ ;\ fi diff --git a/refpolicy/policy/modules/admin/quota.if b/refpolicy/policy/modules/admin/quota.if index 8f4dd73..8d3bac7 100644 --- a/refpolicy/policy/modules/admin/quota.if +++ b/refpolicy/policy/modules/admin/quota.if @@ -73,6 +73,17 @@ interface(`quota_dontaudit_getattr_db',` dontaudit $1 quota_db_t:file getattr; ') +######################################## +## +## Create, read, write, and delete quota +## flag files. +## +## +## +## Domain to not audit. +## +## +# interface(`quota_manage_flags',` gen_require(` type quota_flag_t; diff --git a/refpolicy/policy/modules/admin/su.if b/refpolicy/policy/modules/admin/su.if index e51472d..e4ed937 100644 --- a/refpolicy/policy/modules/admin/su.if +++ b/refpolicy/policy/modules/admin/su.if @@ -1,5 +1,33 @@ ## Run shells with substitute user and group +####################################### +## +## Restricted su domain template. +## +## +##

+## This template creates a derived domain which is allowed +## to change the linux user id, to run shells as a different +## user. +##

+##
+## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## The type of the user domain. +## +## +## +## +## The role associated with the user domain. +## +## +# template(`su_restricted_domain_template', ` gen_require(` type su_exec_t; diff --git a/refpolicy/policy/modules/kernel/corecommands.if b/refpolicy/policy/modules/kernel/corecommands.if index 93d38c3..dc642b3 100644 --- a/refpolicy/policy/modules/kernel/corecommands.if +++ b/refpolicy/policy/modules/kernel/corecommands.if @@ -49,6 +49,7 @@ interface(`corecmd_executable_file',` ## Alias type for bin_t. ## ## +# interface(`corecmd_bin_alias',` ifdef(`targeted_policy',` gen_require(` @@ -71,6 +72,7 @@ interface(`corecmd_bin_alias',` ## The domain for which bin_t is an entrypoint. ## ## +# interface(`corecmd_bin_entry_type',` gen_require(` type bin_t; @@ -89,6 +91,7 @@ interface(`corecmd_bin_entry_type',` ## The domain for which sbin programs are an entrypoint. ## ## +# interface(`corecmd_sbin_entry_type',` gen_require(` type sbin_t; @@ -106,6 +109,7 @@ interface(`corecmd_sbin_entry_type',` ## The domain for which the shell is an entrypoint. ## ## +# interface(`corecmd_shell_entry_type',` gen_require(` type shell_exec_t; @@ -115,8 +119,14 @@ interface(`corecmd_shell_entry_type',` ') ######################################## -# -# corecmd_search_bin(domain) +## +## Search the contents of bin directories. +## +## +## +## Domain allowed access. +## +## # interface(`corecmd_search_bin',` gen_require(` @@ -127,8 +137,14 @@ interface(`corecmd_search_bin',` ') ######################################## -# -# corecmd_list_bin(domain) +## +## List the contents of bin directories. +## +## +## +## Domain allowed access. +## +## # interface(`corecmd_list_bin',` gen_require(` @@ -233,8 +249,15 @@ interface(`corecmd_read_bin_sockets',` ') ######################################## -# -# corecmd_exec_bin(domain) +## +## Execute generic programs in bin directories, +## in the caller domain. +## +## +## +## Domain allowed access. +## +## # interface(`corecmd_exec_bin',` gen_require(` @@ -395,8 +418,14 @@ interface(`corecmd_bin_domtrans',` ') ######################################## -# -# corecmd_search_sbin(domain) +## +## Search the contents of sbin directories. +## +## +## +## Domain allowed access. +## +## # interface(`corecmd_search_sbin',` gen_require(` @@ -426,8 +455,14 @@ interface(`corecmd_dontaudit_search_sbin',` ') ######################################## -# -# corecmd_list_sbin(domain) +## +## List the contents of sbin directories. +## +## +## +## Domain allowed access. +## +## # interface(`corecmd_list_sbin',` gen_require(` @@ -438,8 +473,14 @@ interface(`corecmd_list_sbin',` ') ######################################## -# -# corecmd_getattr_sbin_files(domain) +## +## Get the attributes of sbin files. +## +## +## +## Domain allowed access. +## +## # interface(`corecmd_getattr_sbin_files',` gen_require(` @@ -450,8 +491,15 @@ interface(`corecmd_getattr_sbin_files',` ') ######################################## -# -# corecmd_dontaudit_getattr_sbin_files(domain) +## +## Do not audit attempts to get the attibutes +## of sbin files. +## +## +## +## Domain to not audit. +## +## # interface(`corecmd_dontaudit_getattr_sbin_files',` gen_require(` @@ -538,8 +586,15 @@ interface(`corecmd_read_sbin_sockets',` ') ######################################## -# -# corecmd_exec_sbin(domain) +## +## Execute generic programs in sbin directories, +## in the caller domain. +## +## +## +## Domain allowed access. +## +## # interface(`corecmd_exec_sbin',` gen_require(` @@ -724,8 +779,14 @@ interface(`corecmd_check_exec_shell',` ') ######################################## -# -# corecmd_exec_shell(domain) +## +## Execute a shell in the caller domain. +## +## +## +## Domain allowed access. +## +## # interface(`corecmd_exec_shell',` gen_require(` @@ -738,8 +799,14 @@ interface(`corecmd_exec_shell',` ') ######################################## -# -# corecmd_exec_ls(domain) +## +## Execute ls in the caller domain. +## +## +## +## Domain allowed access. +## +## # interface(`corecmd_exec_ls',` gen_require(` @@ -826,8 +893,14 @@ interface(`corecmd_shell_domtrans',` ') ######################################## -# -# corecmd_exec_chroot(domain) +## +## Execute chroot in the caller domain. +## +## +## +## Domain allowed access. +## +## # interface(`corecmd_exec_chroot',` gen_require(` diff --git a/refpolicy/policy/modules/kernel/domain.if b/refpolicy/policy/modules/kernel/domain.if index 95822fb..3de6530 100644 --- a/refpolicy/policy/modules/kernel/domain.if +++ b/refpolicy/policy/modules/kernel/domain.if @@ -103,8 +103,15 @@ interface(`domain_entry_file',` ') ######################################## -# -# domain_interactive_fd(domain) +## +## Make the file descriptors of the specified +## domain for interactive use (widely inheritable) +## +## +## +## Domain allowed access. +## +## # interface(`domain_interactive_fd',` gen_require(` @@ -115,8 +122,25 @@ interface(`domain_interactive_fd',` ') ######################################## -# -# domain_dyntrans_type(domain) +## +## Allow the specified domain to perform +## dynamic transitions. +## +## +##

+## Allow the specified domain to perform +## dynamic transitions. +##

+##

+## This violates process tranquility, and it +## is strongly suggested that this not be used. +##

