diff --git a/refpolicy/Makefile b/refpolicy/Makefile index 34aad7e..f9a42fc 100644 --- a/refpolicy/Makefile +++ b/refpolicy/Makefile @@ -434,9 +434,6 @@ clean: rm -f $(FC) bare: clean - find . -name *~ -exec rm -f {} \; - find . -name "*#*" -exec rm -f {} \; - find . -name ".*#*" -exec rm -f {} \; rm -f $(POLXML) rm -f $(SUPPORT)/*.pyc rm -f $(FCSORT) diff --git a/refpolicy/policy/modules/admin/consoletype.if b/refpolicy/policy/modules/admin/consoletype.if index 7a45f5a..a23dc42 100644 --- a/refpolicy/policy/modules/admin/consoletype.if +++ b/refpolicy/policy/modules/admin/consoletype.if @@ -1,9 +1,9 @@ ####################################### # -# consoletype_transition(domain) +# consoletype_domtrans(domain) # -define(`consoletype_transition',` +define(`consoletype_domtrans',` requires_block_template(`$0'_depend) domain_auto_trans($1,consoletype_exec_t,consoletype_t) @@ -14,7 +14,7 @@ define(`consoletype_transition',` allow consoletype_t $1:process sigchld; ') -define(`consoletype_transition_depend',` +define(`consoletype_domtrans_depend',` type consoletype_t, consoletype_exec_t; class file rx_file_perms; @@ -25,16 +25,16 @@ define(`consoletype_transition_depend',` ####################################### # -# consoletype_execute(domain) +# consoletype_exec(domain) # -define(`consoletype_execute',` +define(`consoletype_exec',` requires_block_template(`$0'_depend) can_exec($1,consoletype_exec_t) ') -define(`consoletype_execute_depend',` +define(`consoletype_exec_depend',` type consoletype_exec_t; class file { getattr read execute execute_no_trans }; diff --git a/refpolicy/policy/modules/admin/consoletype.te b/refpolicy/policy/modules/admin/consoletype.te index a6db3cb..9f4348a 100644 --- a/refpolicy/policy/modules/admin/consoletype.te +++ b/refpolicy/policy/modules/admin/consoletype.te 
@@ -8,8 +8,8 @@ policy_module(consoletype, 1.0) type consoletype_t; type consoletype_exec_t; -init_make_init_domain(consoletype_t,consoletype_exec_t) -init_make_system_domain(consoletype_t,consoletype_exec_t) +init_domain(consoletype_t,consoletype_exec_t) +init_system_domain(consoletype_t,consoletype_exec_t) role system_r types consoletype_t; ######################################## @@ -39,27 +39,27 @@ fs_getattr_all_fs(consoletype_t) term_use_console(consoletype_t) term_use_unallocated_tty(consoletype_t) -init_use_file_descriptors(consoletype_t) -init_script_use_pseudoterminal(consoletype_t) -init_script_use_file_descriptors(consoletype_t) +init_use_fd(consoletype_t) +init_use_script_pty(consoletype_t) +init_use_script_fd(consoletype_t) -domain_use_widely_inheritable_file_descriptors(consoletype_t) +domain_use_wide_inherit_fd(consoletype_t) -files_ignore_read_rootfs_file(consoletype_t) +files_dontaudit_read_root_file(consoletype_t) -libraries_use_dynamic_loader(consoletype_t) -libraries_use_shared_libraries(consoletype_t) +libs_use_ld_so(consoletype_t) +libs_use_shared_libs(consoletype_t) ifdef(`distro_redhat', ` fs_use_tmpfs_character_devices(consoletype_t) ') optional_policy(`authlogin.te', ` - authlogin_pam_read_runtime_data(consoletype_t) + auth_read_pam_pid(consoletype_t) ') optional_policy(`userdomain.te',` - userdomain_use_all_unprivileged_users_file_descriptors(consoletype_t) + userdom_use_unpriv_users_fd(consoletype_t) ') ifdef(`TODO',` diff --git a/refpolicy/policy/modules/admin/dmesg.if b/refpolicy/policy/modules/admin/dmesg.if index 69e7872..7bf8885 100644 --- a/refpolicy/policy/modules/admin/dmesg.if +++ b/refpolicy/policy/modules/admin/dmesg.if @@ -2,7 +2,7 @@ ## Policy for dmesg. ######################################## -## +## ## ## Execute dmesg in the dmesg domain. ## @@ -11,7 +11,7 @@ ## ## # -define(`dmesg_transition',` +define(`dmesg_domtrans',` requires_block_template(`$0'_depend) allow $1 dmesg_exec_t:file rx_file_perms; 
@@ -25,7 +25,7 @@ define(`dmesg_transition',` allow dmesg_t $1:process sigchld; ') -define(`dmesg_transition_depend',` +define(`dmesg_domtrans_depend',` type dmesg_t, dmesg_exec_t; class file rx_file_perms; @@ -35,7 +35,7 @@ define(`dmesg_transition_depend',` ') ######################################## -## +## ## ## Execute dmesg in the caller domain. ## @@ -44,14 +44,14 @@ define(`dmesg_transition_depend',` ## ## # -define(`dmesg_execute',` +define(`dmesg_exec',` requires_block_template(`$0'_depend) can_exec($1,dmesg_exec_t) ') -define(`dmesg_execute_depend',` +define(`dmesg_exec_depend',` type dmesg_exec_t; class file { getattr read execute execute_no_trans }; diff --git a/refpolicy/policy/modules/admin/dmesg.te b/refpolicy/policy/modules/admin/dmesg.te index c559527..735d869 100644 --- a/refpolicy/policy/modules/admin/dmesg.te +++ b/refpolicy/policy/modules/admin/dmesg.te @@ -8,7 +8,7 @@ policy_module(dmesg, 1.0) type dmesg_t; type dmesg_exec_t; -init_make_system_domain(dmesg_t,dmesg_exec_t) +init_system_domain(dmesg_t,dmesg_exec_t) role system_r types dmesg_t; ######################################## 
@@ -29,30 +29,30 @@ kernel_change_ring_buffer_level(dmesg_t) term_dontaudit_use_console(dmesg_t) -domain_use_widely_inheritable_file_descriptors(dmesg_t) +domain_use_wide_inherit_fd(dmesg_t) -files_read_general_system_config_directory(dmesg_t) +files_read_generic_etc_files_directory(dmesg_t) # for when /usr is not mounted: -files_ignore_search_isid_type_dir(dmesg_t) +files_dontaudit_search_isid_type_dir(dmesg_t) -init_use_file_descriptors(dmesg_t) -init_script_use_pseudoterminal(dmesg_t) +init_use_fd(dmesg_t) +init_use_script_pty(dmesg_t) -libraries_use_dynamic_loader(dmesg_t) -libraries_use_shared_libraries(dmesg_t) +libs_use_ld_so(dmesg_t) +libs_use_shared_libs(dmesg_t) -logging_send_system_log_message(dmesg_t) -logging_write_system_logs(dmesg_t) +logging_send_syslog_msg(dmesg_t) +logging_write_generic_logs(dmesg_t) miscfiles_read_localization(dmesg_t) -userdomain_use_admin_terminals(dmesg_t) -userdomain_ignore_use_all_unprivileged_users_file_descriptors(dmesg_t) +userdom_use_sysadm_terms(dmesg_t) +userdom_dontaudit_use_unpriv_user_fd(dmesg_t) ifdef(`targeted_policy', ` term_dontaudit_use_unallocated_tty(dmesg_t) terminal_ignore_use_general_pseudoterminal(dmesg_t) - files_ignore_read_rootfs_file(dmesg_t) + files_dontaudit_read_root_file(dmesg_t) ') optional_policy(`selinux.te',` @@ -60,7 +60,7 @@ optional_policy(`selinux.te',` ') optional_policy(`udev.te', ` - udev_read_database(dmesg_t) + udev_read_db(dmesg_t) ') ifdef(`TODO',` diff --git a/refpolicy/policy/modules/admin/netutils.if b/refpolicy/policy/modules/admin/netutils.if index 72fc713..7b53ac3 100644 --- a/refpolicy/policy/modules/admin/netutils.if +++ b/refpolicy/policy/modules/admin/netutils.if @@ -1,9 +1,9 @@ ####################################### # -# netutils_transition(domain) +# netutils_domtrans(domain) # -define(`netutils_transition',` +define(`netutils_domtrans',` requires_block_template(`$0'_depend) allow $1 netutils_exec_t:file rx_file_perms; 
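Review bot: The rename in this hunk leaves `terminal_ignore_use_general_pseudoterminal(dmesg_t)` inside the `targeted_policy` block untouched, while the neighbouring calls are already in the new `term_dontaudit_*` form (`term_dontaudit_use_console`, `term_dontaudit_use_unallocated_tty`). If the terminal interfaces were renamed wholesale, this m4 macro is now undefined, so the call passes through to the policy compiler as literal text and the targeted build fails; it should be renamed to the matching `term_dontaudit_use_*` interface in the same commit. I would also confirm that `files_read_generic_etc_files_directory` on the new side exists in files.if, since the other modules in this commit use `files_read_generic_etc_files`; the trailing `_directory` may be intended, but this is the only caller spelled that way here.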
@@ -17,7 +17,7 @@ define(`netutils_transition',` allow netutils_t $1:process sigchld; ') -define(`netutils_transition_depend',` +define(`netutils_domtrans_depend',` type netutils_t, netutils_exec_t; class file rx_file_perms; @@ -28,16 +28,16 @@ define(`netutils_transition_depend',` ####################################### # -# netutils_execute(domain) +# netutils_exec(domain) # -define(`netutils_execute',` +define(`netutils_exec',` requires_block_template(`$0'_depend) can_exec($1,netutils_exec_t) ') -define(`netutils_execute_depend',` +define(`netutils_exec_depend',` type netutils_exec_t; class file { getattr read execute execute_no_trans }; diff --git a/refpolicy/policy/modules/admin/netutils.te b/refpolicy/policy/modules/admin/netutils.te index 166d8bf..6f9995b 100644 --- a/refpolicy/policy/modules/admin/netutils.te +++ b/refpolicy/policy/modules/admin/netutils.te @@ -8,20 +8,20 @@ policy_module(devices,1.0) type netutils_t; type netutils_exec_t; -init_make_system_domain(netutils_t,netutils_exec_t) +init_system_domain(netutils_t,netutils_exec_t) role system_r types netutils_t; type netutils_tmp_t; -files_make_temporary_file(netutils_tmp_t) +files_tmp_file(netutils_tmp_t) type ping_t; #, nscd_client_domain; type ping_exec_t; -init_make_system_domain(ping_t,ping_exec_t) +init_system_domain(ping_t,ping_exec_t) role system_r types ping_t; type traceroute_t; #, nscd_client_domain; type traceroute_exec_t; -init_make_system_domain(traceroute_t,traceroute_exec_t) +init_system_domain(traceroute_t,traceroute_exec_t) role system_r types traceroute_t; # @@ -44,7 +44,7 @@ allow netutils_t self:tcp_socket create_socket_perms; allow netutils_t netutils_tmp_t:dir create_dir_perms; allow netutils_t netutils_tmp_t:file create_file_perms; -files_create_private_tmp_data(netutils_t, netutils_tmp_t, { file dir }) +files_create_tmp_files(netutils_t, netutils_tmp_t, { file dir }) corenet_tcp_sendrecv_all_if(netutils_t) corenet_raw_sendrecv_all_if(netutils_t) 
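Review bot: netutils.te's header, visible as this hunk's context line, declares `policy_module(devices,1.0)` instead of naming its own module, while every other .te file in this commit names itself (`consoletype`, `dmesg`, `rpm`, `usermanage`). That is pre-existing rather than introduced here, but it is worth fixing while the file is being touched: built as a loadable module it would carry the identity of the devices module and could collide with or shadow it. Suggested: `policy_module(netutils,1.0)`.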
@@ -59,19 +59,19 @@ corenet_udp_bind_all_nodes(netutils_t) fs_getattr_xattr_fs(netutils_t) -init_use_file_descriptors(netutils_t) -init_script_use_pseudoterminal(netutils_t) +init_use_fd(netutils_t) +init_use_script_pty(netutils_t) -domain_use_widely_inheritable_file_descriptors(netutils_t) +domain_use_wide_inherit_fd(netutils_t) -files_read_general_system_config(netutils_t) +files_read_generic_etc_files(netutils_t) # for nscd -files_ignore_search_system_state_data_directory(netutils_t) +files_dontaudit_search_var(netutils_t) -libraries_use_dynamic_loader(netutils_t) -libraries_use_shared_libraries(netutils_t) +libs_use_ld_so(netutils_t) +libs_use_shared_libs(netutils_t) -logging_send_system_log_message(netutils_t) +logging_send_syslog_msg(netutils_t) miscfiles_read_localization(netutils_t) @@ -117,17 +117,17 @@ corenet_tcp_bind_all_nodes(ping_t) fs_dontaudit_getattr_xattr_fs(ping_t) -domain_use_widely_inheritable_file_descriptors(ping_t) +domain_use_wide_inherit_fd(ping_t) -files_read_general_system_config(ping_t) -files_ignore_search_system_state_data_directory(ping_t) +files_read_generic_etc_files(ping_t) +files_dontaudit_search_var(ping_t) -libraries_use_dynamic_loader(ping_t) -libraries_use_shared_libraries(ping_t) +libs_use_ld_so(ping_t) +libs_use_shared_libs(ping_t) -sysnetwork_read_network_config(ping_t) +sysnet_read_config(ping_t) -logging_send_system_log_message(ping_t) +logging_send_syslog_msg(ping_t) if (user_ping) { term_use_all_user_ttys(ping_t) 
@@ -175,22 +175,22 @@ corenet_tcp_bind_all_nodes(traceroute_t) fs_dontaudit_getattr_xattr_fs(traceroute_t) -domain_use_widely_inheritable_file_descriptors(traceroute_t) +domain_use_wide_inherit_fd(traceroute_t) -files_read_general_system_config(traceroute_t) -files_ignore_search_system_state_data_directory(traceroute_t) +files_read_generic_etc_files(traceroute_t) +files_dontaudit_search_var(traceroute_t) -libraries_use_dynamic_loader(traceroute_t) -libraries_use_shared_libraries(traceroute_t) +libs_use_ld_so(traceroute_t) +libs_use_shared_libs(traceroute_t) -logging_send_system_log_message(traceroute_t) +logging_send_syslog_msg(traceroute_t) miscfiles_read_localization(traceroute_t) #rules needed for nmap dev_read_rand(traceroute_t) dev_read_urand(traceroute_t) -files_read_general_application_resources(traceroute_t) +files_read_usr_files(traceroute_t) if (user_ping) { term_use_all_user_ttys(traceroute_t) diff --git a/refpolicy/policy/modules/admin/rpm.if b/refpolicy/policy/modules/admin/rpm.if index 77832cb..82b9fe5 100644 --- a/refpolicy/policy/modules/admin/rpm.if +++ b/refpolicy/policy/modules/admin/rpm.if @@ -2,7 +2,7 @@ ## Policy for the RPM package manager. ######################################## -## +## ## ## Execute rpm programs in the rpm domain. ## @@ -11,7 +11,7 @@ ## ## # -define(`rpm_transition',` +define(`rpm_domtrans',` requires_block_template(`$0'_depend) allow $1 rpm_exec_t:file rx_file_perms; @@ -25,7 +25,7 @@ define(`rpm_transition',` allow rpm_t $1:process sigchld; ') -define(`rpm_transition_depend',` +define(`rpm_domtrans_depend',` type rpm_t, rpm_exec_t; class file rx_file_perms; @@ -35,7 +35,7 @@ define(`rpm_transition_depend',` ') ######################################## -## +## ## ## Execute RPM programs in the RPM domain. ## 
@@ -50,23 +50,23 @@ define(`rpm_transition_depend',` ## ## # -define(`rpm_transition_add_role_use_terminal',` +define(`rpm_run',` requires_block_template(`$0'_depend) - rpm_transition($1) + rpm_domtrans($1) role $2 types rpm_t; role $2 types rpm_script_t; allow rpm_t $3:chr_file { getattr read write ioctl }; ') -define(`rpm_transition_add_role_use_terminal_depend',` +define(`rpm_run_depend',` type rpm_t, rpm_script_t; class chr_file { getattr read write ioctl }; ') ######################################## -## +## ## ## Inherit and use file descriptors from RPM. ## @@ -75,13 +75,13 @@ define(`rpm_transition_add_role_use_terminal_depend',` ## ## # -define(`rpm_use_file_descriptors',` +define(`rpm_use_fd',` requires_block_template(`$0'_depend) allow $1 rpm_t:fd use; ') -define(`rpm_use_file_descriptors_depend',` +define(`rpm_use_fd_depend',` type rpm_t; class fd use; @@ -110,7 +110,7 @@ define(`rpm_read_pipe_depend',` ') ######################################## -## +## ## ## Read RPM package database. ## @@ -119,7 +119,7 @@ define(`rpm_read_pipe_depend',` ## ## # -define(`rpm_read_package_database',` +define(`rpm_read_db',` requires_block_template(`$0'_depend) allow $1 rpm_var_lib_t:dir r_dir_perms; @@ -127,7 +127,7 @@ define(`rpm_read_package_database',` allow $1 rpm_var_lib_t:lnk_file r_file_perms; ') -define(`rpm_read_package_database_depend',` +define(`rpm_read_db_depend',` type rpm_var_lib_t_t; class dir r_dir_perms; @@ -137,9 +137,9 @@ define(`rpm_read_package_database_depend',` ######################################## # -# rpm_manage_package_database(domain) +# rpm_manage_db(domain) # -define(`rpm_manage_package_database',` +define(`rpm_manage_db',` requires_block_template(`$0'_depend) allow $1 rpm_var_lib_t:dir rw_dir_perms; 
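Review bot: The renamed `rpm_read_db_depend` block in this hunk still declares `type rpm_var_lib_t_t;` (note the doubled `_t`), while the interface body it backs grants access to `rpm_var_lib_t`; the same typo is carried into `rpm_manage_db_depend` in the following hunk. If these `_depend` blocks feed a consuming module's `requires` section, the requirement names a type that does not exist and the module will fail to link; if they do not, the requirement is simply not expressing the real dependency. Change it to `type rpm_var_lib_t;` in both blocks.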
@@ -147,7 +147,7 @@ define(`rpm_manage_package_database',` allow $1 rpm_var_lib_t:lnk_file { getattr read write unlink }; ') -define(`rpm_manage_package_database_depend',` +define(`rpm_manage_db_depend',` type rpm_var_lib_t_t; class dir rw_dir_perms; diff --git a/refpolicy/policy/modules/admin/rpm.te b/refpolicy/policy/modules/admin/rpm.te index 14e8ce2..2936e1c 100644 --- a/refpolicy/policy/modules/admin/rpm.te +++ b/refpolicy/policy/modules/admin/rpm.te 
@@ -8,47 +8,47 @@ policy_module(rpm,1.0) type rpm_t; #, admin, privmem, priv_system_role; type rpm_exec_t; -init_make_system_domain(rpm_t,rpm_exec_t) -kernel_make_object_identity_change_constraint_exception(rpm_t) -domain_make_file_descriptors_widely_inheritable(rpm_t) +init_system_domain(rpm_t,rpm_exec_t) +kernel_obj_id_change_exempt(rpm_t) +domain_wide_inherit_fd(rpm_t) role system_r types rpm_t; type rpm_file_t; -files_make_file(rpm_file_t) +files_file_type(rpm_file_t) type rpm_tmp_t; -files_make_temporary_file(rpm_tmp_t) +files_tmp_file(rpm_tmp_t) type rpm_tmpfs_t; -files_make_tmpfs_file(rpm_tmpfs_t) +files_tmpfs_file(rpm_tmpfs_t) type rpm_log_t; -logging_make_log_file(rpm_log_t) +logging_log_file(rpm_log_t) type rpm_var_lib_t; -files_make_file(rpm_var_lib_t) +files_file_type(rpm_var_lib_t) typealias rpm_var_lib_t alias var_lib_rpm_t; type rpm_script_t; #, admin, privmem, priv_system_role; type rpm_script_exec_t; -kernel_make_object_identity_change_constraint_exception(rpm_script_t) -corecommands_make_shell_entrypoint(rpm_script_t) -domain_make_domain(rpm_script_t) -domain_make_entrypoint_file(rpm_t,rpm_script_t) -domain_make_file_descriptors_widely_inheritable(rpm_script_t) +kernel_obj_id_change_exempt(rpm_script_t) +corecmd_shell_entry_type(rpm_script_t) +domain_type(rpm_script_t) +domain_entry_file(rpm_t,rpm_script_t) +domain_wide_inherit_fd(rpm_script_t) role system_r types rpm_script_t; type rpm_script_tmp_t; -files_make_temporary_file(rpm_script_tmp_t) +files_tmp_file(rpm_script_tmp_t) type rpm_script_tmpfs_t; -files_make_tmpfs_file(rpm_script_tmpfs_t) +files_tmpfs_file(rpm_script_tmpfs_t) type rpmbuild_t; -domain_make_domain(rpmbuild_t) +domain_type(rpmbuild_t) type rpmbuild_exec_t; -domain_make_entrypoint_file(rpmbuild_t,rpmbuild_exec_t) +domain_entry_file(rpmbuild_t,rpmbuild_exec_t) ######################################## # 
@@ -75,11 +75,11 @@ allow rpm_t self:dir search; allow rpm_t self:file rw_file_perms;; allow rpm_t rpm_log_t:file create_file_perms; -logging_create_private_log(rpm_t,rpm_log_t) +logging_create_log(rpm_t,rpm_log_t) allow rpm_t rpm_tmp_t:dir create_dir_perms; allow rpm_t rpm_tmp_t:file create_file_perms; -files_create_private_tmp_data(rpm_t, rpm_tmp_t, { file dir }) +files_create_tmp_files(rpm_t, rpm_tmp_t, { file dir }) allow rpm_t rpm_tmpfs_t:dir create_dir_perms; allow rpm_t rpm_tmpfs_t:file create_file_perms; 
@@ -126,35 +126,35 @@ storage_raw_read_fixed_disk(rpm_t) term_list_ptys(rpm_t) -authlogin_ignore_read_shadow_passwords(rpm_t) +auth_dontaudit_read_shadow(rpm_t) -corecommands_execute_general_programs(rpm_t) -corecommands_execute_system_programs(rpm_t) -corecommands_shell_transition(rpm_t,rpm_script_t) +corecmd_exec_bin(rpm_t) +corecmd_exec_sbin(rpm_t) +corecmd_domtrans_shell(rpm_t,rpm_script_t) -domain_execute_all_entrypoint_programs(rpm_t) -domain_read_all_domains_process_state(rpm_t) -domain_use_widely_inheritable_file_descriptors(rpm_t) +domain_exec_all_entry_files(rpm_t) +domain_read_all_domains_state(rpm_t) +domain_use_wide_inherit_fd(rpm_t) -files_execute_system_config_script(rpm_t) +files_exec_generic_etc_files(rpm_t) -init_script_transition(rpm_t) +init_domtrans_script(rpm_t) -libraries_use_dynamic_loader(rpm_t) -libraries_use_shared_libraries(rpm_t) -libraries_execute_dynamic_loader(rpm_t) -libraries_execute_library_scripts(rpm_t) -libraries_ldconfig_transition(rpm_t) +libs_use_ld_so(rpm_t) +libs_use_shared_libs(rpm_t) +libs_exec_ld_so(rpm_t) +libs_exec_lib_files(rpm_t) +libs_domtrans_ldconfig(rpm_t) -logging_send_system_log_message(rpm_t) +logging_send_syslog_msg(rpm_t) # allow compiling and loading new policy -selinux_manage_source_policy(rpm_t) -selinux_manage_binary_policy(rpm_t) +selinux_manage_src_pol(rpm_t) +selinux_manage_binary_pol(rpm_t) -sysnetwork_read_network_config(rpm_t) +sysnet_read_config(rpm_t) -userdomain_use_all_unprivileged_users_file_descriptors(rpm_t) +userdom_use_unpriv_users_fd(rpm_t) #cron_transition_from(rpm,rpm_exec_t) 
@@ -235,11 +235,11 @@ allow rpm_script_t rpm_tmp_t:file r_file_perms; allow rpm_script_t rpm_script_tmp_t:dir mounton; allow rpm_script_t rpm_script_tmp_t:dir create_dir_perms; allow rpm_script_t rpm_script_tmp_t:file create_file_perms; -files_create_private_tmp_data(rpm_script_t, rpm_script_tmp_t, { file dir }) +files_create_tmp_files(rpm_script_t, rpm_script_tmp_t, { file dir }) -allow rpm_script_t rpm_script_tmpfs_t:dir rw_dir_perms; +allow rpm_script_t rpm_script_tmpfs_t:dir create_dir_perms; allow rpm_script_t rpm_script_tmpfs_t:file create_file_perms; -allow rpm_script_t rpm_script_tmpfs_t:lnk_file create_file_perms; +allow rpm_script_t rpm_script_tmpfs_t:lnk_file create_lnk_perms; allow rpm_script_t rpm_script_tmpfs_t:sock_file create_file_perms; allow rpm_script_t rpm_script_tmpfs_t:fifo_file create_file_perms; fs_create_tmpfs_data(rpm_script_t,rpm_script_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) 
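Review bot: `allow rpm_script_t rpm_script_tmpfs_t:dir rw_dir_perms;` becomes `create_dir_perms` here, which widens rpm_script_t's rights on its tmpfs directories (the exact permission set is defined outside this diff, but by convention it adds creation and removal on top of read/write). It is the only non-rename change in a commit that otherwise just renames interfaces, so it deserves a sentence in the commit message and a comment in the policy; it does look intentional, since `fs_create_tmpfs_data(rpm_script_t,rpm_script_tmpfs_t,{ dir ... })` two lines below implies the domain creates directories there. Suggested comment above the line: `# rpm scripts create and remove directory trees under tmpfs`. The narrowing of `lnk_file` from `create_file_perms` to `create_lnk_perms` is a good cleanup; `sock_file` and `fifo_file` on the following lines still use `create_file_perms` and could get the same treatment if matching permission sets exist.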
@@ -272,41 +272,41 @@ storage_raw_write_fixed_disk(rpm_script_t) term_getattr_unallocated_ttys(rpm_script_t) term_list_ptys(rpm_script_t) -authlogin_ignore_get_shadow_passwords_attributes(rpm_script_t) +auth_dontaudit_getattr_shadow(rpm_script_t) # ideally we would not need this -authlogin_manage_all_files_except_shadow(rpm_script_t) +auth_manage_all_files_except_shadow(rpm_script_t) -corecommands_execute_general_programs(rpm_script_t) -corecommands_execute_system_programs(rpm_script_t) +corecmd_exec_bin(rpm_script_t) +corecmd_exec_sbin(rpm_script_t) -domain_read_all_domains_process_state(rpm_script_t) -domain_use_widely_inheritable_file_descriptors(rpm_script_t) -domain_execute_all_entrypoint_programs(rpm_script_t) +domain_read_all_domains_state(rpm_script_t) +domain_use_wide_inherit_fd(rpm_script_t) +domain_exec_all_entry_files(rpm_script_t) domain_signal_all_domains(rpm_script_t) domain_signull_all_domains(rpm_script_t) -files_execute_system_config_script(rpm_script_t) -files_read_runtime_system_config(rpm_script_t) +files_exec_generic_etc_files(rpm_script_t) +files_read_etc_runtime_files(rpm_script_t) -init_script_transition(rpm_script_t) +init_domtrans_script(rpm_script_t) -libraries_use_dynamic_loader(rpm_script_t) -libraries_use_shared_libraries(rpm_script_t) -libraries_execute_dynamic_loader(rpm_script_t) -libraries_execute_library_scripts(rpm_script_t) -libraries_ldconfig_transition(rpm_script_t) +libs_use_ld_so(rpm_script_t) +libs_use_shared_libs(rpm_script_t) +libs_exec_ld_so(rpm_script_t) +libs_exec_lib_files(rpm_script_t) +libs_domtrans_ldconfig(rpm_script_t) -logging_send_system_log_message(rpm_script_t) +logging_send_syslog_msg(rpm_script_t) miscfiles_read_localization(rpm_script_t) -modutils_depmod_transition(rpm_script_t) -modutils_insmod_transition(rpm_script_t) +modutils_domtrans_depmod(rpm_script_t) +modutils_domtrans_insmod(rpm_script_t) -selinux_load_policy_transition(rpm_script_t) -selinux_restorecon_transition(rpm_script_t) 
+selinux_domtrans_loadpol(rpm_script_t) +selinux_domtrans_restorecon(rpm_script_t) -userdomain_use_all_users_file_descriptors(rpm_script_t) +userdom_use_all_user_fd(rpm_script_t) optional_policy(`bootloader.te', ` bootloader_domtrans(rpm_script_t) @@ -354,7 +354,7 @@ kernel_compute_create_context(rpmbuild_t) kernel_compute_relabel_context(rpmbuild_t) kernel_compute_reachable_user_contexts(rpmbuild_t) -selinux_read_source_policy(rpmbuild_t) +selinux_read_src_pol(rpmbuild_t) ifdef(`TODO',` diff --git a/refpolicy/policy/modules/admin/usermanage.if b/refpolicy/policy/modules/admin/usermanage.if index 1ebfcdb..a7a9037 100644 --- a/refpolicy/policy/modules/admin/usermanage.if +++ b/refpolicy/policy/modules/admin/usermanage.if @@ -2,7 +2,7 @@ ## Policy for managing user accounts. ######################################## -## +## ## ## Execute chfn in the chfn domain. ## @@ -11,7 +11,7 @@ ## ## # -define(`usermanage_chfn_transition',` +define(`usermanage_domtrans_chfn',` requires_block_template(`$0'_depend) allow $1 chfn_exec_t:file rx_file_perms; @@ -25,7 +25,7 @@ define(`usermanage_chfn_transition',` allow chfn_t $1:process sigchld; ') -define(`usermanage_chfn_transition_depend',` +define(`usermanage_domtrans_chfn_depend',` type chfn_t, chfn_exec_t; class file rx_file_perms; @@ -35,7 +35,7 @@ define(`usermanage_chfn_transition_depend',` ') ######################################## -## +## ## ## Execute chfn in the chfn domain, and ## allow the specified role the chfn domain. 
@@ -51,22 +51,22 @@ define(`usermanage_chfn_transition_depend',` ## ## # -define(`usermanage_chfn_transition_add_role_use_terminal',` +define(`usermanage_run_chfn',` requires_block_template(`$0'_depend) - usermanage_chfn_transition($1) + usermanage_domtrans_chfn($1) role $2 types chfn_t; allow chfn_t $3:chr_file { getattr read write ioctl }; ') -define(`usermanage_chfn_transition_add_role_use_terminal_depend',` +define(`usermanage_run_chfn_depend',` type chfn_t; class chr_file { getattr read write ioctl }; ') ######################################## -## +## ## ## Execute groupadd in the groupadd domain. ## @@ -75,7 +75,7 @@ define(`usermanage_chfn_transition_add_role_use_terminal_depend',` ## ## # -define(`usermanage_groupadd_transition',` +define(`usermanage_domtrans_groupadd',` requires_block_template(`$0'_depend) domain_auto_trans($1,groupadd_exec_t,groupadd_t) @@ -86,7 +86,7 @@ define(`usermanage_groupadd_transition',` allow groupadd_t $1:process sigchld; ') -define(`usermanage_groupadd_transition_depend',` +define(`usermanage_domtrans_groupadd_depend',` type groupadd_t, groupadd_exec_t; class file rx_file_perms; @@ -96,7 +96,7 @@ define(`usermanage_groupadd_transition_depend',` ') ######################################## -## +## ## ## Execute groupadd in the groupadd domain, and ## allow the specified role the groupadd domain. 
@@ -112,22 +112,22 @@ define(`usermanage_groupadd_transition_depend',` ## ## # -define(`usermanage_groupadd_transition_add_role_use_terminal',` +define(`usermanage_run_groupadd',` requires_block_template(`$0'_depend) - usermanage_groupadd_transition($1) + usermanage_domtrans_groupadd($1) role $2 types groupadd_t; allow groupadd_t $3:chr_file { getattr read write ioctl }; ') -define(`usermanage_groupadd_transition_add_role_use_terminal_depend',` +define(`usermanage_run_groupadd_depend',` type groupadd_t; class chr_file { getattr read write ioctl }; ') ######################################## -## +## ## ## Execute passwd in the passwd domain. ## @@ -136,7 +136,7 @@ define(`usermanage_groupadd_transition_add_role_use_terminal_depend',` ## ## # -define(`usermanage_passwd_transition',` +define(`usermanage_domtrans_passwd',` requires_block_template(`$0'_depend) allow $1 passwd_exec_t:file rx_file_perms; @@ -150,7 +150,7 @@ define(`usermanage_passwd_transition',` allow passwd_t $1:process sigchld; ') -define(`usermanage_passwd_transition_depend',` +define(`usermanage_domtrans_passwd_depend',` type passwd_t, passwd_exec_t; class file rx_file_perms; @@ -160,7 +160,7 @@ define(`usermanage_passwd_transition_depend',` ') ######################################## -## +## ## ## Execute passwd in the passwd domain, and ## allow the specified role the passwd domain. 
@@ -176,22 +176,22 @@ define(`usermanage_passwd_transition_depend',` ## ## # -define(`usermanage_passwd_transition_add_role_use_terminal',` +define(`usermanage_run_passwd',` requires_block_template(`$0'_depend) - usermanage_passwd_transition($1) + usermanage_domtrans_passwd($1) role $2 types passwd_t; allow passwd_t $3:chr_file { getattr read write ioctl }; ') -define(`usermanage_passwd_transition_add_role_use_terminal_depend',` +define(`usermanage_run_passwd_depend',` type passwd_t; class chr_file { getattr read write ioctl }; ') ######################################## -## +## ## ## Execute useradd in the useradd domain. ## @@ -200,7 +200,7 @@ define(`usermanage_passwd_transition_add_role_use_terminal_depend',` ## ## # -define(`usermanage_useradd_transition',` +define(`usermanage_domtrans_useradd',` requires_block_template(`$0'_depend) allow $1 useradd_exec_t:file rx_file_perms; @@ -214,7 +214,7 @@ define(`usermanage_useradd_transition',` allow useradd_t $1:process sigchld; ') -define(`usermanage_useradd_transition_depend',` +define(`usermanage_domtrans_useradd_depend',` type useradd_t, useradd_exec_t; class file rx_file_perms; @@ -224,7 +224,7 @@ define(`usermanage_useradd_transition_depend',` ') ######################################## -## +## ## ## Execute useradd in the useradd domain, and ## allow the specified role the useradd domain. @@ -240,15 +240,15 @@ define(`usermanage_useradd_transition_depend',` ## ## # -define(`usermanage_useradd_transition_add_role_use_terminal',` +define(`usermanage_run_useradd',` requires_block_template(`$0'_depend) - usermanage_useradd_transition($1) + usermanage_domtrans_useradd($1) role $2 types useradd_t; allow useradd_t $3:chr_file { getattr read write ioctl }; ') -define(`usermanage_useradd_transition_add_role_use_terminal_depend',` +define(`usermanage_run_useradd_depend',` type useradd_t; class chr_file { getattr read write ioctl }; 
diff --git a/refpolicy/policy/modules/admin/usermanage.te b/refpolicy/policy/modules/admin/usermanage.te index 5da06a4..1e41365 100644 --- a/refpolicy/policy/modules/admin/usermanage.te +++ b/refpolicy/policy/modules/admin/usermanage.te 
@@ -7,54 +7,54 @@ policy_module(usermanage,1.0) # type admin_passwd_exec_t; -files_make_file(admin_passwd_exec_t) +files_file_type(admin_passwd_exec_t) type chfn_t; -kernel_make_object_identity_change_constraint_exception(chfn_t) -domain_make_domain(chfn_t) +kernel_obj_id_change_exempt(chfn_t) +domain_type(chfn_t) role system_r types chfn_t; type chfn_exec_t; -domain_make_entrypoint_file(chfn_t,chfn_exec_t) +domain_entry_file(chfn_t,chfn_exec_t) type crack_t; role system_r types crack_t; type crack_exec_t; -domain_make_entrypoint_file(crack_t,crack_exec_t) +domain_entry_file(crack_t,crack_exec_t) type crack_db_t; #, usercanread; -files_make_file(crack_db_t) +files_file_type(crack_db_t) type crack_tmp_t; -files_make_temporary_file(crack_tmp_t) +files_tmp_file(crack_tmp_t) type groupadd_t; #, nscd_client_domain; type groupadd_exec_t; -kernel_make_object_identity_change_constraint_exception(groupadd_t) -init_make_system_domain(groupadd_t,groupadd_exec_t) +kernel_obj_id_change_exempt(groupadd_t) +init_system_domain(groupadd_t,groupadd_exec_t) role system_r types groupadd_t; type passwd_t; -kernel_make_object_identity_change_constraint_exception(passwd_t) -domain_make_domain(passwd_t) +kernel_obj_id_change_exempt(passwd_t) +domain_type(passwd_t) role system_r types passwd_t; type passwd_exec_t; -domain_make_entrypoint_file(passwd_t,passwd_exec_t) +domain_entry_file(passwd_t,passwd_exec_t) type sysadm_passwd_t; -kernel_make_object_identity_change_constraint_exception(sysadm_passwd_t) -domain_make_domain(sysadm_passwd_t) -domain_make_entrypoint_file(sysadm_passwd_t,admin_passwd_exec_t) +kernel_obj_id_change_exempt(sysadm_passwd_t) +domain_type(sysadm_passwd_t) +domain_entry_file(sysadm_passwd_t,admin_passwd_exec_t) type sysadm_passwd_tmp_t; -files_make_file(sysadm_passwd_tmp_t) +files_file_type(sysadm_passwd_tmp_t) type useradd_t; # nscd_client_domain; type useradd_exec_t; -kernel_make_object_identity_change_constraint_exception(useradd_t) 
-init_make_system_domain(useradd_t,useradd_exec_t) +kernel_obj_id_change_exempt(useradd_t) +init_system_domain(useradd_t,useradd_exec_t) role system_r types useradd_t; ######################################## @@ -94,22 +94,22 @@ dev_read_urand(chfn_t) # /usr/bin/passwd asks for w access to utmp, but it will operate # correctly without it. Do not audit write denials to utmp. -init_script_ignore_modify_runtime_data(chfn_t) +init_dontaudit_rw_script_pid(chfn_t) -domain_use_widely_inheritable_file_descriptors(chfn_t) +domain_use_wide_inherit_fd(chfn_t) -files_manage_general_system_config(chfn_t) -files_read_runtime_system_config(chfn_t) +files_manage_generic_etc_files(chfn_t) +files_read_etc_runtime_files(chfn_t) -libraries_use_dynamic_loader(chfn_t) -libraries_use_shared_libraries(chfn_t) +libs_use_ld_so(chfn_t) +libs_use_shared_libs(chfn_t) miscfiles_read_localization(chfn_t) -logging_send_system_log_message(chfn_t) +logging_send_syslog_msg(chfn_t) -authlogin_check_password_transition(chfn_t) -authlogin_ignore_read_shadow_passwords(chfn_t) +auth_domtrans_chk_passwd(chfn_t) +auth_dontaudit_read_shadow(chfn_t) ifdef(`TODO',` role sysadm_r types chfn_t; @@ -152,11 +152,11 @@ allow crack_t self:fifo_file rw_file_perms; allow crack_t crack_db_t:dir rw_dir_perms; allow crack_t crack_db_t:file create_file_perms; allow crack_t crack_db_t:lnk_file create_file_perms; -files_search_system_state_data_directory(crack_t) +files_search_var(crack_t) allow crack_t crack_tmp_t:dir create_dir_perms; allow crack_t crack_tmp_t:file create_file_perms; -files_create_private_tmp_data(crack_t, crack_tmp_t, { file dir }) +files_create_tmp_files(crack_t, crack_tmp_t, { file dir }) kernel_read_system_state(crack_t) 
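Review bot: In the usermanage.te declarations hunk (which starts on the previous source line), `crack_t` is given an entry point with `domain_entry_file(crack_t,crack_exec_t)` and a role, but unlike `chfn_t`, `passwd_t` and `sysadm_passwd_t` in the same hunk it never receives `domain_type(crack_t)` (or `init_system_domain`). Unless it is marked as a domain elsewhere outside this hunk, it will not carry the domain attribute and so will miss whatever rules the base policy applies to every domain, and a process transitioning into it would land in an unusual non-domain type. Suggested addition after `type crack_t;`: `domain_type(crack_t)`.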
@@ -165,17 +165,17 @@ dev_read_urand(crack_t) fs_getattr_xattr_fs(crack_t) -files_read_general_system_config(crack_t) -files_read_runtime_system_config(crack_t) +files_read_generic_etc_files(crack_t) +files_read_etc_runtime_files(crack_t) # for dictionaries -files_read_general_application_resources(crack_t) +files_read_usr_files(crack_t) -corecommands_execute_general_programs(crack_t) +corecmd_exec_bin(crack_t) -libraries_use_dynamic_loader(crack_t) -libraries_use_shared_libraries(crack_t) +libs_use_ld_so(crack_t) +libs_use_shared_libs(crack_t) -logging_send_system_log_message(crack_t) +logging_send_syslog_msg(crack_t) ifdef(`TODO',` ifdef(`crond.te', ` @@ -222,26 +222,26 @@ fs_getattr_xattr_fs(groupadd_t) term_use_all_user_ttys(groupadd_t) term_use_all_user_ptys(groupadd_t) -init_use_file_descriptors(groupadd_t) -init_script_read_runtime_data(groupadd_t) +init_use_fd(groupadd_t) +init_read_script_pid(groupadd_t) -domain_use_widely_inheritable_file_descriptors(groupadd_t) +domain_use_wide_inherit_fd(groupadd_t) -files_manage_general_system_config(groupadd_t) +files_manage_generic_etc_files(groupadd_t) -libraries_use_dynamic_loader(groupadd_t) -libraries_use_shared_libraries(groupadd_t) +libs_use_ld_so(groupadd_t) +libs_use_shared_libs(groupadd_t) # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}. -corecommands_execute_general_programs(groupadd_t) -corecommands_execute_system_programs(groupadd_t) +corecmd_exec_bin(groupadd_t) +corecmd_exec_sbin(groupadd_t) -logging_send_system_log_message(groupadd_t) +logging_send_syslog_msg(groupadd_t) miscfiles_read_localization(groupadd_t) -authlogin_manage_shadow_passwords(groupadd_t) -authlogin_modify_last_login_log(groupadd_t) +auth_manage_shadow(groupadd_t) +auth_rw_lastlog(groupadd_t) selinux_read_config(groupadd_t) 
@@ -299,21 +299,21 @@ fs_getattr_xattr_fs(passwd_t) # /usr/bin/passwd asks for w access to utmp, but it will operate # correctly without it. Do not audit write denials to utmp. -init_script_ignore_modify_runtime_data(passwd_t) +init_dontaudit_rw_script_pid(passwd_t) -domain_use_widely_inheritable_file_descriptors(passwd_t) +domain_use_wide_inherit_fd(passwd_t) -files_read_runtime_system_config(passwd_t) -files_manage_general_system_config(passwd_t) +files_read_etc_runtime_files(passwd_t) +files_manage_generic_etc_files(passwd_t) -libraries_use_dynamic_loader(passwd_t) -libraries_use_shared_libraries(passwd_t) +libs_use_ld_so(passwd_t) +libs_use_shared_libs(passwd_t) -logging_send_system_log_message(passwd_t) +logging_send_syslog_msg(passwd_t) miscfiles_read_localization(passwd_t) -authlogin_manage_shadow_passwords(passwd_t) +auth_manage_shadow(passwd_t) ifdef(`TODO',` @@ -379,8 +379,8 @@ allow sysadm_passwd_t self:msg { send receive }; # allow vipw to create temporary files under /var/tmp/vi.recover allow sysadm_passwd_t sysadm_passwd_tmp_t:dir create_dir_perms; allow sysadm_passwd_t sysadm_passwd_tmp_t:file create_file_perms; -files_create_private_tmp_data(sysadm_passwd_t, sysadm_passwd_tmp_t, { file dir }) -files_search_system_state_data_directory(sysadm_passwd_t) +files_create_tmp_files(sysadm_passwd_t, sysadm_passwd_tmp_t, { file dir }) +files_search_var(sysadm_passwd_t) kernel_get_selinuxfs_mount_point(sysadm_passwd_t) kernel_validate_context(sysadm_passwd_t) 
@@ -401,26 +401,26 @@ term_use_all_user_ptys(sysadm_passwd_t) # /usr/bin/passwd asks for w access to utmp, but it will operate # correctly without it. Do not audit write denials to utmp. -init_script_ignore_modify_runtime_data(sysadm_passwd_t) +init_dontaudit_rw_script_pid(sysadm_passwd_t) -domain_use_widely_inheritable_file_descriptors(sysadm_passwd_t) +domain_use_wide_inherit_fd(sysadm_passwd_t) -files_manage_general_system_config(sysadm_passwd_t) -files_read_runtime_system_config(sysadm_passwd_t) +files_manage_generic_etc_files(sysadm_passwd_t) +files_read_etc_runtime_files(sysadm_passwd_t) # allow vipw to exec the editor -corecommands_execute_general_programs(sysadm_passwd_t) -corecommands_execute_shell(sysadm_passwd_t) -files_read_general_application_resources(sysadm_passwd_t) +corecmd_exec_bin(sysadm_passwd_t) +corecmd_exec_shell(sysadm_passwd_t) +files_read_usr_files(sysadm_passwd_t) -libraries_use_dynamic_loader(sysadm_passwd_t) -libraries_use_shared_libraries(sysadm_passwd_t) +libs_use_ld_so(sysadm_passwd_t) +libs_use_shared_libs(sysadm_passwd_t) miscfiles_read_localization(sysadm_passwd_t) -logging_send_system_log_message(sysadm_passwd_t) +logging_send_syslog_msg(sysadm_passwd_t) -authlogin_manage_shadow_passwords(sysadm_passwd_t) +auth_manage_shadow(sysadm_passwd_t) ifdef(`TODO',` role sysadm_r types sysadm_passwd_t; 
@@ -488,29 +488,29 @@ fs_getattr_xattr_fs(useradd_t) term_use_all_user_ttys(useradd_t) term_use_all_user_ptys(useradd_t) -init_use_file_descriptors(useradd_t) -init_script_modify_runtime_data(useradd_t) +init_use_fd(useradd_t) +init_rw_script_pid(useradd_t) -domain_use_widely_inheritable_file_descriptors(useradd_t) +domain_use_wide_inherit_fd(useradd_t) -files_manage_general_system_config(useradd_t) +files_manage_generic_etc_files(useradd_t) -libraries_use_dynamic_loader(useradd_t) -libraries_use_shared_libraries(useradd_t) +libs_use_ld_so(useradd_t) +libs_use_shared_libs(useradd_t) -corecommands_execute_shell(useradd_t) +corecmd_exec_shell(useradd_t) # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}. -corecommands_execute_general_programs(useradd_t) -corecommands_execute_system_programs(useradd_t) +corecmd_exec_bin(useradd_t) +corecmd_exec_sbin(useradd_t) miscfiles_read_localization(useradd_t) selinux_read_config(useradd_t) -logging_send_system_log_message(useradd_t) +logging_send_syslog_msg(useradd_t) -authlogin_manage_shadow_passwords(useradd_t) -authlogin_modify_last_login_log(useradd_t) +auth_manage_shadow(useradd_t) +auth_rw_lastlog(useradd_t) ifdef(`TODO',` diff --git a/refpolicy/policy/modules/apps/gpg.if b/refpolicy/policy/modules/apps/gpg.if index 3aec203..6e25d42 100644 --- a/refpolicy/policy/modules/apps/gpg.if +++ b/refpolicy/policy/modules/apps/gpg.if 
@@ -14,27 +14,27 @@ define(`gpg_per_userdomain_template',` # type $1_gpg_t; - domain_make_domain($1_gpg_t) - domain_make_entrypoint_file($1_gpg_t,gpg_exec_t) + domain_type($1_gpg_t) + domain_entry_file($1_gpg_t,gpg_exec_t) role $1_r types $1_gpg_t; type $1_gpg_agent_t; - domain_make_domain($1_gpg_agent_t) - domain_make_entrypoint_file($1_gpg_agent_t,gpg_agent_exec_t) + domain_type($1_gpg_agent_t) + domain_entry_file($1_gpg_agent_t,gpg_agent_exec_t) role $1_r types $1_gpg_agent_t; type $1_gpg_agent_tmp_t; - files_make_temporary_file($1_gpg_agent_tmp_t) + files_tmp_file($1_gpg_agent_tmp_t) type $1_gpg_secret_t; #, $1_file_type; - files_make_file($1_gpg_secret_t) + files_file_type($1_gpg_secret_t) type $1_gpg_helper_t; - domain_make_domain($1_gpg_helper_t) + domain_type($1_gpg_helper_t) role $1_r types $1_gpg_helper_t; type $1_gpg_pinentry_t; - domain_make_domain($1_gpg_pinentry_t) + domain_type($1_gpg_pinentry_t) role $1_r types $1_gpg_pinentry_t; ######################################## @@ -81,23 +81,23 @@ define(`gpg_per_userdomain_template',` fs_getattr_xattr_fs($1_gpg_t) - files_read_general_system_config($1_gpg_t) - files_read_general_application_resources($1_gpg_t) + files_read_generic_etc_files($1_gpg_t) + files_read_usr_files($1_gpg_t) - libraries_use_shared_libraries($1_gpg_t) - libraries_use_dynamic_loader($1_gpg_t) + libs_use_shared_libs($1_gpg_t) + libs_use_ld_so($1_gpg_t) miscfiles_read_localization($1_gpg_t) - logging_send_system_log_message($1_gpg_t) + logging_send_syslog_msg($1_gpg_t) - sysnetwork_read_network_config($1_gpg_t) + sysnet_read_config($1_gpg_t) # Legacy if (allow_gpg_execstack) { allow $1_gpg_t self:process execmem; - libraries_legacy_use_shared_libraries($1_gpg_t) - libraries_legacy_use_dynamic_loader($1_gpg_t) + libs_legacy_use_shared_libs($1_gpg_t) + libs_legacy_use_ld_so($1_gpg_t) miscfiles_legacy_read_localization($1_gpg_t) # Not quite sure why this is needed... allow $1_gpg_t gpg_exec_t:file execmod; 
@@ -188,14 +188,14 @@ define(`gpg_per_userdomain_template',` dev_read_urand($1_gpg_helper_t) - files_read_general_system_config($1_gpg_helper_t) + files_read_generic_etc_files($1_gpg_helper_t) # for nscd - files_ignore_search_system_state_data_directory($1_gpg_helper_t) + files_dontaudit_search_var($1_gpg_helper_t) - libraries_use_dynamic_loader($1_gpg_helper_t) - libraries_use_shared_libraries($1_gpg_helper_t) + libs_use_ld_so($1_gpg_helper_t) + libs_use_shared_libs($1_gpg_helper_t) - sysnetwork_read_network_config($1_gpg_helper_t) + sysnet_read_config($1_gpg_helper_t) ifdef(`TODO',` @@ -230,12 +230,12 @@ define(`gpg_per_userdomain_template',` allow $1_t $1_gpg_agent_tmp_t:dir create_dir_perms; allow $1_t $1_gpg_agent_tmp_t:file create_file_perms; allow $1_t $1_gpg_agent_tmp_t:sock_file create_file_perms; - files_create_private_tmp_data($1_gpg_agent_t, $1_gpg_agent_tmp_t, { file sock_file dir }) + files_create_tmp_files($1_gpg_agent_t, $1_gpg_agent_tmp_t, { file sock_file dir }) - domain_use_widely_inheritable_file_descriptors($1_gpg_agent_t) + domain_use_wide_inherit_fd($1_gpg_agent_t) - libraries_use_dynamic_loader($1_gpg_agent_t) - libraries_use_shared_libraries($1_gpg_agent_t) + libs_use_ld_so($1_gpg_agent_t) + libs_use_shared_libs($1_gpg_agent_t) miscfiles_read_localization($1_gpg_agent_t) @@ -297,12 +297,12 @@ define(`gpg_per_userdomain_template',` # read /proc/meminfo kernel_read_system_state($1_gpg_pinentry_t) - files_read_general_application_resources($1_gpg_pinentry_t) + files_read_usr_files($1_gpg_pinentry_t) # read /etc/X11/qtrc - files_read_general_system_config($1_gpg_pinentry_t) + files_read_generic_etc_files($1_gpg_pinentry_t) - libraries_use_dynamic_loader($1_gpg_pinentry_t) - libraries_use_shared_libraries($1_gpg_pinentry_t) + libs_use_ld_so($1_gpg_pinentry_t) + libs_use_shared_libs($1_gpg_pinentry_t) miscfiles_read_fonts($1_gpg_pinentry_t) miscfiles_read_localization($1_gpg_pinentry_t) 
diff --git a/refpolicy/policy/modules/apps/gpg.te b/refpolicy/policy/modules/apps/gpg.te index 112b554..0bc46d2 100644 --- a/refpolicy/policy/modules/apps/gpg.te +++ b/refpolicy/policy/modules/apps/gpg.te @@ -12,16 +12,16 @@ bool allow_gpg_execstack false; # Type for gpg or pgp executables. type gpg_exec_t; type gpg_helper_exec_t; -files_make_file(gpg_exec_t) -files_make_file(gpg_helper_exec_t) +files_file_type(gpg_exec_t) +files_file_type(gpg_helper_exec_t) # Type for the gpg-agent executable. type gpg_agent_exec_t; -files_make_file(gpg_agent_exec_t) +files_file_type(gpg_agent_exec_t) # type for the pinentry executable type pinentry_exec_t; -files_make_file(pinentry_exec_t) +files_file_type(pinentry_exec_t) #allow sysadm_gpg_t { home_root_t user_home_dir_t }:dir search; #allow sysadm_gpg_t ptyfile:chr_file rw_file_perms; diff --git a/refpolicy/policy/modules/kernel/bootloader.if b/refpolicy/policy/modules/kernel/bootloader.if index 4e8befc..ffbfd27 100644 --- a/refpolicy/policy/modules/kernel/bootloader.if +++ b/refpolicy/policy/modules/kernel/bootloader.if @@ -412,11 +412,11 @@ define(`bootloader_write_kernel_modules',` allow $1 modules_object_t:dir r_dir_perms; allow $1 modules_object_t:file { write append }; - typeattribute $1 can_modify_kernel_modules; + typeattribute $1 rw_kern_modules; ') define(`bootloader_write_kernel_modules_depend',` - attribute can_modify_kernel_modules; + attribute rw_kern_modules; type modules_object_t; @@ -441,11 +441,11 @@ define(`bootloader_manage_kernel_modules',` allow $1 modules_object_t:file { rw_file_perms create setattr unlink }; allow $1 modules_object_t:dir rw_dir_perms; - typeattribute $1 can_modify_kernel_modules; + typeattribute $1 rw_kern_modules; ') define(`bootloader_manage_kernel_modules_depend',` - attribute can_modify_kernel_modules; + attribute rw_kern_modules; type modules_object_t; 
diff --git a/refpolicy/policy/modules/kernel/bootloader.te b/refpolicy/policy/modules/kernel/bootloader.te index 4abffc5..3e4ea33 100644 --- a/refpolicy/policy/modules/kernel/bootloader.te +++ b/refpolicy/policy/modules/kernel/bootloader.te @@ -6,14 +6,14 @@ policy_module(bootloader,1.0) # Declarations # -attribute can_modify_kernel_modules; +attribute rw_kern_modules; # # boot_t is the type for files in /boot # type boot_t; -files_make_file(boot_t) -files_make_mountpoint(boot_t) +files_file_type(boot_t) +files_mountpoint(boot_t) # # boot_runtime_t is the type for /boot/kernel.h, @@ -21,41 +21,41 @@ files_make_mountpoint(boot_t) # only for Red Hat # type boot_runtime_t; -files_make_file(boot_runtime_t) +files_file_type(boot_runtime_t) type bootloader_t; -domain_make_domain(bootloader_t) +domain_type(bootloader_t) role system_r types bootloader_t; type bootloader_exec_t; -domain_make_entrypoint_file(bootloader_t,bootloader_exec_t) +domain_entry_file(bootloader_t,bootloader_exec_t) # # bootloader_etc_t is the configuration file, # grub.conf, lilo.conf, etc. # type bootloader_etc_t alias etc_bootloader_t; -files_make_file(bootloader_etc_t) +files_file_type(bootloader_etc_t) # # The temp file is used for initrd creation; # it consists of files and device nodes # type bootloader_tmp_t; -files_make_temporary_file(bootloader_tmp_t) +files_tmp_file(bootloader_tmp_t) dev_node(bootloader_tmp_t) # kernel modules type modules_object_t; -files_make_file(modules_object_t) +files_file_type(modules_object_t) -neverallow ~can_modify_kernel_modules modules_object_t:file { create append write }; +neverallow ~rw_kern_modules modules_object_t:file { create append write }; # # system_map_t is for the system.map files in /boot # type system_map_t; -files_make_file(system_map_t) +files_file_type(system_map_t) ######################################## # 
@@ -73,16 +73,16 @@ allow bootloader_t boot_t:lnk_file { r_file_perms create unlink }; allow bootloader_t bootloader_etc_t:file r_file_perms; # uncomment the following lines if you use "lilo -p" #allow bootloader_t bootloader_etc_t:file { create ioctl read getattr lock write setattr append link unlink rename }; -#files_create_private_config(bootloader_t,bootloader_etc_t) +#files_create_etc_config(bootloader_t,bootloader_etc_t) allow bootloader_t bootloader_tmp_t:dir create_dir_perms; allow bootloader_t bootloader_tmp_t:file create_file_perms; allow bootloader_t bootloader_tmp_t:chr_file create_file_perms; allow bootloader_t bootloader_tmp_t:blk_file create_file_perms; allow bootloader_t bootloader_tmp_t:lnk_file create_lnk_perms; -files_create_private_tmp_data(bootloader_t,bootloader_tmp_t,{ dir file lnk_file chr_file blk_file }) +files_create_tmp_files(bootloader_t,bootloader_tmp_t,{ dir file lnk_file chr_file blk_file }) # for tune2fs (cjp: ?) -files_create_private_root_dir_entry(bootloader_t,bootloader_tmp_t) +files_create_root(bootloader_t,bootloader_tmp_t) allow bootloader_t modules_object_t:dir r_dir_perms; allow bootloader_t modules_object_t:file r_file_perms; 
@@ -110,34 +110,34 @@ fs_getattr_xattr_fs(bootloader_t) term_getattr_all_user_ttys(bootloader_t) -init_get_control_channel_attributes(bootloader_t) -init_script_use_pseudoterminal(bootloader_t) -init_script_use_file_descriptors(bootloader_t) +init_getattr_initctl(bootloader_t) +init_use_script_pty(bootloader_t) +init_use_script_fd(bootloader_t) -domain_use_widely_inheritable_file_descriptors(bootloader_t) +domain_use_wide_inherit_fd(bootloader_t) -libraries_use_dynamic_loader(bootloader_t) -libraries_use_shared_libraries(bootloader_t) -libraries_read_library_resources(bootloader_t) +libs_use_ld_so(bootloader_t) +libs_use_shared_libs(bootloader_t) +libs_read_lib(bootloader_t) -files_read_general_system_config(bootloader_t) -files_read_runtime_system_config(bootloader_t) -files_read_system_source_code(bootloader_t) -files_read_general_application_resources(bootloader_t) +files_read_generic_etc_files(bootloader_t) +files_read_etc_runtime_files(bootloader_t) +files_read_usr_src(bootloader_t) +files_read_usr_files(bootloader_t) # for nscd -files_ignore_search_runtime_data_directory(bootloader_t) +files_dontaudit_search_pids(bootloader_t) -corecommands_execute_general_programs(bootloader_t) -corecommands_execute_system_programs(bootloader_t) -corecommands_execute_shell(bootloader_t) +corecmd_exec_bin(bootloader_t) +corecmd_exec_sbin(bootloader_t) +corecmd_exec_shell(bootloader_t) -logging_send_system_log_message(bootloader_t) -logging_modify_system_logs(bootloader_t) +logging_send_syslog_msg(bootloader_t) +logging_rw_generic_logs(bootloader_t) miscfiles_read_localization(bootloader_t) -selinux_read_binary_policy(bootloader_t) -selinux_read_load_policy_binary(bootloader_t) +selinux_read_binary_pol(bootloader_t) +selinux_read_loadpol(bootloader_t) ifdef(`distro_debian', ` allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto }; 
@@ -153,10 +153,10 @@ ifdef(`distro_redhat', ` allow bootloader_t boot_runtime_t:file { r_file_perms unlink }; # mkinitrd mount initrd on bootloader temp dir - files_make_mountpoint(bootloader_tmp_t) + files_mountpoint(bootloader_tmp_t) # for mke2fs - mount_transition(bootloader_t) + mount_domtrans(bootloader_t) ') optional_policy(`filesystemtools.te', ` @@ -168,17 +168,17 @@ optional_policy(`filesystemtools.te', ` optional_policy(`lvm.te', ` dev_rw_lvm_control(bootloader_t) - lvm_transition(bootloader_t) + lvm_domtrans(bootloader_t) lvm_read_config(bootloader_t) ') optional_policy(`modutils.te',` - modutils_insmod_execute(insmod_t) + modutils_exec_insmod(insmod_t) modutils_read_kernel_module_dependencies(bootloader_t) - modutils_read_kernel_module_loading_config(bootloader_t) - modutils_insmod_execute(bootloader_t) - modutils_depmod_execute(bootloader_t) - modutils_update_modules_execute(bootloader_t) + modutils_read_module_conf(bootloader_t) + modutils_exec_insmod(bootloader_t) + modutils_exec_depmod(bootloader_t) + modutils_exec_update_mods(bootloader_t) ') ifdef(`TODO',` diff --git a/refpolicy/policy/modules/kernel/corenetwork.te.in b/refpolicy/policy/modules/kernel/corenetwork.te.in index 57e90d9..250bd01 100644 --- a/refpolicy/policy/modules/kernel/corenetwork.te.in +++ b/refpolicy/policy/modules/kernel/corenetwork.te.in @@ -7,13 +7,13 @@ attribute port_type; attribute reserved_port_type; type ppp_device_t; -devices_make_device_node(ppp_device_t) +dev_node(ppp_device_t) # # tun_tap_device_t is the type of /dev/net/tun/* and /dev/net/tap/* # type tun_tap_device_t; -devices_make_device_node(tun_tap_device_t) +dev_node(tun_tap_device_t) ######################################## # diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if index 4678fe3..a1d9555 100644 --- a/refpolicy/policy/modules/kernel/devices.if +++ b/refpolicy/policy/modules/kernel/devices.if 
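Review bot: The first line of the modutils.te optional block, `modutils_exec_insmod(insmod_t)`, is only renamed here and its argument looks wrong: every other call in that block is applied to bootloader_t, and `modutils_exec_insmod(bootloader_t)` already appears three lines below. Granting insmod_t execute access on its own entry binary from the bootloader module is presumably unintended; the line should probably be dropped, or changed to bootloader_t if it is a typo (which makes it a duplicate of the later call). The optional_policy block is fully inside the hunk, but the bootloader_t rule set it belongs to starts outside it.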
@@ -154,6 +154,28 @@ define(`dev_create_dir_depend',` ') ######################################## +## +## +## Allow full relabeling (to and from) of directories in /dev. +## +## +## Domain allowed to relabel. +## +## +# +define(`dev_relabel_dev_dirs',` + requires_block_template(`$0'_depend) + + allow $1 device_t:dir { r_dir_perms relabelfrom relabelto }; +') + +define(`dev_relabel_dev_dirs_depend',` + type device_t; + + class dir { r_dir_perms relabelfrom relabelto }; +') + +######################################## ## ## ## Dontaudit getattr on generic pipes. @@ -209,13 +231,13 @@ define(`ddev_getattr_generic_blk_file_depend',` ## ## # -define(`ddev_dontaudit_getattr_generic_blk_files',` +define(`dev_dontaudit_getattr_generic_blk_file',` requires_block_template(`$0'_depend) dontaudit $1 device_t:blk_file getattr; ') -define(`dev_dontaudit_getattr_generic_blk_files_depend',` +define(`dev_dontaudit_getattr_generic_blk_file_depend',` type device_t; class blk_file getattr; @@ -258,7 +280,7 @@ define(`dev_manage_generic_blk_file_depend',` define(`dev_create_generic_chr_file',` requires_block_template(`$0'_depend) - allow $1 device_t:dir { getattr search read write add_name }; + allow $1 device_t:dir ra_dir_perms; allow $1 device_t:chr_file create; allow $1 self:capability mknod; @@ -267,7 +289,7 @@ define(`dev_create_generic_chr_file',` define(`dev_create_generic_chr_file_depend',` type device_t; - class dir { getattr search read write add_name }; + class dir ra_dir_perms; class chr_file create; class capability mknod; ') @@ -312,7 +334,7 @@ define(`dev_dontaudit_getattr_generic_chr_file',` dontaudit $1 device_t:chr_file getattr; ') -define(`dev_dontaudit_getattr_generic_chr_file',` +define(`dev_dontaudit_getattr_generic_chr_file_depend',` type device_t; class chr_file getattr; @@ -369,7 +391,7 @@ define(`dev_manage_generic_symlinks_depend',` ') ######################################## -## +## ## ## Create, delete, read, and write device nodes in device directories. ## 
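Review bot: The hunk at @@ -209 fixes the `ddev_` prefix on `dev_dontaudit_getattr_generic_blk_file`, but its header still shows `define(`ddev_getattr_generic_blk_file_depend',`` immediately above, so the sibling depend block apparently keeps the same typo. Since each interface resolves its requirements through `requires_block_template(`$0'_depend)`, a caller of the presumably paired `dev_getattr_generic_blk_file` interface would look for `dev_getattr_generic_blk_file_depend` and not find it; that define is outside the hunk, so this is inferred from the header only. Suggest renaming it to `define(`dev_getattr_generic_blk_file_depend',`` in the same commit.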
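Review bot: In the hunks at @@ -258 and @@ -267, replacing `{ getattr search read write add_name }` with `ra_dir_perms` is not a pure rename: if ra_dir_perms is defined as the usual refpolicy set it also carries ioctl and lock, so `dev_create_generic_chr_file` now grants slightly more on device_t directories than before. That is likely acceptable for a domain already allowed to mknod in /dev, but it is the one non-rename change in this file and deserves to be called out. A comment on the allow line would make it explicit: `# ra_dir_perms is a superset of the former explicit set (adds ioctl, lock)`.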
@@ -378,7 +400,7 @@ define(`dev_manage_generic_symlinks_depend',` ## ## # -define(`dev_manage_all_dev_nodes',` +define(`dev_manage_dev_nodes',` requires_block_template(`$0'_depend) allow $1 device_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto }; @@ -398,7 +420,7 @@ define(`dev_manage_all_dev_nodes',` typeattribute $1 memory_raw_write; ') -define(`dev_manage_all_dev_nodes_depend',` +define(`dev_manage_dev_nodes_depend',` attribute device_node, memory_raw_read, memory_raw_write; type device_t; diff --git a/refpolicy/policy/modules/kernel/devices.te b/refpolicy/policy/modules/kernel/devices.te index ec67e7a..b69faa2 100644 --- a/refpolicy/policy/modules/kernel/devices.te +++ b/refpolicy/policy/modules/kernel/devices.te @@ -9,8 +9,8 @@ attribute memory_raw_write; # device_t is the type of /dev. # type device_t; -files_make_file(device_t) -files_make_mountpoint(device_t) +files_file_type(device_t) +files_mountpoint(device_t) fs_associate_tmpfs(device_t) # Only directories and symlinks should be labeled device_t. diff --git a/refpolicy/policy/modules/kernel/filesystem.te b/refpolicy/policy/modules/kernel/filesystem.te index 3f46cbb..5a8b530 100644 --- a/refpolicy/policy/modules/kernel/filesystem.te +++ b/refpolicy/policy/modules/kernel/filesystem.te @@ -62,7 +62,7 @@ genfscon rpc_pipefs / context_template(system_u:object_r:rpc_pipefs_t,s0) # tmpfs_t is the type for tmpfs filesystems # type tmpfs_t, fs_type; -files_make_file(tmpfs_t) +files_file_type(tmpfs_t) # Use a transition SID based on the allocating task SID and the # filesystem SID to label inodes in the following filesystem types, 
@@ -124,7 +124,7 @@ allow removable_t noxattrfs:filesystem associate; # and their files. # type nfs_t, fs_type, noxattrfs; -files_make_mountpoint(nfs_t) +files_mountpoint(nfs_t) allow nfs_t self:filesystem associate; genfscon nfs / context_template(system_u:object_r:nfs_t,s0) genfscon nfs4 / context_template(system_u:object_r:nfs_t,s0) diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if index 4087a5b..1284c68 100644 --- a/refpolicy/policy/modules/kernel/kernel.if +++ b/refpolicy/policy/modules/kernel/kernel.if @@ -130,7 +130,7 @@ define(`kernel_dontaudit_use_fd_depend',` ') ######################################## -## +## ## ## Makes caller an exception to the constraint preventing ## changing of user identity. @@ -140,18 +140,18 @@ define(`kernel_dontaudit_use_fd_depend',` ## ## # -define(`kernel_make_process_identity_change_constraint_exception',` +define(`kernel_subj_id_change_exempt',` requires_block_template(`$0'_depend) typeattribute $1 can_change_process_identity; ') -define(`kernel_make_process_identity_change_constraint_exception_depend',` +define(`kernel_subj_id_change_exempt_depend',` attribute can_change_process_identity; ') ######################################## -## +## ## ## Makes caller an exception to the constraint preventing ## changing of role. @@ -161,18 +161,18 @@ define(`kernel_make_process_identity_change_constraint_exception_depend',` ## ## # -define(`kernel_make_role_change_constraint_exception',` +define(`kernel_role_change_exempt',` requires_block_template(`$0'_depend) typeattribute $1 can_change_process_role; ') -define(`kernel_make_role_change_constraint_exception_depend',` +define(`kernel_role_change_exempt_depend',` attribute can_change_process_role; ') ######################################## -## +## ## ## Makes caller an exception to the constraint preventing ## changing the user identity in object contexts. 
@@ -182,13 +182,13 @@ define(`kernel_make_role_change_constraint_exception_depend',` ## ## # -define(`kernel_make_object_identity_change_constraint_exception',` +define(`kernel_obj_id_change_exempt',` requires_block_template(`$0'_depend) typeattribute $1 can_change_object_identity; ') -define(`kernel_make_object_identity_change_constraint_exception_depend',` +define(`kernel_obj_id_change_exempt_depend',` attribute can_change_object_identity; ') diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te index 1ec123f..8881b13 100644 --- a/refpolicy/policy/modules/kernel/kernel.te +++ b/refpolicy/policy/modules/kernel/kernel.te @@ -19,7 +19,7 @@ attribute can_change_object_identity; # type kernel_t, can_load_kernmodule, can_load_policy; role system_r types kernel_t; -domain_make_domain(kernel_t) +domain_type(kernel_t) sid kernel context_template(system_u:system_r:kernel_t,s0 - s9:c0.c127) # @@ -63,7 +63,7 @@ genfscon selinuxfs / context_template(system_u:object_r:security_t,s0) # sysfs_t is the type for /sys # type sysfs_t; -files_make_mountpoint(sysfs_t) +files_mountpoint(sysfs_t) fs_make_fs(sysfs_t) genfscon sysfs / context_template(system_u:object_r:sysfs_t,s0) @@ -72,7 +72,7 @@ genfscon sysfs / context_template(system_u:object_r:sysfs_t,s0) # type proc_t; -files_make_mountpoint(proc_t) +files_mountpoint(proc_t) fs_make_fs(proc_t) genfscon proc / context_template(system_u:object_r:proc_t,s0) genfscon proc /sysvipc context_template(system_u:object_r:proc_t,s0) 
@@ -107,13 +107,13 @@ genfscon proc /net/rpc context_template(system_u:object_r:sysctl_rpc_t,s0) # /proc/sys directory, base directory of sysctls type sysctl_t; -files_make_mountpoint(sysctl_t) +files_mountpoint(sysctl_t) sid sysctl context_template(system_u:object_r:sysctl_t,s0) genfscon proc /sys context_template(system_u:object_r:sysctl_t,s0) # /proc/sys/fs directory and files type sysctl_fs_t; -files_make_mountpoint(sysctl_fs_t) +files_mountpoint(sysctl_fs_t) genfscon proc /sys/fs context_template(system_u:object_r:sysctl_fs_t,s0) # /proc/sys/kernel directory and files @@ -148,7 +148,7 @@ genfscon proc /sys/dev context_template(system_u:object_r:sysctl_dev_t,s0) # usbfs_t is the type for /proc/bus/usb # type usbfs_t alias usbdevfs_t; -files_make_mountpoint(usbfs_t) +files_mountpoint(usbfs_t) fs_make_noxattr_fs(usbfs_t) genfscon usbfs / context_template(system_u:object_r:usbfs_t,s0) genfscon usbdevfs / context_template(system_u:object_r:usbfs_t,s0) 
@@ -206,26 +206,26 @@ term_use_console(kernel_t) # from initrd, then mounting the root filesystem fs_mount_all_fs(kernel_t) -corecommands_execute_shell(kernel_t) -corecommands_read_system_programs_directory(kernel_t) +corecmd_exec_shell(kernel_t) +corecmd_list_sbin(kernel_t) # /proc/sys/kernel/modprobe is set to /bin/true if not using modules. -corecommands_execute_general_programs(kernel_t) +corecmd_exec_bin(kernel_t) domain_signal_all_domains(kernel_t) -files_read_root_dir(kernel_t) -files_list_home_directories(kernel_t) -files_read_general_application_resources(kernel_t) +files_list_root(kernel_t) +files_list_home(kernel_t) +files_read_usr_files(kernel_t) init_sigchld(kernel_t) -libraries_use_dynamic_loader(kernel_t) -libraries_use_shared_libraries(kernel_t) +libs_use_ld_so(kernel_t) +libs_use_shared_libs(kernel_t) -logging_send_system_log_message(kernel_t) +logging_send_syslog_msg(kernel_t) selinux_read_config(kernel_t) -selinux_read_binary_policy(kernel_t) +selinux_read_binary_pol(kernel_t) neverallow ~can_load_policy security_t:security load_policy; neverallow ~can_setenforce security_t:security setenforce; diff --git a/refpolicy/policy/modules/kernel/terminal.if b/refpolicy/policy/modules/kernel/terminal.if index 7bc26ea..d497365 100644 --- a/refpolicy/policy/modules/kernel/terminal.if +++ b/refpolicy/policy/modules/kernel/terminal.if @@ -33,6 +33,9 @@ define(`term_pty_depend',` ## pty type. This allows it to be relabeled via ## type change by login programs such as ssh. ## +## +## The type of the user domain associated with +## this pty. ## ## An object type that will applied to a pty. ## @@ -42,7 +45,7 @@ define(`term_user_pty',` requires_block_template(`$0'_depend) term_pty($1) - typeattribute $1 server_ptynode; + type_change $1 server_ptynode:chr_file $2; ') define(`term_user_pty_depend',` 
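Review bot: In the terminal.if hunk at @@ -42, the new rule `type_change $1 server_ptynode:chr_file $2;` and the retained `term_pty($1)` disagree about which argument is the pty type. In a type_change rule the first type is the relabeling domain and the last is the resulting object type, so as written the user domain (which the added parameter text describes) becomes the new label of the chr_file while the pty type is treated as the subject; the line should presumably read `type_change $2 server_ptynode:chr_file $1;`, or else `term_pty($2)` if the parameter order was deliberately changed to (userdomain, pty type), in which case existing single-argument callers need updating too. The `term_user_pty_depend` block, which now needs `attribute server_ptynode` and a chr_file class declaration in place of whatever the removed typeattribute required, lies outside the hunk, as does the start of the define and its XML doc block.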
@@ -683,7 +686,7 @@ define(`term_dontaudit_getattr_all_user_ttys_depend',` define(`term_setattr_all_user_ttys',` requires_block_template(`$0'_depend) - devices_list_device_nodes($1) + dev_list_all_dev_nodes($1) allow $1 ttynode:chr_file setattr; ') diff --git a/refpolicy/policy/modules/kernel/terminal.te b/refpolicy/policy/modules/kernel/terminal.te index 5b94446..83bedfc 100644 --- a/refpolicy/policy/modules/kernel/terminal.te +++ b/refpolicy/policy/modules/kernel/terminal.te @@ -21,7 +21,7 @@ dev_node(console_device_t) # the type of the root directory of the file system. # type devpts_t; -files_make_mountpoint(devpts_t) +files_mountpoint(devpts_t) fs_make_fs(devpts_t) fs_use_trans devpts context_template(system_u:object_r:devpts_t,s0); diff --git a/refpolicy/policy/modules/services/cron.if b/refpolicy/policy/modules/services/cron.if index c4fa652..a1f9c7c 100644 --- a/refpolicy/policy/modules/services/cron.if +++ b/refpolicy/policy/modules/services/cron.if @@ -8,16 +8,16 @@ define(`cron_per_userdomain_template',` # Type of user crontabs once moved to cron spool. type $1_cron_spool_t; - files_make_file($1_cron_spool_t) + files_file_type($1_cron_spool_t) type $1_crond_t; # user_crond_domain; - domain_make_domain($1_crond_t); - corecommands_make_shell_entrypoint($1_crond_t) + domain_type($1_crond_t); + corecmd_shell_entry_type($1_crond_t) role $1_r types $1_crond_t; type $1_crontab_t; - domain_make_domain($1_crontab_t) - domain_make_entrypoint_file($1_crontab_t,crontab_exec_t) + domain_type($1_crontab_t) + domain_entry_file($1_crontab_t,crontab_exec_t) role $1_r types $1_crontab_t; ############################## 
@@ -72,24 +72,24 @@ define(`cron_per_userdomain_template',` fs_getattr_all_fs($1_crond_t) - domain_execute_all_entrypoint_programs($1_crond_t) + domain_exec_all_entry_files($1_crond_t) - files_read_general_application_resources($1_crond_t) - files_execute_system_config_script($1_crond_t) + files_read_usr_files($1_crond_t) + files_exec_generic_etc_files($1_crond_t) # for nscd: - files_ignore_search_runtime_data_directory($1_crond_t) + files_dontaudit_search_pids($1_crond_t) - corecommands_execute_general_programs($1_crond_t) - corecommands_execute_system_programs($1_crond_t) + corecmd_exec_bin($1_crond_t) + corecmd_exec_sbin($1_crond_t) - libraries_use_dynamic_loader($1_crond_t) - libraries_use_shared_libraries($1_crond_t) - libraries_execute_library_scripts($1_crond_t) - libraries_execute_dynamic_loader($1_crond_t) + libs_use_ld_so($1_crond_t) + libs_use_shared_libs($1_crond_t) + libs_exec_lib_files($1_crond_t) + libs_exec_ld_so($1_crond_t) - files_read_runtime_system_config($1_crond_t) + files_read_etc_runtime_files($1_crond_t) - logging_search_system_log_directory($1_crond_t) + logging_search_logs($1_crond_t) selinux_read_config($1_crond_t) @@ -155,14 +155,14 @@ define(`cron_per_userdomain_template',` fs_getattr_xattr_fs($1_crontab_t) - domain_use_widely_inheritable_file_descriptors($1_crontab_t) + domain_use_wide_inherit_fd($1_crontab_t) - files_read_general_system_config($1_crontab_t) + files_read_generic_etc_files($1_crontab_t) - libraries_use_dynamic_loader($1_crontab_t) - libraries_use_shared_libraries($1_crontab_t) + libs_use_ld_so($1_crontab_t) + libs_use_shared_libs($1_crontab_t) - logging_send_system_log_message($1_crontab_t) + logging_send_syslog_msg($1_crontab_t) miscfiles_read_localization($1_crontab_t) 
@@ -218,7 +218,7 @@ define(`cron_per_userdomain_template',` # define(`cron_admin_template',` - logging_read_system_logs($1_crond_t) + logging_read_generic_logs($1_crond_t) # Allow our crontab domain to unlink a user cron spool file. #allow $1_crontab_t user_cron_spool_t:file unlink; @@ -241,15 +241,15 @@ define(`cron_admin_template',` ######################################## # -# cron_modify_log(domain) +# cron_rw_log(domain) # -define(`cron_modify_log',` +define(`cron_rw_log',` requires_block_template(`$0'_depend) allow $1 crond_log_t:file rw_file_perms; ') -define(`cron_modify_log_depend',` +define(`cron_rw_log_depend',` type crond_log_t; class file rw_file_perms; diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te index e5e35fd..525fff2 100644 --- a/refpolicy/policy/modules/services/cron.te +++ b/refpolicy/policy/modules/services/cron.te 
@@ -10,39 +10,39 @@ policy_module(cron, 1.0) bool cron_can_relabel false; type anacron_exec_t; -files_make_file(anacron_exec_t) +files_file_type(anacron_exec_t) type cron_spool_t; -files_make_file(cron_spool_t) +files_file_type(cron_spool_t) type crond_t; #, privmail, nscd_client_domain type crond_exec_t; -init_make_daemon_domain(crond_t,crond_exec_t) -domain_make_file_descriptors_widely_inheritable(crond_t) +init_daemon_domain(crond_t,crond_exec_t) +domain_wide_inherit_fd(crond_t) type crond_log_t; -logging_make_log_file(crond_log_t) +logging_log_file(crond_log_t) type crond_tmp_t; -files_make_temporary_file(crond_tmp_t) +files_tmp_file(crond_tmp_t) type crond_var_run_t; -files_make_daemon_runtime_file(crond_var_run_t) +files_pid_file(crond_var_run_t) type crontab_exec_t; -files_make_file(crontab_exec_t) +files_file_type(crontab_exec_t) type system_cron_spool_t; type system_crond_t; #, privmail, nscd_client_domain; -init_make_daemon_domain(system_crond_t,anacron_exec_t) -corecommands_make_shell_entrypoint(system_crond_t) +init_daemon_domain(system_crond_t,anacron_exec_t) +corecmd_shell_entry_type(system_crond_t) role system_r types system_crond_t; type system_crond_lock_t; -files_make_lock_file(system_crond_lock_t) +files_lock_file(system_crond_lock_t) type system_crond_tmp_t; -files_make_temporary_file(system_crond_tmp_t) +files_tmp_file(system_crond_tmp_t) ######################################## # 
@@ -67,11 +67,11 @@ allow crond_t self:msg { send receive };
 allow crond_t crond_log_t:file create_file_perms;
 allow crond_t crond_var_run_t:file create_file_perms;
-files_create_daemon_runtime_data(crond_t,crond_var_run_t)
+files_create_pid(crond_t,crond_var_run_t)
 allow crond_t crond_tmp_t:dir create_dir_perms;
 allow crond_t crond_tmp_t:file create_file_perms;
-files_create_private_tmp_data(crond_t, crond_tmp_t, { file dir })
+files_create_tmp_files(crond_t, crond_tmp_t, { file dir })
 allow crond_t cron_spool_t:dir r_dir_perms;
 allow crond_t cron_spool_t:file r_file_perms;
@@ -94,23 +94,23 @@ fs_getattr_all_fs(crond_t)
 term_dontaudit_use_console(crond_t)
 # need auth_chkpwd to check for locked accounts.
-authlogin_check_password_transition(crond_t)
+auth_domtrans_chk_passwd(crond_t)
-corecommands_execute_shell(crond_t)
-corecommands_read_system_programs_directory(crond_t)
+corecmd_exec_shell(crond_t)
+corecmd_list_sbin(crond_t)
-domain_use_widely_inheritable_file_descriptors(crond_t)
+domain_use_wide_inherit_fd(crond_t)
-files_read_general_system_config(crond_t)
-files_read_system_spools(crond_t)
+files_read_generic_etc_files(crond_t)
+files_read_spools(crond_t)
-init_use_file_descriptors(crond_t)
-init_script_use_pseudoterminal(crond_t)
+init_use_fd(crond_t)
+init_use_script_pty(crond_t)
-libraries_use_dynamic_loader(crond_t)
-libraries_use_shared_libraries(crond_t)
+libs_use_ld_so(crond_t)
+libs_use_shared_libs(crond_t)
-logging_send_system_log_message(crond_t)
+logging_send_syslog_msg(crond_t)
 selinux_read_config(crond_t)
 selinux_read_default_contexts(crond_t)
@@ -118,7 +118,7 @@ selinux_newrole_sigchld(crond_t)
 miscfiles_read_localization(crond_t)
-userdomain_use_all_unprivileged_users_file_descriptors(crond_t)
+userdom_use_unpriv_users_fd(crond_t)
 tunable_policy(`fcron_crond', `
 allow crond_t system_cron_spool_t:file create_file_perms;
@@ -127,11 +127,11 @@ tunable_policy(`fcron_crond', `
 ifdef(`targeted_policy', `
 term_dontaudit_use_unallocated_tty(crond_t)
 terminal_ignore_use_general_pseudoterminal(crond_t)
- files_ignore_read_rootfs_file(crond_t)
+ files_dontaudit_read_root_file(crond_t)
 ')
 optional_policy(`udev.te', `
- udev_read_database(crond_t)
+ udev_read_db(crond_t)
 ')
 ifdef(`TODO',`
@@ -212,11 +212,11 @@ allow system_crond_t crond_t:process sigchld;
 # Write /var/lock/makewhatis.lock.
 allow system_crond_t system_crond_lock_t:file create_file_perms;
-files_create_private_lock_file(system_crond_t,system_crond_lock_t)
+files_create_lock_file(system_crond_t,system_crond_lock_t)
 # write temporary files
 allow system_crond_t system_crond_tmp_t:file create_file_perms;
-files_create_private_tmp_data(system_crond_t,system_crond_tmp_t)
+files_create_tmp_files(system_crond_t,system_crond_tmp_t)
 # write temporary files in crond tmp dir:
 allow system_crond_t crond_tmp_t:dir rw_dir_perms;
@@ -228,7 +228,7 @@ allow system_crond_t cron_spool_t:file r_file_perms;
 # Access crond log files
 allow system_crond_t crond_log_t:file create_file_perms;
-logging_create_private_log(system_crond_t,crond_log_t)
+logging_create_log(system_crond_t,crond_log_t)
 kernel_read_kernel_sysctl(system_crond_t)
 kernel_read_system_state(system_crond_t)
@@ -255,45 +255,45 @@ dev_read_urand(system_crond_t)
 fs_getattr_all_fs(system_crond_t)
 fs_getattr_all_files(system_crond_t)
-init_use_file_descriptors(system_crond_t)
-init_script_use_file_descriptors(system_crond_t)
-init_script_use_pseudoterminal(system_crond_t)
-init_script_read_runtime_data(system_crond_t)
-init_script_ignore_modify_runtime_data(system_crond_t)
+init_use_fd(system_crond_t)
+init_use_script_fd(system_crond_t)
+init_use_script_pty(system_crond_t)
+init_read_script_pid(system_crond_t)
+init_dontaudit_rw_script_pid(system_crond_t)
-domain_execute_all_entrypoint_programs(system_crond_t)
+domain_exec_all_entry_files(system_crond_t)
-files_execute_system_config_script(system_crond_t)
-files_read_general_system_config(system_crond_t)
-files_read_runtime_system_config(system_crond_t)
-files_read_all_directories(system_crond_t)
-files_get_all_file_attributes(system_crond_t)
-files_read_general_application_resources(system_crond_t)
+files_exec_generic_etc_files(system_crond_t)
+files_read_generic_etc_files(system_crond_t)
+files_read_etc_runtime_files(system_crond_t)
+files_list_all_dirs(system_crond_t)
+files_getattr_all_files(system_crond_t)
+files_read_usr_files(system_crond_t)
 # for nscd:
-files_ignore_search_runtime_data_directory(system_crond_t)
+files_dontaudit_search_pids(system_crond_t)
 # Access other spool directories like
 # /var/spool/anacron and /var/spool/slrnpull.
-files_manage_system_spools(system_crond_t)
+files_manage_spools(system_crond_t)
-corecommands_execute_general_programs(system_crond_t)
-corecommands_execute_system_programs(system_crond_t)
+corecmd_exec_bin(system_crond_t)
+corecmd_exec_sbin(system_crond_t)
-libraries_use_dynamic_loader(system_crond_t)
-libraries_use_shared_libraries(system_crond_t)
-libraries_execute_library_scripts(system_crond_t)
-libraries_execute_dynamic_loader(system_crond_t)
+libs_use_ld_so(system_crond_t)
+libs_use_shared_libs(system_crond_t)
+libs_exec_lib_files(system_crond_t)
+libs_exec_ld_so(system_crond_t)
-logging_read_system_logs(system_crond_t)
-logging_send_system_log_message(system_crond_t)
+logging_read_generic_logs(system_crond_t)
+logging_send_syslog_msg(system_crond_t)
 miscfiles_read_localization(system_crond_t)
 miscfiles_read_man_pages(system_crond_t)
-miscfiles_manage_man_page_cache(system_crond_t)
+miscfiles_rw_man_cache(system_crond_t)
 selinux_read_config(system_crond_t)
 if (cron_can_relabel) {
- selinux_setfiles_transition(system_crond_t)
+ selinux_domtrans_setfiles(system_crond_t)
 } else {
 kernel_get_selinuxfs_mount_point(system_crond_t)
 kernel_validate_context(system_crond_t)
diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if
index f68b726..61978f4 100644
--- a/refpolicy/policy/modules/services/mta.if
+++ b/refpolicy/policy/modules/services/mta.if
@@ -11,11 +11,11 @@ define(`mta_per_userdomain_template',`
 requires_block_template(`$0'_depend)
 type $1_mail_t; # , user_mail_domain, nscd_client_domain;
- domain_make_domain($1_mail_t)
+ domain_type($1_mail_t)
 role $1_r types $1_mail_t;
 type $1_mail_tmp_t;
- files_make_temporary_file($1_mail_tmp_t)
+ files_tmp_file($1_mail_tmp_t)
 ##############################
 #
@@ -50,20 +50,20 @@ define(`mta_per_userdomain_template',`
 corenet_tcp_sendrecv_all_ports($1_mail_t)
 corenet_tcp_bind_all_nodes($1_mail_t)
- domain_use_widely_inheritable_file_descriptors($1_mail_t)
+ domain_use_wide_inherit_fd($1_mail_t)
- libraries_use_dynamic_loader($1_mail_t)
- libraries_use_shared_libraries($1_mail_t)
+ libs_use_ld_so($1_mail_t)
+ libs_use_shared_libs($1_mail_t)
- corecommands_execute_general_programs($1_mail_t)
+ corecmd_exec_bin($1_mail_t)
- files_read_general_system_config($1_mail_t)
+ files_read_generic_etc_files($1_mail_t)
- logging_send_system_log_message($1_mail_t)
+ logging_send_syslog_msg($1_mail_t)
 miscfiles_read_localization($1_mail_t)
- sysnetwork_read_network_config($1_mail_t)
+ sysnet_read_config($1_mail_t)
 tunable_policy(`use_dns',`
 allow $1_mail_t self:udp_socket create_socket_perms;
@@ -142,30 +142,30 @@ define(`mta_per_userdomain_template_depend',`
 #######################################
 #
-# mta_make_mailserver_domain(domain,entrypointtype)
+# mta_mailserver(domain,entrypointtype)
 #
-define(`mta_make_mailserver_domain',`
+define(`mta_mailserver',`
 requires_block_template(`$0'_depend)
- init_make_daemon_domain($1,$2)
+ init_daemon_domain($1,$2)
 typeattribute $1 mailserver_domain;
 ')
-define(`mta_make_mailserver_domain_depend',`
+define(`mta_mailserver_depend',`
 attribute mailserver_domain;
 ')
 #######################################
 #
-# mta_make_sendmail_mailserver_domain(domain,entrypointtype)
+# mta_sendmail_mailserver(domain,entrypointtype)
 #
-define(`mta_make_sendmail_mailserver_domain',`
+define(`mta_sendmail_mailserver',`
 requires_block_template(`$0'_depend)
- mta_make_mailserver_domain($1,sendmail_exec_t)
+ mta_mailserver($1,sendmail_exec_t)
 ')
-define(`mta_make_sendmail_mailserver_domain_depend',`
+define(`mta_sendmail_mailserver_depend',`
 type sendmail_exec_t;
 ')
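Review bot: The new header comment `# mta_sendmail_mailserver(domain,entrypointtype)` advertises a second parameter that the body never reads — it always expands to `mta_mailserver($1,sendmail_exec_t)` — and sendmail.te calls it as `mta_sendmail_mailserver(sendmail_t)` with one argument. A caller that passes its own entrypoint type would have it silently discarded, which is a bad property for a macro that decides which executable enters a mail-server domain. Change the comment to `# mta_sendmail_mailserver(domain)` so the documented signature matches what the macro does.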
@@ -197,22 +197,22 @@ define(`mta_send_mail_depend',`
 #######################################
 #
-# mta_execute(domain)
+# mta_exec(domain)
 #
-define(`mta_execute',`
+define(`mta_exec',`
 requires_block_template(`$0'_depend)
 can_exec($1, sendmail_exec_t)
 ')
-define(`mta_execute_depend',`
+define(`mta_exec_depend',`
 type sendmail_exec_t;
 class file { getattr read execute execute_no_trans };
 ')
 ########################################
-##
+##
 ##
 ## Read mail address aliases.
 ##
@@ -221,13 +221,13 @@ define(`mta_execute_depend',`
 ##
 ##
 #
-define(`mta_read_mail_aliases',`
+define(`mta_read_aliases',`
 requires_block_template(`$0'_depend)
 allow $1 etc_aliases_t:file r_file_perms;
 ')
-define(`mta_read_mail_aliases_depend',`
+define(`mta_read_aliases_depend',`
 type etc_aliases_t;
 class file r_file_perms;
@@ -235,15 +235,15 @@ define(`mta_read_mail_aliases_depend',`
 #######################################
 #
-# mta_modify_mail_aliases(domain)
+# mta_rw_aliases(domain)
 #
-define(`mta_modify_mail_aliases',`
+define(`mta_rw_aliases',`
 requires_block_template(`$0'_depend)
 allow sendmail_t etc_aliases_t:file { rw_file_perms setattr };
 ')
-define(`mta_modify_mail_aliases_depend',`
+define(`mta_rw_aliases_depend',`
 type etc_aliases_t;
 class file { rw_file_perms setattr };
@@ -251,18 +251,18 @@ define(`mta_modify_mail_aliases_depend',`
 #######################################
 #
-# mta_get_mail_spool_attributes(domain)
+# mta_getattr_spool(domain)
 #
-define(`mta_get_mail_spool_attributes',`
+define(`mta_getattr_spool',`
 requires_block_template(`$0'_depend)
- files_search_system_spool_directory($1)
+ files_search_spool($1)
 allow $1 mail_spool_t:dir r_dir_perms;
 allow $1 mail_spool_t:lnk_file read;
 allow $1 mail_spool_t:file getattr;
 ')
-define(`mta_get_mail_spool_attributes_depend',`
+define(`mta_getattr_spool_depend',`
 type mail_spool_t;
 class dir r_dir_perms;
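Review bot: `mta_rw_aliases` ignores its `domain` parameter: the body grants `allow sendmail_t etc_aliases_t:file { rw_file_perms setattr };` to the hard-coded `sendmail_t` instead of `$1`, so any other caller gets no access to the aliases file while the macro silently references a type that `mta_rw_aliases_depend` never declares. The rename carries this over unchanged, and the sibling `mta_read_aliases` in the same file does use `$1`. Change the allow line to `allow $1 etc_aliases_t:file { rw_file_perms setattr };`; the only visible caller, sendmail.te, passes `sendmail_t`, so the effective policy does not change for it.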
@@ -272,17 +272,17 @@ define(`mta_get_mail_spool_attributes_depend',`
 #######################################
 #
-# mta_modify_mail_spool(domain)
+# mta_rw_spool(domain)
 #
-define(`mta_modify_mail_spool',`
+define(`mta_rw_spool',`
 requires_block_template(`$0'_depend)
- files_search_system_spool_directory($1)
+ files_search_spool($1)
 allow $1 mail_spool_t:dir rw_dir_perms;
 allow $1 mail_spool_t:file { rw_file_perms setattr };
 ')
-define(`mta_modify_mail_spool_depend',`
+define(`mta_rw_spool_depend',`
 type mail_spool_t;
 class dir rw_dir_perms;
@@ -291,17 +291,17 @@ define(`mta_modify_mail_spool_depend',`
 #######################################
 #
-# mta_manage_mail_spool(domain)
+# mta_manage_spool(domain)
 #
-define(`mta_manage_mail_spool',`
+define(`mta_manage_spool',`
 requires_block_template(`$0'_depend)
- files_search_system_spool_directory($1)
+ files_search_spool($1)
 allow $1 mail_spool_t:dir rw_dir_perms;
 allow $1 mail_spool_t:file create_file_perms;
 ')
-define(`mta_manage_mail_spool_depend',`
+define(`mta_manage_spool_depend',`
 type mail_spool_t;
 class dir rw_dir_perms;
@@ -310,16 +310,16 @@ define(`mta_manage_mail_spool_depend',`
 #######################################
 #
-# mta_manage_mail_queue(domain)
+# mta_manage_queue(domain)
 #
-define(`mta_manage_mail_queue',`
+define(`mta_manage_queue',`
 requires_block_template(`$0'_depend)
 allow $1 mqueue_spool_t:dir rw_dir_perms;
 allow $1 mqueue_spool_t:file create_file_perms;
 ')
-define(`mta_manage_mail_queue_depend',`
+define(`mta_manage_queue_depend',`
 type mqueue_spool_t;
 class dir rw_dir_perms;
diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te
index bbd9cf2..29ca2ea 100644
--- a/refpolicy/policy/modules/services/mta.te
+++ b/refpolicy/policy/modules/services/mta.te
@@ -7,31 +7,31 @@ policy_module(mta,1.0)
 #
 type etc_aliases_t;
-files_make_file(etc_aliases_t)
+files_file_type(etc_aliases_t)
 type etc_mail_t;
-files_make_file(etc_mail_t)
+files_file_type(etc_mail_t)
 attribute mailserver_domain;
 type mqueue_spool_t;
-files_make_file(mqueue_spool_t)
+files_file_type(mqueue_spool_t)
 type mail_spool_t;
-files_make_file(mail_spool_t)
+files_file_type(mail_spool_t)
 type sendmail_exec_t;
-files_make_file(sendmail_exec_t)
+files_file_type(sendmail_exec_t)
 type system_mail_t; #, user_mail_domain, nscd_client_domain;
-domain_make_domain(system_mail_t)
+domain_type(system_mail_t)
 role system_r types system_mail_t;
 ifdef(`targeted_policy',`',`
 optional_policy(`sendmail.te', `
-domain_make_entrypoint_file(system_mail_t,sendmail_exec_t)
+domain_entry_file(system_mail_t,sendmail_exec_t)
 ', `
-init_make_system_domain(system_mail_t,sendmail_exec_t)
+init_system_domain(system_mail_t,sendmail_exec_t)
 ') dnl end if sendmail
 ') dnl end targeted_policy
@@ -64,23 +64,23 @@ dev_read_urand(system_mail_t)
 fs_getattr_xattr_fs(system_mail_t)
-init_script_use_pseudoterminal(system_mail_t)
+init_use_script_pty(system_mail_t)
-files_read_runtime_system_config(system_mail_t)
-files_read_general_system_config(system_mail_t)
+files_read_etc_runtime_files(system_mail_t)
+files_read_generic_etc_files(system_mail_t)
 # It wants to check for nscd
-files_ignore_search_runtime_data_directory(system_mail_t)
+files_dontaudit_search_pids(system_mail_t)
-corecommands_execute_general_programs(system_mail_t)
+corecmd_exec_bin(system_mail_t)
-libraries_use_dynamic_loader(system_mail_t)
-libraries_use_shared_libraries(system_mail_t)
+libs_use_ld_so(system_mail_t)
+libs_use_shared_libs(system_mail_t)
-logging_send_system_log_message(system_mail_t)
+logging_send_syslog_msg(system_mail_t)
 miscfiles_read_localization(system_mail_t)
-sysnetwork_read_network_config(system_mail_t)
+sysnet_read_config(system_mail_t)
 tunable_policy(`use_dns',`
 allow system_mail_t self:udp_socket create_socket_perms;
@@ -144,14 +144,14 @@ ifdef(`targeted_policy', `
 # targeted policy. We could move these rules permanantly here.
 ifdef(`postfix.te', `', `
-domain_execute_all_entrypoint_programs(system_mail_t)
-files_execute_system_config_script(system_mail_t)
-corecommands_execute_general_programs(system_mail_t)
-corecommands_execute_system_programs(system_mail_t)
-libraries_use_dynamic_loader(system_mail_t)
-libraries_use_shared_libraries(system_mail_t)
-libraries_execute_dynamic_loader(system_mail_t)
-libraries_execute_library_scripts(system_mail_t)
+domain_exec_all_entry_files(system_mail_t)
+files_exec_generic_etc_files(system_mail_t)
+corecmd_exec_bin(system_mail_t)
+corecmd_exec_sbin(system_mail_t)
+libs_use_ld_so(system_mail_t)
+libs_use_shared_libs(system_mail_t)
+libs_exec_ld_so(system_mail_t)
+libs_exec_lib_files(system_mail_t)
 ')
 allow system_mail_t { var_t var_spool_t }:dir getattr;
diff --git a/refpolicy/policy/modules/services/remotelogin.if b/refpolicy/policy/modules/services/remotelogin.if
index 9ba5235..6d41c70 100644
--- a/refpolicy/policy/modules/services/remotelogin.if
+++ b/refpolicy/policy/modules/services/remotelogin.if
@@ -14,7 +14,7 @@ define(`remotelogin_domtrans',`
 requires_block_template(`$0'_depend)
- authlogin_login_program_transition($1,remote_login_t)
+ auth_domtrans_login_program($1,remote_login_t)
 ')
 define(`remotelogin_domtrans_depend',`
diff --git a/refpolicy/policy/modules/services/remotelogin.te b/refpolicy/policy/modules/services/remotelogin.te
index c99007c..bde3757 100644
--- a/refpolicy/policy/modules/services/remotelogin.te
+++ b/refpolicy/policy/modules/services/remotelogin.te
@@ -7,16 +7,16 @@ policy_module(authlogin,1.0)
 #
 type remote_login_t; #, nscd_client_domain;
-kernel_make_object_identity_change_constraint_exception(remote_login_t)
-kernel_make_process_identity_change_constraint_exception(remote_login_t)
-kernel_make_role_change_constraint_exception(remote_login_t)
-domain_make_domain(remote_login_t)
-domain_make_file_descriptors_widely_inheritable(remote_login_t)
-authlogin_make_login_program_entrypoint(remote_login_t)
+kernel_obj_id_change_exempt(remote_login_t)
+kernel_subj_id_change_exempt(remote_login_t)
+kernel_role_change_exempt(remote_login_t)
+domain_type(remote_login_t)
+domain_wide_inherit_fd(remote_login_t)
+auth_login_entry_type(remote_login_t)
 role system_r types remote_login_t;
 type remote_login_tmp_t;
-files_make_temporary_file(remote_login_tmp_t)
+files_tmp_file(remote_login_tmp_t)
 ########################################
 #
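Review bot: The hunk header for remotelogin.te shows `policy_module(authlogin,1.0)`, which registers this file under the authlogin module's name; that line is only visible as header context here, so confirm it is really what the file contains, but if so it should be `policy_module(remotelogin,1.0)` so the module does not collide with the real authlogin module when built as a loadable module. The renames in the hunk itself are consistent with the rest of the series and do not change what remote_login_t is allowed to do.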
@@ -39,7 +39,7 @@ allow remote_login_t self:msg { send receive };
 allow remote_login_t remote_login_tmp_t:dir create_dir_perms;
 allow remote_login_t remote_login_tmp_t:file create_file_perms;
-files_create_private_tmp_data(remote_login_t, remote_login_tmp_t, { file dir })
+files_create_tmp_files(remote_login_t, remote_login_tmp_t, { file dir })
 kernel_read_system_state(remote_login_t)
 kernel_read_kernel_sysctl(remote_login_t)
@@ -55,29 +55,29 @@ dev_read_urand(remote_login_t)
 fs_getattr_xattr_fs(remote_login_t)
-init_script_modify_runtime_data(remote_login_t)
+init_rw_script_pid(remote_login_t)
-domain_read_all_entrypoint_programs(remote_login_t)
+domain_read_all_entry_files(remote_login_t)
-files_read_general_system_config(remote_login_t)
-files_read_runtime_system_config(remote_login_t)
-files_list_home_directories(remote_login_t)
-files_read_general_application_resources(remote_login_t)
+files_read_generic_etc_files(remote_login_t)
+files_read_etc_runtime_files(remote_login_t)
+files_list_home(remote_login_t)
+files_read_usr_files(remote_login_t)
-libraries_use_dynamic_loader(remote_login_t)
-libraries_use_shared_libraries(remote_login_t)
+libs_use_ld_so(remote_login_t)
+libs_use_shared_libs(remote_login_t)
-logging_send_system_log_message(remote_login_t)
+logging_send_syslog_msg(remote_login_t)
 selinux_read_config(remote_login_t)
 selinux_read_default_contexts(remote_login_t)
-authlogin_check_password_transition(remote_login_t)
-authlogin_ignore_read_shadow_passwords(remote_login_t)
-authlogin_modify_login_records(remote_login_t)
-authlogin_modify_last_login_log(remote_login_t)
-authlogin_pam_execute(remote_login_t)
-authlogin_pam_console_manage_runtime_data(remote_login_t)
+auth_domtrans_chk_passwd(remote_login_t)
+auth_dontaudit_read_shadow(remote_login_t)
+auth_rw_login_records(remote_login_t)
+auth_rw_lastlog(remote_login_t)
+auth_exec_pam(remote_login_t)
+auth_manage_pam_console_data(remote_login_t)
 miscfiles_read_localization(remote_login_t)
diff --git a/refpolicy/policy/modules/services/sendmail.te b/refpolicy/policy/modules/services/sendmail.te
index 03308e2..4fe5d0c 100644
--- a/refpolicy/policy/modules/services/sendmail.te
+++ b/refpolicy/policy/modules/services/sendmail.te
@@ -7,16 +7,16 @@ policy_module(sendmail,1.0)
 #
 type sendmail_t; # , nscd_client_domain, mta_delivery_agent, mail_server_sender', nosysadm)
-mta_make_sendmail_mailserver_domain(sendmail_t)
+mta_sendmail_mailserver(sendmail_t)
 type sendmail_log_t;
-logging_make_log_file(sendmail_log_t)
+logging_log_file(sendmail_log_t)
 type sendmail_tmp_t;
-files_make_temporary_file(sendmail_tmp_t)
+files_tmp_file(sendmail_tmp_t)
 type sendmail_var_run_t;
-files_make_daemon_runtime_file(sendmail_var_run_t)
+files_pid_file(sendmail_var_run_t)
 ########################################
 #
@@ -30,14 +30,14 @@ allow sendmail_t self:unix_dgram_socket create_socket_perms;
 allow sendmail_t sendmail_log_t:file create_file_perms;
 allow sendmail_t sendmail_log_t:dir { rw_dir_perms setattr };
-logging_create_private_log(sendmail_t,sendmail_log_t,{ file dir })
+logging_create_log(sendmail_t,sendmail_log_t,{ file dir })
 allow sendmail_t sendmail_tmp_t:dir create_dir_perms;
 allow sendmail_t sendmail_tmp_t:file create_file_perms;
-files_create_private_tmp_data(sendmail_t, sendmail_tmp_t, { file dir })
+files_create_tmp_files(sendmail_t, sendmail_tmp_t, { file dir })
 allow sendmail_t sendmail_var_run_t:file { getattr create read write append setattr unlink };
-files_create_daemon_runtime_data(sendmail_t,sendmail_var_run_t)
+files_create_pid(sendmail_t,sendmail_var_run_t)
 kernel_read_kernel_sysctl(sendmail_t)
 kernel_read_hardware_state(sendmail_t)
@@ -60,38 +60,38 @@ fs_getattr_all_fs(sendmail_t)
 term_dontaudit_use_console(sendmail_t)
-init_use_file_descriptors(sendmail_t)
-init_script_use_pseudoterminal(sendmail_t)
+init_use_fd(sendmail_t)
+init_use_script_pty(sendmail_t)
 # sendmail wants to read /var/run/utmp if the controlling tty is /dev/console
-init_script_read_runtime_data(sendmail_t)
-init_script_ignore_write_runtime_data(sendmail_t)
+init_read_script_pid(sendmail_t)
+init_dontaudit_write_script_pid(sendmail_t)
-domain_use_widely_inheritable_file_descriptors(sendmail_t)
+domain_use_wide_inherit_fd(sendmail_t)
-files_read_general_system_config(sendmail_t)
-files_search_system_spool_directory(sendmail_t)
+files_read_generic_etc_files(sendmail_t)
+files_search_spool(sendmail_t)
-logging_send_system_log_message(sendmail_t)
+logging_send_syslog_msg(sendmail_t)
-libraries_use_dynamic_loader(sendmail_t)
-libraries_use_shared_libraries(sendmail_t)
+libs_use_ld_so(sendmail_t)
+libs_use_shared_libs(sendmail_t)
 # Read /usr/lib/sasl2/.*
-libraries_read_library_resources(sendmail_t)
+libs_read_lib(sendmail_t)
 miscfiles_read_localization(sendmail_t)
 # Write to /etc/aliases and /etc/mail.
-mta_modify_mail_aliases(sendmail_t)
+mta_rw_aliases(sendmail_t)
 # Write to /var/spool/mail and /var/spool/mqueue.
-mta_manage_mail_queue(sendmail_t)
-mta_manage_mail_spool(sendmail_t)
+mta_manage_queue(sendmail_t)
+mta_manage_spool(sendmail_t)
-sysnetwork_read_network_config(sendmail_t)
+sysnet_read_config(sendmail_t)
 ifdef(`targeted_policy', `
 term_dontaudit_use_unallocated_tty(sendmail_t)
 terminal_ignore_use_general_pseudoterminal(sendmail_t)
- files_ignore_read_rootfs_file(sendmail_t)
+ files_dontaudit_read_root_file(sendmail_t)
 ')
 optional_policy(`selinux.te',`
@@ -99,7 +99,7 @@ optional_policy(`selinux.te',`
 ')
 optional_policy(`udev.te', `
- udev_read_database(sendmail_t)
+ udev_read_db(sendmail_t)
 ')
 ifdef(`TODO',`
@@ -143,7 +143,7 @@ dontaudit system_mail_t { staff_home_dir_t sysadm_home_dir_t}:dir { getattr sear
 # Run procmail in its own domain, if defined.
 ifdef(`procmail.te',`
-corecommands_search_general_programs_directory(sendmail_t)
+corecmd_search_bin(sendmail_t)
 procmail_transition(sendmail_t)
 domain_auto_trans(system_mail_t, procmail_exec_t, procmail_t)
 ')
diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if
index 4c80d38..ad00964 100644
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@@ -26,15 +26,15 @@ define(`authlogin_per_userdomain_template',`
 requires_block_template(`$0'_depend)
 type $1_chkpwd_t, can_read_shadow_passwords; # , nscd_client_domain;
- domain_make_domain($1_chkpwd_t)
- domain_make_entrypoint_file($1_chkpwd_t,chkpwd_exec_t)
+ domain_type($1_chkpwd_t)
+ domain_entry_file($1_chkpwd_t,chkpwd_exec_t)
 role $1_r types $1_chkpwd_t;
 role $1_r types system_chkpwd_t;
 allow $1_chkpwd_t self:capability setuid;
 allow $1_chkpwd_t self:process getattr;
- files_read_general_system_config_directory($1_chkpwd_t)
+ files_read_generic_etc_files_directory($1_chkpwd_t)
 allow $1_chkpwd_t shadow_t:file { getattr read };
 # is_selinux_enabled
@@ -42,16 +42,16 @@ define(`authlogin_per_userdomain_template',`
 fs_dontaudit_getattr_xattr_fs($1_chkpwd_t)
- domain_use_widely_inheritable_file_descriptors($1_chkpwd_t)
+ domain_use_wide_inherit_fd($1_chkpwd_t)
- libraries_use_dynamic_loader($1_chkpwd_t)
- libraries_use_shared_libraries($1_chkpwd_t)
+ libs_use_ld_so($1_chkpwd_t)
+ libs_use_shared_libs($1_chkpwd_t)
- files_read_general_system_config($1_chkpwd_t)
+ files_read_generic_etc_files($1_chkpwd_t)
 # for nscd
- files_ignore_search_system_state_data_directory($1_chkpwd_t)
+ files_dontaudit_search_var($1_chkpwd_t)
- logging_send_system_log_message($1_chkpwd_t)
+ logging_send_syslog_msg($1_chkpwd_t)
 miscfiles_read_localization($1_chkpwd_t)
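Review bot: `files_read_generic_etc_files_directory($1_chkpwd_t)` in the authlogin_per_userdomain_template hunk looks like a half-converted name: the rest of this series uses `files_read_generic_etc_files` for the files and `files_search_etc` (see auth_relabelto_shadow later in this file) for the directory, so this interface may not exist in files.if and the template would then fail to expand. Confirm the name against files.if before merging. Since the next line is `allow $1_chkpwd_t shadow_t:file { getattr read };`, the only directory access the password checker needs on the way to shadow_t is search, and `files_search_etc($1_chkpwd_t)` would be the narrower grant if that is all the interface was meant to provide. The same name is used again in auth_read_shadow and auth_rw_shadow below.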
@@ -84,11 +84,11 @@ define(`authlogin_per_userdomain_template',`
 corenet_raw_sendrecv_all_nodes($1_chkpwd_t)
 corenet_udp_bind_all_nodes($1_chkpwd_t)
 corenet_udp_sendrecv_dns_port($1_chkpwd_t)
- sysnetwork_read_network_config($1_chkpwd_t)
+ sysnet_read_config($1_chkpwd_t)
 ')
 optional_policy(`selinux.te',`
- selinux_newrole_use_file_descriptors($1_chkpwd_t)
+ selinux_use_newrole_fd($1_chkpwd_t)
 ')
 ') dnl end authlogin_per_userdomain_template
@@ -108,7 +108,7 @@ define(`authlogin_per_userdomain_template_depend',`
 ')
 ########################################
-##
+##
 ##
 ##
@@ -123,20 +123,20 @@ define(`authlogin_per_userdomain_template_depend',`
 #######################################
 #
-# authlogin_make_login_program_entrypoint(domain)
+# auth_login_entry_type(domain)
 #
-define(`authlogin_make_login_program_entrypoint',`
+define(`auth_login_entry_type',`
 requires_block_template(`$0'_depend)
- domain_make_entrypoint_file($1,login_exec_t)
+ domain_entry_file($1,login_exec_t)
 ')
-define(`authlogin_make_login_program_entrypoint_depend',`
+define(`auth_login_entry_type_depend',`
 type login_exec_t;
 ')
 ########################################
-##
+##
 ##
 ## Execute a login_program in the target domain.
 ##
@@ -148,7 +148,7 @@ define(`authlogin_make_login_program_entrypoint_depend',`
 ##
 ##
 #
-define(`authlogin_login_program_transition',`
+define(`auth_domtrans_login_program',`
 requires_block_template(`$0'_depend)
 # FIXME: search bin_t
@@ -163,7 +163,7 @@ define(`authlogin_login_program_transition',`
 allow $2 $1:process sigchld;
 ')
-define(`authlogin_login_program_transition_depend',`
+define(`auth_domtrans_login_program_depend',`
 type login_exec_t;
 class file rx_file_perms;
@@ -173,7 +173,7 @@ define(`authlogin_login_program_transition_depend',`
 ')
 ########################################
-##
+##
 ##
 ##
@@ -187,9 +187,9 @@ define(`authlogin_login_program_transition_depend',`
 #
 #######################################
 #
-# authlogin_check_password_transition(domain)
+# auth_domtrans_chk_passwd(domain)
 #
-define(`authlogin_check_password_transition',`
+define(`auth_domtrans_chk_passwd',`
 requires_block_template(`$0'_depend)
 domain_auto_trans($1,chkpwd_exec_t,system_chkpwd_t)
@@ -213,11 +213,11 @@ define(`authlogin_check_password_transition',`
 corenet_raw_sendrecv_all_nodes($1)
 corenet_udp_bind_all_nodes($1)
 corenet_udp_sendrecv_dns_port($1)
- sysnetwork_read_network_config($1)
+ sysnet_read_config($1)
 ')
 ')
-define(`authlogin_check_password_transition_depend',`
+define(`auth_domtrans_chk_passwd_depend',`
 type system_chkpwd_t, chkpwd_exec_t, shadow_t;
 class file rx_file_perms;
@@ -228,7 +228,7 @@ define(`authlogin_check_password_transition_depend',`
 ')
 ########################################
-##
+##
 ##
 ##
@@ -242,22 +242,22 @@ define(`authlogin_check_password_transition_depend',`
 #
 #######################################
 #
-# authlogin_ignore_get_shadow_passwords_attributes(domain)
+# auth_dontaudit_getattr_shadow(domain)
 #
-define(`authlogin_ignore_get_shadow_passwords_attributes',`
+define(`auth_dontaudit_getattr_shadow',`
 requires_block_template(`$0'_depend)
 dontaudit $1 shadow_t:file getattr;
 ')
-define(`authlogin_ignore_get_shadow_passwords_attributes_depend',`
+define(`auth_dontaudit_getattr_shadow_depend',`
 type shadow_t;
 class file stat_file_perms;
 ')
 ########################################
-##
+##
 ##
 ##
@@ -271,17 +271,17 @@ define(`authlogin_ignore_get_shadow_passwords_attributes_depend',`
 #
 #######################################
 #
-# authlogin_read_shadow_passwords(domain)
+# auth_read_shadow(domain)
 #
-define(`authlogin_read_shadow_passwords',`
+define(`auth_read_shadow',`
 requires_block_template(`$0'_depend)
- files_read_general_system_config_directory($1)
+ files_read_generic_etc_files_directory($1)
 allow $1 shadow_t:file r_file_perms;
 typeattribute $1 can_read_shadow_passwords;
 ')
-define(`authlogin_read_shadow_passwords_depend',`
+define(`auth_read_shadow_depend',`
 attribute can_read_shadow_passwords;
 type shadow_t;
@@ -290,7 +290,7 @@ define(`authlogin_read_shadow_passwords_depend',`
 ')
 ########################################
-##
+##
 ##
 ##
@@ -304,22 +304,22 @@ define(`authlogin_read_shadow_passwords_depend',`
 #
 #######################################
 #
-# authlogin_ignore_read_shadow_passwords(domain)
+# auth_dontaudit_read_shadow(domain)
 #
-define(`authlogin_ignore_read_shadow_passwords',`
+define(`auth_dontaudit_read_shadow',`
 requires_block_template(`$0'_depend)
 dontaudit $1 shadow_t:file { getattr read };
 ')
-define(`authlogin_ignore_read_shadow_passwords_depend',`
+define(`auth_dontaudit_read_shadow_depend',`
 type shadow_t;
 class file r_file_perms;
 ')
 ########################################
-##
+##
 ##
 ##
@@ -333,17 +333,17 @@ define(`authlogin_ignore_read_shadow_passwords_depend',`
 #
 #######################################
 #
-# authlogin_modify_shadow_passwords(domain)
+# auth_rw_shadow(domain)
 #
-define(`authlogin_modify_shadow_passwords',`
+define(`auth_rw_shadow',`
 requires_block_template(`$0'_depend)
- files_read_general_system_config_directory($1)
+ files_read_generic_etc_files_directory($1)
 allow $1 shadow_t:file rw_file_perms;
 typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
 ')
-define(`authlogin_modify_shadow_passwords_depend',`
+define(`auth_rw_shadow_depend',`
 attribute can_read_shadow_passwords, can_write_shadow_passwords;
 type shadow_t;
@@ -352,18 +352,18 @@ define(`authlogin_modify_shadow_passwords_depend',`
 #######################################
 #
-# authlogin_manage_shadow_passwords(domain)
+# auth_manage_shadow(domain)
 #
-define(`authlogin_manage_shadow_passwords',`
+define(`auth_manage_shadow',`
 requires_block_template(`$0'_depend)
 allow $1 shadow_t:file create_file_perms;
- files_create_private_config($1,shadow_t,file)
+ files_create_etc_config($1,shadow_t,file)
 typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
 ')
-define(`authlogin_manage_shadow_passwords_depend',`
+define(`auth_manage_shadow_depend',`
 attribute can_read_shadow_passwords, can_write_shadow_passwords;
 type shadow_t;
@@ -373,17 +373,17 @@ define(`authlogin_manage_shadow_passwords_depend',`
 #######################################
 #
-# authlogin_relabel_to_shadow_passwords(domain)
+# auth_relabelto_shadow(domain)
 #
-define(`authlogin_relabel_to_shadow_passwords',`
+define(`auth_relabelto_shadow',`
 requires_block_template(`$0'_depend)
- files_search_general_system_config_directory($1)
+ files_search_etc($1)
 allow $1 shadow_t:file relabelto;
 typeattribute $1 can_relabelto_shadow_passwords;
 ')
-define(`authlogin_relabel_to_shadow_passwords_depend',`
+define(`auth_relabelto_shadow_depend',`
 attribute can_relabelto_shadow_passwords;
 type shadow_t;
@@ -393,16 +393,16 @@ define(`authlogin_relabel_to_shadow_passwords_depend',`
 #######################################
 #
-# authlogin_modify_login_failure_records(domain)
+# auth_rw_faillog(domain)
 #
-define(`authlogin_modify_login_failure_records',`
+define(`auth_rw_faillog',`
 requires_block_template(`$0'_depend)
 allow $1 faillog_t:file rw_file_perms;
- logging_search_system_log_directory($1)
+ logging_search_logs($1)
 ')
-define(`authlogin_modify_login_failure_records_depend',`
+define(`auth_rw_faillog_depend',`
 type faillog_t;
 class file rw_file_perms;
@@ -410,23 +410,23 @@ define(`authlogin_modify_login_failure_records_depend',`
 #######################################
 #
-# authlogin_modify_last_login_log(domain)
+# auth_rw_lastlog(domain)
 #
-define(`authlogin_modify_last_login_log',`
+define(`auth_rw_lastlog',`
 requires_block_template(`$0'_depend)
- logging_search_system_log_directory($1)
+ logging_search_logs($1)
 allow $1 lastlog_t:file { getattr read write setattr };
 ')
-define(`authlogin_modify_last_login_log_depend',`
+define(`auth_rw_lastlog_depend',`
 type lastlog_t;
 class file { getattr read write setattr };
 ')
 ########################################
-##
+##
 ##
 ## Execute pam programs in the pam domain.
 ##
@@ -435,7 +435,7 @@ define(`authlogin_modify_last_login_log_depend',`
 ##
 ##
 #
-define(`authlogin_pam_transition',`
+define(`auth_domtrans_pam',`
 requires_block_template(`$0'_depend)
 domain_auto_trans($1,pam_exec_t,pam_t)
@@ -446,7 +446,7 @@ define(`authlogin_pam_transition',`
 allow pam_t $1:process sigchld;
 ')
-define(`authlogin_pam_transition_depend',`
+define(`auth_domtrans_pam_depend',`
 type pam_t, pam_exec_t;
 class file rx_file_perms;
@@ -456,7 +456,7 @@ define(`authlogin_pam_transition_depend',`
 ')
 ########################################
-##
+##
 ##
 ## Execute pam programs in the PAM domain.
 ##
@@ -471,22 +471,22 @@ define(`authlogin_pam_transition_depend',`
 ##
 ##
 #
-define(`authlogin_pam_transition_add_role_use_terminal',`
+define(`auth_run_pam',`
 requires_block_template(`$0'_depend)
- authlogin_pam_transition($1)
+ auth_domtrans_pam($1)
 role $2 types pam_t;
 allow pam_t $3:chr_file rw_file_perms;
 ')
-define(`authlogin_pam_transition_add_role_use_terminal_depend',`
+define(`auth_run_pam_depend',`
 type pam_t;
 class chr_file rw_file_perms;
 ')
 ########################################
-##
+##
 ##
 ##
@@ -500,15 +500,15 @@ define(`authlogin_pam_transition_add_role_use_terminal_depend',`
 #
 #######################################
 #
-# authlogin_pam_execute(domain)
+# auth_exec_pam(domain)
 #
-define(`authlogin_pam_execute',`
+define(`auth_exec_pam',`
 requires_block_template(`$0'_depend)
 can_exec($1,pam_exec_t)
 ')
-define(`authlogin_pam_execute_depend',`
+define(`auth_exec_pam_depend',`
 type pam_exec_t;
 class file { getattr read execute execute_no_trans };
@@ -516,18 +516,18 @@ define(`authlogin_pam_execute_depend',` ####################################### # -# authlogin_pam_read_runtime_data(domain) +# auth_read_pam_pid(domain) # -define(`authlogin_pam_read_runtime_data',` +define(`auth_read_pam_pid',` requires_block_template(`$0'_depend) - files_search_system_state_data_directory($1) - files_search_runtime_data_directory($1) + files_search_var($1) + files_search_pids($1) allow $1 pam_var_run_t:dir r_dir_perms; allow $1 pam_var_run_t:file r_file_perms; ') -define(`authlogin_pam_read_runtime_data_depend',` +define(`auth_read_pam_pid_depend',` type pam_var_run_t; class dir r_dir_perms; @@ -535,7 +535,7 @@ define(`authlogin_pam_read_runtime_data_depend',` ') ######################################## -## +## ## ## ## @@ -549,18 +549,18 @@ define(`authlogin_pam_read_runtime_data_depend',` # ####################################### # -# authlogin_pam_remove_runtime_data(domain) +# auth_delete_pam_pid(domain) # -define(`authlogin_pam_remove_runtime_data',` +define(`auth_delete_pam_pid',` requires_block_template(`$0'_depend) - files_search_system_state_data_directory($1) - files_search_runtime_data_directory($1) + files_search_var($1) + files_search_pids($1) allow $1 pam_var_run_t:dir { getattr search read write remove_name }; allow $1 pam_var_run_t:file { getattr unlink }; ') -define(`authlogin_pam_remove_runtime_data_depend',` +define(`auth_delete_pam_pid_depend',` type pam_var_run_t; class dir { getattr search read write remove_name }; @@ -569,9 +569,9 @@ define(`authlogin_pam_remove_runtime_data_depend',` ####################################### # -# authlogin_pam_console_transition(domain) +# auth_domtrans_pam_console(domain) # -define(`authlogin_pam_console_transition',` +define(`auth_domtrans_pam_console',` requires_block_template(`$0'_depend) domain_auto_trans($1,pam_console_exec_t,pam_console_t) 
@@ -582,7 +582,7 @@ define(`authlogin_pam_console_transition',` allow pam_console_t $1:process sigchld; ') -define(`authlogin_pam_console_transition_depend',` +define(`auth_domtrans_pam_console_depend',` type pam_console_t, pam_console_exec_t; class file rx_file_perms; @@ -592,7 +592,7 @@ define(`authlogin_pam_console_transition_depend',` ') ######################################## -## +## ## ## ## @@ -606,17 +606,17 @@ define(`authlogin_pam_console_transition_depend',` # ####################################### # -# authlogin_pam_console_read_runtime_data_dir(domain) +# auth_list_pam_console_data(domain) # -define(`authlogin_pam_console_read_runtime_data_dir',` +define(`auth_list_pam_console_data',` requires_block_template(`$0'_depend) - files_search_system_state_data_directory($1) - files_search_runtime_data_directory($1) + files_search_var($1) + files_search_pids($1) allow $1 pam_var_console_t:dir r_dir_perms; ') -define(`authlogin_pam_console_read_runtime_data_dir_depend',` +define(`auth_list_pam_console_data_depend',` type pam_var_console_t; class dir r_dir_perms; @@ -624,18 +624,18 @@ define(`authlogin_pam_console_read_runtime_data_dir_depend',` ####################################### # -# authlogin_pam_console_read_runtime_data(domain) +# auth_read_pam_console_data(domain) # -define(`authlogin_pam_console_read_runtime_data',` +define(`auth_read_pam_console_data',` requires_block_template(`$0'_depend) - files_search_system_state_data_directory($1) - files_search_runtime_data_directory($1) + files_search_var($1) + files_search_pids($1) allow $1 pam_var_console_t:dir r_dir_perms; allow $1 pam_var_console_t:file r_file_perms; ') -define(`authlogin_pam_console_read_runtime_data_depend',` +define(`auth_read_pam_console_data_depend',` type pam_var_console_t; class dir r_dir_perms; 
@@ -644,19 +644,19 @@ define(`authlogin_pam_console_read_runtime_data_depend',` ####################################### # -# authlogin_pam_console_manage_runtime_data(domain) +# auth_manage_pam_console_data(domain) # -define(`authlogin_pam_console_manage_runtime_data',` +define(`auth_manage_pam_console_data',` requires_block_template(`$0'_depend) - files_search_system_state_data_directory($1) - files_search_runtime_data_directory($1) + files_search_var($1) + files_search_pids($1) allow $1 pam_var_console_t:dir rw_dir_perms; allow $1 pam_var_console_t:file create_file_perms; allow $1 pam_var_console_t:lnk_file create_lnk_perms; ') -define(`authlogin_pam_console_manage_runtime_data_depend',` +define(`auth_manage_pam_console_data_depend',` type pam_var_console_t; class dir rw_dir_perms; @@ -665,7 +665,7 @@ define(`authlogin_pam_console_manage_runtime_data_depend',` ') ######################################## -## +## ## ## Relabel all files on the filesystem, except ## the shadow passwords and listed exceptions. @@ -680,18 +680,18 @@ define(`authlogin_pam_console_manage_runtime_data_depend',` ## # -define(`authlogin_relabel_all_files_except_shadow',` +define(`auth_relabel_all_files_except_shadow',` requires_block_template(`$0'_depend) files_relabel_all_files($1,$2 -shadow_t) ') -define(`authlogin_relabel_all_files_except_shadow_depend',` +define(`auth_relabel_all_files_except_shadow_depend',` type shadow_t; ') ######################################## -## +## ## ## Manage all files on the filesystem, except ## the shadow passwords and listed exceptions. 
@@ -706,18 +706,18 @@ define(`authlogin_relabel_all_files_except_shadow_depend',` ## # -define(`authlogin_manage_all_files_except_shadow',` +define(`auth_manage_all_files_except_shadow',` requires_block_template(`$0'_depend) files_manage_all_files($1,$2 -shadow_t) ') -define(`authlogin_manage_all_files_except_shadow_depend',` +define(`auth_manage_all_files_except_shadow_depend',` type shadow_t; ') ######################################## -## +## ## ## Execute utempter programs in the utempter domain. ## @@ -726,7 +726,7 @@ define(`authlogin_manage_all_files_except_shadow_depend',` ## ## # -define(`authlogin_utempter_transition',` +define(`auth_domtrans_utempter',` requires_block_template(`$0'_depend) domain_auto_trans($1,utempter_exec_t,utempter_t) @@ -737,7 +737,7 @@ define(`authlogin_utempter_transition',` allow utempter_t $1:process sigchld; ') -define(`authlogin_utempter_transition_depend',` +define(`auth_domtrans_utempter_depend',` type utempter_t, utempter_exec_t; class file rx_file_perms; @@ -747,7 +747,7 @@ define(`authlogin_utempter_transition_depend',` ') ######################################## -## +## ## ## Execute utempter programs in the utempter domain. ## @@ -762,22 +762,22 @@ define(`authlogin_utempter_transition_depend',` ## ## # -define(`authlogin_utempter_transition_add_role_use_terminal',` +define(`auth_run_utempter',` requires_block_template(`$0'_depend) - authlogin_utempter_transition($1) + auth_domtrans_utempter($1) role $2 types utempter_t; allow utempter_t $3:chr_file rw_file_perms; ') -define(`authlogin_utempter_transition_add_role_use_terminal_depend',` +define(`auth_run_utempter_depend',` type utempter_t; class chr_file rw_file_perms; ') ######################################## -## +## ## ## ## 
@@ -791,23 +791,23 @@ define(`authlogin_utempter_transition_add_role_use_terminal_depend',`
 #
 #######################################
 #
-# authlogin_read_login_records(domain)
+# auth_read_login_records(domain)
 #
-define(`authlogin_read_login_records',`
+define(`auth_read_login_records',`
 requires_block_template(`$0'_depend)
- logging_search_system_log_directory($1)
+ logging_search_logs($1)
 allow $1 wtmp_t:file r_file_perms;
 ')
-define(`authlogin_read_login_records_depend',`
+define(`auth_read_login_records_depend',`
 type wtmp_t;
 class file r_file_perms;
 ')
 ########################################
-##
+##
 ##
 ##
 ##
@@ -818,15 +818,15 @@ define(`authlogin_read_login_records_depend',`
 #
 #######################################
 #
-# authlogin_ignore_write_login_records(domain)
+# auth_dontaudit_write_login_records(domain)
 #
-define(`authlogin_ignore_write_login_records',`
+define(`auth_dontaudit_write_login_records',`
 requires_block_template(`$0'_depend)
 dontaudit $1 wtmp_t:file write;
 ')
-define(`authlogin_read_login_records_depend',`
+define(`auth_read_login_records_depend',`
 type wtmp_t;
 class file write;
@@ -834,16 +834,16 @@ define(`authlogin_read_login_records_depend',`
 #######################################
 #
-# authlogin_modify_login_records(domain)
+# auth_rw_login_records(domain)
 #
-define(`authlogin_modify_login_records',`
+define(`auth_rw_login_records',`
 requires_block_template(`$0'_depend)
 allow $1 wtmp_t:file rw_file_perms;
- logging_search_system_log_directory($1)
+ logging_search_logs($1)
 ')
-define(`authlogin_modify_login_records_depend',`
+define(`auth_rw_login_records_depend',`
 type wtmp_t;
 class file rw_file_perms;
 ')
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index e530bf8..5af1281 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
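Review bot: In the `@@ -818` hunk, `auth_dontaudit_write_login_records` still has no `_depend` macro of its own: its body expands `requires_block_template(`$0'_depend)` to `auth_dontaudit_write_login_records_depend`, but the definition that follows is named `auth_read_login_records_depend`, so the rename carries the old copy-paste slip forward and this second definition replaces the one from the `@@ -791` hunk (m4 keeps the last `define`), leaving `auth_read_login_records` with a requires block of `class file write;` instead of `class file r_file_perms;`. The fix is the one line `define(`auth_dontaudit_write_login_records_depend',`` in place of the duplicated name. How `requires_block_template` behaves when the `_depend` name is undefined is not visible here; presumably m4 emits the name unexpanded and the build fails later.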
@@ -11,59 +11,59 @@ attribute can_write_shadow_passwords; attribute can_relabelto_shadow_passwords; type chkpwd_exec_t; -files_make_file(chkpwd_exec_t) +files_file_type(chkpwd_exec_t) type faillog_t; -logging_make_log_file(faillog_t) +logging_log_file(faillog_t) type lastlog_t; -logging_make_log_file(lastlog_t) +logging_log_file(lastlog_t) type login_exec_t; -files_make_file(login_exec_t) +files_file_type(login_exec_t) type pam_console_t; type pam_console_exec_t; -init_make_system_domain(pam_console_t,pam_console_exec_t) +init_system_domain(pam_console_t,pam_console_exec_t) role system_r types pam_console_t; -domain_make_entrypoint_file(pam_console_t,pam_console_exec_t) +domain_entry_file(pam_console_t,pam_console_exec_t) type pam_t; #, nscd_client_domain; -domain_make_domain(pam_t) +domain_type(pam_t) role system_r types pam_t; type pam_exec_t; -domain_make_entrypoint_file(pam_t,pam_exec_t) +domain_entry_file(pam_t,pam_exec_t) type pam_tmp_t; -files_make_temporary_file(pam_tmp_t) +files_tmp_file(pam_tmp_t) type pam_var_console_t; #, nscd_client_domain -files_make_file(pam_var_console_t) +files_file_type(pam_var_console_t) type pam_var_run_t; -files_make_daemon_runtime_file(pam_var_run_t) +files_pid_file(pam_var_run_t) type shadow_t; -files_make_file(shadow_t) +files_file_type(shadow_t) neverallow ~can_read_shadow_passwords shadow_t:file read; neverallow ~can_write_shadow_passwords shadow_t:file { create write }; neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto; type system_chkpwd_t, can_read_shadow_passwords; # , nscd_client_domain; -domain_make_domain(system_chkpwd_t) -domain_make_entrypoint_file(system_chkpwd_t,chkpwd_exec_t) +domain_type(system_chkpwd_t) +domain_entry_file(system_chkpwd_t,chkpwd_exec_t) role system_r types system_chkpwd_t; type utempter_t; #, nscd_client_domain; -domain_make_domain(utempter_t) +domain_type(utempter_t) type utempter_exec_t; -domain_make_entrypoint_file(utempter_t,utempter_exec_t) 
+domain_entry_file(utempter_t,utempter_exec_t) type wtmp_t; -logging_make_log_file(wtmp_t) +logging_log_file(wtmp_t) ######################################## # @@ -89,27 +89,27 @@ allow pam_t pam_var_run_t:file { getattr read unlink }; allow pam_t pam_tmp_t:dir create_dir_perms; allow pam_t pam_tmp_t:file create_file_perms; -files_create_private_tmp_data(pam_t, pam_tmp_t, { file dir }) +files_create_tmp_files(pam_t, pam_tmp_t, { file dir }) kernel_read_system_state(pam_t) term_use_all_user_ttys(pam_t) term_use_all_user_ptys(pam_t) -init_script_ignore_modify_runtime_data(pam_t) +init_dontaudit_rw_script_pid(pam_t) -files_read_general_system_config(pam_t) -files_read_runtime_data_directory(pam_t) +files_read_generic_etc_files(pam_t) +files_list_pids(pam_t) -libraries_use_dynamic_loader(pam_t) -libraries_use_shared_libraries(pam_t) +libs_use_ld_so(pam_t) +libs_use_shared_libs(pam_t) -logging_send_system_log_message(pam_t) +logging_send_syslog_msg(pam_t) -userdomain_use_all_unprivileged_users_file_descriptors(pam_t) +userdom_use_unpriv_users_fd(pam_t) optional_policy(`locallogin.te',` - locallogin_use_file_descriptors(pam_t) + locallogin_use_fd(pam_t) ') ifdef(`TODO',` 
@@ -151,38 +151,38 @@ term_use_console(pam_console_t) term_getattr_unallocated_ttys(pam_console_t) term_setattr_unallocated_ttys(pam_console_t) -init_use_file_descriptors(pam_console_t) -init_use_file_descriptors(pam_console_t) -init_script_use_pseudoterminal(pam_console_t) +init_use_fd(pam_console_t) +init_use_fd(pam_console_t) +init_use_script_pty(pam_console_t) -domain_use_widely_inheritable_file_descriptors(pam_console_t) +domain_use_wide_inherit_fd(pam_console_t) -files_read_general_system_config(pam_console_t) -files_search_runtime_data_directory(pam_console_t) -files_read_mnt_dir(pam_console_t) +files_read_generic_etc_files(pam_console_t) +files_search_pids(pam_console_t) +files_list_mnt(pam_console_t) -libraries_use_dynamic_loader(pam_console_t) -libraries_use_shared_libraries(pam_console_t) +libs_use_ld_so(pam_console_t) +libs_use_shared_libs(pam_console_t) -logging_send_system_log_message(pam_console_t) +logging_send_syslog_msg(pam_console_t) selinux_read_file_contexts(pam_console_t) -userdomain_ignore_use_all_unprivileged_users_file_descriptors(pam_console_t) +userdom_dontaudit_use_unpriv_user_fd(pam_console_t) ifdef(`direct_sysadm_daemon', ` - userdomain_dontaudit_use_admin_terminals(pam_console_t) + userdom_dontaudit_use_sysadm_terms(pam_console_t) ') ifdef(`targeted_policy', ` term_dontaudit_use_unallocated_tty(pam_console_t) terminal_ignore_use_general_pseudoterminal(pam_console_t) - files_ignore_read_rootfs_file(pam_console_t) + files_dontaudit_read_root_file(pam_console_t) ') optional_policy(`hotplug.te', ` - hotplug_use_file_descriptors(pam_console_t) - hotplug_ignore_search_config_directory(pam_console_t) + hotplug_use_fd(pam_console_t) + hotplug_dontaudit_search_config(pam_console_t) ') optional_policy(`selinux.te',` @@ -190,7 +190,7 @@ selinux_newrole_sigchld(pam_console_t) ') optional_policy(`udev.te', ` - udev_read_database(pam_console_t) + udev_read_db(pam_console_t) ') ifdef(`TODO',` 
@@ -240,14 +240,14 @@ fs_dontaudit_getattr_xattr_fs(system_chkpwd_t) term_use_unallocated_tty(system_chkpwd_t) -files_read_general_system_config(system_chkpwd_t) +files_read_generic_etc_files(system_chkpwd_t) # for nscd -files_ignore_search_system_state_data_directory(system_chkpwd_t) +files_dontaudit_search_var(system_chkpwd_t) -libraries_use_dynamic_loader(system_chkpwd_t) -libraries_use_shared_libraries(system_chkpwd_t) +libs_use_ld_so(system_chkpwd_t) +libs_use_shared_libs(system_chkpwd_t) -logging_send_system_log_message(system_chkpwd_t) +logging_send_syslog_msg(system_chkpwd_t) miscfiles_read_localization(system_chkpwd_t) @@ -261,7 +261,7 @@ tunable_policy(`use_dns',` corenet_raw_sendrecv_all_nodes(system_chkpwd_t) corenet_udp_bind_all_nodes(system_chkpwd_t) corenet_udp_sendrecv_dns_port(system_chkpwd_t) - sysnetwork_read_network_config(system_chkpwd_t) + sysnet_read_config(system_chkpwd_t) ') ifdef(`TODO',` @@ -288,16 +288,16 @@ term_dontaudit_use_all_user_ttys(utempter_t) term_dontaudit_use_all_user_ptys(utempter_t) term_dontaudit_use_ptmx(utempter_t) -init_script_modify_runtime_data(utempter_t) +init_rw_script_pid(utempter_t) -files_read_general_system_config(utempter_t) +files_read_generic_etc_files(utempter_t) -domain_use_widely_inheritable_file_descriptors(utempter_t) +domain_use_wide_inherit_fd(utempter_t) -libraries_use_dynamic_loader(utempter_t) -libraries_use_shared_libraries(utempter_t) +libs_use_ld_so(utempter_t) +libs_use_shared_libs(utempter_t) -logging_search_system_log_directory(utempter_t) +logging_search_logs(utempter_t) ifdef(`TODO',` # Allow utemper to write to /tmp/.xses-* diff --git a/refpolicy/policy/modules/system/clock.if b/refpolicy/policy/modules/system/clock.if index d370d8c..01af3c6 100644 --- a/refpolicy/policy/modules/system/clock.if +++ b/refpolicy/policy/modules/system/clock.if 
@@ -2,7 +2,7 @@ ## Policy for reading and setting the hardware clock. ######################################## -## +## ## ## Execute hwclock in the clock domain. ## @@ -11,7 +11,7 @@ ## ## # -define(`clock_transition',` +define(`clock_domtrans',` requires_block_template(`$0'_depend) domain_auto_trans($1,hwclock_exec_t,hwclock_t) @@ -22,7 +22,7 @@ define(`clock_transition',` allow hwclock_t $1:process sigchld; ') -define(`clock_transition_depend',` +define(`clock_domtrans_depend',` type hwclock_t, hwclock_exec_t; class file rx_file_perms; @@ -32,7 +32,7 @@ define(`clock_transition_depend',` ') ######################################## -## +## ## ## Execute hwclock in the clock domain, and ## allow the specified role the hwclock domain. @@ -48,22 +48,22 @@ define(`clock_transition_depend',` ## ## # -define(`clock_transition_add_role_use_terminal',` +define(`clock_run',` requires_block_template(`$0'_depend) - clock_transition($1) + clock_domtrans($1) role $2 types hwclock_t; allow hwclock_t $3:chr_file { getattr read write ioctl }; ') -define(`clock_transition_add_role_use_terminal_depend',` +define(`clock_run_depend',` type hwclock_t; class chr_file { getattr read write ioctl }; ') ######################################## -## +## ## ## Execute hwclock ## @@ -72,20 +72,20 @@ define(`clock_transition_add_role_use_terminal_depend',` ## ## # -define(`clock_execute',` +define(`clock_exec',` requires_block_template(`$0'_depend) can_exec($1,hwclock_exec_t) ') -define(`clock_execute_depend',` +define(`clock_exec_depend',` type hwclock_exec_t; class file { getattr read execute execute_no_trans }; ') ######################################## -## +## ## ## Allow executing domain to modify clock drift ## 
@@ -94,14 +94,14 @@ define(`clock_execute_depend',`
 ##
 ##
 #
-define(`clock_modify_drift_records',`
+define(`clock_rw_adjtime',`
 requires_block_template(`$0'_depend)
 allow $1 adjtime_t:file rw_file_perms;
- files_read_general_system_config_directory($1)
+ files_read_generic_etc_files_directory($1)
 ')
-define(`clock_modify_drift_records_depend',`
+define(`clock_rw_adjtime_depend',`
 type adjtime_t;
 class file rw_file_perms;
diff --git a/refpolicy/policy/modules/system/clock.te b/refpolicy/policy/modules/system/clock.te
index 96e4097..6cad75b 100644
--- a/refpolicy/policy/modules/system/clock.te
+++ b/refpolicy/policy/modules/system/clock.te
@@ -7,11 +7,11 @@ policy_module(clock,1.0)
 #
 type adjtime_t;
-files_make_file(adjtime_t)
+files_file_type(adjtime_t)
 type hwclock_t;
 type hwclock_exec_t;
-init_make_system_domain(hwclock_t,hwclock_exec_t)
+init_system_domain(hwclock_t,hwclock_exec_t)
 role system_r types hwclock_t;
 ########################################
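Review bot: `files_read_generic_etc_files_directory($1)` in `clock_rw_adjtime` looks like a mechanical substitution of the old `files_read_general_system_config_directory` rather than the name of a real interface; the sibling renames in this commit (for `pam_t`, `pam_console_t`, `system_chkpwd_t`, `utempter_t`) all produce `files_read_generic_etc_files` without a `_directory` suffix. If no macro of that name is defined in files.if, m4 passes the token through unexpanded and the policy would presumably fail only at the checkpolicy stage. The same call is made in the clock.te hunk on the next line (`files_read_generic_etc_files_directory(hwclock_t)`). Please confirm the name against files.if, or change both calls to `files_read_generic_etc_files($1)` / `files_read_generic_etc_files(hwclock_t)` if that is the intended interface.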
@@ -41,26 +41,26 @@ term_use_unallocated_tty(hwclock_t) term_use_all_user_ttys(hwclock_t) term_use_all_user_ptys(hwclock_t) -init_use_file_descriptors(hwclock_t) -init_script_use_pseudoterminal(hwclock_t) +init_use_fd(hwclock_t) +init_use_script_pty(hwclock_t) -domain_use_widely_inheritable_file_descriptors(hwclock_t) +domain_use_wide_inherit_fd(hwclock_t) -files_read_general_system_config_directory(hwclock_t) +files_read_generic_etc_files_directory(hwclock_t) # for when /usr is not mounted: -files_ignore_search_isid_type_dir(hwclock_t) +files_dontaudit_search_isid_type_dir(hwclock_t) -libraries_use_dynamic_loader(hwclock_t) -libraries_use_shared_libraries(hwclock_t) +libs_use_ld_so(hwclock_t) +libs_use_shared_libs(hwclock_t) -logging_send_system_log_message(hwclock_t) +logging_send_syslog_msg(hwclock_t) miscfiles_read_localization(hwclock_t) ifdef(`targeted_policy', ` term_dontaudit_use_unallocated_tty(hwclock_t) terminal_ignore_use_general_pseudoterminal(hwclock_t) - files_ignore_read_rootfs_file(hwclock_t) + files_dontaudit_read_root_file(hwclock_t) ') optional_policy(`selinux.te',` @@ -68,11 +68,11 @@ optional_policy(`selinux.te',` ') optional_policy(`udev.te', ` - udev_read_database(hwclock_t) + udev_read_db(hwclock_t) ') optional_policy(`userdomain.te',` - userdomain_ignore_use_all_unprivileged_users_file_descriptors(hwclock_t) + userdom_dontaudit_use_unpriv_user_fd(hwclock_t) ') ifdef(`TODO',` diff --git a/refpolicy/policy/modules/system/corecommands.if b/refpolicy/policy/modules/system/corecommands.if index 579d489..529a4c6 100644 --- a/refpolicy/policy/modules/system/corecommands.if +++ b/refpolicy/policy/modules/system/corecommands.if 
@@ -6,29 +6,29 @@ ####################################### # -# corecommands_make_shell_entrypoint(domain) +# corecmd_shell_entry_type(domain) # -define(`corecommands_make_shell_entrypoint',` +define(`corecmd_shell_entry_type',` requires_block_template(`$0'_depend) - domain_make_entrypoint_file($1,shell_exec_t) + domain_entry_file($1,shell_exec_t) ') -define(`corecommands_make_shell_entrypoint_depend',` +define(`corecmd_shell_entry_type_depend',` type shell_exec_t; ') ######################################## # -# corecommands_search_general_programs_directory(domain) +# corecmd_search_bin(domain) # -define(`corecommands_search_general_programs_directory',` +define(`corecmd_search_bin',` requires_block_template(`$0'_depend) allow $1 bin_t:dir search; ') -define(`corecommands_search_general_programs_directory_depend',` +define(`corecmd_search_bin_depend',` type bin_t; class dir search; @@ -36,15 +36,15 @@ define(`corecommands_search_general_programs_directory_depend',` ######################################## # -# corecommands_read_general_programs_directory(domain) +# corecmd_list_bin(domain) # -define(`corecommands_read_general_programs_directory',` +define(`corecmd_list_bin',` requires_block_template(`$0'_depend) allow $1 bin_t:dir r_dir_perms; ') -define(`corecommands_read_general_programs_directory_depend',` +define(`corecmd_list_bin_depend',` type bin_t; class dir r_dir_perms; @@ -52,9 +52,9 @@ define(`corecommands_read_general_programs_directory_depend',` ######################################## # -# corecommands_execute_general_programs(domain) +# corecmd_exec_bin(domain) # -define(`corecommands_execute_general_programs',` +define(`corecmd_exec_bin',` requires_block_template(`$0'_depend) allow $1 bin_t:dir r_dir_perms; @@ -63,7 +63,7 @@ define(`corecommands_execute_general_programs',` ') -define(`corecommands_execute_general_programs_depend',` +define(`corecmd_exec_bin_depend',` type bin_t; class dir r_dir_perms; 
@@ -73,15 +73,15 @@ define(`corecommands_execute_general_programs_depend',`
 ########################################
 #
-# corecommands_search_system_programs_directory(domain)
+# corecmd_search_sbin(domain)
 #
-define(`corecommands_search_system_programs_directory',`
+define(`corecmd_search_sbin',`
 requires_block_template(`$0'_depend)
 allow $1 sbin_t:dir search;
 ')
-define(`corecommands_search_system_programs_directory_depend',`
+define(`corecmd_search_sbin_depend',`
 type sbin_t;
 class dir search;
@@ -89,15 +89,15 @@ define(`corecommands_search_system_programs_directory_depend',`
 ########################################
 #
-# corecommands_read_system_programs_directory(domain)
+# corecmd_list_sbin(domain)
 #
-define(`corecommands_read_system_programs_directory',`
+define(`corecmd_list_sbin',`
 requires_block_template(`$0'_depend)
 allow $1 sbin_t:dir r_dir_perms;
 ')
-define(`corecommands_read_system_programs_directory_depend',`
+define(`corecmd_list_sbin_depend',`
 type sbin_t;
 class dir r_dir_perms;
@@ -105,15 +105,15 @@ define(`corecommands_read_system_programs_directory_depend',`
 ########################################
 #
-# corecommands_ignore_get_system_programs_attributes(domain)
+# corecmd_dontaudit_getattr_sbin_file(domain)
 #
-define(`corecommands_ignore_get_system_programs_attributes',`
+define(`corecmd_dontaudit_getattr_sbin_file',`
 requires_block_template(`$0'_depend)
 allow $1 sbin_t:file getattr;
 ')
-define(`corecommands_ignore_get_system_programs_attributes_depend',`
+define(`corecmd_dontaudit_getattr_sbin_file_depend',`
 type sbin_t;
 class file getattr;
@@ -121,9 +121,9 @@ define(`corecommands_ignore_get_system_programs_attributes_depend',`
 ########################################
 #
-# corecommands_execute_system_programs(domain)
+# corecmd_exec_sbin(domain)
 #
-define(`corecommands_execute_system_programs',`
+define(`corecmd_exec_sbin',`
 requires_block_template(`$0'_depend)
 allow $1 sbin_t:dir r_dir_perms;
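Review bot: `corecmd_dontaudit_getattr_sbin_file` (the `@@ -105` hunk) is named as an audit-suppression interface, but its body is `allow $1 sbin_t:file getattr;`, which grants the permission rather than silencing denials. The old `..._ignore_...` name had the same mismatch, but `dontaudit_` is the prefix this commit uses everywhere else for genuine `dontaudit` rules (e.g. `files_dontaudit_read_root_file`, `domain_dontaudit_use_wide_inherit_fd`), so a caller reaching for this interface to quiet a denial will instead widen the domain's permissions. Either change the body to `dontaudit $1 sbin_t:file getattr;` to match the name, or rename the interface to `corecmd_getattr_sbin_file` if the allow is intended; the `_depend` block (`class file getattr;`) is correct for both.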
@@ -132,7 +132,7 @@ define(`corecommands_execute_system_programs',`
 ')
-define(`corecommands_execute_system_programs_depend',`
+define(`corecmd_exec_sbin_depend',`
 type sbin_t;
 class dir r_dir_perms;
@@ -142,9 +142,9 @@ define(`corecommands_execute_system_programs_depend',`
 ########################################
 #
-# corecommands_execute_shell(domain)
+# corecmd_exec_shell(domain)
 #
-define(`corecommands_execute_shell',`
+define(`corecmd_exec_shell',`
 requires_block_template(`$0'_depend)
 allow $1 bin_t:dir r_dir_perms;
@@ -152,7 +152,7 @@ define(`corecommands_execute_shell',`
 can_exec($1,shell_exec_t)
 ')
-define(`corecommands_execute_shell_depend',`
+define(`corecmd_exec_shell_depend',`
 type bin_t, shell_exec_t;
 class dir r_dir_perms;
@@ -162,9 +162,9 @@ define(`corecommands_execute_shell_depend',`
 ########################################
 #
-# corecommands_execute_ls(domain)
+# corecmd_exec_ls(domain)
 #
-define(`corecommands_execute_ls',`
+define(`corecmd_exec_ls',`
 requires_block_template(`$0'_depend)
 allow $1 bin_t:dir r_dir_perms;
@@ -172,7 +172,7 @@ define(`corecommands_execute_ls',`
 can_exec($1,ls_exec_t)
 ')
-define(`corecommands_execute_shell_depend',`
+define(`corecmd_exec_shell_depend',`
 type bin_t, ls_exec_t;
 class dir r_dir_perms;
@@ -181,7 +181,7 @@ define(`corecommands_execute_shell_depend',`
 ')
 ########################################
-##
+##
 ##
 ## Execute a shell in the target domain. This
 ## is an explicit transition, requiring the
@@ -195,7 +195,7 @@ define(`corecommands_execute_shell_depend',`
 ##
 ##
 #
-define(`corecommands_shell_explicit_transition',`
+define(`corecmd_shell_spec_domtrans',`
 requires_block_template(`$0'_depend)
 allow $1 bin_t:dir r_dir_perms;
@@ -209,7 +209,7 @@ define(`corecommands_shell_explicit_transition',`
 allow $2 $1:process sigchld;
 ')
-define(`corecommands_shell_explicit_transition_depend',`
+define(`corecmd_shell_spec_domtrans_depend',`
 type bin_t, shell_exec_t;
 class dir r_dir_perms;
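Review bot: The `_depend` macro for `corecmd_exec_ls` (the `@@ -172` hunk) is defined as `corecmd_exec_shell_depend`, the same name the `@@ -152` hunk gives to the `_depend` of `corecmd_exec_shell`. Since m4 keeps the last `define`, `corecmd_exec_shell`'s requires block ends up declaring `type bin_t, ls_exec_t;` and no longer `shell_exec_t`, while the `corecmd_exec_ls_depend` name that `corecmd_exec_ls` expands via `$0'_depend` is never defined. The rename preserves a pre-existing slip rather than introducing it, but it is a one-line fix: `define(`corecmd_exec_ls_depend',``.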
@@ -221,7 +221,7 @@ define(`corecommands_shell_explicit_transition_depend',` ') ######################################## -## +## ## ## Execute a shell in the target domain. ## @@ -233,29 +233,29 @@ define(`corecommands_shell_explicit_transition_depend',` ## ## # -define(`corecommands_shell_transition',` +define(`corecmd_domtrans_shell',` requires_block_template(`$0'_depend) - corecommands_shell_explicit_transition($1,$2) + corecmd_shell_spec_domtrans($1,$2) type_transition $1 shell_exec_t:process $2; ') -define(`corecommands_shell_transition_depend',` +define(`corecmd_domtrans_shell_depend',` type shell_exec_t; ') ######################################## # -# corecommands_chroot(domain) +# corecmd_chroot_exec_chroot(domain) # -define(`corecommands_chroot',` +define(`corecmd_chroot_exec_chroot',` requires_block_template(`$0'_depend) allow $1 chroot_exec_t:file { getattr read execute execute_no_trans }; allow $1 self:capability sys_chroot; ') -define(`corecommands_chroot_depend',` +define(`corecmd_chroot_exec_chroot_depend',` type chroot_exec_t; class file { getattr read execute execute_no_trans }; diff --git a/refpolicy/policy/modules/system/corecommands.te b/refpolicy/policy/modules/system/corecommands.te index 47d960d..8c49c97 100644 --- a/refpolicy/policy/modules/system/corecommands.te +++ b/refpolicy/policy/modules/system/corecommands.te 
@@ -5,25 +5,25 @@ policy_module(corecommands,1.0) # bin_t is the type of files in the system bin directories. # type bin_t; -files_make_file(bin_t) +files_file_type(bin_t) # # sbin_t is the type of files in the system sbin directories. # type sbin_t; -files_make_file(sbin_t) +files_file_type(sbin_t) # # ls_exec_t is the type of the ls program. # type ls_exec_t; -files_make_file(ls_exec_t) +files_file_type(ls_exec_t) # # shell_exec_t is the type of user shells such as /bin/bash. # type shell_exec_t; -files_make_file(shell_exec_t) +files_file_type(shell_exec_t) type chroot_exec_t; -files_make_file(chroot_exec_t) +files_file_type(chroot_exec_t) diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if index e92f28d..ab6cc0d 100644 --- a/refpolicy/policy/modules/system/domain.if +++ b/refpolicy/policy/modules/system/domain.if @@ -3,9 +3,9 @@ ######################################## # -# domain_make_base_domain(domain) +# domain_base_domain_type(domain) # -define(`domain_make_base_domain',` +define(`domain_base_domain_type',` requires_block_template(`$0'_depend) # mark as a domain @@ -19,7 +19,7 @@ define(`domain_make_base_domain',` allow $1 self:process { fork sigchld }; ') -define(`domain_make_base_domain_depend',` +define(`domain_base_domain_type_depend',` attribute domain; class dir r_dir_perms; @@ -29,11 +29,11 @@ define(`domain_make_base_domain_depend',` ######################################## # -# domain_make_domain(domain) +# domain_type(domain) # -define(`domain_make_domain',` +define(`domain_type',` # start with basic domain - domain_make_base_domain($1) + domain_base_domain_type($1) # Use trusted objects in /dev dev_rw_null_dev($1) 
@@ -41,31 +41,31 @@ define(`domain_make_domain',` term_use_controlling_term($1) # read the root directory - files_read_root_dir($1) + files_list_root($1) # send init a sigchld init_sigchld($1) # this seems highly questionable: optional_policy(`rpm.te',` - rpm_use_file_descriptors($1) + rpm_use_fd($1) rpm_read_pipe($1) ') ') ######################################## # -# domain_make_entrypoint_file(domain,entrypointfile) +# domain_entry_file(domain,entrypointfile) # -define(`domain_make_entrypoint_file',` +define(`domain_entry_file',` requires_block_template(`$0'_depend) - files_make_file($2) + files_file_type($2) allow $1 $2:file entrypoint; typeattribute $2 entry_type; ') -define(`domain_make_entrypoint_file_depend',` +define(`domain_entry_file_depend',` attribute entry_type; class file entrypoint; @@ -73,29 +73,29 @@ define(`domain_make_entrypoint_file_depend',` ######################################## # -# domain_make_file_descriptors_widely_inheritable(domain) +# domain_wide_inherit_fd(domain) # -define(`domain_make_file_descriptors_widely_inheritable',` +define(`domain_wide_inherit_fd',` requires_block_template(`$0'_depend) typeattribute $1 privfd; ') -define(`domain_make_file_descriptors_widely_inheritable_depend',` +define(`domain_wide_inherit_fd_depend',` attribute privfd; ') ######################################## # -# domain_use_widely_inheritable_file_descriptors(domain) +# domain_use_wide_inherit_fd(domain) # -define(`domain_use_widely_inheritable_file_descriptors',` +define(`domain_use_wide_inherit_fd',` requires_block_template(`$0'_depend) allow $1 privfd:fd use; ') -define(`domain_use_widely_inheritable_file_descriptors_depend',` +define(`domain_use_wide_inherit_fd_depend',` attribute privfd; class fd use; 
@@ -103,15 +103,15 @@ define(`domain_use_widely_inheritable_file_descriptors_depend',` ######################################## # -# domain_ignore_use_widely_inheritable_file_descriptors(domain) +# domain_dontaudit_use_wide_inherit_fd(domain) # -define(`domain_ignore_use_widely_inheritable_file_descriptors',` +define(`domain_dontaudit_use_wide_inherit_fd',` requires_block_template(`$0'_depend) dontaudit $1 privfd:fd use; ') -define(`domain_ignore_use_widely_inheritable_file_descriptors_depend',` +define(`domain_dontaudit_use_wide_inherit_fd_depend',` attribute privfd; class fd use; @@ -119,15 +119,15 @@ define(`domain_ignore_use_widely_inheritable_file_descriptors_depend',` ######################################## # -# domain_set_all_domains_priorities(domain) +# domain_setpriority_all_domains(domain) # -define(`domain_set_all_domains_priorities',` +define(`domain_setpriority_all_domains',` requires_block_template(`$0'_depend) allow $1 domain:process setsched; ') -define(`domain_set_all_domains_priorities_depend',` +define(`domain_setpriority_all_domains_depend',` attribute domain; class process setsched; @@ -246,7 +246,7 @@ define(`domain_kill_all_domains_depend',` ') ######################################## -## +## ## ## Read the process state (/proc/pid) of all domains. ## @@ -255,7 +255,7 @@ define(`domain_kill_all_domains_depend',` ## ## # -define(`domain_read_all_domains_process_state',` +define(`domain_read_all_domains_state',` requires_block_template(`$0'_depend) allow $1 domain:dir r_dir_perms; @@ -270,7 +270,7 @@ define(`domain_read_all_domains_process_state',` dontaudit $1 domain:process ptrace; ') -define(`domain_read_all_domains_process_state_depend',` +define(`domain_read_all_domains_state_depend',` attribute domain; class dir r_dir_perms; @@ -280,7 +280,7 @@ define(`domain_read_all_domains_process_state_depend',` ') ######################################## -## +## ## ## Do not audit attempts to read the process state ## directories of all domains. 
@@ -290,13 +290,13 @@ define(`domain_read_all_domains_process_state_depend',` ## ## # -define(`domain_ignore_read_all_domains_process_dirs',` +define(`domain_dontaudit_list_all_domains_proc',` requires_block_template(`$0'_depend) dontaudit $1 domain:dir r_dir_perms; ') -define(`domain_ignore_read_all_domains_process_dirs_depend',` +define(`domain_dontaudit_list_all_domains_proc_depend',` attribute domain; class dir r_dir_perms; @@ -304,7 +304,7 @@ define(`domain_ignore_read_all_domains_process_dirs_depend',` ######################################## -## +## ## ## Get the session ID of all domains. ## @@ -313,20 +313,20 @@ define(`domain_ignore_read_all_domains_process_dirs_depend',` ## ## # -define(`domain_get_all_domains_session_id',` +define(`domain_getsession_all_domains',` requires_block_template(`$0'_depend) allow $1 domain:process getsession; ') -define(`domain_get_all_domains_session_id_depend',` +define(`domain_getsession_all_domains_depend',` attribute domain; class process getsession; ') ######################################## -## +## ## ## Do not audit attempts to get the attributes ## of all domains UDP sockets. @@ -336,20 +336,20 @@ define(`domain_get_all_domains_session_id_depend',` ## ## # -define(`domain_ignore_get_all_domains_udp_socket_attributes',` +define(`domain_dontaudit_getattr_all_udp_sockets',` requires_block_template(`$0'_depend) dontaudit $1 domain:udp_socket getattr; ') -define(`domain_ignore_get_all_domains_udp_socket_attributes_depend',` +define(`domain_dontaudit_getattr_all_udp_sockets_depend',` attribute domain; class udp_socket getattr; ') ######################################## -## +## ## ## Do not audit attempts to get the attributes ## of all domains TCP sockets. 
@@ -359,20 +359,20 @@ define(`domain_ignore_get_all_domains_udp_socket_attributes_depend',` ## ## # -define(`domain_ignore_get_all_domains_tcp_socket_attributes',` +define(`domain_dontaudit_getattr_all_tcp_sockets',` requires_block_template(`$0'_depend) dontaudit $1 domain:tcp_socket getattr; ') -define(`domain_ignore_get_all_domains_tcp_socket_attributes_depend',` +define(`domain_dontaudit_getattr_all_tcp_sockets_depend',` attribute domain; class tcp_socket getattr; ') ######################################## -## +## ## ## Do not audit attempts to get the attributes ## of all domains unix datagram sockets. @@ -382,20 +382,20 @@ define(`domain_ignore_get_all_domains_tcp_socket_attributes_depend',` ## ## # -define(`domain_ignore_get_all_domains_unix_dgram_socket_attributes',` +define(`domain_dontaudit_getattr_all_unix_dgram_sockets',` requires_block_template(`$0'_depend) dontaudit $1 domain:unix_dgram_socket getattr; ') -define(`domain_ignore_get_all_domains_unix_dgram_socket_attributes_depend',` +define(`domain_dontaudit_getattr_all_unix_dgram_sockets_depend',` attribute domain; class unix_dgram_socket getattr; ') ######################################## -## +## ## ## Do not audit attempts to get the attributes ## of all domains unnamed pipes. @@ -405,13 +405,13 @@ define(`domain_ignore_get_all_domains_unix_dgram_socket_attributes_depend',` ## ## # -define(`domain_ignore_get_all_domains_pipe_attributes',` +define(`domain_dontaudit_getattr_all_unnamed_pipes',` requires_block_template(`$0'_depend) dontaudit $1 domain:fifo_file getattr; ') -define(`domain_ignore_get_all_domains_pipe_attributes_depend',` +define(`domain_dontaudit_getattr_all_unnamed_pipes_depend',` attribute domain; class fifo_file getattr; 
@@ -419,16 +419,16 @@ define(`domain_ignore_get_all_domains_pipe_attributes_depend',` ######################################## # -# domain_execute_all_entrypoint_programs(domain) +# domain_exec_all_entry_files(domain) # -define(`domain_execute_all_entrypoint_programs',` +define(`domain_exec_all_entry_files',` requires_block_template(`$0'_depend) can_exec($1,entry_type) ') -define(`domain_execute_all_entrypoint_programs_depend',` +define(`domain_exec_all_entry_files_depend',` attribute entry_type; class file { getattr read ioctl lock execute execute_no_trans }; @@ -436,16 +436,16 @@ define(`domain_execute_all_entrypoint_programs_depend',` ######################################## # -# domain_read_all_entrypoint_programs(domain) +# domain_read_all_entry_files(domain) # -define(`domain_read_all_entrypoint_programs',` +define(`domain_read_all_entry_files',` requires_block_template(`$0'_depend) allow $1 entry_type:lnk_file r_file_perms; allow $1 entry_type:file r_file_perms; ') -define(`domain_read_all_entrypoint_programs_depend',` +define(`domain_read_all_entry_files_depend',` attribute entry_type; class file r_file_perms; diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if index 4b633c3..6e8e673 100644 --- a/refpolicy/policy/modules/system/files.if +++ b/refpolicy/policy/modules/system/files.if @@ -3,9 +3,9 @@ ######################################## # -# files_make_file(type) +# files_file_type(type) # -define(`files_make_file',` +define(`files_file_type',` requires_block_template(`$0'_depend) fs_associate($1) 
@@ -13,72 +13,72 @@ define(`files_make_file',` typeattribute $1 file_type; ') -define(`files_make_file_depend',` +define(`files_file_type_depend',` attribute file_type; ') ######################################## # -# files_make_lock_file(type) +# files_lock_file(type) # -define(`files_make_lock_file',` +define(`files_lock_file',` requires_block_template(`$0'_depend) - files_make_file($1) + files_file_type($1) typeattribute $1 lockfile; ') -define(`files_make_lock_file_depend',` +define(`files_lock_file_depend',` attribute lockfile; ') ######################################## # -# files_make_mountpoint(type) +# files_mountpoint(type) # -define(`files_make_mountpoint',` +define(`files_mountpoint',` requires_block_template(`$0'_depend) - files_make_file($1) + files_file_type($1) typeattribute $1 mountpoint; ') -define(`files_make_mountpoint_depend',` +define(`files_mountpoint_depend',` attribute mountpoint; ') ######################################## # -# files_make_daemon_runtime_file(type) +# files_pid_file(type) # -define(`files_make_daemon_runtime_file',` +define(`files_pid_file',` requires_block_template(`$0'_depend) - files_make_file($1) + files_file_type($1) typeattribute $1 pidfile; ') -define(`files_make_daemon_runtime_file_depend',` +define(`files_pid_file_depend',` attribute pidfile; ') ######################################## # -# files_make_temporary_file(type) +# files_tmp_file(type) # -define(`files_make_temporary_file',` +define(`files_tmp_file',` requires_block_template(`$0'_depend) - files_make_file($1) + files_file_type($1) typeattribute $1 tmpfile; ') -define(`files_make_temporary_file_depend',` +define(`files_tmp_file_depend',` attribute tmpfile; ') ######################################## -## +## ## ## Transform the type into a file, for use on a ## virtual memory filesystem (tmpfs). 
@@ -88,23 +88,23 @@ define(`files_make_temporary_file_depend',` ## ## # -define(`files_make_tmpfs_file',` +define(`files_tmpfs_file',` requires_block_template(`$0'_depend) - files_make_file($1) + files_file_type($1) fs_associate_tmpfs($1) typeattribute $1 tmpfsfile; ') -define(`files_make_tmpfs_file_depend',` +define(`files_tmpfs_file_depend',` attribute tmpfsfile; ') ######################################## # -# files_get_all_file_attributes(domain) +# files_getattr_all_files(domain) -define(`files_get_all_file_attributes',` +define(`files_getattr_all_files',` requires_block_template(`$0'_depend) allow $1 file_type:dir { search getattr }; @@ -114,7 +114,7 @@ define(`files_get_all_file_attributes',` allow $1 file_type:sock_file getattr; ') -define(`files_get_all_file_attributes_depend',` +define(`files_getattr_all_files_depend',` attribute file_type; class dir { search getattr }; @@ -151,7 +151,7 @@ define(`files_relabel_all_files',` allow $1 { file_type $2 }:chr_file { getattr relabelfrom }; # satisfy the assertions: - selinux_relabelto_binary_policy($1) + selinux_relabelto_binary_pol($1) ') define(`files_relabel_all_files_depend',` @@ -191,7 +191,7 @@ define(`files_manage_all_files',` allow $1 { file_type $2 }:sock_file create_file_perms; # satisfy the assertions: - selinux_write_binary_policy($1) + selinux_write_binary_pol($1) bootloader_manage_kernel_modules($1) ') @@ -207,15 +207,15 @@ define(`files_manage_all_files_depend',` ######################################## # -# files_search_all_directories(domain) +# files_search_all_dirs(domain) # -define(`files_search_all_directories',` +define(`files_search_all_dirs',` requires_block_template(`$0'_depend) allow $1 file_type:dir search; ') -define(`files_search_all_directories_depend',` +define(`files_search_all_dirs_depend',` attribute file_type; class dir search; 
@@ -223,15 +223,15 @@ define(`files_search_all_directories_depend',` ######################################## # -# files_read_all_directories(domain) +# files_list_all_dirs(domain) # -define(`files_read_all_directories',` +define(`files_list_all_dirs',` requires_block_template(`$0'_depend) allow $1 file_type:dir r_dir_perms; ') -define(`files_read_all_directories_depend',` +define(`files_list_all_dirs_depend',` attribute file_type; class dir r_dir_perms; @@ -239,15 +239,15 @@ define(`files_read_all_directories_depend',` ######################################## # -# files_ignore_search_all_directories(domain) +# files_dontaudit_search_all_dirs(domain) # -define(`files_ignore_search_all_directories',` +define(`files_dontaudit_search_all_dirs',` requires_block_template(`$0'_depend) dontaudit $1 file_type:dir search; ') -define(`files_ignore_search_all_directories_depend',` +define(`files_dontaudit_search_all_dirs_depend',` attribute file_type; class dir search; @@ -303,15 +303,15 @@ define(`files_unmount_all_file_type_fs_depend',` ######################################## # -# files_mount_on_all_mountpoints(domain) +# files_mounton_all_mountpoints(domain) # -define(`files_mount_on_all_mountpoints',` +define(`files_mounton_all_mountpoints',` requires_block_template(`$0'_depend) allow $1 mountpoint:dir { getattr search mounton }; ') -define(`files_mount_on_all_mountpoints_depend',` +define(`files_mounton_all_mountpoints_depend',` attribute mountpoint; class dir { getattr search mounton }; @@ -319,16 +319,16 @@ define(`files_mount_on_all_mountpoints_depend',` ######################################## # -# files_read_root_dir(domain) +# files_list_root(domain) # -define(`files_read_root_dir',` +define(`files_list_root',` requires_block_template(`$0'_depend) allow $1 root_t:dir r_dir_perms; allow $1 root_t:lnk_file r_file_perms; ') -define(`files_read_root_dir_depend',` +define(`files_list_root_depend',` type root_t; class dir r_dir_perms; 
@@ -336,32 +336,69 @@ define(`files_read_root_dir_depend',` ') ######################################## +## +## +## Create an object in the root directory, with a private +## type. If no object class is specified, the +## default is file. +## +## +## The type of the process performing this action. +## +## +## The type of the object to be created. If no type +## is specified, the type of the root directory will +## be used. +## +## +## The object class of the object being created. If +## no class is specified, file will be used. +## +## # -# files_create_root_dir_entry(domain) -# -define(`files_create_root_dir_entry',` +define(`files_create_root',` requires_block_template(`$0'_depend) - allow $1 root_t:dir ra_dir_perms; + allow $1 root_t:dir rw_dir_perms; + + ifelse(`$3',`',` + ifelse(`$2',`',` + allow $1 root_t:file create_file_perms; + ',` + type_transition $1 root_t:file $2; + ') + ',` + ifelse(`$2',`',` + allow $1 root_t:$3 create_file_perms; + ',` + type_transition $1 root_t:$3 $2; + ') + ') ') -define(`files_create_root_dir_entry_depend',` +define(`files_create_root_depend',` type root_t; - class dir ra_dir_perms; + class dir create_dir_perms; + class file create_file_perms; + class lnk_file create_lnk_perms; + class fifo_file create_file_perms; + class sock_file create_file_perms; + class blk_file create_file_perms; + class chr_file create_file_perms; ') ######################################## # -# files_ignore_read_rootfs_file(domain) +# files_dontaudit_read_root_file(domain) # -define(`files_ignore_read_rootfs_file',` +define(`files_dontaudit_read_root_file',` requires_block_template(`$0'_depend) dontaudit $1 root_t:file read; ') -define(`files_ignore_read_rootfs_file_depend',` +define(`files_dontaudit_read_root_file_depend',` type root_t; class file read; 
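Review bot: `files_create_root_depend` declares `class dir create_dir_perms;` while the rule it backs is `allow $1 root_t:dir rw_dir_perms;`, and it declares `class lnk_file create_lnk_perms;` while the `$2`-empty branch emits `allow $1 root_t:$3 create_file_perms;` for whatever class is passed as `$3`, so the require block and the generated rules disagree; align them, e.g. `class dir rw_dir_perms;` in the depend block and a per-class permission set in the body. Callers migrated from the old `files_create_root_dir_entry`, which only granted `ra_dir_perms`, now receive `rw_dir_perms` on the root directory (presumably including `remove_name`) and, when called with no arguments, `root_t:file create_file_perms`; that widening is not mentioned in the new description and deserves a sentence there. The merged macro also stands in for `files_create_private_root_dir_entry`, deleted in a later hunk, so any remaining caller of that name breaks unless it is migrated in the same change.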
@@ -369,15 +406,15 @@ define(`files_ignore_read_rootfs_file_depend',` ######################################## # -# files_ignore_modify_rootfs_file(domain) +# files_dontaudit_rw_root_file(domain) # -define(`files_ignore_modify_rootfs_file',` +define(`files_dontaudit_rw_root_file',` requires_block_template(`$0'_depend) dontaudit $1 root_t:file { read write }; ') -define(`files_ignore_modify_rootfs_file_depend',` +define(`files_dontaudit_rw_root_file_depend',` type root_t; class file { read write }; 
@@ -385,67 +422,31 @@ define(`files_ignore_modify_rootfs_file_depend',` ######################################## # -# files_ignore_modify_rootfs_device(domain) +# files_dontaudit_rw_root_chr_dev(domain) # -define(`files_ignore_modify_rootfs_device',` +define(`files_dontaudit_rw_root_chr_dev',` requires_block_template(`$0'_depend) dontaudit $1 root_t:chr_file { read write }; ') -define(`files_ignore_modify_rootfs_device_depend',` +define(`files_dontaudit_rw_root_chr_dev_depend',` type root_t; class chr_file { read write }; ') ######################################## -## -## -## Create an object in the root directory, with a private -## type. If no object class is specified, the -## default is file. -## -## -## The type of the process performing this action. -## -## -## The type of the object to be created. -## -## -## The type of the process performing this action. -## -## -# -define(`files_create_private_root_dir_entry',` - requires_block_template(`$0'_depend) - - allow $1 root_t:dir rw_dir_perms; - - ifelse(`$3',`',` - type_transition $1 root_t:file $2; - ',` - type_transition $1 root_t:$3 $2; - ') dnl end ifelse -') - -define(`files_create_private_root_dir_entry_depend',` -type root_t; - -class dir rw_dir_perms; -') - -######################################## # -# files_remove_root_dir_entry(domain) +# files_delete_root_dir_entry(domain) # -define(`files_remove_root_dir_entry',` +define(`files_delete_root_dir_entry',` requires_block_template(`$0'_depend) allow $1 root_t:dir rw_dir_perms; ') -define(`files_remove_root_dir_entry_depend',` +define(`files_delete_root_dir_entry_depend',` type root_t; class dir rw_dir_perms; 
@@ -453,15 +454,15 @@ define(`files_remove_root_dir_entry_depend',` ######################################## # -# files_unmount_root_fs(domain) +# files_unmount_rootfs(domain) # -define(`files_unmount_root_fs',` +define(`files_unmount_rootfs',` requires_block_template(`$0'_depend) allow $1 root_t:filesystem unmount; ') -define(`files_unmount_root_fs_depend',` +define(`files_unmount_rootfs_depend',` type root_t; class filesystem unmount; @@ -469,15 +470,15 @@ define(`files_unmount_root_fs_depend',` ######################################## # -# files_search_general_system_config_directory(domain) +# files_search_etc(domain) # -define(`files_search_general_system_config_directory',` +define(`files_search_etc',` requires_block_template(`$0'_depend) allow $1 etc_t:dir search; ') -define(`files_search_general_system_config_directory_depend',` +define(`files_search_etc_depend',` type etc_t; class dir search; @@ -485,15 +486,15 @@ define(`files_search_general_system_config_directory_depend',` ######################################## # -# files_read_general_system_config_directory(domain) +# files_read_generic_etc_files_directory(domain) # -define(`files_read_general_system_config_directory',` +define(`files_read_generic_etc_files_directory',` requires_block_template(`$0'_depend) allow $1 etc_t:dir r_dir_perms; ') -define(`files_read_general_system_config_directory_depend',` +define(`files_read_generic_etc_files_directory_depend',` type etc_t; class dir r_dir_perms; @@ -501,9 +502,9 @@ define(`files_read_general_system_config_directory_depend',` ######################################## # -# files_read_general_system_config(domain) +# files_read_generic_etc_files(domain) # -define(`files_read_general_system_config',` +define(`files_read_generic_etc_files',` requires_block_template(`$0'_depend) allow $1 etc_t:dir r_dir_perms; 
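Review bot: `files_read_generic_etc_files_directory` breaks the naming scheme the rest of this commit adopts, where an interface granting only `dir r_dir_perms` is called `files_list_*` (`files_list_root`, `files_list_all_dirs`, `files_list_pids`, `files_list_spool`); the body here is exactly `allow $1 etc_t:dir r_dir_perms;`. Renaming it `files_list_etc` (with `files_list_etc_depend`) would also make it easy to tell apart from `files_read_generic_etc_files` in the next hunk, which reads the files themselves.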
@@ -511,7 +512,7 @@ define(`files_read_general_system_config',` allow $1 etc_t:lnk_file r_file_perms; ') -define(`files_read_general_system_config_depend',` +define(`files_read_generic_etc_files_depend',` type etc_t; class dir r_dir_perms; @@ -521,9 +522,9 @@ define(`files_read_general_system_config_depend',` ######################################## # -# files_modify_general_system_config(domain) +# files_rw_generic_etc_files(domain) # -define(`files_modify_general_system_config',` +define(`files_rw_generic_etc_files',` requires_block_template(`$0'_depend) allow $1 etc_t:dir r_dir_perms; @@ -531,7 +532,7 @@ define(`files_modify_general_system_config',` allow $1 etc_t:lnk_file r_file_perms; ') -define(`files_modify_general_system_config_depend',` +define(`files_rw_generic_etc_files_depend',` type etc_t; class dir r_dir_perms; @@ -541,9 +542,9 @@ define(`files_modify_general_system_config_depend',` ######################################## # -# files_manage_general_system_config(domain) +# files_manage_generic_etc_files(domain) # -define(`files_manage_general_system_config',` +define(`files_manage_generic_etc_files',` requires_block_template(`$0'_depend) allow $1 etc_t:dir rw_dir_perms; @@ -551,7 +552,7 @@ define(`files_manage_general_system_config',` allow $1 etc_t:lnk_file r_file_perms; ') -define(`files_manage_general_system_config_depend',` +define(`files_manage_generic_etc_files_depend',` type etc_t; class dir rw_dir_perms; @@ -560,7 +561,7 @@ define(`files_manage_general_system_config_depend',` ') ######################################## -## +## ## ## Delete system configuration files in /etc. ## 
@@ -569,14 +570,14 @@ define(`files_manage_general_system_config_depend',` ## ## # -define(`files_remove_general_system_config',` +define(`files_delete_generic_etc_files',` requires_block_template(`$0'_depend) allow $1 etc_t:dir rw_dir_perms; allow $1 etc_t:file unlink; ') -define(`files_remove_general_system_config_depend',` +define(`files_delete_generic_etc_files_depend',` type etc_t; class dir rw_dir_perms; @@ -585,9 +586,9 @@ define(`files_remove_general_system_config_depend',` ######################################## # -# files_execute_system_config_script(domain) +# files_exec_generic_etc_files(domain) # -define(`files_execute_system_config_script',` +define(`files_exec_generic_etc_files',` requires_block_template(`$0'_depend) allow $1 etc_t:dir r_dir_perms; @@ -596,7 +597,7 @@ define(`files_execute_system_config_script',` ') -define(`files_execute_system_config_script_depend',` +define(`files_exec_generic_etc_files_depend',` type etc_t; class dir r_dir_perms; @@ -627,9 +628,9 @@ define(`files_create_boot_flag_depend',` ######################################## # -# files_manage_runtime_system_config(type) +# files_manage_etc_runtime_files(type) # -define(`files_manage_runtime_system_config',` +define(`files_manage_etc_runtime_files',` requires_block_template(`$0'_depend) allow $1 etc_t:dir rw_dir_perms; @@ -637,7 +638,7 @@ define(`files_manage_runtime_system_config',` type_transition $1 etc_t:file etc_runtime_t; ') -define(`files_manage_runtime_system_config_depend',` +define(`files_manage_etc_runtime_files_depend',` type etc_t, etc_runtime_t; class dir rw_dir_perms; 
@@ -646,16 +647,16 @@ define(`files_manage_runtime_system_config_depend',` ######################################## # -# files_read_runtime_system_config(domain) +# files_read_etc_runtime_files(domain) # -define(`files_read_runtime_system_config',` +define(`files_read_etc_runtime_files',` requires_block_template(`$0'_depend) allow $1 etc_t:dir r_dir_perms; allow $1 etc_runtime_t:file r_file_perms; ') -define(`files_read_runtime_system_config_depend',` +define(`files_read_etc_runtime_files_depend',` type etc_t, etc_runtime_t; class dir r_dir_perms; @@ -664,9 +665,9 @@ define(`files_read_runtime_system_config_depend',` ######################################## # -# files_create_private_config(domain,privatetype,[class(es)]) +# files_create_etc_config(domain,privatetype,[class(es)]) # -define(`files_create_private_config',` +define(`files_create_etc_config',` requires_block_template(`$0'_depend) allow $1 etc_t:dir rw_dir_perms; @@ -677,7 +678,7 @@ define(`files_create_private_config',` ') ') -define(`files_create_private_config_depend',` +define(`files_create_etc_config_depend',` type etc_t; class dir rw_dir_perms; @@ -685,15 +686,15 @@ class dir rw_dir_perms; ######################################## # -# files_modify_isid_type_dir(domain) +# files_rw_isid_type_dir(domain) # -define(`files_modify_isid_type_dir',` +define(`files_rw_isid_type_dir',` requires_block_template(`$0'_depend) allow $1 file_t:dir rw_dir_perms; ') -define(`files_modify_isid_type_dir_depend',` +define(`files_rw_isid_type_dir_depend',` type file_t; class dir rw_dir_perms; 
@@ -701,15 +702,15 @@ define(`files_modify_isid_type_dir_depend',` ######################################## # -# files_ignore_get_isid_type_dir_attrib(domain) +# files_dontaudit_getattr_isid_type_dir(domain) # -define(`files_ignore_get_isid_type_dir_attrib',` +define(`files_dontaudit_getattr_isid_type_dir',` requires_block_template(`$0'_depend) dontaudit $1 file_t:dir search; ') -define(`files_ignore_get_isid_type_dir_attrib_depend',` +define(`files_dontaudit_getattr_isid_type_dir_depend',` type file_t; class dir search; @@ -717,22 +718,22 @@ define(`files_ignore_get_isid_type_dir_attrib_depend',` ######################################## # -# files_ignore_search_isid_type_dir(domain) +# files_dontaudit_search_isid_type_dir(domain) # -define(`files_ignore_search_isid_type_dir',` +define(`files_dontaudit_search_isid_type_dir',` requires_block_template(`$0'_depend) dontaudit $1 file_t:dir search; ') -define(`files_ignore_search_isid_type_dir_depend',` +define(`files_dontaudit_search_isid_type_dir_depend',` type file_t; class dir search; ') ######################################## -## +## ## ## Get listing home home directories. ## @@ -741,13 +742,13 @@ define(`files_ignore_search_isid_type_dir_depend',` ## ## # -define(`files_list_home_directories',` +define(`files_list_home',` requires_block_template(`$0'_depend) allow $1 home_root_t:dir r_dir_perms; ') -define(`files_list_home_directories_depend',` +define(`files_list_home_depend',` type home_root_t; class dir r_dir_perms; @@ -755,15 +756,15 @@ define(`files_list_home_directories_depend',` ######################################## # -# files_read_mnt_dir(domain) +# files_list_mnt(domain) # -define(`files_read_mnt_dir',` +define(`files_list_mnt',` requires_block_template(`$0'_depend) allow $1 mnt_t:dir r_dir_perms; ') -define(`files_read_runtime_system_config_depend',` +define(`files_read_etc_runtime_files_depend',` type mnt_t; class dir r_dir_perms; 
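Review bot: The new name `files_dontaudit_getattr_isid_type_dir` says getattr, but the rule under it is `dontaudit $1 file_t:dir search;`, identical to the body of `files_dontaudit_search_isid_type_dir` in the following hunk, so the rename carries over a pre-existing copy-paste mismatch and leaves two interfaces with the same effect. Either change the rule and its depend block to `dontaudit $1 file_t:dir getattr;` and `class dir getattr;` so they match the name, or drop this interface in favour of the search one.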
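Review bot: The depend block for `files_list_mnt` is renamed to `files_read_etc_runtime_files_depend`, which preserves an older mistake rather than fixing it: `files_list_mnt_depend`, the name that `requires_block_template(`$0'_depend)` expands to, is never defined, and this second definition of `files_read_etc_runtime_files_depend` (the first is in the `@@ -646` hunk) will replace the etc_runtime require block with `type mnt_t;` when m4 processes the file in order. The line should read `define(`files_list_mnt_depend',`.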
@@ -771,9 +772,9 @@ define(`files_read_runtime_system_config_depend',` ######################################## # -# files_create_private_tmp_data(domain,private_type,[object class(es)]) +# files_create_tmp_files(domain,private_type,[object class(es)]) # -define(`files_create_private_tmp_data',` +define(`files_create_tmp_files',` requires_block_template(`$0'_depend) allow $1 tmp_t:dir rw_dir_perms; @@ -785,7 +786,7 @@ define(`files_create_private_tmp_data',` ') ') -define(`files_create_private_tmp_data_depend',` +define(`files_create_tmp_files_depend',` type tmp_t; class dir rw_dir_perms; @@ -793,9 +794,9 @@ define(`files_create_private_tmp_data_depend',` ######################################## # -# files_remove_all_tmp_data(domain) +# files_delete_all_tmp_files(domain) # -define(`files_remove_all_tmp_data',` +define(`files_delete_all_tmp_files',` requires_block_template(`$0'_depend) allow $1 tmpfile:dir { getattr search read write add_name remove_name rmdir }; @@ -805,7 +806,7 @@ define(`files_remove_all_tmp_data',` allow $1 tmpfile:sock_file { getattr unlink }; ') -define(`files_remove_all_tmp_data_depend',` +define(`files_delete_all_tmp_files_depend',` attribute tmpfile; class dir { getattr search read write add_name remove_name rmdir }; @@ -817,15 +818,15 @@ define(`files_remove_all_tmp_data_depend',` ######################################## # -# files_search_general_application_resources_dir(domain) +# files_search_usr(domain) # -define(`files_search_general_application_resources_dir',` +define(`files_search_usr',` requires_block_template(`$0'_depend) allow $1 usr_t:dir search; ') -define(`files_search_general_application_resources_dir_depend',` +define(`files_search_usr_depend',` type usr_t; class dir search; 
@@ -833,16 +834,16 @@ define(`files_search_general_application_resources_dir_depend',` ######################################## # -# files_read_general_application_resources(domain) +# files_read_usr_files(domain) # -define(`files_read_general_application_resources',` +define(`files_read_usr_files',` requires_block_template(`$0'_depend) allow $1 usr_t:dir r_dir_perms; allow $1 usr_t:{ file lnk_file } r_file_perms; ') -define(`files_read_general_application_resources_depend',` +define(`files_read_usr_files_depend',` type usr_t; class dir r_dir_perms; @@ -851,7 +852,7 @@ define(`files_read_general_application_resources_depend',` ') ######################################## -## +## ## ## Execute programs in /usr/src in the caller domain. ## @@ -860,7 +861,7 @@ define(`files_read_general_application_resources_depend',` ## ## # -define(`files_execute_system_source_code_scripts',` +define(`files_exec_usr_files',` requires_block_template(`$0'_depend) allow $1 usr_t:dir search; @@ -870,7 +871,7 @@ define(`files_execute_system_source_code_scripts',` ') -define(`files_read_system_source_code_depend',` +define(`files_read_usr_src_depend',` type usr_t, src_t; class dir r_dir_perms; @@ -880,9 +881,9 @@ define(`files_read_system_source_code_depend',` ######################################## # -# files_read_system_source_code(domain) +# files_read_usr_src(domain) # -define(`files_read_system_source_code',` +define(`files_read_usr_src',` requires_block_template(`$0'_depend) allow $1 usr_t:dir search; @@ -890,7 +891,7 @@ define(`files_read_system_source_code',` allow $1 src_t:{ file lnk_file } r_file_perms; ') -define(`files_read_system_source_code_depend',` +define(`files_read_usr_src_depend',` type usr_t, src_t; class dir r_dir_perms; 
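Review bot: The same mis-paired depend block appears here: `files_exec_usr_files` calls `requires_block_template(`$0'_depend)`, but the block that follows it is renamed `files_read_usr_src_depend`, which is defined again two hunks later for `files_read_usr_src`, so `files_exec_usr_files_depend` never exists and the later definition wins. It should be `define(`files_exec_usr_files_depend',` with the requirements the exec body actually uses (the body continues outside the hunk). The description above the macro still says it executes programs in /usr/src, which the new name `files_exec_usr_files` no longer conveys; if the body does touch src_t, a name such as `files_exec_usr_src_files` would be more accurate.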
@@ -900,15 +901,15 @@ define(`files_read_system_source_code_depend',` ######################################## # -# files_search_system_state_data_directory(domain) +# files_search_var(domain) # -define(`files_search_system_state_data_directory',` +define(`files_search_var',` requires_block_template(`$0'_depend) allow $1 var_t:dir search; ') -define(`files_search_system_state_data_directory_depend',` +define(`files_search_var_depend',` type var_t; class dir search; @@ -916,15 +917,15 @@ define(`files_search_system_state_data_directory_depend',` ######################################## # -# files_ignore_search_system_state_data_directory(domain) +# files_dontaudit_search_var(domain) # -define(`files_ignore_search_system_state_data_directory',` +define(`files_dontaudit_search_var',` requires_block_template(`$0'_depend) dontaudit $1 var_t:dir search; ') -define(`files_ignore_search_system_state_data_directory_depend',` +define(`files_dontaudit_search_var_depend',` type var_t; class dir search; @@ -932,9 +933,9 @@ define(`files_ignore_search_system_state_data_directory_depend',` ######################################## # -# files_manage_pseudorandom_saved_seed(domain) +# files_manage_urandom_seed(domain) # -define(`files_manage_pseudorandom_saved_seed',` +define(`files_manage_urandom_seed',` requires_block_template(`$0'_depend) allow $1 var_t:dir search; @@ -942,7 +943,7 @@ define(`files_manage_pseudorandom_saved_seed',` allow $1 var_lib_t:file { getattr create read write setattr unlink }; ') -define(`files_manage_pseudorandom_saved_seed_depend',` +define(`files_manage_urandom_seed_depend',` type var_t, var_lib_t; class dir rw_file_perms; 
@@ -951,16 +952,16 @@ define(`files_manage_pseudorandom_saved_seed_depend',` ######################################## # -# files_get_system_lock_file_attributes(domain) +# files_getattr_generic_lock_files(domain) # -define(`files_get_system_lock_file_attributes',` +define(`files_getattr_generic_lock_files',` requires_block_template(`$0'_depend) allow $1 var_lock_t:dir r_dir_perms; allow $1 var_lock_t:file getattr; ') -define(`files_get_system_lock_file_attributes_depend',` +define(`files_getattr_generic_lock_files_depend',` type var_lock_t; class dir r_dir_perms; @@ -969,16 +970,16 @@ define(`files_get_system_lock_file_attributes_depend',` ######################################## # -# files_manage_system_lock_files(domain) +# files_manage_generic_lock_files(domain) # -define(`files_manage_system_lock_files',` +define(`files_manage_generic_lock_files',` requires_block_template(`$0'_depend) allow $1 var_lock_t:dir { getattr search create read write setattr add_name remove_name rmdir }; allow $1 var_lock_t:file { getattr create read write setattr unlink }; ') -define(`files_manage_system_lock_files_depend',` +define(`files_manage_generic_lock_files_depend',` type var_lock_t; class dir { getattr search create read write setattr add_name remove_name rmdir }; @@ -987,16 +988,16 @@ define(`files_manage_system_lock_files_depend',` ######################################## # -# files_remove_all_lock_files(domain) +# files_delete_all_lock_files(domain) # -define(`files_remove_all_lock_files',` +define(`files_delete_all_lock_files',` requires_block_template(`$0'_depend) allow $1 lockfile:dir rw_dir_perms; allow $1 lockfile:file { getattr unlink }; ') -define(`files_remove_all_lock_files_depend',` +define(`files_delete_all_lock_files_depend',` attribute lockfile; class dir rw_dir_perms; 
@@ -1005,9 +1006,9 @@ define(`files_remove_all_lock_files_depend',` ######################################## # -# files_create_private_lock_file(domain,private_type,[object class(es)]) +# files_create_lock_file(domain,private_type,[object class(es)]) # -define(`files_create_private_lock_file',` +define(`files_create_lock_file',` requires_block_template(`$0'_depend) allow $1 var_t:dir search; @@ -1020,7 +1021,7 @@ define(`files_create_private_lock_file',` ') ') -define(`files_create_private_lock_file_depend',` +define(`files_create_lock_file_depend',` type var_t, var_lock_t; class dir rw_dir_perms; @@ -1028,16 +1029,16 @@ define(`files_create_private_lock_file_depend',` ######################################## # -# files_search_runtime_data_directory(domain) +# files_search_pids(domain) # -define(`files_search_runtime_data_directory',` +define(`files_search_pids',` requires_block_template(`$0'_depend) allow $1 var_t:dir search; allow $1 var_run_t:dir search; ') -define(`files_search_runtime_data_directory_depend',` +define(`files_search_pids_depend',` type var_t, var_run_t; class dir search; @@ -1045,15 +1046,15 @@ define(`files_search_runtime_data_directory_depend',` ######################################## # -# files_ignore_search_runtime_data_directory(domain) +# files_dontaudit_search_pids(domain) # -define(`files_ignore_search_runtime_data_directory',` +define(`files_dontaudit_search_pids',` requires_block_template(`$0'_depend) allow $1 var_run_t:dir search; ') -define(`files_ignore_search_runtime_data_directory_depend',` +define(`files_dontaudit_search_pids_depend',` type var_run_t; class dir search; 
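Review bot: `files_dontaudit_search_pids` is a dontaudit interface by name and by analogy with `files_dontaudit_search_var` in an earlier hunk, which uses `dontaudit`, but its body is `allow $1 var_run_t:dir search;`, so a module that calls it to silence denials is instead granted search on var_run_t. The rule should be `dontaudit $1 var_run_t:dir search;`; the rename is the right moment to fix it, since the new name now states the intent explicitly.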
@@ -1061,16 +1062,16 @@ define(`files_ignore_search_runtime_data_directory_depend',` ######################################## # -# files_read_runtime_data_directory(domain) +# files_list_pids(domain) # -define(`files_read_runtime_data_directory',` +define(`files_list_pids',` requires_block_template(`$0'_depend) allow $1 var_t:dir search; allow $1 var_run_t:dir r_dir_perms; ') -define(`files_read_runtime_data_directory_depend',` +define(`files_list_pids_depend',` type var_t, var_run_t; class dir r_dir_perms; @@ -1078,9 +1079,9 @@ define(`files_read_runtime_data_directory_depend',` ######################################## # -# files_create_daemon_runtime_data(domain,pidfile,[object class(es)]) +# files_create_pid(domain,pidfile,[object class(es)]) # -define(`files_create_daemon_runtime_data',` +define(`files_create_pid',` requires_block_template(`$0'_depend) allow $1 var_t:dir search; @@ -1093,7 +1094,7 @@ define(`files_create_daemon_runtime_data',` ') ') -define(`files_create_daemon_runtime_data_depend',` +define(`files_create_pid_depend',` type var_t, var_run_t; class dir rw_dir_perms; @@ -1101,9 +1102,9 @@ define(`files_create_daemon_runtime_data_depend',` ######################################## # -# files_modify_system_runtime_data(domain) +# files_rw_generic_pids(domain) # -define(`files_modify_system_runtime_data',` +define(`files_rw_generic_pids',` requires_block_template(`$0'_depend) allow $1 var_t:dir search; @@ -1111,7 +1112,7 @@ define(`files_modify_system_runtime_data',` allow $1 var_run_t:file rw_file_perms; ') -define(`files_modify_system_runtime_data_depend',` +define(`files_rw_generic_pids_depend',` type var_t, var_run_t; class dir r_dir_perms; @@ -1119,7 +1120,7 @@ define(`files_modify_system_runtime_data_depend',` ') ######################################## -## +## ## ## Do not audit attempts to write to daemon runtime data files. ## 
@@ -1129,20 +1130,20 @@ define(`files_modify_system_runtime_data_depend',` ## # -define(`files_ignore_write_all_daemon_runtime_data',` +define(`files_dontaudit_write_all_pids',` requires_block_template(`$0'_depend) dontaudit $1 pidfile:file write; ') -define(`files_ignore_write_all_daemon_runtime_data_depend',` +define(`files_dontaudit_write_all_pids_depend',` attribute pidfile; class file write; ') ######################################## -## +## ## ## Do not audit attempts to ioctl daemon runtime data files. ## @@ -1152,13 +1153,13 @@ define(`files_ignore_write_all_daemon_runtime_data_depend',` ## # -define(`files_ignore_ioctl_all_daemon_runtime_data',` +define(`files_dontaudit_ioctl_all_pids',` requires_block_template(`$0'_depend) dontaudit $1 pidfile:file ioctl; ') -define(`files_ignore_ioctl_all_daemon_runtime_data_depend',` +define(`files_dontaudit_ioctl_all_pids_depend',` attribute pidfile; class file ioctl; @@ -1166,9 +1167,9 @@ define(`files_ignore_ioctl_all_daemon_runtime_data_depend',` ######################################## # -# files_read_all_daemon_runtime_data(domain) +# files_read_all_pids(domain) # -define(`files_read_all_daemon_runtime_data',` +define(`files_read_all_pids',` requires_block_template(`$0'_depend) allow $1 var_t:dir search; @@ -1176,7 +1177,7 @@ define(`files_read_all_daemon_runtime_data',` allow $1 pidfile:file r_file_perms; ') -define(`files_read_all_daemon_runtime_data_depend',` +define(`files_read_all_pids_depend',` attribute pidfile; type var_t; @@ -1186,9 +1187,9 @@ define(`files_read_all_daemon_runtime_data_depend',` ######################################## # -# files_remove_all_daemon_runtime_data(domain) +# files_delete_all_pids(domain) # -define(`files_remove_all_daemon_runtime_data',` +define(`files_delete_all_pids',` requires_block_template(`$0'_depend) allow $1 var_t:dir search; 
@@ -1199,7 +1200,7 @@ define(`files_remove_all_daemon_runtime_data',` allow $1 pidfile:sock_file { getattr unlink }; ') -define(`files_remove_all_daemon_runtime_data_depend',` +define(`files_delete_all_pids_depend',` attribute pidfile; type var_t, var_run_t; @@ -1212,16 +1213,16 @@ define(`files_remove_all_daemon_runtime_data_depend',` ######################################## # -# files_search_system_spool_directory(domain) +# files_search_spool(domain) # -define(`files_search_system_spool_directory',` +define(`files_search_spool',` requires_block_template(`$0'_depend) allow $1 var_t:dir search; allow $1 var_spool_t:dir search; ') -define(`files_search_system_spool_directory_depend',` +define(`files_search_spool_depend',` type var_t, var_spool_t; class dir search; @@ -1229,16 +1230,16 @@ define(`files_search_system_spool_directory_depend',` ######################################## # -# files_read_system_spool_directory(domain) +# files_list_spool(domain) # -define(`files_read_system_spool_directory',` +define(`files_list_spool',` requires_block_template(`$0'_depend) allow $1 var_t:dir search; allow $1 var_spool_t:dir r_dir_perms; ') -define(`files_read_system_spool_directory_depend',` +define(`files_list_spool_depend',` type var_t, var_spool_t; class dir r_dir_perms; @@ -1246,9 +1247,9 @@ define(`files_read_system_spool_directory_depend',` ######################################## # -# files_read_system_spools(domain) +# files_read_spools(domain) # -define(`files_read_system_spools',` +define(`files_read_spools',` requires_block_template(`$0'_depend) allow $1 var_t:dir search; @@ -1256,7 +1257,7 @@ define(`files_read_system_spools',` allow $1 var_spool_t:file r_file_perms; ') -define(`files_read_system_spools_depend',` +define(`files_read_spools_depend',` type var_t, var_spool_t; class dir r_dir_perms; 
@@ -1265,9 +1266,9 @@ define(`files_read_system_spools_depend',` ######################################## # -# files_manage_system_spools(domain) +# files_manage_spools(domain) # -define(`files_manage_system_spools',` +define(`files_manage_spools',` requires_block_template(`$0'_depend) allow $1 var_t:dir search; @@ -1275,7 +1276,7 @@ define(`files_manage_system_spools',` allow $1 var_spool_t:file create_file_perms; ') -define(`files_manage_system_spools_depend',` +define(`files_manage_spools_depend',` type var_t, var_spool_t; class dir rw_dir_perms; diff --git a/refpolicy/policy/modules/system/getty.if b/refpolicy/policy/modules/system/getty.if index 4bfe180..8a68f0d 100644 --- a/refpolicy/policy/modules/system/getty.if +++ b/refpolicy/policy/modules/system/getty.if @@ -2,7 +2,7 @@ ## Policy for getty. ######################################## -## +## ## ## Execute gettys in the getty domain. ## @@ -11,7 +11,7 @@ ## ## # -define(`getty_transition',` +define(`getty_domtrans',` requires_block_template(`$0'_depend) allow $1 getty_exec_t:file { getattr read execute }; @@ -25,7 +25,7 @@ define(`getty_transition',` allow getty_t $1:process sigchld; ') -define(`getty_transition_depend',` +define(`getty_domtrans_depend',` type getty_t, getty_exec_t; class file { getattr read execute }; @@ -35,7 +35,7 @@ define(`getty_transition_depend',` ') ######################################## -## +## ## ## Allow process to read getty log file. ## @@ -44,20 +44,20 @@ define(`getty_transition_depend',` ## ## # -define(`getty_read_log_file',` +define(`getty_read_log',` requires_block_template(`$0'_depend) allow $1 getty_log_t:file { getattr read }; ') -define(`getty_read_log_file_depend',` +define(`getty_read_log_depend',` type getty_log_t; class file { getattr read }; ') ######################################## -## +## ## ## Allow process to read getty config file. ## 
@@ -66,20 +66,20 @@ define(`getty_read_log_file_depend',` ## ## # -define(`getty_read_config_file',` +define(`getty_read_config',` requires_block_template(`$0'_depend) allow $1 getty_etc_t:file { getattr read }; ') -define(`getty_read_config_file_depend',` +define(`getty_read_config_depend',` type getty_etc_t; class file { getattr read }; ') ######################################## -## +## ## ## Allow process to edit getty config file. ## @@ -88,13 +88,13 @@ define(`getty_read_config_file_depend',` ## ## # -define(`getty_modify_config_file',` +define(`getty_modify_config',` requires_block_template(`$0'_depend) allow $1 getty_etc_t:file { getattr read write }; ') -define(`getty_modify_config_file_depend',` +define(`getty_modify_config_depend',` type getty_etc_t; class file { getattr read write }; diff --git a/refpolicy/policy/modules/system/getty.te b/refpolicy/policy/modules/system/getty.te index aafc77d..46e3772 100644 --- a/refpolicy/policy/modules/system/getty.te +++ b/refpolicy/policy/modules/system/getty.te @@ -8,17 +8,17 @@ policy_module(getty,1.0) type getty_t; type getty_exec_t; -init_make_init_domain(getty_t,getty_exec_t) -domain_make_file_descriptors_widely_inheritable(getty_t) +init_domain(getty_t,getty_exec_t) +domain_wide_inherit_fd(getty_t) type getty_etc_t; typealias getty_etc_t alias etc_getty_t; type getty_log_t; -logging_make_log_file(getty_log_t) +logging_log_file(getty_log_t) type getty_tmp_t; -files_make_temporary_file(getty_tmp_t) +files_tmp_file(getty_tmp_t) ######################################## # 
@@ -34,11 +34,11 @@ allow getty_t self:process { getpgid getsession }; allow getty_t getty_etc_t:dir r_dir_perms; allow getty_t getty_etc_t:file r_file_perms; -files_create_private_config(getty_t,getty_etc_t,{ file dir }) +files_create_etc_config(getty_t,getty_etc_t,{ file dir }) allow getty_t getty_tmp_t:file { getattr create read setattr write setattr unlink }; allow getty_t getty_tmp_t:dir { getattr search create read setattr write setattr unlink rmdir }; -files_create_private_tmp_data(getty_t,getty_tmp_t,{ file dir }) +files_create_tmp_files(getty_t,getty_tmp_t,{ file dir }) allow getty_t getty_log_t:file { getattr append setattr }; @@ -54,23 +54,23 @@ term_setattr_all_user_ttys(getty_t) term_setattr_unallocated_ttys(getty_t) term_setattr_console(getty_t) -authlogin_modify_login_records(getty_t) +auth_rw_login_records(getty_t) -corecommands_search_general_programs_directory(getty_t) +corecmd_search_bin(getty_t) -files_modify_system_runtime_data(getty_t) -files_manage_system_lock_files(getty_t) -files_read_runtime_system_config(getty_t) -files_read_general_system_config(getty_t) +files_rw_generic_pids(getty_t) +files_manage_generic_lock_files(getty_t) +files_read_etc_runtime_files(getty_t) +files_read_generic_etc_files(getty_t) -init_script_modify_runtime_data(getty_t) -init_script_use_pseudoterminal(getty_t) +init_rw_script_pid(getty_t) +init_use_script_pty(getty_t) -libraries_use_dynamic_loader(getty_t) -libraries_use_shared_libraries(getty_t) +libs_use_ld_so(getty_t) +libs_use_shared_libs(getty_t) -locallogin_transition(getty_t) +locallogin_domtrans(getty_t) -logging_send_system_log_message(getty_t) +logging_send_syslog_msg(getty_t) miscfiles_read_localization(getty_t) diff --git a/refpolicy/policy/modules/system/hostname.if b/refpolicy/policy/modules/system/hostname.if index 6197994..272ae12 100644 --- a/refpolicy/policy/modules/system/hostname.if +++ b/refpolicy/policy/modules/system/hostname.if 
@@ -2,7 +2,7 @@ ## Policy for changing the system host name. ######################################## -## +## ## ## Execute hostname in the hostname domain. ## @@ -12,7 +12,7 @@ ## ## # -define(`hostname_transition',` +define(`hostname_domtrans',` requires_block_template(`$0'_depend) allow $1 hostname_exec_t:file rx_file_perms; @@ -26,7 +26,7 @@ define(`hostname_transition',` allow hostname_t $1:process sigchld; ') -define(`hostname_transition_depend',` +define(`hostname_domtrans_depend',` type hostname_t, hostname_exec_t; class file rx_file_perms; @@ -36,7 +36,7 @@ define(`hostname_transition_depend',` ') ######################################## -## +## ## ## Execute hostname in the hostname domain, and ## allow the specified role the hostname domain. @@ -53,22 +53,22 @@ define(`hostname_transition_depend',` ## ## # -define(`hostname_transition_add_role_use_terminal',` +define(`hostname_run',` requires_block_template(`$0'_depend) - hostname_transition($1) + hostname_domtrans($1) role $2 types hostname_t; allow hostname_t $3:chr_file { getattr read write ioctl }; ') -define(`hostname_transition_add_role_use_terminal_depend',` +define(`hostname_run_depend',` type hostname_t; class chr_file { getattr read write ioctl }; ') ######################################## -## +## ## ## Execute hostname in the hostname domain, and ## Has a sigchld signal backchannel. @@ -80,16 +80,16 @@ define(`hostname_transition_add_role_use_terminal_depend',` # ####################################### # -# hostname_execute(domain) +# hostname_exec(domain) # -define(`hostname_execute',` +define(`hostname_exec',` requires_block_template(`$0'_depend) can_exec($1,hostname_exec_t) ') -define(`hostname_execute_depend',` +define(`hostname_exec_depend',` type hostname_exec_t; class file { getattr read execute execute_no_trans }; diff --git a/refpolicy/policy/modules/system/hostname.te b/refpolicy/policy/modules/system/hostname.te index 3353e17..ae17162 100644 
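Review bot: The summary text that appears to belong to `hostname_exec` (it sits immediately above the `# hostname_exec(domain)` header, at the end of the previous hunk: "Execute hostname in the hostname domain, and Has a sigchld signal backchannel") describes a domain transition, but the interface body is only `can_exec($1,hostname_exec_t)` with no transition and no sigchld rule. A reader choosing between `hostname_domtrans` and `hostname_exec` will pick the wrong one on the strength of that text. Suggested summary: `Execute hostname in the caller domain, without a domain transition.`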
--- a/refpolicy/policy/modules/system/hostname.te +++ b/refpolicy/policy/modules/system/hostname.te @@ -8,7 +8,7 @@ policy_module(hostname,1.0) type hostname_t; type hostname_exec_t; -init_make_system_domain(hostname_t,hostname_exec_t) +init_system_domain(hostname_t,hostname_exec_t) role system_r types hostname_t; @@ -23,36 +23,36 @@ allow hostname_t self:process { sigchld sigkill sigstop signull signal }; allow hostname_t self:capability sys_admin; dontaudit hostname_t self:capability sys_tty_config; -sysnetwork_read_network_config(hostname_t) +sysnet_read_config(hostname_t) kernel_read_kernel_sysctl(hostname_t) kernel_read_hardware_state(hostname_t) kernel_dontaudit_use_fd(hostname_t) -files_read_general_system_config(hostname_t) -files_ignore_search_system_state_data_directory(hostname_t) +files_read_generic_etc_files(hostname_t) +files_dontaudit_search_var(hostname_t) fs_getattr_xattr_fs(hostname_t) term_dontaudit_use_console(hostname_t) term_use_all_user_ttys(hostname_t) term_use_all_user_ptys(hostname_t) -init_use_file_descriptors(hostname_t) -init_script_use_pseudoterminal(hostname_t) +init_use_fd(hostname_t) +init_use_script_pty(hostname_t) -domain_use_widely_inheritable_file_descriptors(hostname_t) +domain_use_wide_inherit_fd(hostname_t) # for when /usr is not mounted: -files_ignore_search_isid_type_dir(hostname_t) +files_dontaudit_search_isid_type_dir(hostname_t) -libraries_use_dynamic_loader(hostname_t) -libraries_use_shared_libraries(hostname_t) +libs_use_ld_so(hostname_t) +libs_use_shared_libs(hostname_t) -logging_send_system_log_message(hostname_t) +logging_send_syslog_msg(hostname_t) miscfiles_read_localization(hostname_t) -userdomain_use_all_users_file_descriptors(hostname_t) +userdom_use_all_user_fd(hostname_t) ifdef(`distro_redhat', ` fs_use_tmpfs_character_devices(hostname_t) 
@@ -61,7 +61,7 @@ ifdef(`distro_redhat', `
 ifdef(`targeted_policy', `
 term_dontaudit_use_unallocated_tty(hostname_t)
 terminal_ignore_use_general_pseudoterminal(hostname_t)
- files_ignore_read_rootfs_file(hostname_t)
+ files_dontaudit_read_root_file(hostname_t)
 ')
 tunable_policy(`use_dns',`
@@ -72,11 +72,11 @@ tunable_policy(`use_dns',`
 corenet_raw_sendrecv_all_nodes(hostname_t)
 corenet_udp_bind_all_nodes(hostname_t)
 corenet_udp_sendrecv_dns_port(hostname_t)
- sysnetwork_read_network_config(hostname_t)
+ sysnet_read_config(hostname_t)
 ')
 optional_policy(`hotplug.te',`
- hotplug_ignore_use_file_descriptors(hostname_t)
+ hotplug_dontaudit_use_fd(hostname_t)
 ')
 optional_policy(`selinux.te',`
@@ -84,7 +84,7 @@ optional_policy(`selinux.te',`
 ')
 optional_policy(`udev.te', `
- udev_read_database(hostname_t)
+ udev_read_db(hostname_t)
 ')
 ifdef(`TODO',`
diff --git a/refpolicy/policy/modules/system/hotplug.if b/refpolicy/policy/modules/system/hotplug.if
index c80095a..6f0b15f 100644
--- a/refpolicy/policy/modules/system/hotplug.if
+++ b/refpolicy/policy/modules/system/hotplug.if
@@ -6,9 +6,9 @@
 #######################################
 #
-# hotplug_transition(domain)
+# hotplug_domtrans(domain)
 #
-define(`hotplug_transition',`
+define(`hotplug_domtrans',`
 requires_block_template(`$0'_depend)
 allow $1 hotplug_exec_t:file rx_file_perms;
@@ -22,7 +22,7 @@ define(`hotplug_transition',`
 allow hotplug_t $1:process sigchld;
 ')
-define(`hotplug_transition_depend',`
+define(`hotplug_domtrans_depend',`
 type hotplug_t, hotplug_exec_t;
 class file rx_file_perms;
@@ -33,16 +33,16 @@ define(`hotplug_transition_depend',`
 #######################################
 #
-# hotplug_execute(domain)
+# hotplug_exec(domain)
 #
-define(`hotplug_execute',`
+define(`hotplug_exec',`
 requires_block_template(`$0'_depend)
 can_exec($1,hotplug_exec_t)
 ')
-define(`hotplug_execute_depend',`
+define(`hotplug_exec_depend',`
 type hotplug_t;
 class file { getattr read execute execute_no_trans };
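Review bot: `terminal_ignore_use_general_pseudoterminal(hostname_t)` in the `targeted_policy` block keeps the old `terminal_`/`ignore` spelling while the line above it (`term_dontaudit_use_unallocated_tty`) and the line this hunk does rename (`files_dontaudit_read_root_file`) follow the new scheme. If the terminal module's interfaces were renamed in the same sweep, this call no longer expands and m4 passes the literal name through to the policy compiler, so targeted builds fail on this line; if the old name was kept as an alias it is only inconsistent, but worth confirming. Either way it should be moved to the `term_dontaudit_*` form of that interface together with its neighbours.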
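Review bot: `sysnet_read_config(hostname_t)` inside `tunable_policy(`use_dns',`` duplicates the unconditional `sysnet_read_config(hostname_t)` near the top of the previous hunk, so the tunable no longer gates anything for that interface. The commit renamed both copies without noticing the overlap; drop the one inside the tunable, or, if the intent was that network config is readable only when use_dns is set, drop the unconditional one instead so the tunable's effect is actually reviewable.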
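Review bot: `hotplug_exec_depend` declares `type hotplug_t;`, but the body of `hotplug_exec` is `can_exec($1,hotplug_exec_t)`, which references `hotplug_exec_t` and never `hotplug_t`; the generated requires block therefore names a type the interface does not use and omits the one it does. The line should read `type hotplug_exec_t;`. `hotplug_domtrans_depend` just above declares both types and `hostname_exec_depend` elsewhere in this commit gets the same case right with `type hostname_exec_t;`.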
@@ -50,15 +50,15 @@ define(`hotplug_execute_depend',`
 #######################################
 #
-# hotplug_use_file_descriptors(domain)
+# hotplug_use_fd(domain)
 #
-define(`hotplug_use_file_descriptors',`
+define(`hotplug_use_fd',`
 requires_block_template(`$0'_depend)
 allow $1 hotplug_t:fd use;
 ')
-define(`hotplug_use_file_descriptors_depend',`
+define(`hotplug_use_fd_depend',`
 type hotplug_t;
 class fd use;
@@ -66,15 +66,15 @@ define(`hotplug_use_file_descriptors_depend',`
 #######################################
 #
-# hotplug_ignore_use_file_descriptors(domain)
+# hotplug_dontaudit_use_fd(domain)
 #
-define(`hotplug_ignore_use_file_descriptors',`
+define(`hotplug_dontaudit_use_fd',`
 requires_block_template(`$0'_depend)
 dontaudit $1 hotplug_t:fd use;
 ')
-define(`hotplug_ignore_use_file_descriptors_depend',`
+define(`hotplug_dontaudit_use_fd_depend',`
 type hotplug_t;
 class fd use;
@@ -82,15 +82,15 @@ define(`hotplug_ignore_use_file_descriptors_depend',`
 ########################################
 #
-# hotplug_ignore_search_config_directory(domain)
+# hotplug_dontaudit_search_config(domain)
 #
-define(`hotplug_ignore_search_config_directory',`
+define(`hotplug_dontaudit_search_config',`
 requires_block_template(`$0'_depend)
 dontaudit $1 hotplug_etc_t:dir search;
 ')
-define(`hotplug_ignore_search_config_directory_depend',`
+define(`hotplug_dontaudit_search_config_depend',`
 type hotplug_etc_t;
 class dir search;
@@ -109,7 +109,7 @@ define(`hotplug_ignore_search_config_directory_depend',`
 define(`hotplug_read_config',`
 requires_block_template(`$0'_depend)
- files_search_general_system_config_directory($1)
+ files_search_etc($1)
 allow $1 hotplug_etc_t:file r_file_perms;
 allow $1 hotplug_etc_t:dir r_dir_perms;
 allow $1 hotplug_etc_t:lnk_file r_file_perms;
diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te
index 50252fe..6e59141 100644
--- a/refpolicy/policy/modules/system/hotplug.te
+++ b/refpolicy/policy/modules/system/hotplug.te
@@ -9,13 +9,13 @@ policy_module(hotplug, 1.0) type hotplug_t; type hotplug_exec_t; kernel_userland_entry(hotplug_t,hotplug_exec_t) -init_make_system_domain(hotplug_t,hotplug_exec_t) +init_system_domain(hotplug_t,hotplug_exec_t) type hotplug_etc_t; #, usercanread; -files_make_file(hotplug_etc_t) +files_file_type(hotplug_etc_t) type hotplug_var_run_t; -files_make_daemon_runtime_file(hotplug_var_run_t) +files_pid_file(hotplug_var_run_t) ######################################## # @@ -41,7 +41,7 @@ allow hotplug_t hotplug_exec_t:file { getattr read ioctl execute execute_no_tran allow hotplug_t hotplug_etc_t:file { getattr read execute execute_no_trans }; allow hotplug_t hotplug_var_run_t:file { getattr create read write append setattr unlink }; -files_create_daemon_runtime_data(hotplug_t,hotplug_var_run_t) +files_create_pid(hotplug_t,hotplug_var_run_t) kernel_read_system_state(hotplug_t) kernel_read_kernel_sysctl(hotplug_t) 
@@ -68,71 +68,71 @@ storage_set_removable_device_attributes(hotplug_t) term_dontaudit_use_console(hotplug_t) -corecommands_execute_general_programs(hotplug_t) -corecommands_execute_shell(hotplug_t) -corecommands_execute_system_programs(hotplug_t) +corecmd_exec_bin(hotplug_t) +corecmd_exec_shell(hotplug_t) +corecmd_exec_sbin(hotplug_t) -domain_use_widely_inheritable_file_descriptors(hotplug_t) +domain_use_wide_inherit_fd(hotplug_t) -files_read_general_system_config(hotplug_t) -files_manage_runtime_system_config(hotplug_t) -files_execute_system_config_script(hotplug_t) +files_read_generic_etc_files(hotplug_t) +files_manage_etc_runtime_files(hotplug_t) +files_exec_generic_etc_files(hotplug_t) # for when filesystems are not mounted early in the boot: -files_ignore_search_isid_type_dir(hotplug_t) +files_dontaudit_search_isid_type_dir(hotplug_t) -init_use_file_descriptors(hotplug_t) -init_script_use_pseudoterminal(hotplug_t) -init_script_read_process_state(hotplug_t) +init_use_fd(hotplug_t) +init_use_script_pty(hotplug_t) +init_read_script_process_state(hotplug_t) # Allow hotplug (including /sbin/ifup-local) to start/stop services and # run sendmail -q -init_script_transition(hotplug_t) +init_domtrans_script(hotplug_t) # kernel threads inherit from shared descriptor table used by init -init_ignore_use_control_channel(hotplug_t) +init_dontaudit_use_initctl(hotplug_t) -logging_send_system_log_message(hotplug_t) -logging_search_system_log_directory(hotplug_t) +logging_send_syslog_msg(hotplug_t) +logging_search_logs(hotplug_t) -libraries_use_dynamic_loader(hotplug_t) -libraries_use_shared_libraries(hotplug_t) +libs_use_ld_so(hotplug_t) +libs_use_shared_libs(hotplug_t) # Read /usr/lib/gconv/.* -libraries_read_library_resources(hotplug_t) +libs_read_lib(hotplug_t) -modutils_insmod_transition(hotplug_t) +modutils_domtrans_insmod(hotplug_t) modutils_read_kernel_module_dependencies(hotplug_t) miscfiles_read_localization(hotplug_t) -mount_transition(hotplug_t) 
+mount_domtrans(hotplug_t)
-sysnetwork_read_network_config(hotplug_t)
+sysnet_read_config(hotplug_t)
-userdomain_ignore_use_all_unprivileged_users_file_descriptors(hotplug_t)
+userdom_dontaudit_use_unpriv_user_fd(hotplug_t)
 ifdef(`distro_redhat', `
 optional_policy(`netutils.te', `
 # for arping used for static IP addresses on PCMCIA ethernet
- netutils_transition(hotplug_t)
+ netutils_domtrans(hotplug_t)
 fs_use_tmpfs_character_devices(hotplug_t)
 ')
- files_get_system_lock_file_attributes(hotplug_t)
+ files_getattr_generic_lock_files(hotplug_t)
 ')
 ifdef(`targeted_policy', `
 term_dontaudit_use_unallocated_tty(hotplug_t)
 terminal_ignore_use_general_pseudoterminal(hotplug_t)
- files_ignore_read_rootfs_file(hotplug_t)
+ files_dontaudit_read_root_file(hotplug_t)
 ')
 optional_policy(`consoletype.te',`
- consoletype_transition(hotplug_t)
+ consoletype_domtrans(hotplug_t)
 ')
 optional_policy(`hostname.te',`
- hostname_execute(hotplug_t)
+ hostname_exec(hotplug_t)
 ')
 optional_policy(`iptables.te',`
- iptables_transition(hotplug_t)
+ iptables_domtrans(hotplug_t)
 ')
 optional_policy(`mta.te', `
@@ -144,12 +144,12 @@ optional_policy(`selinux.te',`
 ')
 optional_policy(`sysnetwork.te',`
- sysnetwork_ifconfig_transition(hotplug_t)
+ sysnet_domtrans_ifconfig(hotplug_t)
 ')
 optional_policy(`udev.te', `
- udev_transition(hotplug_t)
- udev_read_database(hotplug_t)
+ udev_domtrans(hotplug_t)
+ udev_read_db(hotplug_t)
 ')
 optional_policy(`updfstab.te', `
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
index bf0b733..68427f0 100644
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
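Review bot: `terminal_ignore_use_general_pseudoterminal(hotplug_t)` in the `targeted_policy` block was left with the old `terminal_`/`ignore` name while the rules around it were moved to `term_dontaudit_*`, `files_dontaudit_*` and `*_domtrans`. If the terminal module's interface was renamed in the same sweep this is now an undefined macro that m4 emits verbatim and the targeted build fails here; if an alias survives it is only an inconsistency, but the sweep in this commit appears otherwise complete. Rename it to the current `term_dontaudit_*` spelling of that interface. This hunk begins on the previous line.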
@@ -3,13 +3,13 @@
 ########################################
 #
-# init_make_init_domain(domain,entrypointfile)
+# init_domain(domain,entrypointfile)
 #
-define(`init_make_init_domain',`
+define(`init_domain',`
 requires_block_template(`$0'_depend)
- domain_make_domain($1)
- domain_make_entrypoint_file($1,$2)
+ domain_type($1)
+ domain_entry_file($1,$2)
 role system_r types $1;
@@ -27,11 +27,11 @@ define(`init_make_init_domain',`
 # fd open from the initrd
 optional_policy(`distro_redhat',`
 kernel_dontaudit_use_fd($1)
- files_ignore_read_rootfs_file($1)
+ files_dontaudit_read_root_file($1)
 ')
 ')
-define(`init_make_init_domain_depend',`
+define(`init_domain_depend',`
 type init_t;
 class file rx_file_perms;
 class fd use;
@@ -42,13 +42,13 @@ define(`init_make_init_domain_depend',`
 ########################################
 #
-# init_make_daemon_domain(domain,entrypointfile)
+# init_daemon_domain(domain,entrypointfile)
 #
-define(`init_make_daemon_domain',`
+define(`init_daemon_domain',`
 requires_block_template(`$0'_depend)
- domain_make_domain($1)
- domain_make_entrypoint_file($1,$2)
+ domain_type($1)
+ domain_entry_file($1,$2)
 role system_r types $1;
@@ -66,11 +66,11 @@ define(`init_make_daemon_domain',`
 # fd open from the initrd
 optional_policy(`distro_redhat',`
 kernel_dontaudit_use_fd($1)
- files_ignore_read_rootfs_file($1)
+ files_dontaudit_read_root_file($1)
 ')
 ')
-define(`init_make_daemon_domain_depend',`
+define(`init_daemon_domain_depend',`
 type initrc_t;
 role system_r;
@@ -83,13 +83,13 @@ define(`init_make_daemon_domain_depend',`
 ########################################
 #
-# init_make_system_domain(domain,entrypointfile)
+# init_system_domain(domain,entrypointfile)
 #
-define(`init_make_system_domain',`
+define(`init_system_domain',`
 requires_block_template(`$0'_depend)
- domain_make_domain($1)
- domain_make_entrypoint_file($1,$2)
+ domain_type($1)
+ domain_entry_file($1,$2)
 role system_r types $1;
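Review bot: The `files_dontaudit_read_root_file($1)` rule renamed here sits inside `optional_policy(`distro_redhat',``, whereas every `.te` file in this commit spells the same condition `ifdef(`distro_redhat',``. Everywhere else in this diff `optional_policy` takes a module file name (`hotplug.te`, `udev.te`), so if it tests for a module's presence rather than a build flag, this block and the identical ones in `init_daemon_domain` and `init_system_domain` never apply and the initrd fd/rootfs dontaudit rules are silently dropped for Red Hat builds — worth confirming against the definition of `optional_policy`. If that is the case, `ifdef(`distro_redhat',`` would match the `.te` usage and restore the intended effect.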
@@ -107,11 +107,11 @@ define(`init_make_system_domain',`
 # fd open from the initrd
 optional_policy(`distro_redhat',`
 kernel_dontaudit_use_fd($1)
- files_ignore_read_rootfs_file($1)
+ files_dontaudit_read_root_file($1)
 ')
 ')
-define(`init_make_system_domain_depend',`
+define(`init_system_domain_depend',`
 type initrc_t;
 role system_r;
@@ -123,9 +123,9 @@ define(`init_make_system_domain_depend',`
 ########################################
 #
-# init_transition(domain)
+# init_domtrans(domain)
 #
-define(`init_transition',`
+define(`init_domtrans',`
 requires_block_template(`$0'_depend)
 allow $1 init_exec_t:file rx_file_perms;
@@ -139,7 +139,7 @@ define(`init_transition',`
 allow init_t $1:process sigchld;
 ')
-define(`init_transition_depend',`
+define(`init_domtrans_depend',`
 type init_t, init_exec_t;
 class file rx_file_perms;
@@ -166,15 +166,15 @@ define(`init_get_process_group_depend',`
 ########################################
 #
-# init_get_control_channel_attributes(domain)
+# init_getattr_initctl(domain)
 #
-define(`init_get_control_channel_attributes',`
+define(`init_getattr_initctl',`
 requires_block_template(`$0'_depend)
 allow $1 initctl_t:fifo_file getattr;
 ')
-define(`init_get_control_channel_attributes_depend',`
+define(`init_getattr_initctl_depend',`
 type initctl_t;
 class fifo_file getattr;
@@ -182,15 +182,15 @@ define(`init_get_control_channel_attributes_depend',`
 ########################################
 #
-# init_ignore_get_control_channel_attributes(domain)
+# init_dontaudit_getattr_initctl(domain)
 #
-define(`init_ignore_get_control_channel_attributes',`
+define(`init_dontaudit_getattr_initctl',`
 requires_block_template(`$0'_depend)
 dontaudit $1 initctl_t:fifo_file getattr;
 ')
-define(`init_get_control_channel_attributes_depend',`
+define(`init_getattr_initctl_depend',`
 type initctl_t;
 class fifo_file getattr;
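Review bot: `init_dontaudit_getattr_initctl` expands `requires_block_template(`$0'_depend)`, so it needs a macro named `init_dontaudit_getattr_initctl_depend`, but the depend block that follows it is defined as `init_getattr_initctl_depend` — a second definition of the macro already declared in the previous hunk. The rename carried a pre-existing copy/paste slip forward: the dontaudit interface's dependency block is never defined, and the allow interface's block is redefined (harmlessly only because the two bodies happen to be identical). The line should read `define(`init_dontaudit_getattr_initctl_depend',``.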
@@ -198,16 +198,16 @@ define(`init_get_control_channel_attributes_depend',` ######################################## # -# init_use_control_channel(domain) +# init_use_initctl(domain) # -define(`init_use_control_channel',` +define(`init_use_initctl',` requires_block_template(`$0'_depend) dev_list_all_dev_nodes($1) allow $1 initctl_t:fifo_file rw_file_perms; ') -define(`init_use_control_channel_depend',` +define(`init_use_initctl_depend',` type initctl_t; class fifo_file rw_file_perms; @@ -215,15 +215,15 @@ define(`init_use_control_channel_depend',` ######################################## # -# init_ignore_use_control_channel(domain) +# init_dontaudit_use_initctl(domain) # -define(`init_ignore_use_control_channel',` +define(`init_dontaudit_use_initctl',` requires_block_template(`$0'_depend) dontaudit $1 initctl_t:fifo_file { read write }; ') -define(`init_ignore_use_control_channel_depend',` +define(`init_dontaudit_use_initctl_depend',` type initctl_t; class fifo_file { read write }; @@ -247,15 +247,15 @@ define(`init_sigchld_depend',` ######################################## # -# init_use_file_descriptors(domain) +# init_use_fd(domain) # -define(`init_use_file_descriptors',` +define(`init_use_fd',` requires_block_template(`$0'_depend) allow $1 init_t:fd use; ') -define(`init_use_file_descriptors_depend',` +define(`init_use_fd_depend',` type init_t; class fd use; @@ -263,15 +263,15 @@ define(`init_use_file_descriptors_depend',` ######################################## # -# init_ignore_use_file_descriptors(domain) +# init_dontaudit_use_fd(domain) # -define(`init_ignore_use_file_descriptors',` +define(`init_dontaudit_use_fd',` requires_block_template(`$0'_depend) dontaudit $1 init_t:fd use; ') -define(`init_ignore_use_file_descriptors_depend',` +define(`init_dontaudit_use_fd_depend',` type init_t; class fd use; 
@@ -279,9 +279,9 @@ define(`init_ignore_use_file_descriptors_depend',` ######################################## # -# init_script_transition(domain) +# init_domtrans_script(domain) # -define(`init_script_transition',` +define(`init_domtrans_script',` requires_block_template(`$0'_depend) allow $1 initrc_exec_t:file rx_file_perms; @@ -295,7 +295,7 @@ define(`init_script_transition',` allow initrc_t $1:process sigchld; ') -define(`init_script_transition_depend',` +define(`init_domtrans_script_depend',` type initrc_t, initrc_exec_t; class file rx_file_perms; @@ -306,23 +306,23 @@ define(`init_script_transition_depend',` ######################################## # -# init_script_execute(domain) +# init_exec_script(domain) # -define(`init_script_execute',` +define(`init_exec_script',` requires_block_template(`$0'_depend) can_exec($1,initrc_exec_t) ') -define(`init_script_execute_depend',` +define(`init_exec_script_depend',` type initrc_exec_t; class file { getattr read execute execute_no_trans }; ') ######################################## -## +## ## ## Read the process state (/proc/pid) of the init scripts. ## @@ -331,7 +331,7 @@ define(`init_script_execute_depend',` ## ## # -define(`init_script_read_process_state',` +define(`init_read_script_process_state',` requires_block_template(`$0'_depend) allow $1 initrc_t:dir r_dir_perms; @@ -345,7 +345,7 @@ define(`init_script_read_process_state',` dontaudit $1 initrc_t:process ptrace; ') -define(`init_script_read_process_state_depend',` +define(`init_read_script_process_state_depend',` type initrc_t; class dir r_dir_perms; 
@@ -356,15 +356,15 @@ define(`init_script_read_process_state_depend',` ######################################## # -# init_script_use_file_descriptors(domain) +# init_use_script_fd(domain) # -define(`init_script_use_file_descriptors',` +define(`init_use_script_fd',` requires_block_template(`$0'_depend) allow $1 initrc_t:fd use; ') -define(`init_script_use_file_descriptors_depend',` +define(`init_use_script_fd_depend',` type initrc_t; class fd use; @@ -372,15 +372,15 @@ define(`init_script_use_file_descriptors_depend',` ######################################## # -# init_script_ignore_use_file_descriptors(domain) +# init_dontaudit_use_script_fd(domain) # -define(`init_script_ignore_use_file_descriptors',` +define(`init_dontaudit_use_script_fd',` requires_block_template(`$0'_depend) dontaudit $1 initrc_t:fd use; ') -define(`init_script_ignore_use_file_descriptors_depend',` +define(`init_dontaudit_use_script_fd_depend',` type initrc_t; class fd use; @@ -388,15 +388,15 @@ define(`init_script_ignore_use_file_descriptors_depend',` ######################################## # -# init_script_get_process_group(domain) +# init_get_script_process_group(domain) # -define(`init_script_get_process_group',` +define(`init_get_script_process_group',` requires_block_template(`$0'_depend) allow $1 initrc_t:process getpgid; ') -define(`init_script_get_process_group_depend',` +define(`init_get_script_process_group_depend',` type initrc_t; class process getpgid; 
@@ -404,16 +404,16 @@ define(`init_script_get_process_group_depend',` ######################################## # -# init_script_use_pseudoterminal(domain) +# init_use_script_pty(domain) # -define(`init_script_use_pseudoterminal',` +define(`init_use_script_pty',` requires_block_template(`$0'_depend) term_list_ptys($1) allow $1 initrc_devpts_t:chr_file { getattr read write ioctl }; ') -define(`init_script_use_pseudoterminal_depend',` +define(`init_use_script_pty_depend',` type initrc_devpts_t; class chr_file { getattr read write ioctl }; @@ -421,22 +421,22 @@ define(`init_script_use_pseudoterminal_depend',` ######################################## # -# init_script_ignore_use_pseudoterminal(domain) +# init_dontaudit_use_script_pty(domain) # -define(`init_script_ignore_use_pseudoterminal',` +define(`init_dontaudit_use_script_pty',` requires_block_template(`$0'_depend) dontaudit $1 initrc_devpts_t:chr_file { read write ioctl }; ') -define(`init_script_ignore_use_pseudoterminal_depend',` +define(`init_dontaudit_use_script_pty_depend',` type initrc_devpts_t; class chr_file { read write ioctl }; ') ######################################## -## +## ## ## Read and write init script temporary data. ## @@ -445,14 +445,14 @@ define(`init_script_ignore_use_pseudoterminal_depend',` ## ## # -define(`init_script_modify_temporary_data',` +define(`init_rw_script_tmp_files',` requires_block_template(`$0'_depend) # FIXME: read tmp_t allow $1 initrc_tmp_t:file rw_file_perms; ') -define(`init_script_modify_temporary_data_depend',` +define(`init_rw_script_tmp_files_depend',` type initrc_var_run_t; class file rw_file_perms; 
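Review bot: `init_rw_script_tmp_files` grants `initrc_tmp_t:file rw_file_perms`, but its `_depend` block declares `type initrc_var_run_t;` — the requires block names the pid-file type rather than the tmp type the rule actually uses, so the interface's declared dependency does not match its body and the rename did not catch it. It should be `type initrc_tmp_t;`. The `# FIXME: read tmp_t` comment above the rule is still open and should stay until the interface also covers the parent tmp_t directory.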
@@ -460,16 +460,16 @@ define(`init_script_modify_temporary_data_depend',` ######################################## # -# init_script_read_runtime_data(domain) +# init_read_script_pid(domain) # -define(`init_script_read_runtime_data',` +define(`init_read_script_pid',` requires_block_template(`$0'_depend) - files_read_runtime_data_directory($1) + files_list_pids($1) allow $1 initrc_var_run_t:file r_file_perms; ') -define(`init_script_read_runtime_data_depend',` +define(`init_read_script_pid_depend',` type initrc_var_run_t; class file r_file_perms; @@ -477,15 +477,15 @@ define(`init_script_read_runtime_data_depend',` ######################################## # -# init_script_ignore_write_runtime_data(domain) +# init_dontaudit_write_script_pid(domain) # -define(`init_script_ignore_write_runtime_data',` +define(`init_dontaudit_write_script_pid',` requires_block_template(`$0'_depend) dontaudit $1 initrc_var_run_t:file { write lock }; ') -define(`init_script_ignore_write_runtime_data_depend',` +define(`init_dontaudit_write_script_pid_depend',` type initrc_var_run_t; class file { write lock }; @@ -493,16 +493,16 @@ define(`init_script_ignore_write_runtime_data_depend',` ######################################## # -# init_script_modify_runtime_data(domain) +# init_rw_script_pid(domain) # -define(`init_script_modify_runtime_data',` +define(`init_rw_script_pid',` requires_block_template(`$0'_depend) - files_read_runtime_data_directory($1) + files_list_pids($1) allow $1 initrc_var_run_t:file rw_file_perms; ') -define(`init_script_modify_runtime_data_depend',` +define(`init_rw_script_pid_depend',` type initrc_var_run_t; class file rw_file_perms; 
@@ -510,15 +510,15 @@ define(`init_script_modify_runtime_data_depend',` ######################################## # -# init_script_ignore_modify_runtime_data(domain) +# init_dontaudit_rw_script_pid(domain) # -define(`init_script_ignore_modify_runtime_data',` +define(`init_dontaudit_rw_script_pid',` requires_block_template(`$0'_depend) dontaudit $1 initrc_var_run_t:file { getattr read write append }; ') -define(`init_script_ignore_modify_runtime_data_depend',` +define(`init_dontaudit_rw_script_pid_depend',` type initrc_var_run_t; class file rw_file_perms; diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te index 7bf5cef..929da00 100644 --- a/refpolicy/policy/modules/system/init.te +++ b/refpolicy/policy/modules/system/init.te @@ -10,7 +10,7 @@ policy_module(init,1.0) # init_t is the domain of the init process. # type init_t; -domain_make_domain(init_t) +domain_type(init_t) role system_r types init_t; # @@ -18,13 +18,13 @@ role system_r types init_t; # type init_exec_t; kernel_userland_entry(init_t,init_exec_t) -domain_make_entrypoint_file(init_t,init_exec_t) +domain_entry_file(init_t,init_exec_t) # # init_var_run_t is the type for /var/run/shutdown.pid. # type init_var_run_t; -files_make_daemon_runtime_file(init_var_run_t) +files_pid_file(init_var_run_t) # # initctl_t is the type of the named pipe created @@ -32,14 +32,14 @@ files_make_daemon_runtime_file(init_var_run_t) # to communicate with init. # type initctl_t; -files_make_file(initctl_t) +files_file_type(initctl_t) type initrc_t; -domain_make_domain(initrc_t) +domain_type(initrc_t) role system_r types initrc_t; type initrc_exec_t; -domain_make_entrypoint_file(initrc_t,initrc_exec_t) +domain_entry_file(initrc_t,initrc_exec_t) type initrc_devpts_t; fs_associate(initrc_devpts_t) 
@@ -47,13 +47,13 @@ fs_associate_noxattr(initrc_devpts_t)
 term_pty(initrc_devpts_t)
 type initrc_var_run_t;
-files_make_daemon_runtime_file(initrc_var_run_t)
+files_pid_file(initrc_var_run_t)
 type initrc_state_t;
-files_make_file(initrc_state_t)
+files_file_type(initrc_state_t)
 type initrc_tmp_t;
-files_make_temporary_file(initrc_tmp_t)
+files_tmp_file(initrc_tmp_t)
 ########################################
 #
@@ -67,7 +67,7 @@ allow init_t self:capability ~sys_module;
 # sys_tty_config
 # kill: now provided by domain_kill_all_domains()
 # setuid (from /sbin/shutdown)
-# sys_chroot (from /usr/bin/chroot): now provided by corecommands_chroot()
+# sys_chroot (from /usr/bin/chroot): now provided by corecmd_chroot_exec_chroot()
 allow init_t self:fifo_file rw_file_perms;
@@ -76,7 +76,7 @@ allow init_t init_exec_t:file { getattr read ioctl execute execute_no_trans };
 # For /var/run/shutdown.pid.
 allow init_t init_var_run_t:file { create getattr read append write setattr unlink };
-files_create_daemon_runtime_data(init_t,init_var_run_t)
+files_create_pid(init_t,init_var_run_t)
 allow init_t initctl_t:fifo_file { create getattr read append write setattr unlink };
 fs_associate_tmpfs(initctl_t)
@@ -95,9 +95,9 @@ kernel_share_state(init_t)
 term_use_all_terms(init_t)
-corecommands_chroot(init_t)
-corecommands_execute_general_programs(init_t)
-corecommands_execute_system_programs(init_t)
+corecmd_chroot_exec_chroot(init_t)
+corecmd_exec_bin(init_t)
+corecmd_exec_sbin(init_t)
 domain_kill_all_domains(init_t)
 domain_signal_all_domains(init_t)
@@ -106,22 +106,22 @@ domain_sigstop_all_domains(init_t)
 domain_sigstop_all_domains(init_t)
 domain_sigchld_all_domains(init_t)
-files_read_general_system_config(init_t)
-files_modify_system_runtime_data(init_t)
-files_ignore_search_isid_type_dir(init_t)
-files_manage_runtime_system_config(init_t)
+files_read_generic_etc_files(init_t)
+files_rw_generic_pids(init_t)
+files_dontaudit_search_isid_type_dir(init_t)
+files_manage_etc_runtime_files(init_t)
 # Run /etc/X11/prefdm:
-files_execute_system_config_script(init_t)
+files_exec_generic_etc_files(init_t)
 # file descriptors inherited from the rootfs:
-files_ignore_modify_rootfs_file(init_t)
-files_ignore_modify_rootfs_device(init_t)
+files_dontaudit_rw_root_file(init_t)
+files_dontaudit_rw_root_chr_dev(init_t)
-libraries_use_dynamic_loader(init_t)
-libraries_use_shared_libraries(init_t)
-libraries_modify_dynamic_loader_cache(init_t)
+libs_use_ld_so(init_t)
+libs_use_shared_libs(init_t)
+libs_rw_ld_so_cache(init_t)
-logging_send_system_log_message(init_t)
-logging_modify_system_logs(init_t)
+logging_send_syslog_msg(init_t)
+logging_rw_generic_logs(init_t)
 selinux_read_config(init_t)
@@ -133,12 +133,12 @@ ifdef(`distro_redhat',`
 ')
 optional_policy(`authlogin.te',`
- authlogin_modify_login_records(init_t)
+ auth_rw_login_records(init_t)
 ')
 # Run the shell in the sysadm_t domain for single-user mode.
 optional_policy(`userdomain.te',`
- userdomain_sysadm_shell_transition(init_t)
+ userdom_shell_domtrans_sysadm(init_t)
 ')
 ########################################
@@ -167,11 +167,11 @@ allow initrc_t initrc_state_t:file create_file_perms;
 allow initrc_t initrc_state_t:lnk_file { create read getattr setattr unlink rename };
 allow initrc_t initrc_var_run_t:file create_file_perms;
-files_create_daemon_runtime_data(initrc_t,initrc_var_run_t)
+files_create_pid(initrc_t,initrc_var_run_t)
 allow initrc_t initrc_tmp_t:file create_file_perms;
 allow initrc_t initrc_tmp_t:dir create_dir_perms;
-files_create_private_tmp_data(initrc_t,initrc_tmp_t, { file dir })
+files_create_tmp_files(initrc_t,initrc_tmp_t, { file dir })
 kernel_read_system_state(initrc_t)
 kernel_read_software_raid_state(initrc_t)
@@ -230,16 +230,16 @@ storage_set_removable_device_attributes(initrc_t)
 term_use_all_terms(initrc_t)
 term_reset_tty_labels(initrc_t)
-authlogin_modify_login_records(initrc_t)
-authlogin_modify_last_login_log(initrc_t)
-authlogin_pam_read_runtime_data(initrc_t)
-authlogin_pam_remove_runtime_data(initrc_t)
-authlogin_pam_console_read_runtime_data_dir(initrc_t)
+auth_rw_login_records(initrc_t)
+auth_rw_lastlog(initrc_t)
+auth_read_pam_pid(initrc_t)
+auth_delete_pam_pid(initrc_t)
+auth_list_pam_console_data(initrc_t)
-corecommands_execute_general_programs(initrc_t)
-corecommands_execute_system_programs(initrc_t)
-corecommands_execute_shell(initrc_t)
-corecommands_execute_ls(initrc_t)
+corecmd_exec_bin(initrc_t)
+corecmd_exec_sbin(initrc_t)
+corecmd_exec_shell(initrc_t)
+corecmd_exec_ls(initrc_t)
 domain_kill_all_domains(initrc_t)
 domain_signal_all_domains(initrc_t)
@@ -247,53 +247,53 @@ domain_signull_all_domains(initrc_t) domain_sigstop_all_domains(initrc_t) domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) -domain_read_all_domains_process_state(initrc_t) -domain_get_all_domains_session_id(initrc_t) -domain_use_widely_inheritable_file_descriptors(initrc_t) +domain_read_all_domains_state(initrc_t) +domain_getsession_all_domains(initrc_t) +domain_use_wide_inherit_fd(initrc_t) # for lsof which is used by alsa shutdown: -domain_ignore_get_all_domains_udp_socket_attributes(initrc_t) -domain_ignore_get_all_domains_tcp_socket_attributes(initrc_t) -domain_ignore_get_all_domains_unix_dgram_socket_attributes(initrc_t) -domain_ignore_get_all_domains_pipe_attributes(initrc_t) - -files_get_all_file_attributes(initrc_t) -files_remove_all_tmp_data(initrc_t) -files_remove_all_lock_files(initrc_t) -files_read_all_daemon_runtime_data(initrc_t) -files_remove_all_daemon_runtime_data(initrc_t) -files_read_general_system_config(initrc_t) -files_manage_runtime_system_config(initrc_t) -files_manage_system_lock_files(initrc_t) -files_execute_system_config_script(initrc_t) -files_read_general_application_resources(initrc_t) -files_manage_pseudorandom_saved_seed(initrc_t) -files_manage_system_spools(initrc_t) - -libraries_modify_dynamic_loader_cache(initrc_t) -libraries_use_dynamic_loader(initrc_t) -libraries_use_shared_libraries(initrc_t) -libraries_execute_library_scripts(initrc_t) - -logging_send_system_log_message(initrc_t) -logging_modify_system_logs(initrc_t) +domain_dontaudit_getattr_all_udp_sockets(initrc_t) +domain_dontaudit_getattr_all_tcp_sockets(initrc_t) +domain_dontaudit_getattr_all_unix_dgram_sockets(initrc_t) +domain_dontaudit_getattr_all_unnamed_pipes(initrc_t) + +files_getattr_all_files(initrc_t) +files_delete_all_tmp_files(initrc_t) +files_delete_all_lock_files(initrc_t) +files_read_all_pids(initrc_t) +files_delete_all_pids(initrc_t) +files_read_generic_etc_files(initrc_t) 
+files_manage_etc_runtime_files(initrc_t) +files_manage_generic_lock_files(initrc_t) +files_exec_generic_etc_files(initrc_t) +files_read_usr_files(initrc_t) +files_manage_urandom_seed(initrc_t) +files_manage_spools(initrc_t) + +libs_rw_ld_so_cache(initrc_t) +libs_use_ld_so(initrc_t) +libs_use_shared_libs(initrc_t) +libs_exec_lib_files(initrc_t) + +logging_send_syslog_msg(initrc_t) +logging_rw_generic_logs(initrc_t) logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) miscfiles_read_localization(initrc_t) -modutils_read_kernel_module_loading_config(initrc_t) +modutils_read_module_conf(initrc_t) selinux_read_config(initrc_t) -sysnetwork_read_network_config(initrc_t) +sysnet_read_config(initrc_t) -udev_modify_database(initrc_t) +udev_rw_db(initrc_t) -userdomain_read_all_users_data(initrc_t) +userdom_read_all_user_data(initrc_t) # Allow access to the sysadm TTYs. Note that this will give access to the # TTYs to any process in the initrc_t domain. Therefore, daemons and such # started from init should be placed in their own domain. -userdomain_use_admin_terminals(initrc_t) +userdom_use_sysadm_terms(initrc_t) ifdef(`distro_debian', ` fs_create_tmpfs_data(initrc_t,initrc_var_run_t,dir) @@ -306,7 +306,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd kernel_dontaudit_use_fd(initrc_t) - files_ignore_read_rootfs_file(initrc_t) + files_dontaudit_read_root_file(initrc_t) kernel_set_enforcement_mode(initrc_t) @@ -329,7 +329,7 @@ ifdef(`distro_redhat',` files_create_boot_flag(initrc_t) # readahead asks for these - mta_read_mail_aliases(initrc_t) + mta_read_aliases(initrc_t) ') optional_policy(`hotplug.te',` @@ -349,7 +349,7 @@ optional_policy(`lvm.te',` ') optional_policy(`rhgb.te',` - corecommands_make_shell_entrypoint(initrc_t) + corecmd_shell_entry_type(initrc_t) ') optional_policy(`rpm.te',` 
@@ -357,13 +357,13 @@ optional_policy(`rpm.te',` kernel_dontaudit_getattr_unlabeled_blk_dev(initrc_t) # for a bug in rm - files_ignore_write_all_daemon_runtime_data(initrc_t) + files_dontaudit_write_all_pids(initrc_t) # bash tries ioctl for some reason - files_ignore_ioctl_all_daemon_runtime_data(initrc_t) + files_dontaudit_ioctl_all_pids(initrc_t) # why is this needed: - rpm_manage_package_database(initrc_t) + rpm_manage_db(initrc_t) ') dnl end rpm.te ifdef(`TODO',` diff --git a/refpolicy/policy/modules/system/iptables.if b/refpolicy/policy/modules/system/iptables.if index 2774065..53eee21 100644 --- a/refpolicy/policy/modules/system/iptables.if +++ b/refpolicy/policy/modules/system/iptables.if @@ -2,7 +2,7 @@ ## Policy for iptables. ######################################## -## +## ## ## Execute iptables in the iptables domain. ## @@ -11,7 +11,7 @@ ## ## # -define(`iptables_transition',` +define(`iptables_domtrans',` requires_block_template(`$0'_depend) allow $1 iptables_exec_t:file rx_file_perms; @@ -25,7 +25,7 @@ define(`iptables_transition',` allow iptables_t $1:process sigchld; ') -define(`iptables_transition_depend',` +define(`iptables_domtrans_depend',` type iptables_t, iptables_exec_t; class file rx_file_perms; @@ -35,7 +35,7 @@ define(`iptables_transition_depend',` ') ######################################## -## +## ## ## Execute iptables in the iptables domain, and ## allow the specified role the iptables domain. 
@@ -51,22 +51,22 @@ define(`iptables_transition_depend',` ## ## # -define(`iptables_transition_add_role_use_terminal',` +define(`iptables_run',` requires_block_template(`$0'_depend) - iptables_transition($1) + iptables_domtrans($1) role $2 types iptables_t; allow iptables_t $3:chr_file { getattr read write ioctl }; ') -define(`iptables_transition_add_role_use_terminal_depend',` +define(`iptables_run_depend',` type iptables_t; class chr_file { getattr read write ioctl }; ') ######################################## -## +## ## ## Execute iptables in the caller domain. ## @@ -75,14 +75,14 @@ define(`iptables_transition_add_role_use_terminal_depend',` ## ## # -define(`iptables_execute',` +define(`iptables_exec',` requires_block_template(`$0'_depend) can_exec($1,iptables_exec_t) ') -define(`iptables_execute_depend',` +define(`iptables_exec_depend',` type iptables_t, iptables_exec_t; class file { getattr read execute execute_no_trans }; diff --git a/refpolicy/policy/modules/system/iptables.te b/refpolicy/policy/modules/system/iptables.te index 3576220..c2b04e8 100644 --- a/refpolicy/policy/modules/system/iptables.te +++ b/refpolicy/policy/modules/system/iptables.te @@ -8,14 +8,14 @@ policy_module(iptables, 1.0) type iptables_t; type iptables_exec_t; -init_make_system_domain(iptables_t,iptables_exec_t) +init_system_domain(iptables_t,iptables_exec_t) role system_r types iptables_t; type iptables_tmp_t; -files_make_temporary_file(iptables_tmp_t) +files_tmp_file(iptables_tmp_t) type iptables_var_run_t; -files_make_daemon_runtime_file(iptables_var_run_t) +files_pid_file(iptables_var_run_t) ######################################## # 
@@ -27,13 +27,13 @@ dontaudit iptables_t self:capability sys_tty_config;
 allow iptables_t self:process { sigchld sigkill sigstop signull signal };
 allow iptables_t iptables_var_run_t:dir rw_dir_perms;
-files_create_daemon_runtime_data(iptables_t,iptables_var_run_t)
+files_create_pid(iptables_t,iptables_var_run_t)
 can_exec(iptables_t,iptables_exec_t)
 allow iptables_t iptables_tmp_t:dir create_dir_perms;
 allow iptables_t iptables_tmp_t:file create_file_perms;
-files_create_private_tmp_data(iptables_t, iptables_tmp_t, { file dir })
+files_create_tmp_files(iptables_t, iptables_tmp_t, { file dir })
 allow iptables_t self:rawip_socket create_socket_perms;
@@ -48,27 +48,27 @@ fs_getattr_xattr_fs(iptables_t)
 term_dontaudit_use_console(iptables_t)
-domain_use_widely_inheritable_file_descriptors(iptables_t)
+domain_use_wide_inherit_fd(iptables_t)
-files_read_general_system_config(iptables_t)
+files_read_generic_etc_files(iptables_t)
-init_use_file_descriptors(iptables_t)
-init_script_use_pseudoterminal(iptables_t)
+init_use_fd(iptables_t)
+init_use_script_pty(iptables_t)
 # to allow rules to be saved on reboot:
-init_script_modify_temporary_data(iptables_t)
+init_rw_script_tmp_files(iptables_t)
-libraries_use_dynamic_loader(iptables_t)
-libraries_use_shared_libraries(iptables_t)
+libs_use_ld_so(iptables_t)
+libs_use_shared_libs(iptables_t)
-logging_send_system_log_message(iptables_t)
+logging_send_syslog_msg(iptables_t)
 # system-config-network appends to /var/log
 #logging_append_system_logs(iptables_t)
 miscfiles_read_localization(iptables_t)
-sysnetwork_ifconfig_transition(iptables_t)
+sysnet_domtrans_ifconfig(iptables_t)
-userdomain_use_all_users_file_descriptors(iptables_t)
+userdom_use_all_user_fd(iptables_t)
 tunable_policy(`use_dns',`
 allow iptables_t self:udp_socket create_socket_perms;
@@ -80,12 +80,12 @@ tunable_policy(`use_dns',` corenet_udp_bind_all_nodes(iptables_t) corenet_udp_sendrecv_dns_port(iptables_t) - sysnetwork_read_network_config(iptables_t) + sysnet_read_config(iptables_t) ') optional_policy(`modutils.te', ` - corecommands_search_system_programs_directory(iptables_t) - modutils_insmod_transition(iptables_t) + corecmd_search_sbin(iptables_t) + modutils_domtrans_insmod(iptables_t) ') optional_policy(`selinux.te',` @@ -93,14 +93,14 @@ optional_policy(`selinux.te',` ') optional_policy(`udev.te', ` - udev_read_database(iptables_t) + udev_read_db(iptables_t) ') ifdef(`targeted_policy', ` term_dontaudit_use_unallocated_tty(iptables_t) terminal_ignore_use_general_pseudoterminal(iptables_t) - files_ignore_read_rootfs_file(iptables_t) + files_dontaudit_read_root_file(iptables_t) ') ifdef(`TODO',` diff --git a/refpolicy/policy/modules/system/libraries.if b/refpolicy/policy/modules/system/libraries.if index df3a2b8..0490095 100644 --- a/refpolicy/policy/modules/system/libraries.if +++ b/refpolicy/policy/modules/system/libraries.if @@ -2,7 +2,7 @@ ## Policy for system libraries. ######################################## -## +## ## ## Execute ldconfig in the ldconfig domain. ## @@ -11,7 +11,7 @@ ## ## # -define(`libraries_ldconfig_transition',` +define(`libs_domtrans_ldconfig',` requires_block_template(`$0'_depend) domain_auto_trans($1,ldconfig_exec_t,ldconfig_t) @@ -22,7 +22,7 @@ define(`libraries_ldconfig_transition',` allow ldconfig_t $1:process sigchld; ') -define(`libraries_ldconfig_transition_depend',` +define(`libs_domtrans_ldconfig_depend',` type ldconfig_t, ldconfig_exec_t; class file rx_file_perms; @@ -32,7 +32,7 @@ define(`libraries_ldconfig_transition_depend',` ') ######################################## -## +## ## ## Execute ldconfig in the ldconfig domain. ## 
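Review bot: `terminal_ignore_use_general_pseudoterminal(iptables_t)`, the context line just above the changed line in the `targeted_policy` block, still carries the old `*_ignore_*` naming that this sweep replaces with `*_dontaudit_*` everywhere else, and its `terminal_` prefix differs from the `term_` prefix on the neighbouring `term_dontaudit_use_unallocated_tty(iptables_t)`. If the terminal module's interfaces were renamed in the same sweep, this is presumably an unexpanded macro that only surfaces on a targeted build, which is why a non-targeted build would not catch it. Rename it to the term module's current `term_dontaudit_…` pty interface; its exact name is not visible in this diff.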
@@ -47,22 +47,22 @@ define(`libraries_ldconfig_transition_depend',` ## ## # -define(`libraries_ldconfig_transition_add_role_use_terminal',` +define(`libs_run_ldconfig',` requires_block_template(`$0'_depend) - libraries_ldconfig_transition($1) + libs_domtrans_ldconfig($1) role $2 types ldconfig_t; allow ldconfig_t $3:chr_file { getattr read write ioctl }; ') -define(`libraries_ldconfig_transition_add_role_use_terminal_depend',` +define(`libs_run_ldconfig_depend',` type ldconfig_t; class chr_file { getattr read write ioctl }; ') ######################################## -## +## ## ## Use the dynamic link/loader for automatic loading ## of shared libraries. @@ -72,10 +72,10 @@ define(`libraries_ldconfig_transition_add_role_use_terminal_depend',` ## ## # -define(`libraries_use_dynamic_loader',` +define(`libs_use_ld_so',` requires_block_template(`$0'_depend) - files_read_general_system_config_directory($1) + files_read_generic_etc_files_directory($1) allow $1 lib_t:dir r_dir_perms; allow $1 lib_t:lnk_file r_file_perms; allow $1 ld_so_t:lnk_file r_file_perms; @@ -83,7 +83,7 @@ define(`libraries_use_dynamic_loader',` allow $1 ld_so_cache_t:file r_file_perms; ') -define(`libraries_use_dynamic_loader_depend',` +define(`libs_use_ld_so_depend',` type lib_t, ld_so_t, ld_so_cache_t; class dir r_dir_perms; @@ -92,7 +92,7 @@ define(`libraries_use_dynamic_loader_depend',` ') ######################################## -## +## ## ## Use the dynamic link/loader for automatic loading ## of shared libraries with legacy support. 
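Review bot: `files_read_generic_etc_files_directory($1)` in `libs_use_ld_so` reads like the old base name passed through the rename table with the `_directory` suffix left attached, whereas the directory-level interfaces elsewhere in this commit get short names (`files_search_var`, `files_search_usr`, `files_list_pids`). If the files module does not actually export an interface under that name, the call is left unexpanded and the `/etc` directory access the loader needs for `ld.so.cache` is lost; please confirm against the files module. The same call appears in the `libs_rw_ld_so_cache` hunk further down.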
@@ -102,22 +102,22 @@ define(`libraries_use_dynamic_loader_depend',` ## ## # -define(`libraries_legacy_use_dynamic_loader',` +define(`libs_legacy_use_ld_so',` requires_block_template(`$0'_depend) - libraries_use_dynamic_loader($1) + libs_use_ld_so($1) allow $1 ld_so_t:file execmod; allow $1 ld_so_cache_t:file execute; ') -define(`libraries_legacy_use_dynamic_loader_depend',` +define(`libs_legacy_use_ld_so_depend',` type ld_so_t, ld_so_cache_t; class file { execute execmod }; ') ######################################## -## +## ## ## Execute the dynamic link/loader in the caller's ## domain. This is commonly needed for the @@ -131,7 +131,7 @@ define(`libraries_legacy_use_dynamic_loader_depend',` ## ## # -define(`libraries_execute_dynamic_loader',` +define(`libs_exec_ld_so',` requires_block_template(`$0'_depend) allow $1 lib_t:dir r_dir_perms; @@ -140,7 +140,7 @@ define(`libraries_execute_dynamic_loader',` allow $1 ld_so_t:file { r_file_perms execute execute_no_trans }; ') -define(`libraries_execute_dynamic_loader_depend',` +define(`libs_exec_ld_so_depend',` type lib_t, ld_so_t; class dir r_dir_perms; @@ -149,7 +149,7 @@ define(`libraries_execute_dynamic_loader_depend',` ') ######################################## -## +## ## ## Modify the dynamic link/loader's cached listing ## of shared libraries. @@ -159,21 +159,21 @@ define(`libraries_execute_dynamic_loader_depend',` ## ## # -define(`libraries_modify_dynamic_loader_cache',` +define(`libs_rw_ld_so_cache',` requires_block_template(`$0'_depend) - files_read_general_system_config_directory($1) + files_read_generic_etc_files_directory($1) allow $1 ld_so_cache_t:file rw_file_perms; ') -define(`libraries_modify_dynamic_loader_cache_depend',` +define(`libs_rw_ld_so_cache_depend',` type ld_so_cache_t; class file rw_file_perms; ') ######################################## -## +## ## ## Read files in the library directories, such ## as static libraries. 
@@ -183,14 +183,14 @@ define(`libraries_modify_dynamic_loader_cache_depend',` ## ## # -define(`libraries_read_library_resources',` +define(`libs_read_lib',` requires_block_template(`$0'_depend) allow $1 lib_t:dir r_dir_perms; allow $1 lib_t:{ file lnk_file } r_file_perms; ') -define(`libraries_read_library_resources_depend',` +define(`libs_read_lib_depend',` type lib_t; class dir r_dir_perms; @@ -199,7 +199,7 @@ define(`libraries_read_library_resources_depend',` ') ######################################## -## +## ## ## Execute library scripts in the caller domain. ## @@ -208,7 +208,7 @@ define(`libraries_read_library_resources_depend',` ## ## # -define(`libraries_execute_library_scripts',` +define(`libs_exec_lib_files',` requires_block_template(`$0'_depend) allow $1 lib_t:dir r_dir_perms; @@ -216,7 +216,7 @@ define(`libraries_execute_library_scripts',` allow $1 lib_t:file { getattr read execute execute_no_trans }; ') -define(`libraries_execute_library_scripts_depend',` +define(`libs_exec_lib_files_depend',` type lib_t; class dir r_dir_perms; @@ -225,7 +225,7 @@ define(`libraries_execute_library_scripts_depend',` ') ######################################## -## +## ## ## Load and execute functions from shared libraries. ## @@ -234,17 +234,17 @@ define(`libraries_execute_library_scripts_depend',` ## ## # -define(`libraries_use_shared_libraries',` +define(`libs_use_shared_libs',` requires_block_template(`$0'_depend) - files_search_general_application_resources_dir($1) + files_search_usr($1) allow $1 lib_t:dir r_dir_perms; allow $1 lib_t:lnk_file r_file_perms; allow $1 { shlib_t texrel_shlib_t }:lnk_file r_file_perms; allow $1 { shlib_t texrel_shlib_t }:file rx_file_perms; ') -define(`libraries_use_shared_libraries_depend',` +define(`libs_use_shared_libs_depend',` type lib_t, shlib_t, texrel_shlib_t; class dir r_dir_perms; 
@@ -253,7 +253,7 @@ define(`libraries_use_shared_libraries_depend',` ') ######################################## -## +## ## ## Load and execute functions from shared libraries, ## with legacy support. @@ -263,14 +263,14 @@ define(`libraries_use_shared_libraries_depend',` ## ## # -define(`libraries_legacy_use_shared_libraries',` +define(`libs_legacy_use_shared_libs',` requires_block_template(`$0'_depend) - libraries_use_shared_libraries($1) + libs_use_shared_libs($1) allow $1 { shlib_t texrel_shlib_t }:file execmod; ') -define(`libraries_legacy_use_shared_libraries_depend',` +define(`libs_legacy_use_shared_libs_depend',` type shlib_t, texrel_shlib_t; class file execmod; diff --git a/refpolicy/policy/modules/system/libraries.te b/refpolicy/policy/modules/system/libraries.te index 7dea914..4b34dae 100644 --- a/refpolicy/policy/modules/system/libraries.te +++ b/refpolicy/policy/modules/system/libraries.te @@ -10,33 +10,33 @@ policy_module(libraries,1.0) # ld_so_cache_t is the type of /etc/ld.so.cache. # type ld_so_cache_t; -files_make_file(ld_so_cache_t) +files_file_type(ld_so_cache_t) # # ld_so_t is the type of the system dynamic loaders. # type ld_so_t; -files_make_file(ld_so_t) +files_file_type(ld_so_t) # # lib_t is the type of files in the system lib directories. # type lib_t; -files_make_file(lib_t) +files_file_type(lib_t) # # shlib_t is the type of shared objects in the system lib # directories. # type shlib_t; -files_make_file(shlib_t) +files_file_type(shlib_t) # # texrel_shlib_t is the type of shared objects in the system lib # directories, which require text relocation. # type texrel_shlib_t; -files_make_file(texrel_shlib_t) +files_file_type(texrel_shlib_t) ######################################## # 
@@ -44,11 +44,11 @@ files_make_file(texrel_shlib_t) # type ldconfig_t; type ldconfig_exec_t; -init_make_system_domain(ldconfig_t,ldconfig_exec_t) +init_system_domain(ldconfig_t,ldconfig_exec_t) role system_r types ldconfig_t; allow ldconfig_t ld_so_cache_t:file create_file_perms; -files_create_private_config(ldconfig_t,ld_so_cache_t,file) +files_create_etc_config(ldconfig_t,ld_so_cache_t,file) allow ldconfig_t lib_t:dir rw_dir_perms; allow ldconfig_t lib_t:lnk_file { getattr create read unlink }; @@ -62,17 +62,17 @@ kernel_read_system_state(ldconfig_t) fs_getattr_xattr_fs(ldconfig_t) -domain_use_widely_inheritable_file_descriptors(ldconfig_t) +domain_use_wide_inherit_fd(ldconfig_t) -files_read_general_system_config(ldconfig_t) +files_read_generic_etc_files(ldconfig_t) # for when /etc/ld.so.cache is mislabeled: -files_remove_general_system_config(ldconfig_t) +files_delete_generic_etc_files(ldconfig_t) -init_script_use_pseudoterminal(ldconfig_t) +init_use_script_pty(ldconfig_t) -logging_send_system_log_message(ldconfig_t) +logging_send_syslog_msg(ldconfig_t) -userdomain_use_all_users_file_descriptors(ldconfig_t) +userdom_use_all_user_fd(ldconfig_t) ifdef(`TODO',` diff --git a/refpolicy/policy/modules/system/locallogin.if b/refpolicy/policy/modules/system/locallogin.if index aade7aa..f7db31f 100644 --- a/refpolicy/policy/modules/system/locallogin.if +++ b/refpolicy/policy/modules/system/locallogin.if @@ -2,7 +2,7 @@ ## Policy for local logins. ######################################## -## +## ## ## Execute local logins in the locallogin domain. ## 
@@ -11,18 +11,18 @@ ## ## # -define(`locallogin_transition',` +define(`locallogin_domtrans',` requires_block_template(`$0'_depend) - authlogin_login_program_transition($1,local_login_t) + auth_domtrans_login_program($1,local_login_t) ') -define(`locallogin_transition_depend',` +define(`locallogin_domtrans_depend',` type local_login_t; ') ######################################## -## +## ## ## Allow processes to inherit local login file descriptors ## @@ -33,15 +33,15 @@ define(`locallogin_transition_depend',` # ######################################## # -# locallogin_use_file_descriptors(domain) +# locallogin_use_fd(domain) # -define(`locallogin_use_file_descriptors',` +define(`locallogin_use_fd',` requires_block_template(`$0'_depend) allow $1 local_login_t:fd use; ') -define(`locallogin_use_file_descriptors_depend',` +define(`locallogin_use_fd_depend',` type local_login_t; class fd use; diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te index 6c41572..6745937 100644 --- a/refpolicy/policy/modules/system/locallogin.te +++ b/refpolicy/policy/modules/system/locallogin.te 
@@ -7,25 +7,25 @@ policy_module(locallogin,1.0) # type local_login_t; #, nscd_client_domain; -kernel_make_object_identity_change_constraint_exception(local_login_t) -kernel_make_process_identity_change_constraint_exception(local_login_t) -kernel_make_role_change_constraint_exception(local_login_t) -authlogin_make_login_program_entrypoint(local_login_t) -domain_make_domain(local_login_t) -domain_make_file_descriptors_widely_inheritable(local_login_t) +kernel_obj_id_change_exempt(local_login_t) +kernel_subj_id_change_exempt(local_login_t) +kernel_role_change_exempt(local_login_t) +auth_login_entry_type(local_login_t) +domain_type(local_login_t) +domain_wide_inherit_fd(local_login_t) role system_r types local_login_t; type local_login_tmp_t; -files_make_file(local_login_tmp_t) +files_file_type(local_login_tmp_t) type sulogin_t; type sulogin_exec_t; -kernel_make_object_identity_change_constraint_exception(sulogin_t) -kernel_make_process_identity_change_constraint_exception(sulogin_t) -kernel_make_role_change_constraint_exception(sulogin_t) -domain_make_file_descriptors_widely_inheritable(sulogin_t) -init_make_init_domain(sulogin_t,sulogin_exec_t) -init_make_system_domain(sulogin_t,sulogin_exec_t) +kernel_obj_id_change_exempt(sulogin_t) +kernel_subj_id_change_exempt(sulogin_t) +kernel_role_change_exempt(sulogin_t) +domain_wide_inherit_fd(sulogin_t) +init_domain(sulogin_t,sulogin_exec_t) +init_system_domain(sulogin_t,sulogin_exec_t) role system_r types sulogin_t; ######################################## @@ -49,7 +49,7 @@ allow local_login_t self:msg { send receive }; allow local_login_t local_login_tmp_t:dir create_dir_perms; allow local_login_t local_login_tmp_t:file create_file_perms; -files_create_private_tmp_data(local_login_t, local_login_tmp_t, { file dir }) +files_create_tmp_files(local_login_t, local_login_tmp_t, { file dir }) kernel_read_system_state(local_login_t) kernel_read_kernel_sysctl(local_login_t) 
@@ -70,47 +70,47 @@ term_relabel_all_user_ttys(local_login_t) term_setattr_all_user_ttys(local_login_t) term_setattr_unallocated_ttys(local_login_t) -authlogin_check_password_transition(local_login_t) -authlogin_ignore_read_shadow_passwords(local_login_t) -authlogin_modify_login_records(local_login_t) -authlogin_modify_last_login_log(local_login_t) -authlogin_modify_login_failure_records(local_login_t) -authlogin_pam_execute(local_login_t) -authlogin_pam_console_manage_runtime_data(local_login_t) +auth_domtrans_chk_passwd(local_login_t) +auth_dontaudit_read_shadow(local_login_t) +auth_rw_login_records(local_login_t) +auth_rw_lastlog(local_login_t) +auth_rw_faillog(local_login_t) +auth_exec_pam(local_login_t) +auth_manage_pam_console_data(local_login_t) -domain_read_all_entrypoint_programs(local_login_t) +domain_read_all_entry_files(local_login_t) -files_read_general_system_config(local_login_t) -files_read_runtime_system_config(local_login_t) -files_read_general_application_resources(local_login_t) -files_manage_system_lock_files(var_lock_t) +files_read_generic_etc_files(local_login_t) +files_read_etc_runtime_files(local_login_t) +files_read_usr_files(local_login_t) +files_manage_generic_lock_files(var_lock_t) -init_script_modify_runtime_data(local_login_t) -init_ignore_use_file_descriptors(local_login_t) +init_rw_script_pid(local_login_t) +init_dontaudit_use_fd(local_login_t) -libraries_use_dynamic_loader(local_login_t) -libraries_use_shared_libraries(local_login_t) +libs_use_ld_so(local_login_t) +libs_use_shared_libs(local_login_t) -logging_send_system_log_message(local_login_t) +logging_send_syslog_msg(local_login_t) miscfiles_read_localization(local_login_t) selinux_read_config(local_login_t) selinux_read_default_contexts(local_login_t) -userdomain_all_users_explicit_transition(local_login_t) -userdomain_signal_all_userdomains(local_login_t) -userdomain_search_all_users_home_dirs(local_login_t) 
-userdomain_use_all_unprivileged_users_file_descriptors(local_login_t) +userdom_spec_domtrans_all_users(local_login_t) +userdom_signal_all_users(local_login_t) +userdom_search_all_users_home(local_login_t) +userdom_use_unpriv_users_fd(local_login_t) # Search for mail spool file. -mta_get_mail_spool_attributes(local_login_t) +mta_getattr_spool(local_login_t) # Red Hat systems seem to have a stray # fd open from the initrd optional_policy(`distro_redhat',` kernel_dontaudit_use_fd(local_login_t) - files_ignore_read_rootfs_file(local_login_t) + files_dontaudit_read_root_file(local_login_t) ') ifdef(`TODO',` @@ -210,24 +210,24 @@ allow sulogin_t self:msg { send receive }; kernel_read_system_state(sulogin_t) -init_script_get_process_group(sulogin_t) +init_get_script_process_group(sulogin_t) -files_read_general_system_config(sulogin_t) +files_read_generic_etc_files(sulogin_t) # because file systems are not mounted: -files_ignore_search_isid_type_dir(sulogin_t) +files_dontaudit_search_isid_type_dir(sulogin_t) -libraries_use_dynamic_loader(sulogin_t) -libraries_use_shared_libraries(sulogin_t) +libs_use_ld_so(sulogin_t) +libs_use_shared_libs(sulogin_t) -logging_send_system_log_message(sulogin_t) +logging_send_syslog_msg(sulogin_t) selinux_read_config(sulogin_t) selinux_read_default_contexts(sulogin_t) -authlogin_read_shadow_passwords(sulogin_t) +auth_read_shadow(sulogin_t) -userdomain_sysadm_shell_transition(sulogin_t) -userdomain_use_all_unprivileged_users_file_descriptors(sulogin_t) +userdom_shell_domtrans_sysadm(sulogin_t) +userdom_use_unpriv_users_fd(sulogin_t) # suse and debian do not use pam with sulogin... ifdef(`monolithic_policy',` diff --git a/refpolicy/policy/modules/system/logging.if b/refpolicy/policy/modules/system/logging.if index 6578e28..5fde11a 100644 --- a/refpolicy/policy/modules/system/logging.if +++ b/refpolicy/policy/modules/system/logging.if 
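Review bot: `files_manage_generic_lock_files(var_lock_t)` passes the lock-file type itself as the argument, while every sibling call in this block passes the domain `local_login_t`; a `manage` interface takes the subject domain, so as written this presumably grants local_login_t nothing and a self-rule on a file type is not meaningful. The rename preserved the argument unchanged, so the commit does not address it; the line should read `files_manage_generic_lock_files(local_login_t)`.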
@@ -3,24 +3,24 @@ ####################################### # -# logging_make_log_file(domain) +# logging_log_file(domain) # -define(`logging_make_log_file',` +define(`logging_log_file',` requires_block_template(`$0'_depend) - files_make_file($1) + files_file_type($1) typeattribute $1 logfile; ') -define(`logging_make_log_file_depend',` +define(`logging_log_file_depend',` attribute logfile; ') ######################################## # -# logging_create_private_log(domain,privatetype,[class(es)]) +# logging_create_log(domain,privatetype,[class(es)]) # -define(`logging_create_private_log',` +define(`logging_create_log',` requires_block_template(`$0'_depend) allow $1 var_log_t:dir rw_dir_perms; @@ -32,7 +32,7 @@ define(`logging_create_private_log',` ') ') -define(`logging_create_private_log_depend',` +define(`logging_create_log_depend',` type var_log_t; class dir rw_dir_perms; @@ -40,9 +40,9 @@ define(`logging_create_private_log_depend',` ####################################### # -# logging_send_system_log_message(domain) +# logging_send_syslog_msg(domain) # -define(`logging_send_system_log_message',` +define(`logging_send_syslog_msg',` requires_block_template(`$0'_depend) allow $1 devlog_t:lnk_file read; @@ -58,7 +58,7 @@ define(`logging_send_system_log_message',` term_use_console($1) ') -define(`logging_send_system_log_message_depend',` +define(`logging_send_syslog_msg_depend',` type syslogd_t, devlog_t; class sock_file rw_file_perms; @@ -67,7 +67,7 @@ define(`logging_send_system_log_message_depend',` ') ######################################## -## +## ## ## Allows the domain to open a file in the ## log directory, but does not allow the listing 
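Review bot: The header comment `# logging_log_file(domain)` misnames the parameter: the body applies `files_file_type($1)` and `typeattribute $1 logfile;` to `$1`, so the argument is the file type being declared a log file, not a calling domain. Since the rename rewrote this header anyway, I would make it `# logging_log_file(type)` so callers do not pass a domain in that position.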
@@ -78,14 +78,14 @@ define(`logging_send_system_log_message_depend',` ## ## # -define(`logging_search_system_log_directory',` +define(`logging_search_logs',` requires_block_template(`$0'_depend) - files_search_system_state_data_directory($1) + files_search_var($1) allow $1 var_log_t:dir search; ') -define(`logging_search_system_log_directory_depend',` +define(`logging_search_logs_depend',` type var_log_t; class dir search; @@ -93,15 +93,15 @@ define(`logging_search_system_log_directory_depend',` ####################################### # -# logging_ignore_get_all_logs_attributes(domain) +# logging_dontaudit_getattr_all_logs(domain) # -define(`logging_ignore_get_all_logs_attributes',` +define(`logging_dontaudit_getattr_all_logs',` requires_block_template(`$0'_depend) dontaudit $1 logfile:file getattr; ') -define(`logging_ignore_get_all_logs_attributes_depend',` +define(`logging_dontaudit_getattr_all_logs_depend',` attribute logfile; class file getattr; @@ -114,7 +114,7 @@ define(`logging_ignore_get_all_logs_attributes_depend',` define(`logging_append_all_logs',` requires_block_template(`$0'_depend) - files_search_system_state_data_directory($1) + files_search_var($1) allow $1 var_log_t:dir r_dir_perms; allow $1 logfile:file { getattr append }; ') @@ -135,7 +135,7 @@ define(`logging_append_all_logs_depend',` define(`logging_read_all_logs',` requires_block_template(`$0'_depend) - files_search_system_state_data_directory($1) + files_search_var($1) allow $1 var_log_t:dir r_dir_perms; allow $1 logfile:file r_file_perms; ') 
@@ -151,17 +151,17 @@ define(`logging_read_all_logs_depend',` ####################################### # -# logging_read_system_logs(domain) +# logging_read_generic_logs(domain) # -define(`logging_read_system_logs',` +define(`logging_read_generic_logs',` requires_block_template(`$0'_depend) - files_search_system_state_data_directory($1) + files_search_var($1) allow $1 var_log_t:dir r_dir_perms; allow $1 var_log_t:file r_file_perms; ') -define(`logging_read_system_logs_depend',` +define(`logging_read_generic_logs_depend',` type var_log_t; class dir r_dir_perms; @@ -170,17 +170,17 @@ define(`logging_read_system_logs_depend',` ####################################### # -# logging_write_system_logs(domain) +# logging_write_generic_logs(domain) # -define(`logging_write_system_logs',` +define(`logging_write_generic_logs',` requires_block_template(`$0'_depend) - files_search_system_state_data_directory($1) + files_search_var($1) allow $1 var_log_t:dir r_dir_perms; allow $1 var_log_t:file { getattr write }; ') -define(`logging_write_system_logs_depend',` +define(`logging_write_generic_logs_depend',` type var_log_t; class dir r_dir_perms; @@ -189,17 +189,17 @@ define(`logging_write_system_logs_depend',` ####################################### # -# logging_modify_system_logs(domain) +# logging_rw_generic_logs(domain) # -define(`logging_modify_system_logs',` +define(`logging_rw_generic_logs',` requires_block_template(`$0'_depend) - files_search_system_state_data_directory($1) + files_search_var($1) allow $1 var_log_t:dir r_dir_perms; allow $1 var_log_t:file rw_file_perms; ') -define(`logging_modify_system_logs_depend',` +define(`logging_rw_generic_logs_depend',` type var_log_t; class dir r_dir_perms; diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te index 954f184..f2fe8aa 100644 --- a/refpolicy/policy/modules/system/logging.te +++ b/refpolicy/policy/modules/system/logging.te 
@@ -9,40 +9,40 @@ policy_module(logging,1.0)
 attribute logfile;
 type auditd_log_t;
-logging_make_log_file(auditd_t,auditd_log_t)
+logging_log_file(auditd_t,auditd_log_t)
 type auditd_t;
 type auditd_exec_t;
-init_make_daemon_domain(auditd_t,auditd_exec_t)
+init_daemon_domain(auditd_t,auditd_exec_t)
 type auditd_var_run_t;
-files_make_daemon_runtime_file(auditd_var_run_t)
+files_pid_file(auditd_var_run_t)
 type devlog_t;
-files_make_file(devlog_t)
+files_file_type(devlog_t)
 type klogd_t;
 type klogd_exec_t;
-init_make_daemon_domain(klogd_t,klogd_exec_t)
+init_daemon_domain(klogd_t,klogd_exec_t)
 type klogd_tmp_t;
-files_make_temporary_file(klogd_tmp_t)
+files_tmp_file(klogd_tmp_t)
 type klogd_var_run_t;
-files_make_daemon_runtime_file(klogd_var_run_t)
+files_pid_file(klogd_var_run_t)
 type syslogd_t;
 type syslogd_exec_t;
-init_make_daemon_domain(syslogd_t,syslogd_exec_t)
+init_daemon_domain(syslogd_t,syslogd_exec_t)
 type syslogd_tmp_t;
-files_make_temporary_file(syslogd_tmp_t)
+files_tmp_file(syslogd_tmp_t)
 type syslogd_var_run_t;
-files_make_daemon_runtime_file(syslogd_var_run_t)
+files_pid_file(syslogd_var_run_t)
 type var_log_t, logfile;
-files_make_file(var_log_t)
+files_file_type(var_log_t)
 ########################################
 #
@@ -56,7 +56,7 @@ allow auditd_t self:netlink_audit_socket { bind create getattr nlmsg_read nlmsg_
 allow auditd_t auditd_log_t:file create_file_perms;
 allow auditd_t auditd_var_run_t:file create_file_perms;
-files_create_daemon_runtime_data(auditd_t,auditd_var_run_t)
+files_create_pid(auditd_t,auditd_var_run_t)
 kernel_read_kernel_sysctl(auditd_t)
 kernel_read_hardware_state(auditd_t)
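Review bot: `logging_log_file(auditd_t,auditd_log_t)` passes two arguments to a macro that, as defined in logging.if earlier in this diff, expands only `$1` (`files_file_type($1)` and `typeattribute $1 logfile;`), so it is the domain auditd_t that receives the logfile and file-type attributes while auditd_log_t gets neither. That leaves the audit log outside every logging_*_all_logs grant and extends those grants to the auditd_t type instead. The call should be `logging_log_file(auditd_log_t)`, matching how `type var_log_t, logfile;` and `files_file_type(var_log_t)` are paired further down this hunk. The fact that the call precedes `type auditd_t;` is a further hint the domain was never meant to be the argument.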
@@ -65,24 +65,24 @@ fs_getattr_all_fs(auditd_t)
 term_dontaudit_use_console(auditd_t)
-init_use_file_descriptors(auditd_t)
-init_script_use_pseudoterminal(auditd_t)
+init_use_fd(auditd_t)
+init_use_script_pty(auditd_t)
-domain_use_widely_inheritable_file_descriptors(auditd_t)
+domain_use_wide_inherit_fd(auditd_t)
-files_read_general_system_config(auditd_t)
+files_read_generic_etc_files(auditd_t)
-logging_send_system_log_message(auditd_t)
+logging_send_syslog_msg(auditd_t)
-libraries_use_dynamic_loader(auditd_t)
-libraries_use_shared_libraries(auditd_t)
+libs_use_ld_so(auditd_t)
+libs_use_shared_libs(auditd_t)
 miscfiles_read_localization(auditd_t)
 ifdef(`targeted_policy', `
 term_dontaudit_use_unallocated_tty(auditd_t)
 terminal_ignore_use_general_pseudoterminal(auditd_t)
- files_ignore_read_rootfs_file(auditd_t)
+ files_dontaudit_read_root_file(auditd_t)
 ')
 optional_policy(`selinux.te',`
@@ -90,7 +90,7 @@ optional_policy(`selinux.te',`
 ')
 optional_policy(`udev.te', `
- udev_read_database(auditd_t)
+ udev_read_db(auditd_t)
 ')
 ifdef(`TODO',`
@@ -115,7 +115,7 @@ allow auditd_t sysadm_tty_device_t:chr_file rw_file_perms;
 #
 allow klogd_t klogd_tmp_t:file create_file_perms;
-files_create_private_tmp_data(klogd_t,klogd_tmp_t)
+files_create_tmp_files(klogd_t,klogd_tmp_t)
 allow klogd_t klogd_var_run_t:file create_file_perms;
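Review bot: `terminal_ignore_use_general_pseudoterminal(auditd_t)` in the `ifdef(`targeted_policy'` block still uses the old naming scheme while the line above it (`term_dontaudit_use_unallocated_tty`) and the renamed `files_dontaudit_read_root_file` beside it use the new one. If the terminal module's interfaces were renamed to `term_` in the same pass, this call was missed; m4 would leave the unknown macro unexpanded and the targeted build would fail on it. It should be switched to the renamed term_ interface, and the same stale call appears in the syslogd_t and lvm_t targeted_policy blocks later in this diff.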
@@ -134,17 +134,17 @@ dev_read_raw_memory(klogd_t)
 fs_getattr_all_fs(klogd_t)
-files_create_daemon_runtime_data(klogd_t,klogd_var_run_t)
-files_read_runtime_system_config(klogd_t)
+files_create_pid(klogd_t,klogd_var_run_t)
+files_read_etc_runtime_files(klogd_t)
 # read /etc/nsswitch.conf
-files_read_general_system_config(klogd_t)
+files_read_generic_etc_files(klogd_t)
-init_use_file_descriptors(klogd_t)
+init_use_fd(klogd_t)
-libraries_use_dynamic_loader(klogd_t)
-libraries_use_shared_libraries(klogd_t)
+libs_use_ld_so(klogd_t)
+libs_use_shared_libs(klogd_t)
-logging_send_system_log_message(klogd_t)
+logging_send_syslog_msg(klogd_t)
 miscfiles_read_localization(klogd_t)
@@ -170,21 +170,21 @@ allow syslogd_t var_log_t:file create_file_perms;
 # manage temporary files
 allow syslogd_t syslogd_tmp_t:file create_file_perms;
-files_create_private_tmp_data(syslogd_t,syslogd_tmp_t)
+files_create_tmp_files(syslogd_t,syslogd_tmp_t)
 allow syslogd_t syslogd_var_run_t:file create_file_perms;
-files_create_daemon_runtime_data(syslogd_t,syslogd_var_run_t,file)
+files_create_pid(syslogd_t,syslogd_var_run_t,file)
 # Create and bind to /dev/log or /var/run/log.
 allow syslogd_t devlog_t:sock_file create_file_perms;
-files_create_daemon_runtime_data(syslogd_t,devlog_t,sock_file)
+files_create_pid(syslogd_t,devlog_t,sock_file)
 # I belive these are not needed:
 allow syslogd_t devlog_t:unix_stream_socket name_bind;
 allow syslogd_t devlog_t:unix_dgram_socket name_bind;
 # manage pid file
 allow syslogd_t syslogd_var_run_t:file create_file_perms;
-files_create_daemon_runtime_data(syslogd_t,syslogd_var_run_t)
+files_create_pid(syslogd_t,syslogd_var_run_t)
 kernel_read_hardware_state(syslogd_t)
 kernel_read_kernel_sysctl(syslogd_t)
@@ -196,8 +196,8 @@ term_dontaudit_use_console(syslogd_t) term_write_unallocated_ttys(syslogd_t) # for sending messages to logged in users -init_script_read_runtime_data(syslogd_t) -init_script_ignore_write_runtime_data(syslogd_t) +init_read_script_pid(syslogd_t) +init_dontaudit_write_script_pid(syslogd_t) term_write_all_user_ttys(syslogd_t) corenet_raw_sendrecv_all_if(syslogd_t) @@ -210,26 +210,26 @@ corenet_udp_bind_syslogd_port(syslogd_t) fs_getattr_all_fs(syslogd_t) -init_use_file_descriptors(syslogd_t) -init_script_use_pseudoterminal(syslogd_t) +init_use_fd(syslogd_t) +init_use_script_pty(syslogd_t) -domain_use_widely_inheritable_file_descriptors(syslogd_t) +domain_use_wide_inherit_fd(syslogd_t) -files_read_general_system_config(syslogd_t) +files_read_generic_etc_files(syslogd_t) -libraries_use_dynamic_loader(syslogd_t) -libraries_use_shared_libraries(syslogd_t) +libs_use_ld_so(syslogd_t) +libs_use_shared_libs(syslogd_t) -sysnetwork_read_network_config(syslogd_t) +sysnet_read_config(syslogd_t) miscfiles_read_localization(syslogd_t) -userdomain_ignore_use_all_unprivileged_users_file_descriptors(syslogd_t) +userdom_dontaudit_use_unpriv_user_fd(syslogd_t) # # /initrd is not umounted before minilog starts # -files_ignore_search_isid_type_dir(syslogd_t) +files_dontaudit_search_isid_type_dir(syslogd_t) #allow syslogd_t tmpfs_t:dir search; #dontaudit syslogd_t unlabeled_t:file read; #dontaudit syslogd_t { userpty_type devpts_t }:chr_file getattr; @@ -246,7 +246,7 @@ ifdef(`klogd.te', `', ` ifdef(`targeted_policy', ` term_dontaudit_use_unallocated_tty(syslogd_t) terminal_ignore_use_general_pseudoterminal(syslogd_t) - files_ignore_read_rootfs_file(syslogd_t) + files_dontaudit_read_root_file(syslogd_t) ') optional_policy(`selinux.te',` 
@@ -254,11 +254,11 @@ optional_policy(`selinux.te',` ') optional_policy(`udev.te', ` - udev_read_database(syslogd_t) + udev_read_db(syslogd_t) ') optional_policy(`cron.te',` - cron_modify_log(syslogd_t) + cron_rw_log(syslogd_t) ') ifdef(`TODO',` diff --git a/refpolicy/policy/modules/system/lvm.if b/refpolicy/policy/modules/system/lvm.if index db73920..007c608 100644 --- a/refpolicy/policy/modules/system/lvm.if +++ b/refpolicy/policy/modules/system/lvm.if @@ -2,7 +2,7 @@ ## Policy for logical volume management programs. ######################################## -## +## ## ## Execute lvm programs in the lvm domain. ## @@ -11,7 +11,7 @@ ## ## # -define(`lvm_transition',` +define(`lvm_domtrans',` requires_block_template(`$0'_depend) domain_auto_trans($1, lvm_exec_t, lvm_t) @@ -22,7 +22,7 @@ define(`lvm_transition',` allow lvm_t $1:process sigchld; ') -define(`lvm_transition_depend',` +define(`lvm_domtrans_depend',` type lvm_t, lvm_exec_t; class file { getattr read execute }; @@ -32,7 +32,7 @@ define(`lvm_transition_depend',` ') ######################################## -## +## ## ## Execute lvm programs in the lvm domain. ## @@ -47,15 +47,15 @@ define(`lvm_transition_depend',` ## ## # -define(`lvm_transition_add_role_use_terminal',` +define(`lvm_run',` requires_block_template(`$0'_depend) - lvm_transition($1) + lvm_domtrans($1) role $2 types lvm_t; allow lvm_t $3:chr_file { getattr read write ioctl }; ') -define(`lvm_transition_add_role_use_terminal_depend',` +define(`lvm_run_depend',` type lvm_t; class chr_file { getattr read write ioctl }; diff --git a/refpolicy/policy/modules/system/lvm.te b/refpolicy/policy/modules/system/lvm.te index 3c7a83a..82f9752 100644 --- a/refpolicy/policy/modules/system/lvm.te +++ b/refpolicy/policy/modules/system/lvm.te 
@@ -8,23 +8,23 @@ policy_module(lvm,1.0)
 type lvm_t;
 type lvm_exec_t;
-init_make_system_domain(lvm_t,lvm_exec_t)
+init_system_domain(lvm_t,lvm_exec_t)
 # needs privowner because it assigns the identity system_u to device nodes
 # but runs as the identity of the sysadmin
-kernel_make_object_identity_change_constraint_exception(lvm_t)
+kernel_obj_id_change_exempt(lvm_t)
 role system_r types lvm_t;
 type lvm_etc_t;
-files_make_file(lvm_etc_t)
+files_file_type(lvm_etc_t)
 type lvm_lock_t;
-files_make_lock_file(lvm_lock_t)
+files_lock_file(lvm_lock_t)
 type lvm_metadata_t;
-files_make_file(lvm_metadata_t)
+files_file_type(lvm_metadata_t)
 type lvm_tmp_t;
-files_make_temporary_file(lvm_tmp_t)
+files_tmp_file(lvm_tmp_t)
 ########################################
 #
@@ -45,7 +45,7 @@ allow lvm_t self:unix_dgram_socket create_socket_perms;
 allow lvm_t lvm_tmp_t:dir create_dir_perms;
 allow lvm_t lvm_tmp_t:file create_file_perms;
-files_create_private_tmp_data(lvm_t, lvm_tmp_t, { file dir })
+files_create_tmp_files(lvm_t, lvm_tmp_t, { file dir })
 # /lib/lvm- holds the actual LVM binaries (and symlinks)
 allow lvm_t lvm_exec_t:dir search;
@@ -57,7 +57,7 @@ can_exec(lvm_t, lvm_exec_t)
 # Creating lock files
 allow lvm_t lvm_lock_t:dir rw_dir_perms;
 allow lvm_t lvm_lock_t:file create_file_perms;
-files_create_private_lock_file(lvm_t,lvm_lock_t)
+files_create_lock_file(lvm_t,lvm_lock_t)
 allow lvm_t lvm_etc_t:file r_file_perms;
 allow lvm_t lvm_etc_t:lnk_file r_file_perms;
@@ -66,7 +66,7 @@ allow lvm_t lvm_etc_t:dir rw_dir_perms;
 allow lvm_t lvm_metadata_t:file create_file_perms;
 allow lvm_t lvm_metadata_t:dir rw_dir_perms;
 type_transition lvm_t lvm_etc_t:file lvm_metadata_t;
-files_create_private_config(lvm_t,lvm_metadata_t,file)
+files_create_etc_config(lvm_t,lvm_metadata_t,file)
 kernel_read_system_state(lvm_t)
 kernel_get_selinuxfs_mount_point(lvm_t)
@@ -89,8 +89,8 @@ dev_read_rand(lvm_t)
 dev_read_urand(lvm_t)
 dev_rw_lvm_control(lvm_t)
 dev_manage_generic_symlinks(lvm_t)
-devices_relabel_dev_dirs(lvm_t)
-devices_manage_generic_block_device(lvm_t)
+dev_relabel_dev_dirs(lvm_t)
+dev_manage_generic_blk_file(lvm_t)
 # LVM (vgscan) scans for devices by stating every file in /dev and applying a regex...
 dev_dontaudit_getattr_all_chr_files(lvm_t)
@@ -110,25 +110,25 @@ storage_create_fixed_disk_dev_entry(lvm_t)
 # Access raw devices and old /dev/lvm (c 109,0). Is this needed?
 storage_manage_fixed_disk(lvm_t)
-corecommands_search_system_programs_directory(lvm_t)
-corecommands_ignore_get_system_programs_attributes(lvm_t)
+corecmd_search_sbin(lvm_t)
+corecmd_dontaudit_getattr_sbin_file(lvm_t)
-domain_use_widely_inheritable_file_descriptors(lvm_t)
+domain_use_wide_inherit_fd(lvm_t)
-files_search_system_state_data_directory(lvm_t)
-files_read_general_system_config(lvm_t)
-files_read_runtime_system_config(lvm_t)
+files_search_var(lvm_t)
+files_read_generic_etc_files(lvm_t)
+files_read_etc_runtime_files(lvm_t)
 # for when /usr is not mounted:
-files_ignore_search_isid_type_dir(lvm_t)
+files_dontaudit_search_isid_type_dir(lvm_t)
-init_use_file_descriptors(lvm_t)
-init_ignore_get_control_channel_attributes(lvm_t)
-init_script_use_pseudoterminal(lvm_t)
+init_use_fd(lvm_t)
+init_dontaudit_getattr_initctl(lvm_t)
+init_use_script_pty(lvm_t)
-libraries_use_dynamic_loader(lvm_t)
-libraries_use_shared_libraries(lvm_t)
+libs_use_ld_so(lvm_t)
+libs_use_shared_libs(lvm_t)
-logging_send_system_log_message(lvm_t)
+logging_send_syslog_msg(lvm_t)
 miscfiles_read_localization(lvm_t)
@@ -138,14 +138,14 @@ selinux_newrole_sigchld(lvm_t) ifdef(`distro_redhat',` # this is from the initrd: - files_modify_isid_type_dir(lvm_t) + files_rw_isid_type_dir(lvm_t) ') ifdef(`targeted_policy', ` term_dontaudit_use_unallocated_tty(lvm_t) terminal_ignore_use_general_pseudoterminal(lvm_t) - files_ignore_read_rootfs_file(lvm_t) + files_dontaudit_read_root_file(lvm_t) ') optional_policy(`bootloader.te',` @@ -153,7 +153,7 @@ optional_policy(`bootloader.te',` ') optional_policy(`udev.te', ` - udev_read_database(lvm_t) + udev_read_db(lvm_t) ') ifdef(`TODO',` diff --git a/refpolicy/policy/modules/system/miscfiles.if b/refpolicy/policy/modules/system/miscfiles.if index 1a671b9..cca062f 100644 --- a/refpolicy/policy/modules/system/miscfiles.if +++ b/refpolicy/policy/modules/system/miscfiles.if @@ -2,7 +2,7 @@ ## Miscelaneous files. ######################################## -## +## ## ## Allow process to create files and dirs in /var/cache/man ## and /var/catman/ @@ -15,7 +15,7 @@ ## ## # -define(`miscfiles_manage_man_page_cache',` +define(`miscfiles_rw_man_cache',` requires_block_template(`$0'_depend) # FIXME: search var_t dir @@ -23,7 +23,7 @@ define(`miscfiles_manage_man_page_cache',` allow $1 catman_t:file create_file_perms; ') -define(`miscfiles_manage_man_page_cache_depend',` +define(`miscfiles_rw_man_cache_depend',` type catman_t; class dir create_dir_perms; @@ -83,7 +83,7 @@ define(`miscfiles_read_localization',` allow $1 locale_t:file r_file_perms; # why? - libraries_read_library_resources($1) + libs_read_lib($1) ') define(`miscfiles_read_localization_depend',` diff --git a/refpolicy/policy/modules/system/miscfiles.te b/refpolicy/policy/modules/system/miscfiles.te index 76438d7..c275451 100644 --- a/refpolicy/policy/modules/system/miscfiles.te +++ b/refpolicy/policy/modules/system/miscfiles.te 
@@ -5,41 +5,41 @@ policy_module(miscfiles,1.0) # catman_t is the type for /var/catman. # type catman_t; # , tmpfile; -files_make_file(catman_t) +files_file_type(catman_t) # # cert_t is the type of files in the system certs directories. # type cert_t; -files_make_file(cert_t) +files_file_type(cert_t) # # fonts_t is the type of various font # files in /usr # type fonts_t; -files_make_file(fonts_t) +files_file_type(fonts_t) # # locale_t is the type for system localization # type locale_t; -files_make_file(locale_t) +files_file_type(locale_t) # # man_t is the type for the man directories. # type man_t; -files_make_file(man_t) +files_file_type(man_t) # # Base type for the tests directory. # type test_file_t; -files_make_file(test_file_t) +files_file_type(test_file_t) # # for /var/{spool,lib}/texmf index files # type tetex_data_t; # , tmpfile; -files_make_file(tetex_data_t) +files_file_type(tetex_data_t) diff --git a/refpolicy/policy/modules/system/modutils.if b/refpolicy/policy/modules/system/modutils.if index 1ce9857..567d30d 100644 --- a/refpolicy/policy/modules/system/modutils.if +++ b/refpolicy/policy/modules/system/modutils.if @@ -26,7 +26,7 @@ define(`modutils_read_kernel_module_dependencies_depend',` ') ######################################## -## +## ## ## Read the configuration options used when ## loading modules. @@ -36,20 +36,20 @@ define(`modutils_read_kernel_module_dependencies_depend',` ## ## # -define(`modutils_read_kernel_module_loading_config',` +define(`modutils_read_module_conf',` requires_block_template(`$0'_depend) allow $1 modules_conf_t:file r_file_perms; ') -define(`modutils_read_kernel_module_loading_config_depend',` +define(`modutils_read_module_conf_depend',` type modules_conf_t; class file r_file_perms; ') ######################################## -## +## ## ## Execute insmod in the insmod domain. Has a ## sigchld backchannel. 
@@ -59,7 +59,7 @@ define(`modutils_read_kernel_module_loading_config_depend',` ## ## # -define(`modutils_insmod_transition',` +define(`modutils_domtrans_insmod',` requires_block_template(`$0'_depend) domain_auto_trans($1, insmod_exec_t, insmod_t) @@ -70,7 +70,7 @@ define(`modutils_insmod_transition',` allow insmod_t $1:process sigchld; ') -define(`modutils_insmod_transition_depend',` +define(`modutils_domtrans_insmod_depend',` type insmod_t; class file { getattr read execute }; @@ -80,7 +80,7 @@ define(`modutils_insmod_transition_depend',` ') ######################################## -## +## ## ## Execute insmod in the insmod domain, and ## allow the specified role the insmod domain, @@ -98,15 +98,15 @@ define(`modutils_insmod_transition_depend',` ## ## # -define(`modutils_insmod_transition_add_role_use_terminal',` +define(`modutils_run_insmod',` requires_block_template(`$0'_depend) - modutils_insmod_transition($1) + modutils_domtrans_insmod($1) role $2 types insmod_t; allow insmod_t $3:chr_file { getattr read write ioctl }; ') -define(`modutils_insmod_transition_add_role_use_terminal_depend',` +define(`modutils_run_insmod_depend',` type insmod_t; class chr_file { getattr read write ioctl }; @@ -114,22 +114,22 @@ define(`modutils_insmod_transition_add_role_use_terminal_depend',` ######################################## # -# modutils_insmod_execute(domain) +# modutils_exec_insmod(domain) # -define(`modutils_insmod_execute',` +define(`modutils_exec_insmod',` requires_block_template(`$0'_depend) can_exec($1, insmod_exec_t) ') -define(`modutils_insmod_execute_depend',` +define(`modutils_exec_insmod_depend',` type insmod_t; class file { getattr read execute execute_no_trans }; ') ######################################## -## +## ## ## Execute depmod in the depmod domain. ## 
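Review bot: `modutils_exec_insmod_depend` declares `type insmod_t;` but the interface body references only `insmod_exec_t` (`can_exec($1, insmod_exec_t)`), so the requires block names the domain rather than the exec type it actually needs; it should read `type insmod_exec_t;`. Compare `mount_domtrans_depend` later in this diff, which lists the exec type alongside the domain. The earlier `modutils_domtrans_insmod_depend` hunk shows the same lone `type insmod_t;` even though `domain_auto_trans($1, insmod_exec_t, insmod_t)` needs insmod_exec_t too, but that block is cut off by its hunk so I cannot tell whether a second type line follows.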
@@ -138,7 +138,7 @@ define(`modutils_insmod_execute_depend',` ## ## # -define(`modutils_depmod_transition',` +define(`modutils_domtrans_depmod',` requires_block_template(`$0'_depend) domain_auto_trans($1, depmod_exec_t, depmod_t) @@ -149,7 +149,7 @@ define(`modutils_depmod_transition',` allow depmod_t $1:process sigchld; ') -define(`modutils_depmod_transition_depend',` +define(`modutils_domtrans_depmod_depend',` type depmod_t; class file { getattr read execute }; @@ -159,7 +159,7 @@ define(`modutils_depmod_transition_depend',` ') ######################################## -## +## ## ## Execute depmod in the depmod domain. ## @@ -174,15 +174,15 @@ define(`modutils_depmod_transition_depend',` ## ## # -define(`modutils_depmod_transition_add_role_use_terminal',` +define(`modutils_run_depmod',` requires_block_template(`$0'_depend) - modutils_depmod_transition($1) + modutils_domtrans_depmod($1) role $2 types insmod_t; allow insmod_t $3:chr_file { getattr read write ioctl }; ') -define(`modutils_depmod_transition_add_role_use_terminal_depend',` +define(`modutils_run_depmod_depend',` type depmod_t; class chr_file { getattr read write ioctl }; @@ -190,22 +190,22 @@ define(`modutils_depmod_transition_add_role_use_terminal_depend',` ######################################## # -# modutils_depmod_execute(domain) +# modutils_exec_depmod(domain) # -define(`modutils_depmod_execute',` +define(`modutils_exec_depmod',` requires_block_template(`$0'_depend) can_exec($1, depmod_exec_t) ') -define(`modutils_depmod_execute_depend',` +define(`modutils_exec_depmod_depend',` type depmod_t; class file { getattr read execute execute_no_trans }; ') ######################################## -## +## ## ## Execute depmod in the depmod domain. ## @@ -214,7 +214,7 @@ define(`modutils_depmod_execute_depend',` ## ## # -define(`modutils_update_modules_transition',` +define(`modutils_domtrans_update_mods',` requires_block_template(`$0'_depend) domain_auto_trans($1, update_modules_exec_t, update_modules_t) 
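Review bot: `modutils_run_depmod` authorises the wrong domain: after `modutils_domtrans_depmod($1)` it does `role $2 types insmod_t;` and `allow insmod_t $3:chr_file { getattr read write ioctl };`, so the caller's role is never allowed depmod_t and depmod_t never gets the terminal, while insmod_t is handed a terminal this interface has no business granting; the `_depend` block directly below correctly names `depmod_t`. This looks like a copy of modutils_run_insmod whose domain was not updated. The two lines should be `role $2 types depmod_t;` and `allow depmod_t $3:chr_file { getattr read write ioctl };`.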
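Review bot: `modutils_exec_depmod_depend` declares `type depmod_t;` while the body is `can_exec($1, depmod_exec_t)`, so the requires block asks for the domain instead of the exec type the interface uses; it should be `type depmod_exec_t;`. Separately, the description that closes this hunk, `## Execute depmod in the depmod domain.`, belongs to `modutils_domtrans_update_mods`, which transitions to update_modules_t, and should say `## Execute update_modules in the update_modules domain.` as the later modutils_run_update_mods description already does.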
@@ -225,7 +225,7 @@ define(`modutils_update_modules_transition',` allow update_modules_t $1:process sigchld; ') -define(`modutils_update_modules_transition_depend',` +define(`modutils_domtrans_update_mods_depend',` type update_modules_t; class file { getattr read execute }; @@ -235,7 +235,7 @@ define(`modutils_update_modules_transition_depend',` ') ######################################## -## +## ## ## Execute update_modules in the update_modules domain. ## @@ -250,15 +250,15 @@ define(`modutils_update_modules_transition_depend',` ## ## # -define(`modutils_update_modules_transition_add_role_use_terminal',` +define(`modutils_run_update_mods',` requires_block_template(`$0'_depend) - modutils_update_modules_transition($1) + modutils_domtrans_update_mods($1) role $2 types update_modules_t; allow update_modules_t $3:chr_file rw_file_perms; ') -define(`modutils_update_modules_transition_add_role_use_terminal_depend',` +define(`modutils_run_update_mods_depend',` type update_modules_t; class chr_file rw_file_perms; @@ -266,15 +266,15 @@ define(`modutils_update_modules_transition_add_role_use_terminal_depend',` ######################################## # -# modutils_update_modules_execute(domain) +# modutils_exec_update_mods(domain) # -define(`modutils_update_modules_execute',` +define(`modutils_exec_update_mods',` requires_block_template(`$0'_depend) can_exec($1, update_modules_exec_t) ') -define(`modutils_update_modules_execute_depend',` +define(`modutils_exec_update_mods_depend',` type update_modules_t; class file { getattr read execute execute_no_trans }; diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te index cde351f..d9cdace 100644 --- a/refpolicy/policy/modules/system/modutils.te +++ b/refpolicy/policy/modules/system/modutils.te 
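Review bot: `modutils_exec_update_mods_depend` declares `type update_modules_t;` but the body is `can_exec($1, update_modules_exec_t)`, so the dependency block does not name the exec type the interface actually references; it should be `type update_modules_exec_t;`. The insmod and depmod exec interfaces in this file have the same domain-for-exec-type slip, so all three are best corrected together.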
@@ -8,30 +8,30 @@ policy_module(modutils,1.0)
 # module loading config
 type modules_conf_t;
-files_make_file(modules_conf_t)
+files_file_type(modules_conf_t)
 # module dependencies
 type modules_dep_t;
-files_make_file(modules_dep_t)
+files_file_type(modules_dep_t)
 type insmod_t;
 type insmod_exec_t;
 kernel_userland_entry(insmod_t,insmod_exec_t)
-init_make_system_domain(insmod_t,insmod_exec_t)
+init_system_domain(insmod_t,insmod_exec_t)
 role system_r types insmod_t;
 type depmod_t;
 type depmod_exec_t;
-init_make_system_domain(depmod_t,depmod_exec_t)
+init_system_domain(depmod_t,depmod_exec_t)
 role system_r types depmod_t;
 type update_modules_t;
 type update_modules_exec_t;
-init_make_system_domain(update_modules_t,update_modules_exec_t)
+init_system_domain(update_modules_t,update_modules_exec_t)
 role system_r types update_modules_t;
 type update_modules_tmp_t;
-files_make_temporary_file(update_modules_tmp_t)
+files_tmp_file(update_modules_tmp_t)
 ########################################
 #
@@ -68,37 +68,37 @@ dev_rw_agp_dev(insmod_t)
 fs_getattr_xattr_fs(insmod_t)
-corecommands_execute_general_programs(insmod_t)
-corecommands_execute_system_programs(insmod_t)
-corecommands_execute_shell(insmod_t)
+corecmd_exec_bin(insmod_t)
+corecmd_exec_sbin(insmod_t)
+corecmd_exec_shell(insmod_t)
 domain_signal_all_domains(insmod_t)
-domain_use_widely_inheritable_file_descriptors(insmod_t)
+domain_use_wide_inherit_fd(insmod_t)
-files_read_runtime_system_config(insmod_t)
-files_read_general_system_config(insmod_t)
-files_read_general_application_resources(insmod_t)
-files_execute_system_config_script(insmod_t)
+files_read_etc_runtime_files(insmod_t)
+files_read_generic_etc_files(insmod_t)
+files_read_usr_files(insmod_t)
+files_exec_generic_etc_files(insmod_t)
 # for nscd:
-files_ignore_search_runtime_data_directory(insmod_t)
+files_dontaudit_search_pids(insmod_t)
 # for when /var is not mounted early in the boot:
-files_ignore_search_isid_type_dir(insmod_t)
+files_dontaudit_search_isid_type_dir(insmod_t)
-init_use_control_channel(insmod_t)
-init_use_file_descriptors(insmod_t)
-init_script_use_file_descriptors(insmod_t)
-init_script_use_pseudoterminal(insmod_t)
+init_use_initctl(insmod_t)
+init_use_fd(insmod_t)
+init_use_script_fd(insmod_t)
+init_use_script_pty(insmod_t)
-libraries_use_dynamic_loader(insmod_t)
-libraries_use_shared_libraries(insmod_t)
+libs_use_ld_so(insmod_t)
+libs_use_shared_libs(insmod_t)
-logging_send_system_log_message(insmod_t)
-logging_search_system_log_directory(insmod_t)
+logging_send_syslog_msg(insmod_t)
+logging_search_logs(insmod_t)
 miscfiles_read_localization(insmod_t)
 optional_policy(`mount.te',`
- mount_transition(insmod_t)
+ mount_domtrans(insmod_t)
 ')
 ifdef(`TODO',`
@@ -138,18 +138,18 @@ term_use_console(depmod_t)
 bootloader_read_kernel_symbol_table(depmod_t)
 bootloader_read_kernel_modules(depmod_t)
-init_use_file_descriptors(depmod_t)
-init_script_use_file_descriptors(depmod_t)
-init_script_use_pseudoterminal(depmod_t)
+init_use_fd(depmod_t)
+init_use_script_fd(depmod_t)
+init_use_script_pty(depmod_t)
-domain_use_widely_inheritable_file_descriptors(depmod_t)
+domain_use_wide_inherit_fd(depmod_t)
-files_read_runtime_system_config(depmod_t)
-files_read_general_system_config(depmod_t)
-files_read_system_source_code(depmod_t)
+files_read_etc_runtime_files(depmod_t)
+files_read_generic_etc_files(depmod_t)
+files_read_usr_src(depmod_t)
-libraries_use_dynamic_loader(depmod_t)
-libraries_use_shared_libraries(depmod_t)
+libs_use_ld_so(depmod_t)
+libs_use_shared_libs(depmod_t)
 ifdef(`TODO',`
@@ -177,14 +177,14 @@ can_exec(update_modules_t, update_modules_exec_t)
 # manage module loading configuration
 allow update_modules_t modules_conf_t:file create_file_perms;
 bootloader_create_private_module_dir_entry(update_modules_t,modules_conf_t)
-files_create_private_config(update_modules_t,modules_conf_t)
+files_create_etc_config(update_modules_t,modules_conf_t)
 # transition to depmod
 domain_auto_trans(update_modules_t, depmod_exec_t, depmod_t)
 allow update_modules_t update_modules_tmp_t:dir create_dir_perms;
 allow update_modules_t update_modules_tmp_t:file create_file_perms;
-files_create_private_tmp_data(update_modules_t, update_modules_tmp_t, { file dir })
+files_create_tmp_files(update_modules_t, update_modules_tmp_t, { file dir })
 kernel_read_kernel_sysctl(update_modules_t)
 kernel_read_system_state(update_modules_t)
@@ -195,24 +195,24 @@ fs_getattr_xattr_fs(update_modules_t) term_use_console(update_modules_t) -init_use_file_descriptors(depmod_t) -init_script_use_file_descriptors(depmod_t) -init_script_use_pseudoterminal(depmod_t) +init_use_fd(depmod_t) +init_use_script_fd(depmod_t) +init_use_script_pty(depmod_t) -domain_use_widely_inheritable_file_descriptors(depmod_t) +domain_use_wide_inherit_fd(depmod_t) -files_read_runtime_system_config(update_modules_t) -files_read_general_system_config(update_modules_t) -files_execute_system_config_script(update_modules_t) +files_read_etc_runtime_files(update_modules_t) +files_read_generic_etc_files(update_modules_t) +files_exec_generic_etc_files(update_modules_t) -corecommands_execute_general_programs(update_modules_t) -corecommands_execute_system_programs(update_modules_t) -corecommands_execute_shell(update_modules_t) +corecmd_exec_bin(update_modules_t) +corecmd_exec_sbin(update_modules_t) +corecmd_exec_shell(update_modules_t) -libraries_use_dynamic_loader(update_modules_t) -libraries_use_shared_libraries(update_modules_t) +libs_use_ld_so(update_modules_t) +libs_use_shared_libs(update_modules_t) -logging_send_system_log_message(update_modules_t) +logging_send_syslog_msg(update_modules_t) miscfiles_read_localization(update_modules_t) diff --git a/refpolicy/policy/modules/system/mount.if b/refpolicy/policy/modules/system/mount.if index c9b9228..69457c8 100644 --- a/refpolicy/policy/modules/system/mount.if +++ b/refpolicy/policy/modules/system/mount.if @@ -2,7 +2,7 @@ ## Policy for mount. ######################################## -## +## ## ## Execute mount in the mount domain. ## @@ -11,7 +11,7 @@ ## ## # -define(`mount_transition',` +define(`mount_domtrans',` requires_block_template(`$0'_depend) allow $1 mount_exec_t:file rx_file_perms; 
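Review bot: The four renamed calls `init_use_fd(depmod_t)`, `init_use_script_fd(depmod_t)`, `init_use_script_pty(depmod_t)` and `domain_use_wide_inherit_fd(depmod_t)` sit in the update_modules_t section (the hunk context is `fs_getattr_xattr_fs(update_modules_t)` and every other call around them targets update_modules_t), and the same four lines already appear in the depmod_t section in the previous hunk. This looks like a copy-and-paste that was never re-targeted, which would leave update_modules_t without the fd and pty access these calls are meant to grant while duplicating rules depmod_t already has. The rename preserved the argument rather than questioning it; I would re-target the four lines to update_modules_t.
```m4
term_use_console(update_modules_t)

init_use_fd(update_modules_t)
init_use_script_fd(update_modules_t)
init_use_script_pty(update_modules_t)

domain_use_wide_inherit_fd(update_modules_t)

# … unchanged: files_, corecmd_, libs_, logging_ and miscfiles_ calls for update_modules_t …
```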
@@ -25,7 +25,7 @@ define(`mount_transition',` allow mount_t $1:process sigchld; ') -define(`mount_transition_depend',` +define(`mount_domtrans_depend',` type mount_t, mount_exec_t; class file rx_file_perms; @@ -35,7 +35,7 @@ define(`mount_transition_depend',` ') ######################################## -## +## ## ## Execute mount in the mount domain, and ## allow the specified role the mount domain, @@ -52,22 +52,22 @@ define(`mount_transition_depend',` ## ## # -define(`mount_transition_add_role_use_terminal',` +define(`mount_run',` requires_block_template(`$0'_depend) - mount_transition($1) + mount_domtrans($1) role $2 types mount_t; allow mount_t $3:chr_file rw_file_perms; ') -define(`mount_transition_add_role_use_terminal_depend',` +define(`mount_run_depend',` type mount_t; class chr_file rw_file_perms; ') ######################################## -## +## ## ## Use file descriptors for mount. ## @@ -76,13 +76,13 @@ define(`mount_transition_add_role_use_terminal_depend',` ## ## # -define(`mount_use_file_descriptors',` +define(`mount_use_fd',` requires_block_template(`$0'_depend) allow $1 mount_t:fd use; ') -define(`mount_use_file_descriptors_depend',` +define(`mount_use_fd_depend',` type mount_t; class fd use; diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te index aaa9565..8e9737b 100644 --- a/refpolicy/policy/modules/system/mount.te +++ b/refpolicy/policy/modules/system/mount.te @@ -1,11 +1,11 @@ type mount_t; type mount_exec_t; -init_make_system_domain(mount_t,mount_exec_t) +init_system_domain(mount_t,mount_exec_t) role system_r types mount_t; type mount_tmp_t; -files_make_temporary_file(mount_tmp_t) +files_tmp_file(mount_tmp_t) ######################################## # 
@@ -16,7 +16,7 @@ allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown allow mount_t mount_tmp_t:file create_file_perms; allow mount_t mount_tmp_t:dir create_dir_perms; -files_create_private_tmp_data(mount_t,mount_tmp_t,{ file dir }) +files_create_tmp_files(mount_t,mount_tmp_t,{ file dir }) kernel_read_system_state(mount_t) kernel_dontaudit_use_fd(mount_t) 
@@ -41,39 +41,39 @@ fs_relabelfrom_xattr_fs(mount_t) term_use_console(mount_t) # required for mount.smbfs -corecommands_execute_system_programs(mount_t) -corecommands_execute_general_programs(mount_t) +corecmd_exec_sbin(mount_t) +corecmd_exec_bin(mount_t) -domain_use_widely_inheritable_file_descriptors(mount_t) +domain_use_wide_inherit_fd(mount_t) -files_search_all_directories(mount_t) -files_read_general_system_config(mount_t) -files_manage_runtime_system_config(mount_t) -files_mount_on_all_mountpoints(mount_t) -files_unmount_root_fs(mount_t) +files_search_all_dirs(mount_t) +files_read_generic_etc_files(mount_t) +files_manage_etc_runtime_files(mount_t) +files_mounton_all_mountpoints(mount_t) +files_unmount_rootfs(mount_t) # These rules need to be generalized. Only admin, initrc should have it: files_relabelto_all_file_type_fs(mount_t) files_mount_all_file_type_fs(mount_t) files_mount_all_file_type_fs(mount_t) -init_use_file_descriptors(mount_t) -init_script_use_pseudoterminal(mount_t) +init_use_fd(mount_t) +init_use_script_pty(mount_t) -libraries_use_dynamic_loader(mount_t) -libraries_use_shared_libraries(mount_t) +libs_use_ld_so(mount_t) +libs_use_shared_libs(mount_t) -logging_send_system_log_message(mount_t) +logging_send_syslog_msg(mount_t) miscfiles_read_localization(mount_t) -userdomain_use_all_users_file_descriptors(mount_t) +userdom_use_all_user_fd(mount_t) ifdef(`distro_redhat',` fs_use_tmpfs_character_devices(mount_t) allow mount_t tmpfs_t:dir mounton; optional_policy(`authlogin.te',` - authlogin_pam_console_read_runtime_data(mount_t) + auth_read_pam_console_data(mount_t) # mount config by default sets fscontext=removable_t fs_relabelfrom_dos_fs(mount_t) ') @@ -103,7 +103,7 @@ optional_policy(`portmap.te', ` ifdef(`TODO',` # this goes to the nfs/rpc module -files_make_mountpoint(var_lib_nfs_t) +files_mountpoint(var_lib_nfs_t) # TODO: Need to examine this further. Not sure how to handle this #type sysadm_mount_source_t, file_type, sysadmfile, $1_file_type; 
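Review bot: `files_mount_all_file_type_fs(mount_t)` is listed twice in a row under the `# These rules need to be generalized` comment; one of the two lines should be dropped so the rename does not carry the duplicate forward. The comment itself says that relabelto and mount on every file type should be limited to admin and initrc, and this commit leaves mount_t with those broad grants, so it may be worth tracking that restriction as a separate follow-up rather than letting the TODO sit in the renamed file.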
diff --git a/refpolicy/policy/modules/system/selinux.if b/refpolicy/policy/modules/system/selinux.if index f3defc7..78fbf0d 100644 --- a/refpolicy/policy/modules/system/selinux.if +++ b/refpolicy/policy/modules/system/selinux.if @@ -2,7 +2,7 @@ ## Policy for SELinux policy and userland applications. ####################################### -## +## ## ## Execute checkpolicy in the checkpolicy domain. ## @@ -11,7 +11,7 @@ ## ## # -define(`selinux_checkpolicy_transition',` +define(`selinux_domtrans_checkpol',` requires_block_template(`$0'_depend) allow $1 checkpolicy_exec_t:file rx_file_perms; @@ -25,7 +25,7 @@ define(`selinux_checkpolicy_transition',` allow checkpolicy_t $1:process sigchld; ') -define(`selinux_checkpolicy_transition_depend',` +define(`selinux_domtrans_checkpol_depend',` type checkpolicy_t, checkpolicy_exec_t; class file rx_file_perms @@ -35,7 +35,7 @@ define(`selinux_checkpolicy_transition_depend',` ') ######################################## -## +## ## ## Execute checkpolicy in the checkpolicy domain, and ## allow the specified role the checkpolicy domain, @@ -53,15 +53,15 @@ define(`selinux_checkpolicy_transition_depend',` ## ## # -define(`selinux_checkpolicy_transition_add_role_use_terminal',` +define(`selinux_run_checkpol',` requires_block_template(`$0'_depend) - selinux_checkpolicy_transition($1) + selinux_domtrans_checkpol($1) role $2 types checkpolicy_t; allow checkpolicy_t $3:chr_file { getattr read write ioctl }; ') -define(`selinux_checkpolicy_transition_add_role_use_terminal_depend',` +define(`selinux_run_checkpol_depend',` type checkpolicy_t; class chr_file { getattr read write ioctl }; 
@@ -69,22 +69,22 @@ define(`selinux_checkpolicy_transition_add_role_use_terminal_depend',` ####################################### # -# selinux_checkpolicy_execute(domain) +# selinux_exec_checkpol(domain) # -define(`selinux_checkpolicy_execute',` +define(`selinux_exec_checkpol',` requires_block_template(`$0'_depend) can_exec($1,checkpolicy_exec_t) ') -define(`selinux_checkpolicy_execute_depend',` +define(`selinux_exec_checkpol_depend',` type checkpolicy_exec_t; class file { rx_file_perms execute_no_trans }; ') ####################################### -## +## ## ## Execute load_policy in the load_policy domain. ## @@ -93,7 +93,7 @@ define(`selinux_checkpolicy_execute_depend',` ## ## # -define(`selinux_load_policy_transition',` +define(`selinux_domtrans_loadpol',` requires_block_template(`$0'_depend) allow $1 load_policy_exec_t:file rx_file_perms; @@ -107,7 +107,7 @@ define(`selinux_load_policy_transition',` allow load_policy_t $1:process sigchld; ') -define(`selinux_load_policy_transition_depend',` +define(`selinux_domtrans_loadpol_depend',` type load_policy_t, load_policy_exec_t; class file rx_file_perms; @@ -117,7 +117,7 @@ define(`selinux_load_policy_transition_depend',` ') ######################################## -## +## ## ## Execute load_policy in the load_policy domain, and ## allow the specified role the load_policy domain, @@ -135,15 +135,15 @@ define(`selinux_load_policy_transition_depend',` ## ## # -define(`selinux_load_policy_transition_add_role_use_terminal',` +define(`selinux_run_loadpol',` requires_block_template(`$0'_depend) - selinux_load_policy_transition($1) + selinux_domtrans_loadpol($1) role $2 types load_policy_t; allow load_policy_t $3:chr_file { getattr read write ioctl }; ') -define(`selinux_load_policy_transition_add_role_use_terminal_depend',` +define(`selinux_run_loadpol_depend',` type load_policy_t; class chr_file { getattr read write ioctl }; 
@@ -151,15 +151,15 @@ define(`selinux_load_policy_transition_add_role_use_terminal_depend',` ####################################### # -# selinux_load_policy_execute(domain) +# selinux_exec_loadpol(domain) # -define(`selinux_load_policy_execute',` +define(`selinux_exec_loadpol',` requires_block_template(`$0'_depend) can_exec($1,load_policy_exec_t) ') -define(`selinux_load_policy_execute_depend',` +define(`selinux_exec_loadpol_depend',` type load_policy_exec_t; class file { rx_file_perms execute_no_trans }; @@ -167,22 +167,22 @@ define(`selinux_load_policy_execute_depend',` ####################################### # -# selinux_read_load_policy_binary(domain) +# selinux_read_loadpol(domain) # -define(`selinux_read_load_policy_binary',` +define(`selinux_read_loadpol',` requires_block_template(`$0'_depend) allow $1 load_policy_exec_t:file r_file_perms; ') -define(`selinux_read_load_policy_binary_depend',` +define(`selinux_read_loadpol_depend',` type load_policy_exec_t; class file r_file_perms ') ####################################### -## +## ## ## Execute newrole in the load_policy domain. ## @@ -191,7 +191,7 @@ define(`selinux_read_load_policy_binary_depend',` ## ## # -define(`selinux_newrole_transition',` +define(`selinux_domtrans_newrole',` requires_block_template(`$0'_depend) allow $1 newrole_exec_t:file rx_file_perms; @@ -205,7 +205,7 @@ define(`selinux_newrole_transition',` allow newrole_t $1:process sigchld; ') -define(`selinux_newrole_transition_depend',` +define(`selinux_domtrans_newrole_depend',` type newrole_t, newrole_exec_t; class file rx_file_perms; @@ -215,7 +215,7 @@ define(`selinux_newrole_transition_depend',` ') ######################################## -## +## ## ## Execute newrole in the newrole domain, and ## allow the specified role the newrole domain, 
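Review bot: The interface summary for the renamed `selinux_domtrans_newrole` still reads `## Execute newrole in the load_policy domain.`, which contradicts the body of the macro (the transition target is newrole_t, per the `allow newrole_t $1:process sigchld;` context line in the following hunk). It should read `## Execute newrole in the newrole domain.`. The same wrong summary appears in the selinuxutil.if copy of this hunk further down the diff.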
@@ -232,15 +232,15 @@ define(`selinux_newrole_transition_depend',` ## ## # -define(`selinux_newrole_transition_add_role_use_terminal',` +define(`selinux_run_newrole',` requires_block_template(`$0'_depend) - selinux_newrole_transition($1) + selinux_domtrans_newrole($1) role $2 types newrole_t; allow newrole_t $3:chr_file { getattr read write ioctl }; ') -define(`selinux_newrole_transition_add_role_use_terminal_depend',` +define(`selinux_run_newrole_depend',` type newrole_t; class chr_file { getattr read write ioctl }; @@ -248,22 +248,22 @@ define(`selinux_newrole_transition_add_role_use_terminal_depend',` ####################################### # -# selinux_newrole_execute(domain) +# selinux_exec_newrole(domain) # -define(`selinux_newrole_execute',` +define(`selinux_exec_newrole',` requires_block_template(`$0'_depend) can_exec($1,newrole_exec_t) ') -define(`selinux_newrole_execute_depend',` +define(`selinux_exec_newrole_depend',` type newrole_t, newrole_exec_t; class file { rx_file_perms execute_no_trans }; ') ######################################## -## +## ## ## Do not audit the caller attempts to send ## a signal to newrole. @@ -273,13 +273,13 @@ define(`selinux_newrole_execute_depend',` ## ## # -define(`selinux_newrole_ignore_signal',` +define(`selinux_dontaudit_newrole_signal',` requires_block_template(`$0'_depend) dontaudit $1 newrole_t:process signal; ') -define(`selinux_newrole_ignore_signal_depend',` +define(`selinux_dontaudit_newrole_signal_depend',` type newrole_t; class process signal; 
@@ -303,22 +303,22 @@ define(`selinux_newrole_sigchld_depend',` ####################################### # -# selinux_newrole_use_file_descriptors(domain) +# selinux_use_newrole_fd(domain) # -define(`selinux_newrole_use_file_descriptors',` +define(`selinux_use_newrole_fd',` requires_block_template(`$0'_depend) allow $1 newrole_t:fd use; ') -define(`selinux_newrole_use_file_descriptors_depend',` +define(`selinux_use_newrole_fd_depend',` type newrole_t; class fd use; ') ####################################### -## +## ## ## Execute restorecon in the restorecon domain. ## @@ -327,7 +327,7 @@ define(`selinux_newrole_use_file_descriptors_depend',` ## ## # -define(`selinux_restorecon_transition',` +define(`selinux_domtrans_restorecon',` requires_block_template(`$0'_depend) allow $1 restorecon_exec_t:file rx_file_perms; @@ -341,7 +341,7 @@ define(`selinux_restorecon_transition',` allow restorecon_t $1:process sigchld; ') -define(`selinux_restorecon_transition_depend',` +define(`selinux_domtrans_restorecon_depend',` type restorecon_t, restorecon_exec_t; class file rx_file_perms; @@ -351,7 +351,7 @@ define(`selinux_restorecon_transition_depend',` ') ######################################## -## +## ## ## Execute restorecon in the restorecon domain, and ## allow the specified role the restorecon domain, @@ -368,15 +368,15 @@ define(`selinux_restorecon_transition_depend',` ## ## # -define(`selinux_restorecon_transition_add_role_use_terminal',` +define(`selinux_run_restorecon',` requires_block_template(`$0'_depend) - selinux_restorecon_transition($1) + selinux_domtrans_restorecon($1) role $2 types restorecon_t; allow restorecon_t $3:chr_file { getattr read write ioctl }; ') -define(`selinux_restorecon_transition_add_role_use_terminal_depend',` +define(`selinux_run_restorecon_depend',` type restorecon_t; class chr_file { getattr read write ioctl }; 
@@ -384,21 +384,21 @@ define(`selinux_restorecon_transition_add_role_use_terminal_depend',` ####################################### # -# selinux_restorecon_execute(domain) +# selinux_exec_restorecon(domain) # -define(`selinux_restorecon_execute',` +define(`selinux_exec_restorecon',` requires_block_template(`$0'_depend) can_exec($1,restorecon_exec_t) ') -define(`selinux_restorecon_execute_depend',` +define(`selinux_exec_restorecon_depend',` type restorecon_t, restorecon_exec_t; class file { rx_file_perms execute_no_trans }; ') ######################################## -## +## ## ## Execute run_init in the run_init domain. ## @@ -407,7 +407,7 @@ define(`selinux_restorecon_execute_depend',` ## ## # -define(`selinux_run_init_transition',` +define(`selinux_domtrans_runinit',` requires_block_template(`$0'_depend) allow $1 run_init_exec_t:file rx_file_perms; @@ -421,7 +421,7 @@ define(`selinux_run_init_transition',` allow run_init_t $1:process sigchld; ') -define(`selinux_run_init_transition_depend',` +define(`selinux_domtrans_runinit_depend',` type run_init_t, run_init_exec_t; class file rx_file_perms; @@ -431,7 +431,7 @@ define(`selinux_run_init_transition_depend',` ') ######################################## -## +## ## ## Execute run_init in the run_init domain, and ## allow the specified role the run_init domain, @@ -448,15 +448,15 @@ define(`selinux_run_init_transition_depend',` ## ## # -define(`selinux_run_init_transition_add_role_use_terminal',` +define(`selinux_run_runinit',` requires_block_template(`$0'_depend) - selinux_run_init_transition($1) + selinux_domtrans_runinit($1) role $2 types run_init_t; allow run_init_t $3:chr_file { getattr read write ioctl }; ') -define(`selinux_run_init_transition_add_role_use_terminal_depend',` +define(`selinux_run_runinit_depend',` type run_init_t; class chr_file { getattr read write ioctl }; 
@@ -464,22 +464,22 @@ define(`selinux_run_init_transition_add_role_use_terminal_depend',` ######################################## # -# selinux_run_init_use_file_descriptors(domain) +# selinux_use_runinit_fd(domain) # -define(`selinux_run_init_use_file_descriptors',` +define(`selinux_use_runinit_fd',` requires_block_template(`$0'_depend) allow $1 run_init_t:fd use; ') -define(`selinux_run_init_use_file_descriptors_depend',` +define(`selinux_use_runinit_fd_depend',` type run_init_t; class fd use; ') ######################################## -## +## ## ## Execute setfiles in the setfiles domain. ## @@ -488,7 +488,7 @@ define(`selinux_run_init_use_file_descriptors_depend',` ## ## # -define(`selinux_setfiles_transition',` +define(`selinux_domtrans_setfiles',` requires_block_template(`$0'_depend) allow $1 setfiles_exec_t:file rx_file_perms; @@ -502,7 +502,7 @@ define(`selinux_setfiles_transition',` allow setfiles_t $1:process sigchld; ') -define(`selinux_setfiles_transition_depend',` +define(`selinux_domtrans_setfiles_depend',` type setfiles_t, setfiles_exec_t; class file rx_file_perms; @@ -512,7 +512,7 @@ define(`selinux_setfiles_transition_depend',` ') ######################################## -## +## ## ## Execute setfiles in the setfiles domain, and ## allow the specified role the setfiles domain, @@ -529,15 +529,15 @@ define(`selinux_setfiles_transition_depend',` ## ## # -define(`selinux_setfiles_transition_add_role_use_terminal',` +define(`selinux_run_setfiles',` requires_block_template(`$0'_depend) - selinux_setfiles_transition($1) + selinux_domtrans_setfiles($1) role $2 types setfiles_t; allow setfiles_t $3:chr_file { getattr read write ioctl }; ') -define(`selinux_setfiles_transition_add_role_use_terminal_depend',` +define(`selinux_run_setfiles_depend',` type setfiles_t; class chr_file { getattr read write ioctl }; 
@@ -545,15 +545,15 @@ define(`selinux_setfiles_transition_add_role_use_terminal_depend',` ####################################### # -# selinux_setfiles_execute(domain) +# selinux_exec_setfiles(domain) # -define(`selinux_setfiles_execute',` +define(`selinux_exec_setfiles',` requires_block_template(`$0'_depend) can_exec($1,setfiles_exec_t) ') -define(`selinux_setfiles_execute_depend',` +define(`selinux_exec_setfiles_depend',` type setfiles_exec_t; class file { rx_file_perms execute_no_trans }; @@ -617,16 +617,16 @@ define(`selinux_read_file_contexts_depend',` ######################################## # -# selinux_read_binary_policy(domain) +# selinux_read_binary_pol(domain) # -define(`selinux_read_binary_policy',` +define(`selinux_read_binary_pol',` requires_block_template(`$0'_depend) allow $1 policy_config_t:dir r_dir_perms; allow $1 policy_config_t:file r_file_perms; ') -define(`selinux_read_binary_policy_depend',` +define(`selinux_read_binary_pol_depend',` type policy_config_t; class dir r_dir_perms; @@ -635,9 +635,9 @@ define(`selinux_read_binary_policy_depend',` ######################################## # -# selinux_write_binary_policy(domain) +# selinux_write_binary_pol(domain) # -define(`selinux_write_binary_policy',` +define(`selinux_write_binary_pol',` requires_block_template(`$0'_depend) allow $1 policy_config_t:dir rw_dir_perms; @@ -645,7 +645,7 @@ define(`selinux_write_binary_policy',` typeattribute $1 can_write_binary_policy; ') -define(`selinux_write_binary_policy_depend',` +define(`selinux_write_binary_pol_depend',` attribute can_write_binary_policy; type policy_config_t; @@ -655,7 +655,7 @@ define(`selinux_write_binary_policy_depend',` ') ######################################## -## +## ## ## Allow the caller to relabel a file to the binary policy type. ## 
@@ -664,14 +664,14 @@ define(`selinux_write_binary_policy_depend',` ## ## # -define(`selinux_relabelto_binary_policy',` +define(`selinux_relabelto_binary_pol',` requires_block_template(`$0'_depend) allow $1 policy_config_t:file relabelto; typeattribute $1 can_relabelto_binary_policy; ') -define(`selinux_relabelto_binary_policy_depend',` +define(`selinux_relabelto_binary_pol_depend',` attribute can_relabelto_binary_policy; type policy_config_t; @@ -681,9 +681,9 @@ define(`selinux_relabelto_binary_policy_depend',` ######################################## # -# selinux_manage_binary_policy(domain) +# selinux_manage_binary_pol(domain) # -define(`selinux_manage_binary_policy',` +define(`selinux_manage_binary_pol',` requires_block_template(`$0'_depend) # FIXME: search etc_t:dir @@ -693,7 +693,7 @@ define(`selinux_manage_binary_policy',` typeattribute $1 can_write_binary_policy; ') -define(`selinux_manage_binary_policy_depend',` +define(`selinux_manage_binary_pol_depend',` attribute can_write_binary_policy; type selinux_config_t, policy_config_t; @@ -703,9 +703,9 @@ define(`selinux_manage_binary_policy_depend',` ######################################## # -# selinux_read_source_policy(domain) +# selinux_read_src_pol(domain) # -define(`selinux_read_source_policy',` +define(`selinux_read_src_pol',` requires_block_template(`$0'_depend) # FIXME: search etc_t:dir @@ -714,7 +714,7 @@ define(`selinux_read_source_policy',` allow $1 policy_src_t:file r_file_perms; ') -define(`selinux_read_source_policy_depend',` +define(`selinux_read_src_pol_depend',` type selinux_config_t, policy_src_t; class dir r_dir_perms; @@ -723,9 +723,9 @@ define(`selinux_read_source_policy_depend',` ######################################## # -# selinux_manage_source_policy(domain) +# selinux_manage_src_pol(domain) # -define(`selinux_manage_source_policy',` +define(`selinux_manage_src_pol',` requires_block_template(`$0'_depend) # FIXME: search etc_t:dir 
@@ -734,7 +734,7 @@ define(`selinux_manage_source_policy',` allow $1 policy_src_t:file create_file_perms; ') -define(`selinux_manage_source_policy_depend',` +define(`selinux_manage_src_pol_depend',` type selinux_config_t, policy_src_t; class dir create_dir_perms; diff --git a/refpolicy/policy/modules/system/selinux.te b/refpolicy/policy/modules/system/selinux.te index ab8e283..4926625 100644 --- a/refpolicy/policy/modules/system/selinux.te +++ b/refpolicy/policy/modules/system/selinux.te 
@@ -10,48 +10,48 @@ attribute can_write_binary_policy; attribute can_relabelto_binary_policy; type checkpolicy_t, can_write_binary_policy; -domain_make_domain(checkpolicy_t) +domain_type(checkpolicy_t) role system_r types checkpolicy_t; type checkpolicy_exec_t; -domain_make_entrypoint_file(checkpolicy_t,checkpolicy_exec_t) +domain_entry_file(checkpolicy_t,checkpolicy_exec_t) # # default_context_t is the type applied to # /etc/selinux/*/contexts/* # type default_context_t; -files_make_file(default_context_t) +files_file_type(default_context_t) # # file_context_t is the type applied to # /etc/selinux/*/contexts/files # type file_context_t; -files_make_file(file_context_t) +files_file_type(file_context_t) type load_policy_t; -domain_make_domain(load_policy_t) +domain_type(load_policy_t) role system_r types load_policy_t; type load_policy_exec_t; -domain_make_entrypoint_file(load_policy_t,load_policy_exec_t) +domain_entry_file(load_policy_t,load_policy_exec_t) type newrole_t; # nscd_client_domain, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl; -kernel_make_role_change_constraint_exception(newrole_t) -kernel_make_object_identity_change_constraint_exception(newrole_t) -domain_make_domain(newrole_t) -domain_make_file_descriptors_widely_inheritable(newrole_t) +kernel_role_change_exempt(newrole_t) +kernel_obj_id_change_exempt(newrole_t) +domain_type(newrole_t) +domain_wide_inherit_fd(newrole_t) type newrole_exec_t; -domain_make_entrypoint_file(newrole_t,newrole_exec_t) +domain_entry_file(newrole_t,newrole_exec_t) # # policy_config_t is the type of /etc/security/selinux/* # the security server policy configuration. # type policy_config_t; -files_make_file(policy_config_t) +files_file_type(policy_config_t) neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto; neverallow ~can_write_binary_policy policy_config_t:file { write append }; 
@@ -61,34 +61,34 @@ neverallow ~can_write_binary_policy policy_config_t:file { write append }; # files. # type policy_src_t; -files_make_file(policy_src_t) +files_file_type(policy_src_t) type restorecon_t, can_relabelto_binary_policy; type restorecon_exec_t; -kernel_make_object_identity_change_constraint_exception(restorecon_t) -init_make_system_domain(restorecon_t,restorecon_exec_t) +kernel_obj_id_change_exempt(restorecon_t) +init_system_domain(restorecon_t,restorecon_exec_t) role system_r types restorecon_t; type run_init_t; -domain_make_domain(run_init_t) +domain_type(run_init_t) type run_init_exec_t; -domain_make_entrypoint_file(run_init_t,run_init_exec_t) +domain_entry_file(run_init_t,run_init_exec_t) # # selinux_config_t is the type applied to # /etc/selinux/config # type selinux_config_t; -files_make_file(selinux_config_t) +files_file_type(selinux_config_t) type setfiles_t, can_relabelto_binary_policy; -kernel_make_object_identity_change_constraint_exception(setfiles_t) -domain_make_domain(setfiles_t) +kernel_obj_id_change_exempt(setfiles_t) +domain_type(setfiles_t) role system_r types setfiles_t; type setfiles_exec_t; -domain_make_entrypoint_file(setfiles_t,setfiles_exec_t) +domain_entry_file(setfiles_t,setfiles_exec_t) ######################################## # 
@@ -115,18 +115,18 @@ fs_getattr_xattr_fs(checkpolicy_t) term_use_console(checkpolicy_t) -domain_use_widely_inheritable_file_descriptors(checkpolicy_t) +domain_use_wide_inherit_fd(checkpolicy_t) # directory search permissions for path to source and binary policy files -files_search_general_system_config_directory(checkpolicy_t) +files_search_etc(checkpolicy_t) -init_use_file_descriptors(checkpolicy_t) -init_script_use_pseudoterminal(checkpolicy_t) +init_use_fd(checkpolicy_t) +init_use_script_pty(checkpolicy_t) -libraries_use_dynamic_loader(checkpolicy_t) -libraries_use_shared_libraries(checkpolicy_t) +libs_use_ld_so(checkpolicy_t) +libs_use_shared_libs(checkpolicy_t) -userdomain_use_all_users_file_descriptors(checkpolicy_t) +userdom_use_all_user_fd(checkpolicy_t) ifdef(`TODO',` # Read the devpts root directory. @@ -158,19 +158,19 @@ fs_getattr_xattr_fs(load_policy_t) term_use_console(load_policy_t) term_list_ptys(load_policy_t) -init_script_use_file_descriptors(load_policy_t) -init_script_use_pseudoterminal(load_policy_t) +init_use_script_fd(load_policy_t) +init_use_script_pty(load_policy_t) -domain_use_widely_inheritable_file_descriptors(load_policy_t) +domain_use_wide_inherit_fd(load_policy_t) -files_search_general_system_config_directory(load_policy_t) +files_search_etc(load_policy_t) -libraries_use_dynamic_loader(load_policy_t) -libraries_use_shared_libraries(load_policy_t) +libs_use_ld_so(load_policy_t) +libs_use_shared_libs(load_policy_t) miscfiles_read_localization(load_policy_t) -userdomain_use_all_users_file_descriptors(load_policy_t) +userdom_use_all_user_fd(load_policy_t) ######################################## # 
@@ -210,23 +210,23 @@ fs_getattr_xattr_fs(newrole_t) term_use_all_user_ttys(newrole_t) term_use_all_user_ptys(newrole_t) -authlogin_check_password_transition(newrole_t) +auth_domtrans_chk_passwd(newrole_t) -domain_use_widely_inheritable_file_descriptors(newrole_t) +domain_use_wide_inherit_fd(newrole_t) # Write to utmp. -init_script_modify_runtime_data(newrole_t) +init_rw_script_pid(newrole_t) -files_read_general_system_config(newrole_t) +files_read_generic_etc_files(newrole_t) -libraries_use_dynamic_loader(newrole_t) -libraries_use_shared_libraries(newrole_t) +libs_use_ld_so(newrole_t) +libs_use_shared_libs(newrole_t) -logging_send_system_log_message(newrole_t) +logging_send_syslog_msg(newrole_t) miscfiles_read_localization(newrole_t) -userdomain_use_all_unprivileged_users_file_descriptors(newrole_t) +userdom_use_unpriv_users_fd(newrole_t) ifdef(`TODO',` @@ -291,23 +291,23 @@ fs_getattr_xattr_fs(restorecon_t) term_use_unallocated_tty(restorecon_t) -init_use_file_descriptors(restorecon_t) -init_script_use_pseudoterminal(restorecon_t) +init_use_fd(restorecon_t) +init_use_script_pty(restorecon_t) -domain_use_widely_inheritable_file_descriptors(restorecon_t) +domain_use_wide_inherit_fd(restorecon_t) -files_read_runtime_system_config(restorecon_t) -files_read_general_system_config(restorecon_t) +files_read_etc_runtime_files(restorecon_t) +files_read_generic_etc_files(restorecon_t) -libraries_use_dynamic_loader(restorecon_t) -libraries_use_shared_libraries(restorecon_t) +libs_use_ld_so(restorecon_t) +libs_use_shared_libs(restorecon_t) -logging_send_system_log_message(restorecon_t) +logging_send_syslog_msg(restorecon_t) -userdomain_use_all_users_file_descriptors(restorecon_t) +userdom_use_all_user_fd(restorecon_t) optional_policy(`hotplug.te',` - hotplug_use_file_descriptors(restorecon_t) + hotplug_use_fd(restorecon_t) ') # relabeling rules 
@@ -315,9 +315,9 @@ kernel_relabel_unlabeled(restorecon_t) dev_relabel_all_dev_nodes(restorecon_t) files_relabel_all_files(restorecon_t) -files_read_all_directories(restorecon_t) +files_list_all_dirs(restorecon_t) # this is to satisfy the assertion: -authlogin_relabel_to_shadow_passwords(restorecon_t) +auth_relabelto_shadow(restorecon_t) ifdef(`distro_redhat', ` fs_use_tmpfs_character_devices(restorecon_t) @@ -363,34 +363,34 @@ ifdef(`targeted_policy',`',` fs_getattr_xattr_fs(run_init_t) - dev_dontaudit_list_all_nodes(run_init_t) + dev_dontaudit_list_all_dev_nodes(run_init_t) term_dontaudit_list_ptys(run_init_t) - authlogin_check_password_transition(run_init_t) - authlogin_ignore_read_shadow_passwords(run_init_t) + auth_domtrans_chk_passwd(run_init_t) + auth_dontaudit_read_shadow(run_init_t) - corecommands_execute_general_programs(run_init_t) - corecommands_execute_shell(run_init_t) + corecmd_exec_bin(run_init_t) + corecmd_exec_shell(run_init_t) - domain_use_widely_inheritable_file_descriptors(run_init_t) + domain_use_wide_inherit_fd(run_init_t) - files_read_general_system_config(run_init_t) - files_ignore_search_all_directories(run_init_t) + files_read_generic_etc_files(run_init_t) + files_dontaudit_search_all_dirs(run_init_t) - init_script_transition(run_init_t) + init_domtrans_script(run_init_t) # for utmp - init_script_modify_runtime_data(run_init_t) + init_rw_script_pid(run_init_t) - libraries_use_dynamic_loader(run_init_t) - libraries_use_shared_libraries(run_init_t) + libs_use_ld_so(run_init_t) + libs_use_shared_libs(run_init_t) selinux_read_config(run_init_t) selinux_read_default_contexts(run_init_t) miscfiles_read_localization(run_init_t) - logging_send_system_log_message(run_init_t) + logging_send_syslog_msg(run_init_t) ') dnl end ifdef targeted policy ifdef(`TODO',` 
@@ -398,7 +398,7 @@ ifdef(`TODO',` ifdef(`distro_gentoo', ` # Gentoo integrated run_init+open_init_pty-runscript: domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t) - domain_make_entrypoint_file(run_init_t,initrc_exec_t) + domain_entry_file(run_init_t,initrc_exec_t) ') ') dnl end TODO @@ -427,34 +427,33 @@ term_use_all_user_ttys(setfiles_t) term_use_all_user_ptys(setfiles_t) term_use_unallocated_tty(setfiles_t) -init_use_file_descriptors(setfiles_t) -init_script_use_file_descriptors(setfiles_t) -init_script_use_pseudoterminal(setfiles_t) +init_use_fd(setfiles_t) +init_use_script_fd(setfiles_t) +init_use_script_pty(setfiles_t) -domain_use_widely_inheritable_file_descriptors(setfiles_t) +domain_use_wide_inherit_fd(setfiles_t) -libraries_use_dynamic_loader(setfiles_t) -libraries_use_shared_libraries(setfiles_t) +libs_use_ld_so(setfiles_t) +libs_use_shared_libs(setfiles_t) -files_read_runtime_system_config(setfiles_t) -files_read_general_system_config(setfiles_t) +files_read_etc_runtime_files(setfiles_t) +files_read_generic_etc_files(setfiles_t) -logging_send_system_log_message(setfiles_t) +logging_send_syslog_msg(setfiles_t) miscfiles_read_localization(setfiles_t) -userdomain_use_all_users_file_descriptors(setfiles_t) +userdom_use_all_user_fd(setfiles_t) # for config files in a home directory -userdomain_read_all_users_data(setfiles_t) +userdom_read_all_user_data(setfiles_t) # relabeling rules kernel_relabel_unlabeled(setfiles_t) dev_relabel_all_dev_nodes(setfiles_t) - -files_read_all_directories(setfiles_t) +files_list_all_dirs(setfiles_t) files_relabel_all_files(setfiles_t) # this is to satisfy the assertion: -authlogin_relabel_to_shadow_passwords(setfiles_t) +auth_relabelto_shadow(setfiles_t) ifdef(`TODO',` # for upgrading glibc and other shared objects - without this the upgrade diff --git a/refpolicy/policy/modules/system/selinuxutil.if b/refpolicy/policy/modules/system/selinuxutil.if index f3defc7..78fbf0d 100644 
--- a/refpolicy/policy/modules/system/selinuxutil.if +++ b/refpolicy/policy/modules/system/selinuxutil.if @@ -2,7 +2,7 @@ ## Policy for SELinux policy and userland applications. ####################################### -## +## ## ## Execute checkpolicy in the checkpolicy domain. ## @@ -11,7 +11,7 @@ ## ## # -define(`selinux_checkpolicy_transition',` +define(`selinux_domtrans_checkpol',` requires_block_template(`$0'_depend) allow $1 checkpolicy_exec_t:file rx_file_perms; @@ -25,7 +25,7 @@ define(`selinux_checkpolicy_transition',` allow checkpolicy_t $1:process sigchld; ') -define(`selinux_checkpolicy_transition_depend',` +define(`selinux_domtrans_checkpol_depend',` type checkpolicy_t, checkpolicy_exec_t; class file rx_file_perms @@ -35,7 +35,7 @@ define(`selinux_checkpolicy_transition_depend',` ') ######################################## -## +## ## ## Execute checkpolicy in the checkpolicy domain, and ## allow the specified role the checkpolicy domain, @@ -53,15 +53,15 @@ define(`selinux_checkpolicy_transition_depend',` ## ## # -define(`selinux_checkpolicy_transition_add_role_use_terminal',` +define(`selinux_run_checkpol',` requires_block_template(`$0'_depend) - selinux_checkpolicy_transition($1) + selinux_domtrans_checkpol($1) role $2 types checkpolicy_t; allow checkpolicy_t $3:chr_file { getattr read write ioctl }; ') -define(`selinux_checkpolicy_transition_add_role_use_terminal_depend',` +define(`selinux_run_checkpol_depend',` type checkpolicy_t; class chr_file { getattr read write ioctl }; 
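Review bot: The selinuxutil.if section carries the same blob ids as the selinux.if section earlier in this diff (`index f3defc7..78fbf0d` on both), and its hunks are line-for-line identical, so the commit appears to patch two copies of the same interface file. If both copies are picked up by the build, every `selinux_*` macro (for example `selinux_domtrans_checkpol`) is defined twice and the two files will drift on the next edit; one copy should presumably be removed, or a comment at the top of each should say which one is canonical if the duplication is a deliberate transition step.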
@@ -69,22 +69,22 @@ define(`selinux_checkpolicy_transition_add_role_use_terminal_depend',` ####################################### # -# selinux_checkpolicy_execute(domain) +# selinux_exec_checkpol(domain) # -define(`selinux_checkpolicy_execute',` +define(`selinux_exec_checkpol',` requires_block_template(`$0'_depend) can_exec($1,checkpolicy_exec_t) ') -define(`selinux_checkpolicy_execute_depend',` +define(`selinux_exec_checkpol_depend',` type checkpolicy_exec_t; class file { rx_file_perms execute_no_trans }; ') ####################################### -## +## ## ## Execute load_policy in the load_policy domain. ## @@ -93,7 +93,7 @@ define(`selinux_checkpolicy_execute_depend',` ## ## # -define(`selinux_load_policy_transition',` +define(`selinux_domtrans_loadpol',` requires_block_template(`$0'_depend) allow $1 load_policy_exec_t:file rx_file_perms; @@ -107,7 +107,7 @@ define(`selinux_load_policy_transition',` allow load_policy_t $1:process sigchld; ') -define(`selinux_load_policy_transition_depend',` +define(`selinux_domtrans_loadpol_depend',` type load_policy_t, load_policy_exec_t; class file rx_file_perms; @@ -117,7 +117,7 @@ define(`selinux_load_policy_transition_depend',` ') ######################################## -## +## ## ## Execute load_policy in the load_policy domain, and ## allow the specified role the load_policy domain, @@ -135,15 +135,15 @@ define(`selinux_load_policy_transition_depend',` ## ## # -define(`selinux_load_policy_transition_add_role_use_terminal',` +define(`selinux_run_loadpol',` requires_block_template(`$0'_depend) - selinux_load_policy_transition($1) + selinux_domtrans_loadpol($1) role $2 types load_policy_t; allow load_policy_t $3:chr_file { getattr read write ioctl }; ') -define(`selinux_load_policy_transition_add_role_use_terminal_depend',` +define(`selinux_run_loadpol_depend',` type load_policy_t; class chr_file { getattr read write ioctl }; 
@@ -151,15 +151,15 @@ define(`selinux_load_policy_transition_add_role_use_terminal_depend',` ####################################### # -# selinux_load_policy_execute(domain) +# selinux_exec_loadpol(domain) # -define(`selinux_load_policy_execute',` +define(`selinux_exec_loadpol',` requires_block_template(`$0'_depend) can_exec($1,load_policy_exec_t) ') -define(`selinux_load_policy_execute_depend',` +define(`selinux_exec_loadpol_depend',` type load_policy_exec_t; class file { rx_file_perms execute_no_trans }; @@ -167,22 +167,22 @@ define(`selinux_load_policy_execute_depend',` ####################################### # -# selinux_read_load_policy_binary(domain) +# selinux_read_loadpol(domain) # -define(`selinux_read_load_policy_binary',` +define(`selinux_read_loadpol',` requires_block_template(`$0'_depend) allow $1 load_policy_exec_t:file r_file_perms; ') -define(`selinux_read_load_policy_binary_depend',` +define(`selinux_read_loadpol_depend',` type load_policy_exec_t; class file r_file_perms ') ####################################### -## +## ## ## Execute newrole in the load_policy domain. ## @@ -191,7 +191,7 @@ define(`selinux_read_load_policy_binary_depend',` ## ## # -define(`selinux_newrole_transition',` +define(`selinux_domtrans_newrole',` requires_block_template(`$0'_depend) allow $1 newrole_exec_t:file rx_file_perms; @@ -205,7 +205,7 @@ define(`selinux_newrole_transition',` allow newrole_t $1:process sigchld; ') -define(`selinux_newrole_transition_depend',` +define(`selinux_domtrans_newrole_depend',` type newrole_t, newrole_exec_t; class file rx_file_perms; @@ -215,7 +215,7 @@ define(`selinux_newrole_transition_depend',` ') ######################################## -## +## ## ## Execute newrole in the newrole domain, and ## allow the specified role the newrole domain, 
@@ -232,15 +232,15 @@ define(`selinux_newrole_transition_depend',` ## ## # -define(`selinux_newrole_transition_add_role_use_terminal',` +define(`selinux_run_newrole',` requires_block_template(`$0'_depend) - selinux_newrole_transition($1) + selinux_domtrans_newrole($1) role $2 types newrole_t; allow newrole_t $3:chr_file { getattr read write ioctl }; ') -define(`selinux_newrole_transition_add_role_use_terminal_depend',` +define(`selinux_run_newrole_depend',` type newrole_t; class chr_file { getattr read write ioctl }; @@ -248,22 +248,22 @@ define(`selinux_newrole_transition_add_role_use_terminal_depend',` ####################################### # -# selinux_newrole_execute(domain) +# selinux_exec_newrole(domain) # -define(`selinux_newrole_execute',` +define(`selinux_exec_newrole',` requires_block_template(`$0'_depend) can_exec($1,newrole_exec_t) ') -define(`selinux_newrole_execute_depend',` +define(`selinux_exec_newrole_depend',` type newrole_t, newrole_exec_t; class file { rx_file_perms execute_no_trans }; ') ######################################## -## +## ## ## Do not audit the caller attempts to send ## a signal to newrole. @@ -273,13 +273,13 @@ define(`selinux_newrole_execute_depend',` ## ## # -define(`selinux_newrole_ignore_signal',` +define(`selinux_dontaudit_newrole_signal',` requires_block_template(`$0'_depend) dontaudit $1 newrole_t:process signal; ') -define(`selinux_newrole_ignore_signal_depend',` +define(`selinux_dontaudit_newrole_signal_depend',` type newrole_t; class process signal; 
@@ -303,22 +303,22 @@ define(`selinux_newrole_sigchld_depend',` ####################################### # -# selinux_newrole_use_file_descriptors(domain) +# selinux_use_newrole_fd(domain) # -define(`selinux_newrole_use_file_descriptors',` +define(`selinux_use_newrole_fd',` requires_block_template(`$0'_depend) allow $1 newrole_t:fd use; ') -define(`selinux_newrole_use_file_descriptors_depend',` +define(`selinux_use_newrole_fd_depend',` type newrole_t; class fd use; ') ####################################### -## +## ## ## Execute restorecon in the restorecon domain. ## @@ -327,7 +327,7 @@ define(`selinux_newrole_use_file_descriptors_depend',` ## ## # -define(`selinux_restorecon_transition',` +define(`selinux_domtrans_restorecon',` requires_block_template(`$0'_depend) allow $1 restorecon_exec_t:file rx_file_perms; @@ -341,7 +341,7 @@ define(`selinux_restorecon_transition',` allow restorecon_t $1:process sigchld; ') -define(`selinux_restorecon_transition_depend',` +define(`selinux_domtrans_restorecon_depend',` type restorecon_t, restorecon_exec_t; class file rx_file_perms; @@ -351,7 +351,7 @@ define(`selinux_restorecon_transition_depend',` ') ######################################## -## +## ## ## Execute restorecon in the restorecon domain, and ## allow the specified role the restorecon domain, @@ -368,15 +368,15 @@ define(`selinux_restorecon_transition_depend',` ## ## # -define(`selinux_restorecon_transition_add_role_use_terminal',` +define(`selinux_run_restorecon',` requires_block_template(`$0'_depend) - selinux_restorecon_transition($1) + selinux_domtrans_restorecon($1) role $2 types restorecon_t; allow restorecon_t $3:chr_file { getattr read write ioctl }; ') -define(`selinux_restorecon_transition_add_role_use_terminal_depend',` +define(`selinux_run_restorecon_depend',` type restorecon_t; class chr_file { getattr read write ioctl }; 
@@ -384,21 +384,21 @@ define(`selinux_restorecon_transition_add_role_use_terminal_depend',` ####################################### # -# selinux_restorecon_execute(domain) +# selinux_exec_restorecon(domain) # -define(`selinux_restorecon_execute',` +define(`selinux_exec_restorecon',` requires_block_template(`$0'_depend) can_exec($1,restorecon_exec_t) ') -define(`selinux_restorecon_execute_depend',` +define(`selinux_exec_restorecon_depend',` type restorecon_t, restorecon_exec_t; class file { rx_file_perms execute_no_trans }; ') ######################################## -## +## ## ## Execute run_init in the run_init domain. ## @@ -407,7 +407,7 @@ define(`selinux_restorecon_execute_depend',` ## ## # -define(`selinux_run_init_transition',` +define(`selinux_domtrans_runinit',` requires_block_template(`$0'_depend) allow $1 run_init_exec_t:file rx_file_perms; @@ -421,7 +421,7 @@ define(`selinux_run_init_transition',` allow run_init_t $1:process sigchld; ') -define(`selinux_run_init_transition_depend',` +define(`selinux_domtrans_runinit_depend',` type run_init_t, run_init_exec_t; class file rx_file_perms; @@ -431,7 +431,7 @@ define(`selinux_run_init_transition_depend',` ') ######################################## -## +## ## ## Execute run_init in the run_init domain, and ## allow the specified role the run_init domain, @@ -448,15 +448,15 @@ define(`selinux_run_init_transition_depend',` ## ## # -define(`selinux_run_init_transition_add_role_use_terminal',` +define(`selinux_run_runinit',` requires_block_template(`$0'_depend) - selinux_run_init_transition($1) + selinux_domtrans_runinit($1) role $2 types run_init_t; allow run_init_t $3:chr_file { getattr read write ioctl }; ') -define(`selinux_run_init_transition_add_role_use_terminal_depend',` +define(`selinux_run_runinit_depend',` type run_init_t; class chr_file { getattr read write ioctl }; 
@@ -464,22 +464,22 @@ define(`selinux_run_init_transition_add_role_use_terminal_depend',` ######################################## # -# selinux_run_init_use_file_descriptors(domain) +# selinux_use_runinit_fd(domain) # -define(`selinux_run_init_use_file_descriptors',` +define(`selinux_use_runinit_fd',` requires_block_template(`$0'_depend) allow $1 run_init_t:fd use; ') -define(`selinux_run_init_use_file_descriptors_depend',` +define(`selinux_use_runinit_fd_depend',` type run_init_t; class fd use; ') ######################################## -## +## ## ## Execute setfiles in the setfiles domain. ## @@ -488,7 +488,7 @@ define(`selinux_run_init_use_file_descriptors_depend',` ## ## # -define(`selinux_setfiles_transition',` +define(`selinux_domtrans_setfiles',` requires_block_template(`$0'_depend) allow $1 setfiles_exec_t:file rx_file_perms; @@ -502,7 +502,7 @@ define(`selinux_setfiles_transition',` allow setfiles_t $1:process sigchld; ') -define(`selinux_setfiles_transition_depend',` +define(`selinux_domtrans_setfiles_depend',` type setfiles_t, setfiles_exec_t; class file rx_file_perms; @@ -512,7 +512,7 @@ define(`selinux_setfiles_transition_depend',` ') ######################################## -## +## ## ## Execute setfiles in the setfiles domain, and ## allow the specified role the setfiles domain, @@ -529,15 +529,15 @@ define(`selinux_setfiles_transition_depend',` ## ## # -define(`selinux_setfiles_transition_add_role_use_terminal',` +define(`selinux_run_setfiles',` requires_block_template(`$0'_depend) - selinux_setfiles_transition($1) + selinux_domtrans_setfiles($1) role $2 types setfiles_t; allow setfiles_t $3:chr_file { getattr read write ioctl }; ') -define(`selinux_setfiles_transition_add_role_use_terminal_depend',` +define(`selinux_run_setfiles_depend',` type setfiles_t; class chr_file { getattr read write ioctl }; 
@@ -545,15 +545,15 @@ define(`selinux_setfiles_transition_add_role_use_terminal_depend',` ####################################### # -# selinux_setfiles_execute(domain) +# selinux_exec_setfiles(domain) # -define(`selinux_setfiles_execute',` +define(`selinux_exec_setfiles',` requires_block_template(`$0'_depend) can_exec($1,setfiles_exec_t) ') -define(`selinux_setfiles_execute_depend',` +define(`selinux_exec_setfiles_depend',` type setfiles_exec_t; class file { rx_file_perms execute_no_trans }; @@ -617,16 +617,16 @@ define(`selinux_read_file_contexts_depend',` ######################################## # -# selinux_read_binary_policy(domain) +# selinux_read_binary_pol(domain) # -define(`selinux_read_binary_policy',` +define(`selinux_read_binary_pol',` requires_block_template(`$0'_depend) allow $1 policy_config_t:dir r_dir_perms; allow $1 policy_config_t:file r_file_perms; ') -define(`selinux_read_binary_policy_depend',` +define(`selinux_read_binary_pol_depend',` type policy_config_t; class dir r_dir_perms; @@ -635,9 +635,9 @@ define(`selinux_read_binary_policy_depend',` ######################################## # -# selinux_write_binary_policy(domain) +# selinux_write_binary_pol(domain) # -define(`selinux_write_binary_policy',` +define(`selinux_write_binary_pol',` requires_block_template(`$0'_depend) allow $1 policy_config_t:dir rw_dir_perms; @@ -645,7 +645,7 @@ define(`selinux_write_binary_policy',` typeattribute $1 can_write_binary_policy; ') -define(`selinux_write_binary_policy_depend',` +define(`selinux_write_binary_pol_depend',` attribute can_write_binary_policy; type policy_config_t; @@ -655,7 +655,7 @@ define(`selinux_write_binary_policy_depend',` ') ######################################## -## +## ## ## Allow the caller to relabel a file to the binary policy type. ## 
@@ -664,14 +664,14 @@ define(`selinux_write_binary_policy_depend',` ## ## # -define(`selinux_relabelto_binary_policy',` +define(`selinux_relabelto_binary_pol',` requires_block_template(`$0'_depend) allow $1 policy_config_t:file relabelto; typeattribute $1 can_relabelto_binary_policy; ') -define(`selinux_relabelto_binary_policy_depend',` +define(`selinux_relabelto_binary_pol_depend',` attribute can_relabelto_binary_policy; type policy_config_t; @@ -681,9 +681,9 @@ define(`selinux_relabelto_binary_policy_depend',` ######################################## # -# selinux_manage_binary_policy(domain) +# selinux_manage_binary_pol(domain) # -define(`selinux_manage_binary_policy',` +define(`selinux_manage_binary_pol',` requires_block_template(`$0'_depend) # FIXME: search etc_t:dir @@ -693,7 +693,7 @@ define(`selinux_manage_binary_policy',` typeattribute $1 can_write_binary_policy; ') -define(`selinux_manage_binary_policy_depend',` +define(`selinux_manage_binary_pol_depend',` attribute can_write_binary_policy; type selinux_config_t, policy_config_t; @@ -703,9 +703,9 @@ define(`selinux_manage_binary_policy_depend',` ######################################## # -# selinux_read_source_policy(domain) +# selinux_read_src_pol(domain) # -define(`selinux_read_source_policy',` +define(`selinux_read_src_pol',` requires_block_template(`$0'_depend) # FIXME: search etc_t:dir @@ -714,7 +714,7 @@ define(`selinux_read_source_policy',` allow $1 policy_src_t:file r_file_perms; ') -define(`selinux_read_source_policy_depend',` +define(`selinux_read_src_pol_depend',` type selinux_config_t, policy_src_t; class dir r_dir_perms; @@ -723,9 +723,9 @@ define(`selinux_read_source_policy_depend',` ######################################## # -# selinux_manage_source_policy(domain) +# selinux_manage_src_pol(domain) # -define(`selinux_manage_source_policy',` +define(`selinux_manage_src_pol',` requires_block_template(`$0'_depend) # FIXME: search etc_t:dir 
@@ -734,7 +734,7 @@ define(`selinux_manage_source_policy',`
 allow $1 policy_src_t:file create_file_perms;
 ')
-define(`selinux_manage_source_policy_depend',`
+define(`selinux_manage_src_pol_depend',`
 type selinux_config_t, policy_src_t;
 class dir create_dir_perms;
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index ab8e283..4926625 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -10,48 +10,48 @@ attribute can_write_binary_policy;
 attribute can_relabelto_binary_policy;
 type checkpolicy_t, can_write_binary_policy;
-domain_make_domain(checkpolicy_t)
+domain_type(checkpolicy_t)
 role system_r types checkpolicy_t;
 type checkpolicy_exec_t;
-domain_make_entrypoint_file(checkpolicy_t,checkpolicy_exec_t)
+domain_entry_file(checkpolicy_t,checkpolicy_exec_t)
 #
 # default_context_t is the type applied to
 # /etc/selinux/*/contexts/*
 #
 type default_context_t;
-files_make_file(default_context_t)
+files_file_type(default_context_t)
 #
 # file_context_t is the type applied to
 # /etc/selinux/*/contexts/files
 #
 type file_context_t;
-files_make_file(file_context_t)
+files_file_type(file_context_t)
 type load_policy_t;
-domain_make_domain(load_policy_t)
+domain_type(load_policy_t)
 role system_r types load_policy_t;
 type load_policy_exec_t;
-domain_make_entrypoint_file(load_policy_t,load_policy_exec_t)
+domain_entry_file(load_policy_t,load_policy_exec_t)
 type newrole_t; # nscd_client_domain, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl;
-kernel_make_role_change_constraint_exception(newrole_t)
-kernel_make_object_identity_change_constraint_exception(newrole_t)
-domain_make_domain(newrole_t)
-domain_make_file_descriptors_widely_inheritable(newrole_t)
+kernel_role_change_exempt(newrole_t)
+kernel_obj_id_change_exempt(newrole_t)
+domain_type(newrole_t)
+domain_wide_inherit_fd(newrole_t)
 type newrole_exec_t;
-domain_make_entrypoint_file(newrole_t,newrole_exec_t)
+domain_entry_file(newrole_t,newrole_exec_t)
 #
 # policy_config_t is the type of /etc/security/selinux/*
 # the security server policy configuration.
 #
 type policy_config_t;
-files_make_file(policy_config_t)
+files_file_type(policy_config_t)
 neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto;
 neverallow ~can_write_binary_policy policy_config_t:file { write append };
@@ -61,34 +61,34 @@ neverallow ~can_write_binary_policy policy_config_t:file { write append };
 # files.
 #
 type policy_src_t;
-files_make_file(policy_src_t)
+files_file_type(policy_src_t)
 type restorecon_t, can_relabelto_binary_policy;
 type restorecon_exec_t;
-kernel_make_object_identity_change_constraint_exception(restorecon_t)
-init_make_system_domain(restorecon_t,restorecon_exec_t)
+kernel_obj_id_change_exempt(restorecon_t)
+init_system_domain(restorecon_t,restorecon_exec_t)
 role system_r types restorecon_t;
 type run_init_t;
-domain_make_domain(run_init_t)
+domain_type(run_init_t)
 type run_init_exec_t;
-domain_make_entrypoint_file(run_init_t,run_init_exec_t)
+domain_entry_file(run_init_t,run_init_exec_t)
 #
 # selinux_config_t is the type applied to
 # /etc/selinux/config
 #
 type selinux_config_t;
-files_make_file(selinux_config_t)
+files_file_type(selinux_config_t)
 type setfiles_t, can_relabelto_binary_policy;
-kernel_make_object_identity_change_constraint_exception(setfiles_t)
-domain_make_domain(setfiles_t)
+kernel_obj_id_change_exempt(setfiles_t)
+domain_type(setfiles_t)
 role system_r types setfiles_t;
 type setfiles_exec_t;
-domain_make_entrypoint_file(setfiles_t,setfiles_exec_t)
+domain_entry_file(setfiles_t,setfiles_exec_t)
 ########################################
 #
@@ -115,18 +115,18 @@ fs_getattr_xattr_fs(checkpolicy_t)
 term_use_console(checkpolicy_t)
-domain_use_widely_inheritable_file_descriptors(checkpolicy_t)
+domain_use_wide_inherit_fd(checkpolicy_t)
 # directory search permissions for path to source and binary policy files
-files_search_general_system_config_directory(checkpolicy_t)
+files_search_etc(checkpolicy_t)
-init_use_file_descriptors(checkpolicy_t)
-init_script_use_pseudoterminal(checkpolicy_t)
+init_use_fd(checkpolicy_t)
+init_use_script_pty(checkpolicy_t)
-libraries_use_dynamic_loader(checkpolicy_t)
-libraries_use_shared_libraries(checkpolicy_t)
+libs_use_ld_so(checkpolicy_t)
+libs_use_shared_libs(checkpolicy_t)
-userdomain_use_all_users_file_descriptors(checkpolicy_t)
+userdom_use_all_user_fd(checkpolicy_t)
 ifdef(`TODO',`
 # Read the devpts root directory.
@@ -158,19 +158,19 @@ fs_getattr_xattr_fs(load_policy_t)
 term_use_console(load_policy_t)
 term_list_ptys(load_policy_t)
-init_script_use_file_descriptors(load_policy_t)
-init_script_use_pseudoterminal(load_policy_t)
+init_use_script_fd(load_policy_t)
+init_use_script_pty(load_policy_t)
-domain_use_widely_inheritable_file_descriptors(load_policy_t)
+domain_use_wide_inherit_fd(load_policy_t)
-files_search_general_system_config_directory(load_policy_t)
+files_search_etc(load_policy_t)
-libraries_use_dynamic_loader(load_policy_t)
-libraries_use_shared_libraries(load_policy_t)
+libs_use_ld_so(load_policy_t)
+libs_use_shared_libs(load_policy_t)
 miscfiles_read_localization(load_policy_t)
-userdomain_use_all_users_file_descriptors(load_policy_t)
+userdom_use_all_user_fd(load_policy_t)
 ########################################
 #
@@ -210,23 +210,23 @@ fs_getattr_xattr_fs(newrole_t)
 term_use_all_user_ttys(newrole_t)
 term_use_all_user_ptys(newrole_t)
-authlogin_check_password_transition(newrole_t)
+auth_domtrans_chk_passwd(newrole_t)
-domain_use_widely_inheritable_file_descriptors(newrole_t)
+domain_use_wide_inherit_fd(newrole_t)
 # Write to utmp.
-init_script_modify_runtime_data(newrole_t)
+init_rw_script_pid(newrole_t)
-files_read_general_system_config(newrole_t)
+files_read_generic_etc_files(newrole_t)
-libraries_use_dynamic_loader(newrole_t)
-libraries_use_shared_libraries(newrole_t)
+libs_use_ld_so(newrole_t)
+libs_use_shared_libs(newrole_t)
-logging_send_system_log_message(newrole_t)
+logging_send_syslog_msg(newrole_t)
 miscfiles_read_localization(newrole_t)
-userdomain_use_all_unprivileged_users_file_descriptors(newrole_t)
+userdom_use_unpriv_users_fd(newrole_t)
 ifdef(`TODO',`
@@ -291,23 +291,23 @@ fs_getattr_xattr_fs(restorecon_t)
 term_use_unallocated_tty(restorecon_t)
-init_use_file_descriptors(restorecon_t)
-init_script_use_pseudoterminal(restorecon_t)
+init_use_fd(restorecon_t)
+init_use_script_pty(restorecon_t)
-domain_use_widely_inheritable_file_descriptors(restorecon_t)
+domain_use_wide_inherit_fd(restorecon_t)
-files_read_runtime_system_config(restorecon_t)
-files_read_general_system_config(restorecon_t)
+files_read_etc_runtime_files(restorecon_t)
+files_read_generic_etc_files(restorecon_t)
-libraries_use_dynamic_loader(restorecon_t)
-libraries_use_shared_libraries(restorecon_t)
+libs_use_ld_so(restorecon_t)
+libs_use_shared_libs(restorecon_t)
-logging_send_system_log_message(restorecon_t)
+logging_send_syslog_msg(restorecon_t)
-userdomain_use_all_users_file_descriptors(restorecon_t)
+userdom_use_all_user_fd(restorecon_t)
 optional_policy(`hotplug.te',`
- hotplug_use_file_descriptors(restorecon_t)
+ hotplug_use_fd(restorecon_t)
 ')
 # relabeling rules
@@ -315,9 +315,9 @@ kernel_relabel_unlabeled(restorecon_t)
 dev_relabel_all_dev_nodes(restorecon_t)
 files_relabel_all_files(restorecon_t)
-files_read_all_directories(restorecon_t)
+files_list_all_dirs(restorecon_t)
 # this is to satisfy the assertion:
-authlogin_relabel_to_shadow_passwords(restorecon_t)
+auth_relabelto_shadow(restorecon_t)
 ifdef(`distro_redhat', `
 fs_use_tmpfs_character_devices(restorecon_t)
@@ -363,34 +363,34 @@ ifdef(`targeted_policy',`',`
 fs_getattr_xattr_fs(run_init_t)
- dev_dontaudit_list_all_nodes(run_init_t)
+ dev_dontaudit_list_all_dev_nodes(run_init_t)
 term_dontaudit_list_ptys(run_init_t)
- authlogin_check_password_transition(run_init_t)
- authlogin_ignore_read_shadow_passwords(run_init_t)
+ auth_domtrans_chk_passwd(run_init_t)
+ auth_dontaudit_read_shadow(run_init_t)
- corecommands_execute_general_programs(run_init_t)
- corecommands_execute_shell(run_init_t)
+ corecmd_exec_bin(run_init_t)
+ corecmd_exec_shell(run_init_t)
- domain_use_widely_inheritable_file_descriptors(run_init_t)
+ domain_use_wide_inherit_fd(run_init_t)
- files_read_general_system_config(run_init_t)
- files_ignore_search_all_directories(run_init_t)
+ files_read_generic_etc_files(run_init_t)
+ files_dontaudit_search_all_dirs(run_init_t)
- init_script_transition(run_init_t)
+ init_domtrans_script(run_init_t)
 # for utmp
- init_script_modify_runtime_data(run_init_t)
+ init_rw_script_pid(run_init_t)
- libraries_use_dynamic_loader(run_init_t)
- libraries_use_shared_libraries(run_init_t)
+ libs_use_ld_so(run_init_t)
+ libs_use_shared_libs(run_init_t)
 selinux_read_config(run_init_t)
 selinux_read_default_contexts(run_init_t)
 miscfiles_read_localization(run_init_t)
- logging_send_system_log_message(run_init_t)
+ logging_send_syslog_msg(run_init_t)
 ') dnl end ifdef targeted policy
 ifdef(`TODO',`
@@ -398,7 +398,7 @@ ifdef(`TODO',`
 ifdef(`distro_gentoo', `
 # Gentoo integrated run_init+open_init_pty-runscript:
 domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
- domain_make_entrypoint_file(run_init_t,initrc_exec_t)
+ domain_entry_file(run_init_t,initrc_exec_t)
 ')
 ') dnl end TODO
@@ -427,34 +427,33 @@ term_use_all_user_ttys(setfiles_t)
 term_use_all_user_ptys(setfiles_t)
 term_use_unallocated_tty(setfiles_t)
-init_use_file_descriptors(setfiles_t)
-init_script_use_file_descriptors(setfiles_t)
-init_script_use_pseudoterminal(setfiles_t)
+init_use_fd(setfiles_t)
+init_use_script_fd(setfiles_t)
+init_use_script_pty(setfiles_t)
-domain_use_widely_inheritable_file_descriptors(setfiles_t)
+domain_use_wide_inherit_fd(setfiles_t)
-libraries_use_dynamic_loader(setfiles_t)
-libraries_use_shared_libraries(setfiles_t)
+libs_use_ld_so(setfiles_t)
+libs_use_shared_libs(setfiles_t)
-files_read_runtime_system_config(setfiles_t)
-files_read_general_system_config(setfiles_t)
+files_read_etc_runtime_files(setfiles_t)
+files_read_generic_etc_files(setfiles_t)
-logging_send_system_log_message(setfiles_t)
+logging_send_syslog_msg(setfiles_t)
 miscfiles_read_localization(setfiles_t)
-userdomain_use_all_users_file_descriptors(setfiles_t)
+userdom_use_all_user_fd(setfiles_t)
 # for config files in a home directory
-userdomain_read_all_users_data(setfiles_t)
+userdom_read_all_user_data(setfiles_t)
 # relabeling rules
 kernel_relabel_unlabeled(setfiles_t)
 dev_relabel_all_dev_nodes(setfiles_t)
-
-files_read_all_directories(setfiles_t)
+files_list_all_dirs(setfiles_t)
 files_relabel_all_files(setfiles_t)
 # this is to satisfy the assertion:
-authlogin_relabel_to_shadow_passwords(setfiles_t)
+auth_relabelto_shadow(setfiles_t)
 ifdef(`TODO',`
 # for upgrading glibc and other shared objects - without this the upgrade
diff --git a/refpolicy/policy/modules/system/sysnetwork.if b/refpolicy/policy/modules/system/sysnetwork.if
index 534e5f5..ae3481d 100644
--- a/refpolicy/policy/modules/system/sysnetwork.if +++ b/refpolicy/policy/modules/system/sysnetwork.if @@ -2,7 +2,7 @@ ## Policy for network configuration: ifconfig and dhcp client. ####################################### -## +## ## ## Execute dhcp client in dhcpc domain. ## @@ -11,7 +11,7 @@ ## ## # -define(`sysnetwork_dhcpc_transition',` +define(`sysnet_domtrans_dhcpc',` requires_block_template(`$0'_depend) domain_auto_trans($1, dhcpc_exec_t, dhcpc_t) @@ -22,7 +22,7 @@ define(`sysnetwork_dhcpc_transition',` allow dhcpc_t $1:process sigchld; ') -define(`sysnetwork_dhcpc_transition_depend',` +define(`sysnet_domtrans_dhcpc_depend',` type dhcpc_t, dhcpc_exec_t; class file { getattr read execute }; @@ -32,7 +32,7 @@ define(`sysnetwork_dhcpc_transition_depend',` ') ####################################### -## +## ## ## Execute ifconfig in the ifconfig domain. ## @@ -41,7 +41,7 @@ define(`sysnetwork_dhcpc_transition_depend',` ## ## # -define(`sysnetwork_ifconfig_transition',` +define(`sysnet_domtrans_ifconfig',` requires_block_template(`$0'_depend) domain_auto_trans($1, ifconfig_exec_t, ifconfig_t) @@ -52,7 +52,7 @@ define(`sysnetwork_ifconfig_transition',` allow ifconfig_t $1:process sigchld; ') -define(`sysnetwork_ifconfig_transition_depend',` +define(`sysnet_domtrans_ifconfig_depend',` type ifconfig_t, ifconfig_exec_t; class file { getattr read execute }; @@ -62,7 +62,7 @@ define(`sysnetwork_ifconfig_transition_depend',` ') ######################################## -## +## ## ## Execute ifconfig in the ifconfig domain, and ## allow the specified role the ifconfig domain, 
@@ -79,22 +79,22 @@ define(`sysnetwork_ifconfig_transition_depend',` ## ## # -define(`sysnetwork_ifconfig_transition_add_role_use_terminal',` +define(`sysnet_run_ifconfig',` requires_block_template(`$0'_depend) - sysnetwork_ifconfig_transition($1) + sysnet_domtrans_ifconfig($1) role $2 types ifconfig_t; allow ifconfig_t $3:chr_file { getattr read write ioctl }; ') -define(`sysnetwork_ifconfig_transition_add_role_use_terminal_depend',` +define(`sysnet_run_ifconfig_depend',` type ifconfig_t; class chr_file { getattr read write ioctl }; ') ####################################### -## +## ## ## Allow network init to read network config files. ## @@ -103,14 +103,14 @@ define(`sysnetwork_ifconfig_transition_add_role_use_terminal_depend',` ## ## # -define(`sysnetwork_read_network_config',` +define(`sysnet_read_config',` requires_block_template(`$0'_depend) - files_search_general_system_config_directory($1) + files_search_etc($1) allow $1 net_conf_t:file r_file_perms; ') -define(`sysnetwork_read_network_config_depend',` +define(`sysnet_read_config_depend',` type net_conf_t; class file r_file_perms; diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te index 13e5fb5..4b8e79d 100644 --- a/refpolicy/policy/modules/system/sysnetwork.te +++ b/refpolicy/policy/modules/system/sysnetwork.te 
@@ -9,33 +9,33 @@ policy_module(sysnetwork,1.0)
 # this is shared between dhcpc and dhcpd:
 type dhcp_etc_t; #, usercanread;
 typealias dhcp_etc_t alias { etc_dhcp_t etc_dhcpc_t etc_dhcpd_t };
-files_make_file(dhcp_etc_t)
+files_file_type(dhcp_etc_t)
 # this is shared between dhcpc and dhcpd:
 type dhcp_state_t;
-files_make_file(dhcp_state_t)
+files_file_type(dhcp_state_t)
 type dhcpc_t;
 type dhcpc_exec_t;
-init_make_daemon_domain(dhcpc_t,dhcpc_exec_t)
+init_daemon_domain(dhcpc_t,dhcpc_exec_t)
 role system_r types dhcpc_t;
 type dhcpc_state_t;
-files_make_file(dhcpc_state_t)
+files_file_type(dhcpc_state_t)
 type dhcpc_tmp_t;
-files_make_temporary_file(dhcpc_tmp_t)
+files_tmp_file(dhcpc_tmp_t)
 type dhcpc_var_run_t;
-files_make_daemon_runtime_file(dhcpc_var_run_t)
+files_pid_file(dhcpc_var_run_t)
 type ifconfig_t;
 type ifconfig_exec_t;
-init_make_system_domain(ifconfig_t, ifconfig_exec_t)
+init_system_domain(ifconfig_t, ifconfig_exec_t)
 role system_r types ifconfig_t;
 type net_conf_t alias resolv_conf_t;
-files_make_file(net_conf_t)
+files_file_type(net_conf_t)
 ########################################
 #
@@ -62,17 +62,17 @@ type_transition dhcpc_t dhcp_state_t:file dhcpc_state_t;
 # create pid file
 allow dhcpc_t dhcpc_var_run_t:file create_file_perms;
-files_create_daemon_runtime_data(dhcpc_t,dhcpc_var_run_t)
+files_create_pid(dhcpc_t,dhcpc_var_run_t)
 # Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files
 # in /etc created by dhcpcd will be labelled net_conf_t.
 allow dhcpc_t net_conf_t:file create_file_perms;
-files_create_private_config(dhcpc_t,net_conf_t,file)
+files_create_etc_config(dhcpc_t,net_conf_t,file)
 # create temp files
 allow dhcpc_t dhcpc_tmp_t:dir create_dir_perms;
 allow dhcpc_t dhcpc_tmp_t:file create_file_perms;
-files_create_private_tmp_data(dhcpc_t, dhcpc_tmp_t, { file dir })
+files_create_tmp_files(dhcpc_t, dhcpc_tmp_t, { file dir })
 can_exec(dhcpc_t, dhcpc_exec_t)
@@ -111,45 +111,45 @@ term_dontaudit_use_all_user_ttys(dhcpc_t)
 term_dontaudit_use_all_user_ptys(dhcpc_t)
 term_dontaudit_use_unallocated_tty(dhcpc_t)
-corecommands_execute_general_programs(dhcpc_t)
-corecommands_execute_system_programs(dhcpc_t)
-corecommands_execute_shell(dhcpc_t)
+corecmd_exec_bin(dhcpc_t)
+corecmd_exec_sbin(dhcpc_t)
+corecmd_exec_shell(dhcpc_t)
-domain_use_widely_inheritable_file_descriptors(dhcpc_t)
+domain_use_wide_inherit_fd(dhcpc_t)
-files_read_general_system_config(dhcpc_t)
-files_read_runtime_system_config(dhcpc_t)
+files_read_generic_etc_files(dhcpc_t)
+files_read_etc_runtime_files(dhcpc_t)
-init_use_file_descriptors(dhcpc_t)
-init_script_use_pseudoterminal(dhcpc_t)
-init_script_modify_runtime_data(dhcpc_t)
+init_use_fd(dhcpc_t)
+init_use_script_pty(dhcpc_t)
+init_rw_script_pid(dhcpc_t)
-logging_send_system_log_message(dhcpc_t)
+logging_send_syslog_msg(dhcpc_t)
-libraries_use_dynamic_loader(dhcpc_t)
-libraries_use_shared_libraries(dhcpc_t)
+libs_use_ld_so(dhcpc_t)
+libs_use_shared_libs(dhcpc_t)
 miscfiles_read_localization(dhcpc_t)
-modutils_insmod_transition(dhcpc_t)
+modutils_domtrans_insmod(dhcpc_t)
 ifdef(`distro_redhat', `
- files_execute_system_config_script(dhcpc_t)
+ files_exec_generic_etc_files(dhcpc_t)
 ')
 ifdef(`targeted_policy', `
 term_dontaudit_use_unallocated_tty(dhcpc_t)
 terminal_ignore_use_general_pseudoterminal(dhcpc_t)
- files_ignore_read_rootfs_file(dhcpc_t)
+ files_dontaudit_read_root_file(dhcpc_t)
 ')
 optional_policy(`consoletype.te',`
- consoletype_transition(dhcpc_t)
+ consoletype_domtrans(dhcpc_t)
 ')
 optional_policy(`hostname.te',`
- hostname_transition(dhcpc_t)
+ hostname_domtrans(dhcpc_t)
 ')
 optional_policy(`nscd.te',`
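Review bot: `terminal_ignore_use_general_pseudoterminal(dhcpc_t)` in the `ifdef(`targeted_policy'` block keeps its old long name while the line right below it (`files_ignore_read_rootfs_file` → `files_dontaudit_read_root_file`) and every other terminal call in this file already use the short `term_dontaudit_` scheme, so it looks like a straggler of the sweep; if the terminal module's interface was renamed in the same commit, this call no longer matches any definition. The same applies to the context line `ypbind_transition(dhcpc_t)` in the next hunk (`@@ -161,17`), where the neighbouring `consoletype_transition`/`hostname_transition` calls were moved to `_domtrans` but the ypbind call was not. Because m4 passes an undefined macro name through as literal text, a missed rename does not fail at expansion time and only surfaces when the assembled policy is compiled (or, worse, silently drops the access it was meant to grant), so a grep for the old `_transition`/`_ignore_` names across policy/modules before merging would be a cheap check.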
@@ -161,17 +161,17 @@ optional_policy(`selinux.te',` ') optional_policy(`udev.te',` - udev_read_database(dhcpc_t) + udev_read_db(dhcpc_t) ') optional_policy(`userdomain.te',` - userdomain_use_all_users_file_descriptors(dhcpc_t) + userdom_use_all_user_fd(dhcpc_t) ') # # dhclient sometimes starts ypbind and ntpd # -init_script_execute(dhcpc_t) +init_exec_script(dhcpc_t) optional_policy(`ypbind.te',` ypbind_transition(dhcpc_t) ') @@ -257,7 +257,7 @@ allow ifconfig_t self:udp_socket create_socket_perms; # for /sbin/ip allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms; allow ifconfig_t self:tcp_socket { create ioctl }; -files_read_general_system_config(ifconfig_t); +files_read_generic_etc_files(ifconfig_t); kernel_use_fd(ifconfig_t) kernel_read_system_state(ifconfig_t) @@ -270,24 +270,24 @@ fs_getattr_xattr_fs(ifconfig_t) term_dontaudit_use_all_user_ttys(ifconfig_t) term_dontaudit_use_all_user_ptys(ifconfig_t) -domain_use_widely_inheritable_file_descriptors(ifconfig_t) +domain_use_wide_inherit_fd(ifconfig_t) -files_ignore_read_rootfs_file(ifconfig_t) +files_dontaudit_read_root_file(ifconfig_t) -init_use_file_descriptors(ifconfig_t) -init_script_use_pseudoterminal(ifconfig_t) +init_use_fd(ifconfig_t) +init_use_script_pty(ifconfig_t) -libraries_use_dynamic_loader(ifconfig_t) -libraries_use_shared_libraries(ifconfig_t) -libraries_read_library_resources(ifconfig_t) +libs_use_ld_so(ifconfig_t) +libs_use_shared_libs(ifconfig_t) +libs_read_lib(ifconfig_t) -logging_send_system_log_message(ifconfig_t) +logging_send_syslog_msg(ifconfig_t) miscfiles_read_localization(ifconfig_t) -selinux_run_init_use_file_descriptors(ifconfig_t) +selinux_use_runinit_fd(ifconfig_t) -userdomain_use_all_users_file_descriptors(ifconfig_t) +userdom_use_all_user_fd(ifconfig_t) ifdef(`TODO',` diff --git a/refpolicy/policy/modules/system/udev.if b/refpolicy/policy/modules/system/udev.if index a8eb6e1..f0a43db 100644 --- a/refpolicy/policy/modules/system/udev.if 
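Review bot: The trailing semicolon carried over on `+files_read_generic_etc_files(ifconfig_t);` in the `@@ -257,7` hunk is the only interface call in the visible hunks written that way; the interface expands to complete rules, so the extra `;` is emitted into the generated policy as a stray token after the expansion. Whether the compiler tolerates an empty statement there I cannot tell from here, but since the line is being touched anyway it should match its neighbours: `+files_read_generic_etc_files(ifconfig_t)`.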
+++ b/refpolicy/policy/modules/system/udev.if @@ -2,7 +2,7 @@ ## Policy for udev. ######################################## -## +## ## ## Execute udev in the udev domain. ## @@ -11,7 +11,7 @@ ## ## # -define(`udev_transition',` +define(`udev_domtrans',` requires_block_template(`$0'_depend) domain_auto_trans($1, udev_exec_t, udev_t) @@ -22,7 +22,7 @@ define(`udev_transition',` allow udev_t $1:process sigchld; ') -define(`udev_transition_depend',` +define(`udev_domtrans_depend',` type udev_t, udev_exec_t; class file { getattr read execute }; @@ -32,7 +32,7 @@ define(`udev_transition_depend',` ') ######################################## -## +## ## ## Allow process to read list of devices. ## @@ -41,20 +41,20 @@ define(`udev_transition_depend',` ## ## # -define(`udev_read_database',` +define(`udev_read_db',` requires_block_template(`$0'_depend) allow $1 udev_tdb_t:file r_file_perms; ') -define(`udev_read_database_depend',` +define(`udev_read_db_depend',` type udev_tdb_t; class file r_file_perms; ') ######################################## -## +## ## ## Allow process to modify list of devices. ## @@ -63,13 +63,13 @@ define(`udev_read_database_depend',` ## ## # -define(`udev_modify_database',` +define(`udev_rw_db',` requires_block_template(`$0'_depend) allow $1 udev_tdb_t:file rw_file_perms; ') -define(`udev_modify_database_depend',` +define(`udev_rw_db_depend',` type udev_tdb_t; class file rw_file_perms; diff --git a/refpolicy/policy/modules/system/udev.te b/refpolicy/policy/modules/system/udev.te index e12d946..bd6cc1a 100644 --- a/refpolicy/policy/modules/system/udev.te +++ b/refpolicy/policy/modules/system/udev.te 
@@ -10,24 +10,24 @@ type udev_t; # nscd_client_domain type udev_exec_t; type udev_helper_exec_t; kernel_userland_entry(udev_t,udev_exec_t) -kernel_make_object_identity_change_constraint_exception(udev_t) -domain_make_entrypoint_file(udev_t,udev_helper_exec_t) -domain_make_file_descriptors_widely_inheritable(udev_t) -init_make_daemon_domain(udev_t,udev_exec_t) +kernel_obj_id_change_exempt(udev_t) +domain_entry_file(udev_t,udev_helper_exec_t) +domain_wide_inherit_fd(udev_t) +init_daemon_domain(udev_t,udev_exec_t) type udev_etc_t alias etc_udev_t; -files_make_file(udev_etc_t) +files_file_type(udev_etc_t) # udev_runtime_t is the type of the udev table file # cjp: this is probably a copy of udev_tbl_t and can be removed type udev_runtime_t; -files_make_file(udev_runtime_t) +files_file_type(udev_runtime_t) type udev_tbl_t alias udev_tdb_t; -files_make_file(udev_tbl_t) +files_file_type(udev_tbl_t) type udev_var_run_t; -files_make_daemon_runtime_file(udev_var_run_t) +files_pid_file(udev_var_run_t) ######################################## # 
@@ -82,53 +82,53 @@ dev_manage_dev_nodes(udev_t)
 fs_getattr_all_fs(udev_t)
-corecommands_execute_general_programs(udev_t)
-corecommands_execute_system_programs(udev_t)
-corecommands_execute_shell(udev_t)
+corecmd_exec_bin(udev_t)
+corecmd_exec_sbin(udev_t)
+corecmd_exec_shell(udev_t)
-domain_execute_all_entrypoint_programs(udev_t)
-domain_ignore_read_all_domains_process_dirs(udev_t)
+domain_exec_all_entry_files(udev_t)
+domain_dontaudit_list_all_domains_proc(udev_t)
-files_read_runtime_system_config(udev_t)
-files_read_general_system_config(udev_t)
-files_execute_system_config_script(udev_t)
-files_ignore_search_isid_type_dir(udev_t)
+files_read_etc_runtime_files(udev_t)
+files_read_generic_etc_files(udev_t)
+files_exec_generic_etc_files(udev_t)
+files_dontaudit_search_isid_type_dir(udev_t)
-init_use_file_descriptors(udev_t)
-init_script_read_runtime_data(udev_t)
-init_script_ignore_write_runtime_data(udev_t)
+init_use_fd(udev_t)
+init_read_script_pid(udev_t)
+init_dontaudit_write_script_pid(udev_t)
-libraries_use_dynamic_loader(udev_t)
-libraries_use_shared_libraries(udev_t)
+libs_use_ld_so(udev_t)
+libs_use_shared_libs(udev_t)
-logging_send_system_log_message(udev_t)
+logging_send_syslog_msg(udev_t)
 miscfiles_read_localization(udev_t)
-modutils_insmod_transition(udev_t)
+modutils_domtrans_insmod(udev_t)
 selinux_read_config(udev_t)
 selinux_read_default_contexts(udev_t)
 selinux_read_file_contexts(udev_t)
-selinux_restorecon_transition(udev_t)
+selinux_domtrans_restorecon(udev_t)
-sysnetwork_ifconfig_transition(udev_t)
+sysnet_domtrans_ifconfig(udev_t)
 ifdef(`distro_redhat',`
 fs_manage_tmpfs_block_devices(udev_t)
 fs_manage_tmpfs_character_devices(udev_t)
 # for arping used for static IP addresses on PCMCIA ethernet
- netutils_transition(udev_t)
+ netutils_domtrans(udev_t)
 ')
 optional_policy(`authlogin.te',`
- authlogin_pam_console_read_runtime_data(udev_t)
- authlogin_pam_console_transition(udev_t)
+ auth_read_pam_console_data(udev_t)
+ 
auth_domtrans_pam_console(udev_t) ') optional_policy(`consoletype.te',` - consoletype_execute(udev_t) + consoletype_exec(udev_t) ') optional_policy(`hotplug.te',` @@ -136,7 +136,7 @@ optional_policy(`hotplug.te',` ') optional_policy(`sysnetwork.te',` - sysnetwork_dhcpc_transition(udev_t) + sysnet_domtrans_dhcpc(udev_t) ') ifdef(`TODO',` diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if index 43957db..90253f6 100644 --- a/refpolicy/policy/modules/system/userdomain.if +++ b/refpolicy/policy/modules/system/userdomain.if @@ -12,8 +12,8 @@ define(`base_user_domain',` attribute $1_file_type; type $1_t, userdomain; - domain_make_domain($1_t) - corecommands_make_shell_entrypoint($1_t) + domain_type($1_t) + corecmd_shell_entry_type($1_t) role $1_r types $1_t; allow system_r $1_r; @@ -23,17 +23,17 @@ define(`base_user_domain',` # type for contents of home directory type $1_home_t, $1_file_type, home_type; - files_make_file($1_home_t) + files_file_type($1_home_t) # type of home directory type $1_home_dir_t, home_dir_type, home_type; - files_make_file($1_home_t) + files_file_type($1_home_t) type $1_tmp_t, $1_file_type; - files_make_temporary_file($1_tmp_t) + files_tmp_file($1_tmp_t) type $1_tmpfs_t; - files_make_tmpfs_file($1_tmpfs_t) + files_tmpfs_file($1_tmpfs_t) type $1_tty_device_t; term_tty($1_t,$1_tty_device_t) 
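Review bot: In the `@@ -23,17` hunk of userdomain.if, the second `+ files_file_type($1_home_t)` sits directly under the `type $1_home_dir_t, home_dir_type, home_type;` declaration but repeats the `$1_home_t` argument, so `$1_home_dir_t` never receives the file type attribute while `$1_home_t` gets it twice; the rename preserved the wrong argument from the removed line. Any interface that grants or restricts access by that attribute would then silently not cover the home directory type itself, which is an easy thing to miss in an audit. The fix is `+ files_file_type($1_home_dir_t)`. The `define(`base_user_domain'` body begins and ends outside this hunk.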
@@ -142,37 +142,37 @@ define(`base_user_domain',` # for eject storage_getattr_fixed_disk($1_t) - authlogin_read_login_records($1_t) - authlogin_ignore_write_login_records($1_t) - authlogin_pam_transition_add_role_use_terminal($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) - authlogin_utempter_transition_add_role_use_terminal($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) + auth_read_login_records($1_t) + auth_dontaudit_write_login_records($1_t) + auth_run_pam($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) + auth_run_utempter($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) - corecommands_execute_general_programs($1_t) - corecommands_execute_system_programs($1_t) - corecommands_execute_ls($1_t) + corecmd_exec_bin($1_t) + corecmd_exec_sbin($1_t) + corecmd_exec_ls($1_t) - domain_execute_all_entrypoint_programs($1_t) - domain_use_widely_inheritable_file_descriptors($1_t) + domain_exec_all_entry_files($1_t) + domain_use_wide_inherit_fd($1_t) - files_execute_system_config_script($1_t) - files_read_system_source_code($1_t) + files_exec_generic_etc_files($1_t) + files_read_usr_src($1_t) # Caused by su - init scripts - init_script_ignore_use_pseudoterminal($1_t) + init_dontaudit_use_script_pty($1_t) - libraries_use_dynamic_loader($1_t) - libraries_use_shared_libraries($1_t) - libraries_execute_dynamic_loader($1_t) - libraries_execute_library_scripts($1_t) + libs_use_ld_so($1_t) + libs_use_shared_libs($1_t) + libs_exec_ld_so($1_t) + libs_exec_lib_files($1_t) - logging_ignore_get_all_logs_attributes($1_t) + logging_dontaudit_getattr_all_logs($1_t) miscfiles_read_localization($1_t) - miscfiles_manage_man_page_cache($1_t) + miscfiles_rw_man_cache($1_t) - selinux_newrole_transition_add_role_use_terminal($1_t,$1_r,{ $1_devpts_t $1_tty_device_t }) + selinux_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t }) - mta_modify_mail_spool($1_t) + mta_rw_spool($1_t) if (allow_execmem) { # Allow loading DSOs that require executable stack. 
@@ -206,8 +206,8 @@ define(`base_user_domain',` } optional_policy(`usermanage.te',` - usermanage_chfn_transition_add_role_use_terminal($1_t,$1_r,{ $1_devpts_t $1_tty_device_t }) - usermanage_passwd_transition_add_role_use_terminal($1_t,$1_r,{ $1_devpts_t $1_tty_device_t }) + usermanage_run_chfn($1_t,$1_r,{ $1_devpts_t $1_tty_device_t }) + usermanage_run_passwd($1_t,$1_r,{ $1_devpts_t $1_tty_device_t }) ') ifdef(`TODO',` @@ -411,7 +411,7 @@ define(`user_domain_template', ` base_user_domain($1) typeattribute $1_t unpriv_userdomain; #, web_client_domain, nscd_client_domain; - domain_make_file_descriptors_widely_inheritable($1_t) + domain_wide_inherit_fd($1_t) #typeattribute $1_devpts_t userpty_type, user_tty_type; #typeattribute $1_home_dir_t user_home_dir_type; @@ -439,7 +439,7 @@ define(`user_domain_template', ` allow $1_t $1_tmp_t:dir create_dir_perms; allow $1_t $1_tmp_t:sock_file create_file_perms; allow $1_t $1_tmp_t:fifo_file create_file_perms; - files_create_private_tmp_data($1_t, $1_tmp_t, { dir notdevfile_class_set }) + files_create_tmp_files($1_t, $1_tmp_t, { dir notdevfile_class_set }) # privileged home directory writers allow privhome $1_home_t:file create_file_perms; 
@@ -459,24 +459,24 @@ define(`user_domain_template', ` # port access is audited even if dac would not have allowed it, so dontaudit it here corenet_dontaudit_tcp_bind_all_reserved_ports($1_t) - files_read_general_system_config($1_t) - files_list_home_directories($1_t) - files_read_general_application_resources($1_t) + files_read_generic_etc_files($1_t) + files_list_home($1_t) + files_read_usr_files($1_t) - init_script_read_runtime_data($1_t) + init_read_script_pid($1_t) # The library functions always try to open read-write first, # then fall back to read-only if it fails. - init_script_ignore_write_runtime_data($1_t) + init_dontaudit_write_script_pid($1_t) # Stop warnings about access to /dev/console - init_ignore_use_file_descriptors($1_t) - init_script_ignore_use_file_descriptors($1_t) + init_dontaudit_use_fd($1_t) + init_dontaudit_use_script_fd($1_t) miscfiles_read_man_pages($1_t) selinux_read_config($1_t) # Allow users to execute checkpolicy without a domain transition # so it can be used without privilege to write real binary policy file - selinux_checkpolicy_execute($1_t) + selinux_exec_checkpol($1_t) if (user_dmesg) { kernel_read_ring_buffer($1_t) @@ -493,12 +493,12 @@ define(`user_domain_template', ` # for running depmod as part of the kernel packaging process optional_policy(`modutils.te',` - modutils_read_kernel_module_loading_config($1_t) + modutils_read_module_conf($1_t) ') optional_policy(`selinux.te',` # for when the network connection is killed - selinux_newrole_ignore_signal($1_t) + selinux_dontaudit_newrole_signal($1_t) ') # Need the following rule to allow users to run vpnc @@ -612,7 +612,7 @@ define(`admin_domain_template',` base_user_domain($1) typeattribute $1_t privhome; #, admin, web_client_domain, nscd_client_domain; - kernel_make_object_identity_change_constraint_exception($1_t) + kernel_obj_id_change_exempt($1_t) role system_r types $1_t; #ifdef(`direct_sysadm_daemon', `, priv_system_role') 
@@ -650,7 +650,7 @@ define(`admin_domain_template',` allow $1_t $1_tmp_t:lnk_file create_file_perms; allow $1_t $1_tmp_t:fifo_file create_file_perms; allow $1_t $1_tmp_t:sock_file create_file_perms; - files_create_private_tmp_data($1_t, $1_tmp_t, { dir notdevfile_class_set }) + files_create_tmp_files($1_t, $1_tmp_t, { dir notdevfile_class_set }) kernel_read_system_state($1_t) kernel_read_network_state($1_t) @@ -698,12 +698,12 @@ define(`admin_domain_template',` term_use_all_user_ttys($1_t) # Manage almost all files - authlogin_manage_all_files_except_shadow($1_t) + auth_manage_all_files_except_shadow($1_t) # Relabel almost all files - authlogin_relabel_all_files_except_shadow($1_t) + auth_relabel_all_files_except_shadow($1_t) - domain_set_all_domains_priorities($1_t) - domain_read_all_domains_process_state($1_t) + domain_setpriority_all_domains($1_t) + domain_read_all_domains_state($1_t) # signal all domains: domain_kill_all_domains($1_t) domain_signal_all_domains($1_t) @@ -712,22 +712,22 @@ define(`admin_domain_template',` domain_sigstop_all_domains($1_t) domain_sigchld_all_domains($1_t) - files_execute_system_source_code_scripts($1_t) + files_exec_usr_files($1_t) - init_use_control_channel($1_t) + init_use_initctl($1_t) - logging_send_system_log_message($1_t) + logging_send_syslog_msg($1_t) - modutils_insmod_transition($1_t) + modutils_domtrans_insmod($1_t) selinux_read_config($1_t) # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator # cannot directly manipulate policy files with arbitrary programs. - selinux_manage_source_policy($1_t) + selinux_manage_src_pol($1_t) # Violates the goal of limiting write access to checkpolicy. # But presently necessary for installing the file_contexts file. - selinux_manage_binary_policy($1_t) + selinux_manage_binary_pol($1_t) optional_policy(`cron.te',` cron_admin_template($1) 
@@ -807,7 +807,7 @@ define(`admin_domain_template',` ') ######################################## -## +## ## ## Execute a shell in all user domains. This ## is an explicit transition, requiring the @@ -818,17 +818,17 @@ define(`admin_domain_template',` ## ## # -define(`userdomain_all_users_explicit_transition',` +define(`userdom_spec_domtrans_all_users',` requires_block_template(`$0'_depend) - corecommands_shell_explicit_transition($1,userdomain) + corecmd_shell_spec_domtrans($1,userdomain) ') -define(`userdomain_all_users_explicit_transition_depend',` +define(`userdom_spec_domtrans_all_users_depend',` type sysadm_t; ') ######################################## -## +## ## ## Execute a shell in the sysadm domain. ## @@ -837,18 +837,18 @@ define(`userdomain_all_users_explicit_transition_depend',` ## ## # -define(`userdomain_sysadm_shell_transition',` +define(`userdom_shell_domtrans_sysadm',` requires_block_template(`$0'_depend) - corecommands_shell_transition($1,sysadm_t) + corecmd_domtrans_shell($1,sysadm_t) ') -define(`userdomain_sysadm_shell_transition_depend',` +define(`userdom_shell_domtrans_sysadm_depend',` type sysadm_t; ') ######################################## -## +## ## ## Read and write administrative users ## physical and pseudo terminals. @@ -858,7 +858,7 @@ define(`userdomain_sysadm_shell_transition_depend',` ## ## # -define(`userdomain_use_admin_terminals',` +define(`userdom_use_sysadm_terms',` requires_block_template(`$0'_depend) dev_list_all_dev_nodes($1) @@ -866,14 +866,14 @@ define(`userdomain_use_admin_terminals',` allow $1 admin_terminal:chr_file { getattr read write ioctl }; ') -define(`userdomain_use_admin_terminals_depend',` +define(`userdom_use_sysadm_terms_depend',` attribute admin_terminal; class chr_file { getattr read write ioctl }; ') ######################################## -## +## ## ## Do not audit attempts to use admin ttys and ptys. ## 
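Review bot: `userdom_spec_domtrans_all_users_depend` in the `@@ -818,17` hunk declares `type sysadm_t;`, but the interface body it supports is `corecmd_shell_spec_domtrans($1,userdomain)`, which references the `userdomain` attribute and not `sysadm_t`; the depend block reads as copied from `userdom_shell_domtrans_sysadm_depend` just below, where `sysadm_t` is the correct symbol. A caller of the renamed interface would therefore declare a requirement it does not use and omit the one it does. Suggest `attribute userdomain;` in that block, plus whatever `corecmd_shell_spec_domtrans` itself requires if the convention here is for depend blocks to chain, which I cannot confirm from this hunk.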
@@ -882,20 +882,20 @@ define(`userdomain_use_admin_terminals_depend',` ## ## # -define(`userdomain_dontaudit_use_admin_terminals',` +define(`userdom_dontaudit_use_sysadm_terms',` requires_block_template(`$0'_depend) dontaudit $1 admin_terminal:chr_file { read write }; ') -define(`userdomain_dontaudit_use_admin_terminals_depend',` +define(`userdom_dontaudit_use_sysadm_terms_depend',` attribute admin_terminal; class chr_file { read write }; ') ######################################## -## +## ## ## Search all users home directories. ## @@ -904,21 +904,21 @@ define(`userdomain_dontaudit_use_admin_terminals_depend',` ## ## # -define(`userdomain_search_all_users_home_dirs',` +define(`userdom_search_all_users_home',` requires_block_template(`$0'_depend) - files_list_home_directories($1) + files_list_home($1) allow $1 { home_dir_type home_type }:dir search; ') -define(`userdomain_search_all_users_home_dirs_depend',` +define(`userdom_search_all_users_home_depend',` attribute home_dir_type, home_type; class dir search; ') ######################################## -## +## ## ## Read all files in all users home directories. ## @@ -927,15 +927,15 @@ define(`userdomain_search_all_users_home_dirs_depend',` ## ## # -define(`userdomain_read_all_users_data',` +define(`userdom_read_all_user_data',` requires_block_template(`$0'_depend) - files_list_home_directories($1) + files_list_home($1) allow $1 home_type:dir r_dir_perms; allow $1 home_type:file r_file_perms; ') -define(`userdomain_read_all_users_data_depend',` +define(`userdom_read_all_user_data_depend',` attribute home_type; class dir r_dir_perms; @@ -943,7 +943,7 @@ define(`userdomain_read_all_users_data_depend',` ') ######################################## -## +## ## ## Inherit the file descriptors from all user domains ## 
@@ -952,20 +952,20 @@ define(`userdomain_read_all_users_data_depend',` ## ## # -define(`userdomain_use_all_users_file_descriptors',` +define(`userdom_use_all_user_fd',` requires_block_template(`$0'_depend) allow $1 userdomain:fd use; ') -define(`userdomain_use_all_users_file_descriptors_depend',` +define(`userdom_use_all_user_fd_depend',` attribute userdomain; class fd use; ') ######################################## -## +## ## ## Send general signals to all user domains. ## @@ -974,20 +974,20 @@ define(`userdomain_use_all_users_file_descriptors_depend',` ## ## # -define(`userdomain_signal_all_userdomains',` +define(`userdom_signal_all_users',` requires_block_template(`$0'_depend) allow $1 userdomain:process signal; ') -define(`userdomain_signal_all_userdomains_depend',` +define(`userdom_signal_all_users_depend',` attribute userdomain; class process signal; ') ######################################## -## +## ## ## Inherit the file descriptors from all user domains. ## @@ -996,20 +996,20 @@ define(`userdomain_signal_all_userdomains_depend',` ## ## # -define(`userdomain_use_all_unprivileged_users_file_descriptors',` +define(`userdom_use_unpriv_users_fd',` requires_block_template(`$0'_depend) allow $1 unpriv_userdomain:fd use; ') -define(`userdomain_use_all_unprivileged_users_file_descriptors_depend',` +define(`userdom_use_unpriv_users_fd_depend',` attribute unpriv_userdomain; class fd use; ') ######################################## -## +## ## ## Do not audit attempts to inherit the ## file descriptors from all user domains. 
@@ -1019,13 +1019,13 @@ define(`userdomain_use_all_unprivileged_users_file_descriptors_depend',` ## ## # -define(`userdomain_ignore_use_all_unprivileged_users_file_descriptors',` +define(`userdom_dontaudit_use_unpriv_user_fd',` requires_block_template(`$0'_depend) dontaudit $1 unpriv_userdomain:fd use; ') -define(`userdomain_ignore_use_all_unprivileged_users_file_descriptors_depend',` +define(`userdom_dontaudit_use_unpriv_user_fd_depend',` attribute unpriv_userdomain; class fd use; diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te index a3b414f..003cb57 100644 --- a/refpolicy/policy/modules/system/userdomain.te +++ b/refpolicy/policy/modules/system/userdomain.te 
@@ -126,54 +126,54 @@ optional_policy(`bootloader.te',`
 ')
 optional_policy(`clock.te',`
- clock_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+ clock_run(sysadm_t,sysadm_r,admin_terminal)
 ')
 optional_policy(`hostname.te',`
- hostname_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+ hostname_run(sysadm_t,sysadm_r,admin_terminal)
 ')
 optional_policy(`iptables.te',`
- iptables_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+ iptables_run(sysadm_t,sysadm_r,admin_terminal)
 ')
 optional_policy(`libraries.te',`
- libraries_ldconfig_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+ libs_run_ldconfig(sysadm_t,sysadm_r,admin_terminal)
 ')
 optional_policy(`lvm.te',`
- lvm_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+ lvm_run(sysadm_t,sysadm_r,admin_terminal)
 ')
 optional_policy(`modutils.te',`
- modutils_depmod_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
- modutils_insmod_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
- modutils_update_modules_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+ modutils_run_depmod(sysadm_t,sysadm_r,admin_terminal)
+ modutils_run_insmod(sysadm_t,sysadm_r,admin_terminal)
+ modutils_run_update_mods(sysadm_t,sysadm_r,admin_terminal)
 ')
 optional_policy(`mount.te',`
- mount_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+ mount_run(sysadm_t,sysadm_r,admin_terminal)
 ')
 optional_policy(`rpm.te',`
- rpm_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+ rpm_run(sysadm_t,sysadm_r,admin_terminal)
 ')
 optional_policy(`selinux.te',`
- selinux_checkpolicy_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
- selinux_load_policy_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
- selinux_restorecon_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
- 
selinux_setfiles_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+ selinux_run_checkpol(sysadm_t,sysadm_r,admin_terminal)
+ selinux_run_loadpol(sysadm_t,sysadm_r,admin_terminal)
+ selinux_run_restorecon(sysadm_t,sysadm_r,admin_terminal)
+ selinux_run_setfiles(sysadm_t,sysadm_r,admin_terminal)
 optional_policy(`targeted_policy',`',`
- selinux_run_init_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+ selinux_run_runinit(sysadm_t,sysadm_r,admin_terminal)
 ')
 ')
 optional_policy(`sysnetwork.te',`
- sysnetwork_ifconfig_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+ sysnet_run_ifconfig(sysadm_t,sysadm_r,admin_terminal)
 ')
 optional_policy(`usermanage.te',`
- usermanage_groupadd_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
- usermanage_useradd_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+ usermanage_run_groupadd(sysadm_t,sysadm_r,admin_terminal)
+ usermanage_run_useradd(sysadm_t,sysadm_r,admin_terminal)
 ')
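Review bot: Inside the `selinux.te` block, the new `+ selinux_run_runinit(sysadm_t,sysadm_r,admin_terminal)` is gated by `optional_policy(`targeted_policy',`',`…')`, which puts the build option name in the slot every other call in this hunk fills with a module file name, whereas the sysnetwork.te hunk in this same commit tests the option with `ifdef(`targeted_policy', …`. If `optional_policy` is keyed on module presence rather than aliasing `ifdef`, the `targeted_policy` branch would never match and sysadm_t would be granted the run_init transition in targeted builds too, which is exactly the case the guard exists to exclude. Unless `optional_policy` is known to behave as `ifdef` here, the line should read `ifdef(`targeted_policy',`',``. The hunk appears to end at the closing `')` of the usermanage block, but the enclosing file continues beyond it.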