+##
+## +## +## Domain allowed access. +## +## # interface(`domain_dyntrans_type',` gen_require(` @@ -309,8 +333,15 @@ interface(`domain_cron_exemption_target',` ') ######################################## -# -# domain_use_interactive_fds(domain) +## +## Inherit and use file descriptors from +## domains with interactive programs. +## +## +## +## Domain allowed access. +## +## # interface(`domain_use_interactive_fds',` gen_require(` @@ -321,8 +352,16 @@ interface(`domain_use_interactive_fds',` ') ######################################## -# -# domain_dontaudit_use_interactive_fds(domain) +## +## Do not audit attempts to inherit file +## descriptors from domains with interactive +## programs. +## +## +## +## Domain allowed access. +## +## # interface(`domain_dontaudit_use_interactive_fds',` gen_require(` @@ -353,8 +392,14 @@ interface(`domain_sigchld_interactive_fds',` ') ######################################## -# -# domain_setpriority_all_domains(domain) +## +## Set the nice level of all domains. +## +## +## +## Domain allowed access. +## +## # interface(`domain_setpriority_all_domains',` gen_require(` @@ -370,7 +415,7 @@ interface(`domain_setpriority_all_domains',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -388,7 +433,7 @@ interface(`domain_signal_all_domains',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -406,7 +451,7 @@ interface(`domain_signull_all_domains',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -424,7 +469,7 @@ interface(`domain_sigstop_all_domains',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -442,7 +487,7 @@ interface(`domain_sigchld_all_domains',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -674,7 +719,7 @@ interface(`domain_dontaudit_ptrace_confined_domains',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -699,7 +744,7 @@ interface(`domain_dontaudit_read_all_domains_state',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -717,7 +762,7 @@ interface(`domain_dontaudit_list_all_domains_state',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -736,7 +781,7 @@ interface(`domain_getsession_all_domains',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -813,7 +858,7 @@ interface(`domain_dontaudit_getattr_all_sockets',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -832,7 +877,7 @@ interface(`domain_dontaudit_getattr_all_tcp_sockets',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -851,7 +896,7 @@ interface(`domain_dontaudit_getattr_all_udp_sockets',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -870,7 +915,7 @@ interface(`domain_dontaudit_rw_all_udp_sockets',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -889,7 +934,7 @@ interface(`domain_dontaudit_getattr_all_key_sockets',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -908,7 +953,7 @@ interface(`domain_dontaudit_getattr_all_packet_sockets',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -927,7 +972,7 @@ interface(`domain_dontaudit_getattr_all_raw_sockets',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -946,7 +991,7 @@ interface(`domain_dontaudit_rw_all_key_sockets',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -965,7 +1010,7 @@ interface(`domain_dontaudit_getattr_all_dgram_sockets',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -984,7 +1029,7 @@ interface(`domain_dontaudit_getattr_all_stream_sockets',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -1017,8 +1062,14 @@ interface(`domain_getattr_all_entry_files',` ') ######################################## -# -# domain_read_all_entry_files(domain) +## +## Read the entry point files for all domains. +## +## +## +## Domain allowed access. +## +## # interface(`domain_read_all_entry_files',` gen_require(` @@ -1030,8 +1081,15 @@ interface(`domain_read_all_entry_files',` ') ######################################## -# -# domain_exec_all_entry_files(domain) +## +## Execute the entry point files for all +## domains in the caller domain. +## +## +## +## Domain allowed access. +## +## # interface(`domain_exec_all_entry_files',` gen_require(` @@ -1106,7 +1164,7 @@ interface(`domain_mmap_all_entry_files',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -1125,7 +1183,7 @@ interface(`domain_entry_file_spec_domtrans',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -1156,8 +1214,24 @@ interface(`domain_unconfined',` # ######################################## -# -# domain_trans(source_domain,entrypoint_file,target_domain) +## +## Specified domain transition requiring setexeccon. +## +## +## +## Domain to transition from. +## +## +## +## +## Type of program to execute. +## +## +## +## +## Domain to transition to. +## +## # template(`domain_trans',` allow $1 $2:file { getattr read execute }; @@ -1166,8 +1240,24 @@ template(`domain_trans',` ') ######################################## -# -# domain_auto_trans(source_domain,entrypoint_file,target_domain) +## +## Automatic domain transition by type_transition. +## +## +## +## Domain to transition from. +## +## +## +## +## Type of program to execute. +## +## +## +## +## Domain to transition to. +## +## # template(`domain_auto_trans',` domain_trans($1,$2,$3) diff --git a/refpolicy/policy/modules/kernel/files.if b/refpolicy/policy/modules/kernel/files.if index 5f5a897..1ec9f57 100644 --- a/refpolicy/policy/modules/kernel/files.if +++ b/refpolicy/policy/modules/kernel/files.if @@ -39,8 +39,15 @@ interface(`files_type',` ') ######################################## -# -# files_lock_file(type) +## +## Make the specified type usable for +## lock files. +## +## +## +## Type to be used for lock files. +## +## # interface(`files_lock_file',` gen_require(` @@ -52,8 +59,15 @@ interface(`files_lock_file',` ') ######################################## -# -# files_mountpoint(type) +## +## Make the specified type usable for +## filesystem mount points. +## +## +## +## Type to be used for mount points. +## +## # interface(`files_mountpoint',` gen_require(` @@ -65,8 +79,15 @@ interface(`files_mountpoint',` ') ######################################## -# -# files_pid_file(type) +## +## Make the specified type usable for +## runtime process ID files. +## +## +## +## Type to be used for PID files. +## +## # interface(`files_pid_file',` gen_require(` @@ -862,8 +883,15 @@ interface(`files_manage_all_files',` ') ######################################## -# -# files_search_all(domain) +## +## Search the contents of all directories on +## extended attribute filesystems. +## +## +## +## Domain allowed access. +## +## # interface(`files_search_all',` gen_require(` @@ -874,8 +902,15 @@ interface(`files_search_all',` ') ######################################## -# -# files_list_all(domain) +## +## List the contents of all directories on +## extended attribute filesystems. +## +## +## +## Domain allowed access. +## +## # interface(`files_list_all',` gen_require(` @@ -886,8 +921,16 @@ interface(`files_list_all',` ') ######################################## -# -# files_dontaudit_search_all_dirs(domain) +## +## Do not audit attempts to search the +## contents of any directories on extended +## attribute filesystems. +## +## +## +## Domain allowed access. +## +## # interface(`files_dontaudit_search_all_dirs',` gen_require(` @@ -897,9 +940,15 @@ interface(`files_dontaudit_search_all_dirs',` dontaudit $1 file_type:dir search; ') -####################################### -# -# files_relabelto_all_file_type_fs(domain) +######################################## +## +## Relabel a filesystem to the type of a file. +## +## +## +## Domain allowed access. +## +## # interface(`files_relabelto_all_file_type_fs',` gen_require(` @@ -909,9 +958,15 @@ interface(`files_relabelto_all_file_type_fs',` allow $1 file_type:filesystem relabelto; ') -####################################### -# -# files_mount_all_file_type_fs(domain) +######################################## +## +## Mount all filesystems with the type of a file. +## +## +## +## Domain allowed access. +## +## # interface(`files_mount_all_file_type_fs',` gen_require(` @@ -921,9 +976,15 @@ interface(`files_mount_all_file_type_fs',` allow $1 file_type:filesystem mount; ') -####################################### -# -# files_unmount_all_file_type_fs(domain) +######################################## +## +## Unmount all filesystems with the type of a file. +## +## +## +## Domain allowed access. +## +## # interface(`files_unmount_all_file_type_fs',` gen_require(` @@ -934,8 +995,14 @@ interface(`files_unmount_all_file_type_fs',` ') ######################################## -# -# files_mounton_all_mountpoints(domain) +## +## Mount a filesystem on all mount points. +## +## +## +## Domain allowed access. +## +## # interface(`files_mounton_all_mountpoints',` gen_require(` @@ -965,8 +1032,14 @@ interface(`files_getattr_all_mountpoints',` ') ######################################## -# -# files_list_root(domain) +## +## List the contents of the root directory. +## +## +## +## Domain allowed access. +## +## # interface(`files_list_root',` gen_require(` @@ -980,7 +1053,7 @@ interface(`files_list_root',` ######################################## ## ## Create an object in the root directory, with a private -## type. +## type using a type transition. ## ## ## @@ -1008,8 +1081,15 @@ interface(`files_root_filetrans',` ') ######################################## -# -# files_dontaudit_read_root_files(domain) +## +## Do not audit attempts to read files in +## the root directory. +## +## +## +## Domain to not audit. +## +## # interface(`files_dontaudit_read_root_files',` gen_require(` @@ -1020,8 +1100,15 @@ interface(`files_dontaudit_read_root_files',` ') ######################################## -# -# files_dontaudit_rw_root_files(domain) +## +## Do not audit attempts to read or write +## files in the root directory. +## +## +## +## Domain allowed access. +## +## # interface(`files_dontaudit_rw_root_files',` gen_require(` @@ -1032,8 +1119,15 @@ interface(`files_dontaudit_rw_root_files',` ') ######################################## -# -# files_dontaudit_rw_root_chr_files(domain) +## +## Do not audit attempts to read or write +## character device nodes in the root directory. +## +## +## +## Domain allowed access. +## +## # interface(`files_dontaudit_rw_root_chr_files',` gen_require(` @@ -1044,8 +1138,14 @@ interface(`files_dontaudit_rw_root_chr_files',` ') ######################################## -# -# files_delete_root_dir_entry(domain) +## +## Remove entries from the root directory. +## +## +## +## Domain allowed access. +## +## # interface(`files_delete_root_dir_entry',` gen_require(` @@ -1056,8 +1156,14 @@ interface(`files_delete_root_dir_entry',` ') ######################################## -# -# files_unmount_rootfs(domain) +## +## Unmount a rootfs filesystem. +## +## +## +## Domain allowed access. +## +## # interface(`files_unmount_rootfs',` gen_require(` @@ -1546,8 +1652,14 @@ interface(`files_read_default_pipes',` ') ######################################## -# -# files_search_etc(domain) +## +## Search the contents of /etc directories. +## +## +## +## Domain allowed access. +## +## # interface(`files_search_etc',` gen_require(` @@ -1576,8 +1688,14 @@ interface(`files_setattr_etc_dirs',` ') ######################################## -# -# files_list_etc(domain) +## +## List the contents of /etc directories. +## +## +## +## Domain allowed access. +## +## # interface(`files_list_etc',` gen_require(` @@ -1588,8 +1706,14 @@ interface(`files_list_etc',` ') ######################################## -# -# files_read_etc_files(domain) +## +## Read generic files in /etc. +## +## +## +## Domain allowed access. +## +## # interface(`files_read_etc_files',` gen_require(` @@ -1602,8 +1726,14 @@ interface(`files_read_etc_files',` ') ######################################## -# -# files_rw_etc_files(domain) +## +## Read and write generic files in /etc. +## +## +## +## Domain allowed access. +## +## # interface(`files_rw_etc_files',` gen_require(` @@ -1616,8 +1746,15 @@ interface(`files_rw_etc_files',` ') ######################################## -# -# files_manage_etc_files(domain) +## +## Create, read, write, and delete generic +## files in /etc. +## +## +## +## Domain allowed access. +## +## # interface(`files_manage_etc_files',` gen_require(` @@ -1649,8 +1786,14 @@ interface(`files_delete_etc_files',` ') ######################################## -# -# files_exec_etc_files(domain) +## +## Execute generic files in /etc. +## +## +## +## Domain allowed access. +## +## # interface(`files_exec_etc_files',` gen_require(` @@ -1683,8 +1826,25 @@ interface(`files_relabel_etc_files',` ') ######################################## -# -# files_etc_filetrans(domain,privatetype,class(es)) +## +## Create objects in /etc with a private +## type using a type_transition. +## +## +## +## Domain allowed access. +## +## +## +## +## Private file type. +## +## +## +## +## Object classes to be created. +## +## # interface(`files_etc_filetrans',` gen_require(` @@ -1696,10 +1856,20 @@ interface(`files_etc_filetrans',` ') ######################################## -# -# files_create_boot_flag(domain) -# -# /halt, /.autofsck, etc +## +## Create a boot flag. +## +## +##

+## Create a boot flag, such as +## /.autorelabel and /.autofsck. +##

+##
+## +## +## Domain allowed access. +## +## # interface(`files_create_boot_flag',` gen_require(` @@ -2219,8 +2389,14 @@ interface(`files_manage_lost_found',` ') ######################################## -# -# files_search_mnt(domain) +## +## Search the contents of /mnt. +## +## +## +## Domain allowed access. +## +## # interface(`files_search_mnt',` gen_require(` @@ -2249,8 +2425,14 @@ interface(`files_dontaudit_search_mnt',` ') ######################################## -# -# files_list_mnt(domain) +## +## List the contents of /mnt. +## +## +## +## Domain allowed access. +## +## # interface(`files_list_mnt',` gen_require(` @@ -2812,8 +2994,25 @@ interface(`files_setattr_all_tmp_dirs',` ') ######################################## -# -# files_tmp_filetrans(domain,private_type,object class(es)) +## +## Create an object in the tmp directories, with a private +## type using a type transition. +## +## +## +## Domain allowed access. +## +## +## +## +## The type of the object to be created. +## +## +## +## +## The object class of the object being created. +## +## # interface(`files_tmp_filetrans',` gen_require(` @@ -2825,8 +3024,14 @@ interface(`files_tmp_filetrans',` ') ######################################## -# -# files_purge_tmp(domain) +## +## Delete the contents of /tmp. +## +## +## +## Domain allowed access. +## +## # interface(`files_purge_tmp',` gen_require(` @@ -2838,8 +3043,14 @@ interface(`files_purge_tmp',` ') ######################################## -# -# files_search_usr(domain) +## +## Search the content of /etc. +## +## +## +## Domain allowed access. +## +## # interface(`files_search_usr',` gen_require(` @@ -2888,8 +3099,14 @@ interface(`files_getattr_usr_files',` ') ######################################## -# -# files_read_usr_files(domain) +## +## Read generic files in /usr. +## +## +## +## Domain allowed access. +## +## # interface(`files_read_usr_files',` gen_require(` @@ -3009,8 +3226,14 @@ interface(`files_exec_usr_src_files',` ') ######################################## -# -# files_dontaudit_search_src(domain) +## +## Do not audit attempts to search /usr/src. +## +## +## +## Domain to not audit. +## +## # interface(`files_dontaudit_search_src',` gen_require(` @@ -3021,8 +3244,14 @@ interface(`files_dontaudit_search_src',` ') ######################################## -# -# files_read_usr_src_files(domain) +## +## Read files in /usr/src. +## +## +## +## Domain allowed access. +## +## # interface(`files_read_usr_src_files',` gen_require(` @@ -3439,8 +3668,15 @@ interface(`files_read_var_lib_symlinks',` # in some way. They really neeed their own types. ######################################## -# -# files_manage_urandom_seed(domain) +## +## Create, read, write, and delete the +## pseudorandom number generator seed. +## +## +## +## Domain allowed access. +## +## # interface(`files_manage_urandom_seed',` gen_require(` @@ -3531,8 +3767,14 @@ interface(`files_rw_lock_dirs',` ') ######################################## -# -# files_getattr_generic_locks(domain) +## +## Get the attributes of generic lock files. +## +## +## +## Domain allowed access. +## +## # interface(`files_getattr_generic_locks',` gen_require(` @@ -3545,21 +3787,34 @@ interface(`files_getattr_generic_locks',` ') ######################################## -# -# files_manage_generic_locks(domain) +## +## Create, read, write, and delete generic +## lock files. +## +## +## +## Domain allowed access. +## +## # interface(`files_manage_generic_locks',` gen_require(` type var_lock_t; ') - allow $1 var_lock_t:dir { getattr search create read write setattr add_name remove_name rmdir }; - allow $1 var_lock_t:file { getattr create read write setattr unlink }; + allow $1 var_lock_t:dir rw_dir_perms; + allow $1 var_lock_t:file manage_file_perms; ') ######################################## -# -# files_delete_all_locks(domain) +## +## Delete all lock files. +## +## +## +## Domain allowed access. +## +## # interface(`files_delete_all_locks',` gen_require(` @@ -3593,8 +3848,25 @@ interface(`files_read_all_locks',` ') ######################################## -# -# files_lock_filetrans(domain,private_type,[object class(es)]) +## +## Create an object in the locks directory, with a private +## type using a type transition. +## +## +## +## Domain allowed access. +## +## +## +## +## The type of the object to be created. +## +## +## +## +## The object class of the object being created. +## +## # interface(`files_lock_filetrans',` gen_require(` @@ -3626,8 +3898,15 @@ interface(`files_dontaudit_getattr_pid_dirs',` ') ######################################## -# -# files_search_pids(domain) +## +## Search the contents of runtime process +## ID directories (/var/run). +## +## +## +## Domain allowed access. +## +## # interface(`files_search_pids',` gen_require(` @@ -3658,8 +3937,15 @@ interface(`files_dontaudit_search_pids',` ') ######################################## -# -# files_list_pids(domain) +## +## List the contents of the runtime process +## ID directories (/var/run). +## +## +## +## Domain allowed access. +## +## # interface(`files_list_pids',` gen_require(` @@ -3671,8 +3957,25 @@ interface(`files_list_pids',` ') ######################################## -# -# files_pid_filetrans(domain,pidfile,[object class(es)]) +## +## Create an object in the process ID directory, with a private +## type using a type transition. +## +## +## +## Domain allowed access. +## +## +## +## +## The type of the object to be created. +## +## +## +## +## The object class of the object being created. +## +## # interface(`files_pid_filetrans',` gen_require(` @@ -3685,8 +3988,14 @@ interface(`files_pid_filetrans',` ') ######################################## -# -# files_rw_generic_pids(domain) +## +## Read and write generic process ID files. +## +## +## +## Domain allowed access. +## +## # interface(`files_rw_generic_pids',` gen_require(` @@ -3735,8 +4044,14 @@ interface(`files_dontaudit_ioctl_all_pids',` ') ######################################## -# -# files_read_all_pids(domain) +## +## Read all process ID files. +## +## +## +## Domain allowed access. +## +## # interface(`files_read_all_pids',` gen_require(` @@ -3769,8 +4084,14 @@ interface(`files_mounton_all_poly_members',` ') ######################################## -# -# files_delete_all_pids(domain) +## +## Delete all process IDs. +## +## +## +## Domain allowed access. +## +## # interface(`files_delete_all_pids',` gen_require(` @@ -3787,8 +4108,14 @@ interface(`files_delete_all_pids',` ') ######################################## -# -# files_delete_all_pid_dirs(domain) +## +## Delete all process ID directories. +## +## +## +## Domain allowed access. +## +## # interface(`files_delete_all_pid_dirs',` gen_require(` @@ -3801,8 +4128,15 @@ interface(`files_delete_all_pid_dirs',` ') ######################################## -# -# files_search_spool(domain) +## +## Search the contents of generic spool +## directories (/var/spool). +## +## +## +## Domain allowed access. +## +## # interface(`files_search_spool',` gen_require(` @@ -3833,8 +4167,15 @@ interface(`files_dontaudit_search_spool',` ') ######################################## -# -# files_list_spool(domain) +## +## List the contents of generic spool +## (/var/spool) directories. +## +## +## +## Domain allowed access. +## +## # interface(`files_list_spool',` gen_require(` @@ -3846,8 +4187,15 @@ interface(`files_list_spool',` ') ######################################## -# -# files_manage_generic_spool_dirs(domain) +## +## Create, read, write, and delete generic +## spool directories (/var/spool). +## +## +## +## Domain allowed access. +## +## # interface(`files_manage_generic_spool_dirs',` gen_require(` @@ -3859,8 +4207,14 @@ interface(`files_manage_generic_spool_dirs',` ') ######################################## -# -# files_read_generic_spool(domain) +## +## Read generic spool files. +## +## +## +## Domain allowed access. +## +## # interface(`files_read_generic_spool',` gen_require(` @@ -3873,8 +4227,15 @@ interface(`files_read_generic_spool',` ') ######################################## -# -# files_manage_generic_spool(domain) +## +## Create, read, write, and delete generic +## spool files. +## +## +## +## Domain allowed access. +## +## # interface(`files_manage_generic_spool',` gen_require(` diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if index 7777254..643a4a2 100644 --- a/refpolicy/policy/modules/kernel/filesystem.if +++ b/refpolicy/policy/modules/kernel/filesystem.if @@ -9,7 +9,7 @@ ##
## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -29,7 +29,7 @@ interface(`fs_type',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -113,7 +113,7 @@ interface(`fs_exec_noxattr',` ## ## ## -## The type of the domain mounting the filesystem. +## Domain allowed access. ## ## # @@ -134,7 +134,7 @@ interface(`fs_mount_xattr_fs',` ## ## ## -## The type of the domain remounting the filesystem. +## Domain allowed access. ## ## # @@ -154,7 +154,7 @@ interface(`fs_remount_xattr_fs',` ## ## ## -## The type of the domain unmounting the filesystem. +## Domain allowed access. ## ## # @@ -174,8 +174,7 @@ interface(`fs_unmount_xattr_fs',` ## ## ## -## The type of the domain doing the -## getattr on the filesystem. +## Domain allowed access. ## ## # @@ -196,7 +195,7 @@ interface(`fs_getattr_xattr_fs',` ## ## ## -## The type of the domain to not audit. +## Domain to not audit. ## ## # @@ -216,7 +215,7 @@ interface(`fs_dontaudit_getattr_xattr_fs',` ## ## ## -## The type of the domain mounting the filesystem. +## Domain allowed access. ## ## # @@ -235,7 +234,7 @@ interface(`fs_relabelfrom_xattr_fs',` ## ## ## -## The type of the domain mounting the filesystem. +## Domain allowed access. ## ## # @@ -254,7 +253,7 @@ interface(`fs_get_xattr_fs_quotas',` ## ## ## -## The type of the domain mounting the filesystem. +## Domain allowed access. ## ## # @@ -272,7 +271,7 @@ interface(`fs_set_xattr_fs_quotas',` ## ## ## -## The type of the domain mounting the filesystem. +## Domain allowed access. ## ## # @@ -292,7 +291,7 @@ interface(`fs_mount_autofs',` ## ## ## -## The type of the domain remounting the filesystem. +## Domain allowed access. ## ## # @@ -310,7 +309,7 @@ interface(`fs_remount_autofs',` ## ## ## -## The type of the domain unmounting the filesystem. +## Domain allowed access. ## ## # @@ -329,8 +328,7 @@ interface(`fs_unmount_autofs',` ## ## ## -## The type of the domain doing the -## getattr on the filesystem. +## Domain allowed access. ## ## # @@ -349,7 +347,7 @@ interface(`fs_getattr_autofs',` ## ## ## -## The type of the domain performing this action. +## Domain allowed access. ## ## # @@ -368,7 +366,7 @@ interface(`fs_search_auto_mountpoints',` ## ## ## -## The type of the domain performing this action. +## Domain allowed access. ## ## # @@ -387,7 +385,7 @@ interface(`fs_list_auto_mountpoints',` ## ## ## -## The type of the domain performing this action. +## Domain to not audit. ## ## # @@ -403,16 +401,25 @@ interface(`fs_dontaudit_list_auto_mountpoints',` ## ## Register an interpreter for new binary ## file types, using the kernel binfmt_misc -## support. A common use for this is to +## support. +## +## +##

+## Register an interpreter for new binary +## file types, using the kernel binfmt_misc +## support. +##

+##

+## A common use for this is to ## register a JVM as an interpreter for ## Java byte code. Registered binaries ## can be directly executed on a command line ## without specifying the interpreter. -## +##

+##
## ## -## The type of the domain registering -## the interpreter. +## Domain allowed access. ## ## # @@ -431,7 +438,7 @@ interface(`fs_register_binary_executable_type',` ## ## ## -## The type of the domain mounting the filesystem. +## Domain allowed access. ## ## # @@ -450,7 +457,7 @@ interface(`fs_mount_cifs',` ## ## ## -## The type of the domain mounting the filesystem. +## Domain allowed access. ## ## # @@ -468,7 +475,7 @@ interface(`fs_remount_cifs',` ## ## ## -## The type of the domain mounting the filesystem. +## Domain allowed access. ## ## # @@ -487,8 +494,7 @@ interface(`fs_unmount_cifs',` ## ## ## -## The type of the domain doing the -## getattr on the filesystem. +## Domain allowed access. ## ## # @@ -640,7 +646,7 @@ interface(`fs_read_noxattr_fs_symlinks',` ## ## ## -## The type of the domain to not audit. +## Domain to not audit. ## ## # @@ -659,7 +665,7 @@ interface(`fs_dontaudit_read_cifs_files',` ## ## ## -## The type of the domain to not audit. +## Domain to not audit. ## ## # @@ -677,7 +683,7 @@ interface(`fs_dontaudit_rw_cifs_files',` ## ## ## -## The type of the domain reading the symbolic links. +## Domain allowed access. ## ## # @@ -698,7 +704,7 @@ interface(`fs_read_cifs_symlinks',` ## ## ## -## The type of the domain executing the files. +## Domain allowed access. ## ## # @@ -718,7 +724,7 @@ interface(`fs_exec_cifs_files',` ## ## ## -## The type of the domain managing the directories. +## Domain allowed access. ## ## # @@ -738,7 +744,7 @@ interface(`fs_manage_cifs_dirs',` ## ## ## -## The type of the domain managing the directories. +## Domain allowed access. ## ## # @@ -757,7 +763,7 @@ interface(`fs_dontaudit_manage_cifs_dirs',` ## ## ## -## The type of the domain managing the files. +## Domain allowed access. ## ## # @@ -797,7 +803,7 @@ interface(`fs_dontaudit_manage_cifs_files',` ## ## ## -## The type of the domain managing the symbolic links. +## Domain allowed access. ## ## # @@ -817,7 +823,7 @@ interface(`fs_manage_cifs_symlinks',` ## ## ## -## The type of the domain managing the pipes. +## Domain allowed access. ## ## # @@ -837,7 +843,7 @@ interface(`fs_manage_cifs_named_pipes',` ## ## ## -## The type of the domain managing the sockets. +## Domain allowed access. ## ## # @@ -876,7 +882,7 @@ interface(`fs_manage_cifs_named_sockets',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -902,7 +908,7 @@ interface(`fs_cifs_domtrans',` ## ## ## -## The type of the domain mounting the filesystem. +## Domain allowed access. ## ## # @@ -922,7 +928,7 @@ interface(`fs_mount_dos_fs',` ## ## ## -## The type of the domain remounting the filesystem. +## Domain allowed access. ## ## # @@ -941,7 +947,7 @@ interface(`fs_remount_dos_fs',` ## ## ## -## The type of the domain unmounting the filesystem. +## Domain allowed access. ## ## # @@ -960,8 +966,7 @@ interface(`fs_unmount_dos_fs',` ## ## ## -## The type of the domain doing the -## getattr on the filesystem. +## Domain allowed access. ## ## # @@ -980,7 +985,7 @@ interface(`fs_getattr_dos_fs',` ## ## ## -## The type of the domain mounting the filesystem. +## Domain allowed access. ## ## # @@ -1054,7 +1059,7 @@ interface(`fs_list_inotifyfs',` ## ## ## -## The type of the domain mounting the filesystem. +## Domain allowed access. ## ## # @@ -1074,7 +1079,7 @@ interface(`fs_mount_iso9660_fs',` ## ## ## -## The type of the domain remounting the filesystem. +## Domain allowed access. ## ## # @@ -1093,7 +1098,7 @@ interface(`fs_remount_iso9660_fs',` ## ## ## -## The type of the domain unmounting the filesystem. +## Domain allowed access. ## ## # @@ -1112,8 +1117,7 @@ interface(`fs_unmount_iso9660_fs',` ## ## ## -## The type of the domain doing the -## getattr on the filesystem. +## Domain allowed access. ## ## # @@ -1152,7 +1156,7 @@ interface(`fs_read_iso9660_files',` ## ## ## -## The type of the domain mounting the filesystem. +## Domain allowed access. ## ## # @@ -1171,7 +1175,7 @@ interface(`fs_mount_nfs',` ## ## ## -## The type of the domain remounting the filesystem. +## Domain allowed access. ## ## # @@ -1189,7 +1193,7 @@ interface(`fs_remount_nfs',` ## ## ## -## The type of the domain unmounting the filesystem. +## Domain allowed access. ## ## # @@ -1207,8 +1211,7 @@ interface(`fs_unmount_nfs',` ## ## ## -## The type of the domain doing the -## getattr on the filesystem. +## Domain allowed access. ## ## # @@ -1301,7 +1304,7 @@ interface(`fs_read_nfs_files',` ## ## ## -## The type of the domain to not audit. +## Domain to not audit. ## ## # @@ -1338,7 +1341,7 @@ interface(`fs_write_nfs_files',` ## ## ## -## The type of the domain executing the files. +## Domain allowed access. ## ## # @@ -1358,7 +1361,7 @@ interface(`fs_exec_nfs_files',` ## ## ## -## The type of the domain to not audit. +## Domain to not audit. ## ## # @@ -1376,7 +1379,7 @@ interface(`fs_dontaudit_rw_nfs_files',` ## ## ## -## The type of the domain reading the symbolic links. +## Domain allowed access. ## ## # @@ -1395,7 +1398,7 @@ interface(`fs_read_nfs_symlinks',` ## ## ## -## The type of the domain reading the symbolic links. +## Domain allowed access. ## ## # @@ -1414,7 +1417,7 @@ interface(`fs_getattr_rpc_dirs',` ## ## ## -## The type of the domain reading the symbolic links. +## Domain allowed access. ## ## # @@ -1523,7 +1526,7 @@ interface(`fs_read_removable_symlinks',` ## ## ## -## The type of the domain reading the symbolic links. +## Domain allowed access. ## ## # @@ -1542,7 +1545,7 @@ interface(`fs_list_rpc',` ## ## ## -## The type of the domain reading the symbolic links. +## Domain allowed access. ## ## # @@ -1561,7 +1564,7 @@ interface(`fs_read_rpc_files',` ## ## ## -## The type of the domain reading the symbolic links. +## Domain allowed access. ## ## # @@ -1580,7 +1583,7 @@ interface(`fs_read_rpc_symlinks',` ## ## ## -## The type of the domain reading the symbolic links. +## Domain allowed access. ## ## # @@ -1600,7 +1603,7 @@ interface(`fs_read_rpc_sockets',` ## ## ## -## The type of the domain managing the directories. +## Domain allowed access. ## ## # @@ -1639,7 +1642,7 @@ interface(`fs_dontaudit_manage_nfs_dirs',` ## ## ## -## The type of the domain managing the files. +## Domain allowed access. ## ## # @@ -1679,7 +1682,7 @@ interface(`fs_dontaudit_manage_nfs_files',` ## ## ## -## The type of the domain managing the symbolic links. +## Domain allowed access. ## ## # @@ -1699,7 +1702,7 @@ interface(`fs_manage_nfs_symlinks',` ## ## ## -## The type of the domain managing the pipes. +## Domain allowed access. ## ## # @@ -1719,7 +1722,7 @@ interface(`fs_manage_nfs_named_pipes',` ## ## ## -## The type of the domain managing the sockets. +## Domain allowed access. ## ## # @@ -1758,7 +1761,7 @@ interface(`fs_manage_nfs_named_sockets',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -1783,7 +1786,7 @@ interface(`fs_nfs_domtrans',` ## ## ## -## The type of the domain mounting the filesystem. +## Domain allowed access. ## ## # @@ -1802,7 +1805,7 @@ interface(`fs_mount_nfsd_fs',` ## ## ## -## The type of the domain remounting the filesystem. +## Domain allowed access. ## ## # @@ -1820,7 +1823,7 @@ interface(`fs_remount_nfsd_fs',` ## ## ## -## The type of the domain unmounting the filesystem. +## Domain allowed access. ## ## # @@ -1839,8 +1842,7 @@ interface(`fs_unmount_nfsd_fs',` ## ## ## -## The type of the domain doing the -## getattr on the filesystem. +## Domain allowed access. ## ## # @@ -1858,8 +1860,7 @@ interface(`fs_getattr_nfsd_fs',` ## ## ## -## The type of the domain doing the -## search on nfsd directories. +## Domain allowed access. ## ## # @@ -1877,8 +1878,7 @@ interface(`fs_search_nfsd_fs',` ## ## ## -## The type of the domain doing the -## read or write on nfsd files. +## Domain allowed access. ## ## # @@ -1896,7 +1896,7 @@ interface(`fs_rw_nfsd_fs',` ## ## ## -## The type of the domain mounting the filesystem. +## Domain allowed access. ## ## # @@ -1915,7 +1915,7 @@ interface(`fs_mount_ramfs',` ## ## ## -## The type of the domain remounting the filesystem. +## Domain allowed access. ## ## # @@ -1933,7 +1933,7 @@ interface(`fs_remount_ramfs',` ## ## ## -## The type of the domain unmounting the filesystem. +## Domain allowed access. ## ## # @@ -1951,8 +1951,7 @@ interface(`fs_unmount_ramfs',` ## ## ## -## The type of the domain doing the -## getattr on the filesystem. +## Domain allowed access. ## ## # @@ -2177,7 +2176,7 @@ interface(`fs_manage_ramfs_sockets',` ## ## ## -## The type of the domain mounting the filesystem. +## Domain allowed access. ## ## # @@ -2196,7 +2195,7 @@ interface(`fs_mount_romfs',` ## ## ## -## The type of the domain remounting the filesystem. +## Domain allowed access. ## ## # @@ -2214,7 +2213,7 @@ interface(`fs_remount_romfs',` ## ## ## -## The type of the domain unmounting the filesystem. +## Domain allowed access. ## ## # @@ -2233,8 +2232,7 @@ interface(`fs_unmount_romfs',` ## ## ## -## The type of the domain doing the -## getattr on the filesystem. +## Domain allowed access. ## ## # @@ -2252,7 +2250,7 @@ interface(`fs_getattr_romfs',` ## ## ## -## The type of the domain mounting the filesystem. +## Domain allowed access. ## ## # @@ -2271,7 +2269,7 @@ interface(`fs_mount_rpc_pipefs',` ## ## ## -## The type of the domain remounting the filesystem. +## Domain allowed access. ## ## # @@ -2289,7 +2287,7 @@ interface(`fs_remount_rpc_pipefs',` ## ## ## -## The type of the domain unmounting the filesystem. +## Domain allowed access. ## ## # @@ -2308,8 +2306,7 @@ interface(`fs_unmount_rpc_pipefs',` ## ## ## -## The type of the domain doing the -## getattr on the filesystem. +## Domain allowed access. ## ## # @@ -2327,7 +2324,7 @@ interface(`fs_getattr_rpc_pipefs',` ## ## ## -## The type of the domain mounting the filesystem. +## Domain allowed access. ## ## # @@ -2345,7 +2342,7 @@ interface(`fs_mount_tmpfs',` ## ## ## -## The type of the domain remounting the filesystem. +## Domain allowed access. ## ## # @@ -2363,7 +2360,7 @@ interface(`fs_remount_tmpfs',` ## ## ## -## The type of the domain unmounting the filesystem. +## Domain allowed access. ## ## # @@ -2382,8 +2379,7 @@ interface(`fs_unmount_tmpfs',` ## ## ## -## The type of the domain doing the -## getattr on the filesystem. +## Domain allowed access. ## ## # @@ -2543,8 +2539,25 @@ interface(`fs_manage_tmpfs_dirs',` ') ######################################## -# -# fs_tmpfs_filetrans(domain,derivedtype,class) +## +## Create an object in a tmpfs filesystem, with a private +## type using a type transition. +## +## +## +## Domain allowed access. +## +## +## +## +## The type of the object to be created. +## +## +## +## +## The object class of the object being created. +## +## # interface(`fs_tmpfs_filetrans',` gen_require(` @@ -2600,7 +2613,7 @@ interface(`fs_manage_auto_mountpoints',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -2619,7 +2632,7 @@ interface(`fs_rw_tmpfs_files',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -2638,7 +2651,7 @@ interface(`fs_read_tmpfs_symlinks',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -2657,7 +2670,7 @@ interface(`fs_rw_tmpfs_chr_files',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -2676,7 +2689,7 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -2695,7 +2708,7 @@ interface(`fs_relabel_tmpfs_chr_file',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -2714,7 +2727,7 @@ interface(`fs_rw_tmpfs_blk_files',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -2734,7 +2747,7 @@ interface(`fs_relabel_tmpfs_blk_file',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -2754,7 +2767,7 @@ interface(`fs_manage_tmpfs_files',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -2774,7 +2787,7 @@ interface(`fs_manage_tmpfs_symlinks',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -2794,7 +2807,7 @@ interface(`fs_manage_tmpfs_sockets',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -2814,7 +2827,7 @@ interface(`fs_manage_tmpfs_chr_files',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -2833,7 +2846,7 @@ interface(`fs_manage_tmpfs_blk_files',` ## ## ## -## The type of the domain mounting the filesystem. +## Domain allowed access. ## ## # @@ -2852,7 +2865,7 @@ interface(`fs_mount_all_fs',` ## ## ## -## The type of the domain mounting the filesystem. +## Domain allowed access. ## ## # @@ -2870,7 +2883,7 @@ interface(`fs_remount_all_fs',` ## ## ## -## The type of the domain unmounting the filesystem. +## Domain allowed access. ## ## # @@ -2889,8 +2902,7 @@ interface(`fs_unmount_all_fs',` ## ## ## -## The type of the domain doing the -## getattr on the filesystem. +## Domain allowed access. ## ## # @@ -2909,7 +2921,7 @@ interface(`fs_getattr_all_fs',` ## ## ## -## The type of the domain to not audit. +## Domain to not audit. ## ## # @@ -2963,8 +2975,7 @@ interface(`fs_set_all_quotas',` ## ## ## -## The type of the domain doing the -## getattr on the filesystem. +## Domain allowed access. ## ## # @@ -3229,4 +3240,3 @@ interface(`fs_relabelfrom_noxattr_fs',` allow $1 noxattrfs:blk_file { getattr relabelfrom }; allow $1 noxattrfs:chr_file { getattr relabelfrom }; ') - diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if index 926fe6c..07df538 100644 --- a/refpolicy/policy/modules/kernel/kernel.if +++ b/refpolicy/policy/modules/kernel/kernel.if @@ -1538,8 +1538,15 @@ interface(`kernel_rw_irq_sysctls',` ') ######################################## -# -# kernel_read_rpc_sysctls(domain) +## +## Read RPC sysctls. +## +## +## +## Domain allowed access. +## +## +## # interface(`kernel_read_rpc_sysctls',` gen_require(` @@ -1553,8 +1560,15 @@ interface(`kernel_read_rpc_sysctls',` ') ######################################## -# -# kernel_rw_rpc_sysctls(domain) +## +## Read and write RPC sysctls. +## +## +## +## Domain allowed access. +## +## +## # interface(`kernel_rw_rpc_sysctls',` gen_require(` @@ -1914,7 +1928,7 @@ interface(`kernel_dontaudit_getattr_unlabeled_chr_files',` ## ## ## -## The process type relabeling the objects. +## Domain allowed access. ## ## # @@ -1932,7 +1946,7 @@ interface(`kernel_relabelfrom_unlabeled_dirs',` ## ## ## -## The process type relabeling the objects. +## Domain allowed access. ## ## # @@ -1951,7 +1965,7 @@ interface(`kernel_relabelfrom_unlabeled_files',` ## ## ## -## The process type relabeling the objects. +## Domain allowed access. ## ## # @@ -1970,7 +1984,7 @@ interface(`kernel_relabelfrom_unlabeled_symlinks',` ## ## ## -## The process type relabeling the objects. +## Domain allowed access. ## ## # @@ -1989,7 +2003,7 @@ interface(`kernel_relabelfrom_unlabeled_pipes',` ## ## ## -## The process type relabeling the objects. +## Domain allowed access. ## ## # diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if index b0d0784..70f6fdf 100644 --- a/refpolicy/policy/modules/services/mta.if +++ b/refpolicy/policy/modules/services/mta.if @@ -300,9 +300,15 @@ template(`mta_admin_template',` ') ') -####################################### -# -# mta_mailserver(domain,entrypointtype) +######################################## +## +## Make the specified domain usable for a mail server. +## +## +## +## Type to be used as a mail server domain. +## +## # interface(`mta_mailserver',` gen_require(` @@ -439,9 +445,15 @@ interface(`mta_mailserver_user_agent',` ') ') -####################################### -# -# mta_send_mail(domain) +######################################## +## +## Send mail from the system. +## +## +## +## Domain allowed access. +## +## # interface(`mta_send_mail',` gen_require(` @@ -462,9 +474,15 @@ interface(`mta_send_mail',` allow mta_user_agent $1:fifo_file { read write }; ') -####################################### -# -# mta_exec(domain) +######################################## +## +## Execute sendmail in the caller domain. +## +## +## +## Domain allowed access. +## +## # interface(`mta_exec',` gen_require(` @@ -533,9 +551,15 @@ interface(`mta_etc_filetrans_aliases',` files_etc_filetrans($1,etc_aliases_t, file) ') -####################################### -# -# mta_rw_aliases(domain) +######################################## +## +## Read and write mail aliases. +## +## +## +## Domain allowed access. +## +## # interface(`mta_rw_aliases',` gen_require(` @@ -604,9 +628,15 @@ interface(`mta_dontaudit_read_spool_symlinks',` dontaudit $1 mail_spool_t:lnk_file read; ') -####################################### -# -# mta_getattr_spool(domain) +######################################## +## +## Get the attributes of mail spool files. +## +## +## +## Domain allowed access. +## +## # interface(`mta_getattr_spool',` gen_require(` @@ -619,6 +649,17 @@ interface(`mta_getattr_spool',` allow $1 mail_spool_t:file getattr; ') +######################################## +## +## Do not audit attempts to get the attributes +## of mail spool files. +## +## +## +## Domain to not audit. +## +## +# interface(`mta_dontaudit_getattr_spool_files',` gen_require(` type mail_spool_t; @@ -661,9 +702,15 @@ interface(`mta_spool_filetrans',` type_transition $1 mail_spool_t:$3 $2; ') -####################################### -# -# mta_rw_spool(domain) +######################################## +## +## Read and write the mail spool. +## +## +## +## Domain allowed access. +## +## # interface(`mta_rw_spool',` gen_require(` @@ -717,9 +764,15 @@ interface(`mta_delete_spool',` allow $1 mail_spool_t:file unlink; ') -####################################### -# -# mta_manage_spool(domain) +######################################## +## +## Create, read, write, and delete mail spool files. +## +## +## +## Domain allowed access. +## +## # interface(`mta_manage_spool',` gen_require(` @@ -751,9 +804,16 @@ interface(`mta_dontaudit_rw_queue',` dontaudit $1 mqueue_spool_t:file { getattr read write }; ') -####################################### -# -# mta_manage_queue(domain) +######################################## +## +## Create, read, write, and delete +## mail queue files. +## +## +## +## Domain allowed access. +## +## # interface(`mta_manage_queue',` gen_require(` diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if index 4c4e40b..5c7a18a 100644 --- a/refpolicy/policy/modules/system/authlogin.if +++ b/refpolicy/policy/modules/system/authlogin.if @@ -162,7 +162,7 @@ template(`authlogin_per_userdomain_template',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -216,7 +216,7 @@ interface(`auth_login_entry_type',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -245,7 +245,7 @@ interface(`auth_domtrans_login_program',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -294,7 +294,7 @@ interface(`auth_domtrans_chk_passwd',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -332,7 +332,7 @@ interface(`auth_dontaudit_getattr_shadow',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -345,6 +345,25 @@ interface(`auth_read_shadow',` auth_tunable_read_shadow($1) ') +######################################## +## +## Pass shadow assertion for reading. +## +## +##

+## Pass shadow assertion for reading. +## This should only be used with +## auth_tunable_read_shadow(), and +## only exists because typeattribute +## does not work in conditionals. +##

+##
+## +## +## Domain allowed access. +## +## +# interface(`auth_can_read_shadow_passwords',` gen_require(` attribute can_read_shadow_passwords; @@ -353,6 +372,24 @@ interface(`auth_can_read_shadow_passwords',` typeattribute $1 can_read_shadow_passwords; ') +######################################## +## +## Read the shadow password file. +## +## +##

+## Read the shadow password file. This +## should only be used in a conditional; +## it does not pass the reading shadow +## assertion. +##

+##
+## +## +## Domain allowed access. +## +## +# interface(`auth_tunable_read_shadow',` gen_require(` type shadow_t; @@ -387,7 +424,7 @@ interface(`auth_dontaudit_read_shadow',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -402,9 +439,16 @@ interface(`auth_rw_shadow',` typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords; ') -####################################### -# -# auth_manage_shadow(domain) +######################################## +## +## Create, read, write, and delete the shadow +## password file. +## +## +## +## Domain allowed access. +## +## # interface(`auth_manage_shadow',` gen_require(` @@ -418,7 +462,7 @@ interface(`auth_manage_shadow',` ####################################### ## -## Automatic transition to shadow from etc. +## Automatic transition from etc to shadow. ## ## ## @@ -497,9 +541,15 @@ interface(`auth_append_faillog',` allow $1 faillog_t:file { getattr append }; ') -####################################### -# -# auth_rw_faillog(domain) +######################################## +## +## Read and write the login failure log. +## +## +## +## Domain allowed access. +## +## # interface(`auth_rw_faillog',` gen_require(` @@ -573,7 +623,7 @@ interface(`auth_rw_lastlog',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -596,7 +646,7 @@ interface(`auth_domtrans_pam',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -626,7 +676,7 @@ interface(`auth_run_pam',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -645,7 +695,7 @@ interface(`auth_exec_pam',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -660,9 +710,15 @@ interface(`auth_manage_var_auth',` allow $1 var_auth_t:lnk_file rw_file_perms; ') -####################################### -# -# auth_read_pam_pid(domain) +######################################## +## +## Read PAM PID files. +## +## +## +## Domain allowed access. +## +## # interface(`auth_read_pam_pid',` gen_require(` @@ -677,7 +733,7 @@ interface(`auth_read_pam_pid',` ####################################### ## -## Do not audit attemps to read PAM pid files. +## Do not audit attemps to read PAM PID files. ## ## ## @@ -699,7 +755,7 @@ interface(`auth_dontaudit_read_pam_pid',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -720,7 +776,7 @@ interface(`auth_delete_pam_pid',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -734,9 +790,15 @@ interface(`auth_manage_pam_pid',` allow $1 pam_var_run_t:file create_file_perms; ') -####################################### -# -# auth_domtrans_pam_console(domain) +######################################## +## +## Execute pam_console with a domain transition. +## +## +## +## Domain allowed access. +## +## # interface(`auth_domtrans_pam_console',` gen_require(` @@ -758,7 +820,7 @@ interface(`auth_domtrans_pam_console',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -772,9 +834,16 @@ interface(`auth_search_pam_console_data',` allow $1 pam_var_console_t:dir search_dir_perms; ') -####################################### -# -# auth_list_pam_console_data(domain) +######################################## +## +## List the contents of the pam_console +## data directory. +## +## +## +## Domain allowed access. +## +## # interface(`auth_list_pam_console_data',` gen_require(` @@ -786,9 +855,15 @@ interface(`auth_list_pam_console_data',` allow $1 pam_var_console_t:dir r_dir_perms; ') -####################################### -# -# auth_read_pam_console_data(domain) +######################################## +## +## Read pam_console data files. +## +## +## +## Domain allowed access. +## +## # interface(`auth_read_pam_console_data',` gen_require(` @@ -801,9 +876,16 @@ interface(`auth_read_pam_console_data',` allow $1 pam_var_console_t:file r_file_perms; ') -####################################### -# -# auth_manage_pam_console_data(domain) +######################################## +## +## Create, read, write, and delete +## pam_console data files. +## +## +## +## Domain allowed access. +## +## # interface(`auth_manage_pam_console_data',` gen_require(` @@ -971,7 +1053,7 @@ interface(`auth_manage_all_files_except_shadow',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -994,7 +1076,7 @@ interface(`auth_domtrans_utempter',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -1036,9 +1118,15 @@ interface(`auth_dontaudit_exec_utempter',` dontaudit $1 utempter_exec_t:file { execute execute_no_trans }; ') -####################################### -# -# auth_setattr_login_records(domain) +######################################## +## +## Set the attributes of login record files. +## +## +## +## Domain allowed access. +## +## # interface(`auth_setattr_login_records',` gen_require(` @@ -1049,9 +1137,15 @@ interface(`auth_setattr_login_records',` logging_search_logs($1) ') -####################################### -# -# auth_read_login_records(domain) +######################################## +## +## Read login records files (/var/log/wtmp). +## +## +## +## Domain allowed access. +## +## # interface(`auth_read_login_records',` gen_require(` @@ -1062,9 +1156,16 @@ interface(`auth_read_login_records',` allow $1 wtmp_t:file r_file_perms; ') -####################################### -# -# auth_dontaudit_write_login_records(domain) +######################################## +## +## Do not audit attempts to write to +## login records files. +## +## +## +## Domain to not audit. +## +## # interface(`auth_dontaudit_write_login_records',` gen_require(` @@ -1110,9 +1211,15 @@ interface(`auth_write_login_records',` allow $1 wtmp_t:file { write lock }; ') -####################################### -# -# auth_rw_login_records(domain) +######################################## +## +## Read and write login records. +## +## +## +## Domain allowed access. +## +## # interface(`auth_rw_login_records',` gen_require(` @@ -1123,9 +1230,16 @@ interface(`auth_rw_login_records',` logging_search_logs($1) ') -####################################### -# -# auth_log_filetrans_login_records(domain) +######################################## +## +## Create a login records in the log directory +## using a type transition. +## +## +## +## Domain allowed access. +## +## # interface(`auth_log_filetrans_login_records',` gen_require(` @@ -1135,9 +1249,16 @@ interface(`auth_log_filetrans_login_records',` logging_log_filetrans($1,wtmp_t,file) ') -####################################### -# -# auth_manage_login_records(domain) +######################################## +## +## Create, read, write, and delete login +## records files. +## +## +## +## Domain allowed access. +## +## # interface(`auth_manage_login_records',` gen_require(` diff --git a/refpolicy/policy/modules/system/hostname.if b/refpolicy/policy/modules/system/hostname.if index 94f0233..d7a3090 100644 --- a/refpolicy/policy/modules/system/hostname.if +++ b/refpolicy/policy/modules/system/hostname.if @@ -6,7 +6,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -31,7 +31,7 @@ interface(`hostname_domtrans',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -56,14 +56,14 @@ interface(`hostname_run',` ') ######################################## -## -## Execute hostname in the caller domain. -## -## +## +## Execute hostname in the caller domain. +## +## ## -## The type of the process performing this action. -## -## +## Domain allowed access. +## +## # interface(`hostname_exec',` gen_require(` diff --git a/refpolicy/policy/modules/system/hotplug.if b/refpolicy/policy/modules/system/hotplug.if index 3aa11c9..e9e0ee9 100644 --- a/refpolicy/policy/modules/system/hotplug.if +++ b/refpolicy/policy/modules/system/hotplug.if @@ -3,9 +3,15 @@ ## connection and disconnection of devices at runtime. ## -####################################### -# -# hotplug_domtrans(domain) +######################################## +## +## Execute hotplug with a domain transition. +## +## +## +## Domain allowed access. +## +## # interface(`hotplug_domtrans',` gen_require(` @@ -21,9 +27,15 @@ interface(`hotplug_domtrans',` allow hotplug_t $1:process sigchld; ') -####################################### -# -# hotplug_exec(domain) +######################################## +## +## Execute hotplug in the caller domain. +## +## +## +## Domain allowed access. +## +## # interface(`hotplug_exec',` gen_require(` @@ -34,9 +46,15 @@ interface(`hotplug_exec',` can_exec($1,hotplug_exec_t) ') -####################################### -# -# hotplug_use_fds(domain) +######################################## +## +## Inherit and use hotplug file descriptors. +## +## +## +## Domain allowed access. +## +## # interface(`hotplug_use_fds',` gen_require(` @@ -46,9 +64,16 @@ interface(`hotplug_use_fds',` allow $1 hotplug_t:fd use; ') -####################################### -# -# hotplug_dontaudit_use_fds(domain) +######################################## +## +## Do not audit attempts to inherit +## hotplug file descriptors. +## +## +## +## Domain to not audit. +## +## # interface(`hotplug_dontaudit_use_fds',` gen_require(` @@ -59,8 +84,15 @@ interface(`hotplug_dontaudit_use_fds',` ') ######################################## -# -# hotplug_dontaudit_search_config(domain) +## +## Do not audit attempts to search the +## hotplug configuration directories. +## +## +## +## Domain to not audit. +## +## # interface(`hotplug_dontaudit_search_config',` gen_require(` diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if index 766933d..3cf76fa 100644 --- a/refpolicy/policy/modules/system/init.if +++ b/refpolicy/policy/modules/system/init.if @@ -150,8 +150,14 @@ interface(`init_system_domain',` ') ######################################## -# -# init_domtrans(domain) +## +## Execute init (/sbin/init) with a domain transition. +## +## +## +## Domain allowed access. +## +## # interface(`init_domtrans',` gen_require(` @@ -186,8 +192,14 @@ interface(`init_exec',` ') ######################################## -# -# init_getpgid(domain) +## +## Get the process group of init. +## +## +## +## Domain allowed access. +## +## # interface(`init_getpgid',` gen_require(` @@ -243,8 +255,14 @@ interface(`init_sigchld',` ') ######################################## -# -# init_use_fds(domain) +## +## Inherit and use file descriptors from init. +## +## +## +## Domain allowed access. +## +## # interface(`init_use_fds',` gen_require(` @@ -258,8 +276,15 @@ interface(`init_use_fds',` ') ######################################## -# -# init_dontaudit_use_fds(domain) +## +## Do not audit attempts to inherit file +## descriptors from init. +## +## +## +## Domain allowed access. +## +## # interface(`init_dontaudit_use_fds',` gen_require(` @@ -295,8 +320,14 @@ interface(`init_udp_send',` ') ######################################## -# -# init_getattr_initctl(domain) +## +## Get the attributes of initctl. +## +## +## +## Domain allowed access. +## +## # interface(`init_getattr_initctl',` gen_require(` @@ -307,8 +338,15 @@ interface(`init_getattr_initctl',` ') ######################################## -# -# init_dontaudit_getattr_initctl(domain) +## +## Do not audit attempts to get the +## attributes of initctl. +## +## +## +## Domain to not audit. +## +## # interface(`init_dontaudit_getattr_initctl',` gen_require(` @@ -319,8 +357,14 @@ interface(`init_dontaudit_getattr_initctl',` ') ######################################## -# -# init_write_initctl(domain) +## +## Write to initctl. +## +## +## +## Domain allowed access. +## +## # interface(`init_write_initctl',` gen_require(` @@ -332,8 +376,14 @@ interface(`init_write_initctl',` ') ######################################## -# -# init_rw_initctl(domain) +## +## Read and write initctl. +## +## +## +## Domain allowed access. +## +## # interface(`init_rw_initctl',` gen_require(` @@ -345,8 +395,15 @@ interface(`init_rw_initctl',` ') ######################################## -# -# init_dontaudit_rw_initctl(domain) +## +## Do not audit attempts to read and +## write initctl. +## +## +## +## Domain allowed access. +## +## # interface(`init_dontaudit_rw_initctl',` gen_require(` @@ -376,8 +433,14 @@ interface(`init_script_file_entry_type',` ') ######################################## -# -# init_domtrans_script(domain) +## +## Execute init scripts with a domain transition. +## +## +## +## Domain allowed access. +## +## # interface(`init_domtrans_script',` gen_require(` @@ -503,8 +566,14 @@ interface(`init_getattr_script_files',` ') ######################################## -# -# init_exec_script_files(domain) +## +## Execute init scripts in the caller domain. +## +## +## +## Domain allowed access. +## +## # interface(`init_exec_script_files',` gen_require(` @@ -543,8 +612,14 @@ interface(`init_read_script_state',` ') ######################################## -# -# init_use_script_fds(domain) +## +## Inherit and use init script file descriptors. +## +## +## +## Domain allowed access. +## +## # interface(`init_use_script_fds',` gen_require(` @@ -555,8 +630,15 @@ interface(`init_use_script_fds',` ') ######################################## -# -# init_dontaudit_use_script_fds(domain) +## +## Do not audit attempts to inherit +## init script file descriptors. +## +## +## +## Domain allowed access. +## +## # interface(`init_dontaudit_use_script_fds',` gen_require(` @@ -567,8 +649,14 @@ interface(`init_dontaudit_use_script_fds',` ') ######################################## -# -# init_getpgid_script(domain) +## +## Get the process group ID of init scripts. +## +## +## +## Domain allowed access. +## +## # interface(`init_getpgid_script',` gen_require(` @@ -864,8 +952,14 @@ interface(`init_getattr_utmp',` ') ######################################## -# -# init_read_utmp(domain) +## +## Read utmp. +## +## +## +## Domain allowed access. +## +## # interface(`init_read_utmp',` gen_require(` @@ -877,8 +971,14 @@ interface(`init_read_utmp',` ') ######################################## -# -# init_dontaudit_write_utmp(domain) +## +## Do not audit attempts to write utmp. +## +## +## +## Domain allowed access. +## +## # interface(`init_dontaudit_write_utmp',` gen_require(` @@ -927,8 +1027,14 @@ interface(`init_dontaudit_lock_utmp',` ') ######################################## -# -# init_rw_utmp(domain) +## +## Read and write utmp. +## +## +## +## Domain allowed access. +## +## # interface(`init_rw_utmp',` gen_require(` @@ -940,8 +1046,14 @@ interface(`init_rw_utmp',` ') ######################################## -# -# init_dontaudit_rw_utmp(domain) +## +## Do not audit attempts to read and write utmp. +## +## +## +## Domain allowed access. +## +## # interface(`init_dontaudit_rw_utmp',` gen_require(` diff --git a/refpolicy/policy/modules/system/logging.if b/refpolicy/policy/modules/system/logging.if index 3a5eb64..05f05b1 100644 --- a/refpolicy/policy/modules/system/logging.if +++ b/refpolicy/policy/modules/system/logging.if @@ -72,7 +72,7 @@ interface(`logging_domtrans_auditctl',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -102,7 +102,7 @@ interface(`logging_run_auditctl',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -121,8 +121,25 @@ interface(`logging_domtrans_syslog',` ') ######################################## -# -# logging_log_filetrans(domain,privatetype,[class(es)]) +## +## Create an object in the log directory, with a private +## type using a type transition. +## +## +## +## Domain allowed access. +## +## +## +## +## The type of the object to be created. +## +## +## +## +## The object class of the object being created. +## +## # interface(`logging_log_filetrans',` gen_require(` @@ -134,9 +151,15 @@ interface(`logging_log_filetrans',` type_transition $1 var_log_t:$3 $2; ') -####################################### -# -# logging_send_syslog_msg(domain) +######################################## +## +## Send system log messages. +## +## +## +## Domain allowed access. +## +## # interface(`logging_send_syslog_msg',` gen_require(` @@ -183,7 +206,7 @@ interface(`logging_read_audit_config',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -239,7 +262,7 @@ interface(`logging_list_logs',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -252,9 +275,16 @@ interface(`logging_rw_generic_log_dirs',` allow $1 var_log_t:dir rw_dir_perms; ') -####################################### -# -# logging_dontaudit_getattr_all_logs(domain) +######################################## +## +## Do not audit attempts to get the atttributes +## of any log files. +## +## +## +## Domain allowed access. +## +## # interface(`logging_dontaudit_getattr_all_logs',` gen_require(` @@ -264,9 +294,15 @@ interface(`logging_dontaudit_getattr_all_logs',` dontaudit $1 logfile:file getattr; ') -####################################### -# -# logging_append_all_logs(domain) +######################################## +## +## Append to all log files. +## +## +## +## Domain allowed access. +## +## # interface(`logging_append_all_logs',` gen_require(` @@ -279,9 +315,15 @@ interface(`logging_append_all_logs',` allow $1 logfile:file { getattr append }; ') -####################################### -# -# logging_read_all_logs(domain) +######################################## +## +## Read all log files. +## +## +## +## Domain allowed access. +## +## # interface(`logging_read_all_logs',` gen_require(` @@ -300,7 +342,7 @@ interface(`logging_read_all_logs',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -316,9 +358,15 @@ interface(`logging_exec_all_logs',` can_exec($1,logfile) ') -####################################### -# -# logging_manage_all_logs(domain) +######################################## +## +## Create, read, write, and delete all log files. +## +## +## +## Domain allowed access. +## +## # interface(`logging_manage_all_logs',` gen_require(` @@ -331,9 +379,15 @@ interface(`logging_manage_all_logs',` allow $1 logfile:file create_file_perms; ') -####################################### -# -# logging_read_generic_logs(domain) +######################################## +## +## Read generic log files. +## +## +## +## Domain allowed access. +## +## # interface(`logging_read_generic_logs',` gen_require(` @@ -345,9 +399,15 @@ interface(`logging_read_generic_logs',` allow $1 var_log_t:file r_file_perms; ') -####################################### -# -# logging_write_generic_logs(domain) +######################################## +## +## Write generic log files. +## +## +## +## Domain allowed access. +## +## # interface(`logging_write_generic_logs',` gen_require(` diff --git a/refpolicy/policy/modules/system/modutils.if b/refpolicy/policy/modules/system/modutils.if index 0523843..b1dca23 100644 --- a/refpolicy/policy/modules/system/modutils.if +++ b/refpolicy/policy/modules/system/modutils.if @@ -6,7 +6,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -26,7 +26,7 @@ interface(`modutils_read_module_deps',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -50,7 +50,7 @@ interface(`modutils_read_module_config',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -68,7 +68,7 @@ interface(`modutils_rename_module_config',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -94,7 +94,7 @@ interface(`modutils_domtrans_insmod_uncond',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -117,7 +117,7 @@ interface(`modutils_domtrans_insmod',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -142,8 +142,14 @@ interface(`modutils_run_insmod',` ') ######################################## -# -# modutils_exec_insmod(domain) +## +## Execute insmod in the caller domain. +## +## +## +## Domain allowed access. +## +## # interface(`modutils_exec_insmod',` gen_require(` @@ -160,7 +166,7 @@ interface(`modutils_exec_insmod',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -184,7 +190,7 @@ interface(`modutils_domtrans_depmod',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -209,8 +215,14 @@ interface(`modutils_run_depmod',` ') ######################################## -# -# modutils_exec_depmod(domain) +## +## Execute depmod in the caller domain. +## +## +## +## Domain allowed access. +## +## # interface(`modutils_exec_depmod',` gen_require(` @@ -227,7 +239,7 @@ interface(`modutils_exec_depmod',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -251,7 +263,7 @@ interface(`modutils_domtrans_update_mods',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -276,8 +288,14 @@ interface(`modutils_run_update_mods',` ') ######################################## -# -# modutils_exec_update_mods(domain) +## +## Execute update_modules in the caller domain. +## +## +## +## Domain allowed access. +## +## # interface(`modutils_exec_update_mods',` gen_require(` diff --git a/refpolicy/policy/modules/system/selinuxutil.if b/refpolicy/policy/modules/system/selinuxutil.if index c812f6b..4e2f51b 100644 --- a/refpolicy/policy/modules/system/selinuxutil.if +++ b/refpolicy/policy/modules/system/selinuxutil.if @@ -6,7 +6,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -33,7 +33,7 @@ interface(`seutil_domtrans_checkpolicy',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -57,9 +57,15 @@ interface(`seutil_run_checkpolicy',` allow checkpolicy_t $3:chr_file rw_term_perms; ') -####################################### -# -# seutil_exec_checkpolicy(domain) +######################################## +## +## Execute checkpolicy in the caller domain. +## +## +## +## Domain allowed access. +## +## # interface(`seutil_exec_checkpolicy',` gen_require(` @@ -77,7 +83,7 @@ interface(`seutil_exec_checkpolicy',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -100,11 +106,10 @@ interface(`seutil_domtrans_loadpolicy',` ## Execute load_policy in the load_policy domain, and ## allow the specified role the load_policy domain, ## and use the caller's terminal. -## Has a SIGCHLD signal backchannel. ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -128,9 +133,15 @@ interface(`seutil_run_loadpolicy',` allow load_policy_t $3:chr_file rw_term_perms; ') -####################################### -# -# seutil_exec_loadpolicy(domain) +######################################## +## +## Execute load_policy in the caller domain. +## +## +## +## Domain allowed access. +## +## # interface(`seutil_exec_loadpolicy',` gen_require(` @@ -141,9 +152,15 @@ interface(`seutil_exec_loadpolicy',` can_exec($1,load_policy_exec_t) ') -####################################### -# -# seutil_read_loadpolicy(domain) +######################################## +## +## Read the load_policy program file. +## +## +## +## Domain allowed access. +## +## # interface(`seutil_read_loadpolicy',` gen_require(` @@ -160,7 +177,7 @@ interface(`seutil_read_loadpolicy',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -187,7 +204,7 @@ interface(`seutil_domtrans_newrole',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -211,9 +228,15 @@ interface(`seutil_run_newrole',` allow newrole_t $3:chr_file rw_term_perms; ') -####################################### -# -# seutil_exec_newrole(domain) +######################################## +## +## Execute newrole in the caller domain. +## +## +## +## Domain allowed access. +## +## # interface(`seutil_exec_newrole',` gen_require(` @@ -232,7 +255,7 @@ interface(`seutil_exec_newrole',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -244,9 +267,15 @@ interface(`seutil_dontaudit_signal_newrole',` dontaudit $1 newrole_t:process signal; ') -####################################### -# -# seutil_sigchld_newrole(domain) +######################################## +## +## Send a SIGCHLD signal to newrole. +## +## +## +## Domain allowed access. +## +## # interface(`seutil_sigchld_newrole',` gen_require(` @@ -256,9 +285,15 @@ interface(`seutil_sigchld_newrole',` allow $1 newrole_t:process sigchld; ') -####################################### -# -# seutil_use_newrole_fds(domain) +######################################## +## +## Inherit and use newrole file descriptors. +## +## +## +## Domain allowed access. +## +## # interface(`seutil_use_newrole_fds',` gen_require(` @@ -274,7 +309,7 @@ interface(`seutil_use_newrole_fds',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -300,7 +335,7 @@ interface(`seutil_domtrans_restorecon',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -324,9 +359,15 @@ interface(`seutil_run_restorecon',` allow restorecon_t $3:chr_file rw_term_perms; ') -####################################### -# -# seutil_exec_restorecon(domain) +######################################## +## +## Execute restorecon in the caller domain. +## +## +## +## Domain allowed access. +## +## # interface(`seutil_exec_restorecon',` gen_require(` @@ -343,7 +384,7 @@ interface(`seutil_exec_restorecon',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -399,7 +440,7 @@ interface(`seutil_init_script_domtrans_runinit',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -443,7 +484,7 @@ interface(`seutil_run_runinit',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -470,8 +511,14 @@ interface(`seutil_init_script_run_runinit',` ') ######################################## -# -# seutil_use_runinit_fds(domain) +## +## Inherit and use run_init file descriptors. +## +## +## +## Domain allowed access. +## +## # interface(`seutil_use_runinit_fds',` gen_require(` @@ -487,7 +534,7 @@ interface(`seutil_use_runinit_fds',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -514,7 +561,7 @@ interface(`seutil_domtrans_setfiles',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -538,9 +585,15 @@ interface(`seutil_run_setfiles',` allow setfiles_t $3:chr_file rw_term_perms; ') -####################################### -# -# seutil_exec_setfiles(domain) +######################################## +## +## Execute setfiles in the caller domain. +## +## +## +## Domain allowed access. +## +## # interface(`seutil_exec_setfiles',` gen_require(` @@ -592,8 +645,14 @@ interface(`seutil_dontaudit_read_config',` ') ######################################## -# -# seutil_read_config(domain) +## +## Read the general SELinux configuration files. +## +## +## +## Domain allowed access. +## +## # interface(`seutil_read_config',` gen_require(` @@ -613,7 +672,7 @@ interface(`seutil_read_config',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -634,7 +693,7 @@ interface(`seutil_manage_selinux_config',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -649,8 +708,14 @@ interface(`seutil_search_default_contexts',` ######################################## -# -# seutil_read_default_contexts(domain) +## +## Read the default_contexts files. +## +## +## +## Domain allowed access. +## +## # interface(`seutil_read_default_contexts',` gen_require(` @@ -665,8 +730,14 @@ interface(`seutil_read_default_contexts',` ') ######################################## -# -# seutil_read_file_contexts(domain) +## +## Read the file_contexts files. +## +## +## +## Domain allowed access. +## +## # interface(`seutil_read_file_contexts',` gen_require(` @@ -724,8 +795,14 @@ interface(`seutil_manage_file_contexts',` ') ######################################## -# -# seutil_read_bin_policy(domain) +## +## Read the SELinux binary policy. +## +## +## +## Domain allowed access. +## +## # interface(`seutil_read_bin_policy',` gen_require(` @@ -739,8 +816,14 @@ interface(`seutil_read_bin_policy',` ') ######################################## -# -# seutil_create_bin_policy(domain) +## +## Create the SELinux binary policy. +## +## +## +## Domain allowed access. +## +## # interface(`seutil_create_bin_policy',` gen_require(` @@ -761,7 +844,7 @@ interface(`seutil_create_bin_policy',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -776,8 +859,15 @@ interface(`seutil_relabelto_bin_policy',` ') ######################################## -# -# seutil_manage_bin_policy(domain) +## +## Create, read, write, and delete the SELinux +## binary policy. +## +## +## +## Domain allowed access. +## +## # interface(`seutil_manage_bin_policy',` gen_require(` @@ -793,8 +883,14 @@ interface(`seutil_manage_bin_policy',` ') ######################################## -# -# seutil_read_src_policy(domain) +## +## Read SELinux policy source files. +## +## +## +## Domain allowed access. +## +## # interface(`seutil_read_src_policy',` gen_require(` @@ -808,8 +904,15 @@ interface(`seutil_read_src_policy',` ') ######################################## -# -# seutil_manage_src_policy(domain) +## +## Create, read, write, and delete SELinux +## policy source files. +## +## +## +## Domain allowed access. +## +## # interface(`seutil_manage_src_policy',` gen_require(` @@ -855,7 +958,7 @@ interface(`seutil_domtrans_semanage',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -909,7 +1012,7 @@ interface(`seutil_manage_module_store',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -929,7 +1032,7 @@ interface(`seutil_get_semanage_read_lock',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## #