diff --git a/refpolicy/doc/policy.dtd b/refpolicy/doc/policy.dtd index 46fab3e..73ecc41 100644 --- a/refpolicy/doc/policy.dtd +++ b/refpolicy/doc/policy.dtd @@ -19,7 +19,7 @@ name CDATA #REQUIRED dftval CDATA #REQUIRED> - + diff --git a/refpolicy/policy/modules/admin/usermanage.if b/refpolicy/policy/modules/admin/usermanage.if index 463a155..e832948 100644 --- a/refpolicy/policy/modules/admin/usermanage.if +++ b/refpolicy/policy/modules/admin/usermanage.if @@ -1,9 +1,9 @@ ## Policy for managing user accounts. ######################################## -## +## ## Execute chfn in the chfn domain. -## +## ## ## The type of the process performing this action. ## @@ -27,10 +27,10 @@ interface(`usermanage_domtrans_chfn',` ') ######################################## -## +## ## Execute chfn in the chfn domain, and ## allow the specified role the chfn domain. -## +## ## ## The type of the process performing this action. ## @@ -53,9 +53,9 @@ interface(`usermanage_run_chfn',` ') ######################################## -## +## ## Execute groupadd in the groupadd domain. -## +## ## ## The type of the process performing this action. ## @@ -79,10 +79,10 @@ interface(`usermanage_domtrans_groupadd',` ') ######################################## -## +## ## Execute groupadd in the groupadd domain, and ## allow the specified role the groupadd domain. -## +## ## ## The type of the process performing this action. ## @@ -105,9 +105,9 @@ interface(`usermanage_run_groupadd',` ') ######################################## -## +## ## Execute passwd in the passwd domain. -## +## ## ## The type of the process performing this action. ## @@ -131,10 +131,10 @@ interface(`usermanage_domtrans_passwd',` ') ######################################## -## +## ## Execute passwd in the passwd domain, and ## allow the specified role the passwd domain. -## +## ## ## The type of the process performing this action. ## @@ -157,9 +157,9 @@ interface(`usermanage_run_passwd',` ') ######################################## -## +## ## Execute useradd in the useradd domain. -## +## ## ## The type of the process performing this action. ## @@ -183,10 +183,10 @@ interface(`usermanage_domtrans_useradd',` ') ######################################## -## +## ## Execute useradd in the useradd domain, and ## allow the specified role the useradd domain. -## +## ## ## The type of the process performing this action. ## diff --git a/refpolicy/policy/modules/kernel/terminal.if b/refpolicy/policy/modules/kernel/terminal.if index 07b1892..36c1184 100644 --- a/refpolicy/policy/modules/kernel/terminal.if +++ b/refpolicy/policy/modules/kernel/terminal.if @@ -1,9 +1,9 @@ ## Policy for terminals. ######################################## -## +## ## Transform specified type into a pty type. -## +## ## ## An object type that will applied to a pty. ## @@ -20,11 +20,11 @@ interface(`term_pty',` ') ######################################## -## +## ## Transform specified type into an user ## pty type. This allows it to be relabeled via ## type change by login programs such as ssh. -## +## ## ## The type of the user domain associated with ## this pty. @@ -43,10 +43,10 @@ interface(`term_user_pty',` ') ######################################## -## +## ## Transform specified type into a pty type ## used by login programs, such as sshd. -## +## ## ## An object type that will applied to a pty. ## @@ -61,9 +61,9 @@ interface(`term_login_pty',` ') ######################################## -## +## ## Transform specified type into a tty type. -## +## ## ## An object type that will applied to a tty. ## @@ -89,9 +89,9 @@ interface(`term_tty',` ') ######################################## -## +## ## Create a pty in the /dev/pts directory. -## +## ## ## The type of the process creating the pty. ## @@ -117,10 +117,10 @@ interface(`term_create_pty',` ') ######################################## -## +## ## Read and write the console, all ## ttys and all ptys. -## +## ## ## The type of the process performing this action. ## @@ -139,9 +139,9 @@ interface(`term_use_all_terms',` ') ######################################## -## +## ## Write to the console. -## +## ## ## The type of the process performing this action. ## @@ -157,9 +157,9 @@ interface(`term_write_console',` ') ######################################## -## +## ## Read from and write to the console. -## +## ## ## The type of the process performing this action. ## @@ -175,10 +175,10 @@ interface(`term_use_console',` ') ######################################## -## +## ## Do not audit attemtps to read from ## or write to the console. -## +## ## ## The type of the process performing this action. ## @@ -193,10 +193,10 @@ interface(`term_dontaudit_use_console',` ') ######################################## -## +## ## Set the attributes of the console ## device node. -## +## ## ## The type of the process performing this action. ## @@ -212,10 +212,10 @@ interface(`term_setattr_console',` ') ######################################## -## +## ## Read the /dev/pts directory to ## list all ptys. -## +## ## ## The type of the process performing this action. ## @@ -231,10 +231,10 @@ interface(`term_list_ptys',` ') ######################################## -## +## ## Do not audit attempts to read the ## /dev/pts directory to. -## +## ## ## The type of the process to not audit. ## @@ -249,11 +249,11 @@ interface(`term_dontaudit_list_ptys',` ') ######################################## -## +## ## Read and write the generic pty ## type. This is generally only used in ## the targeted policy. -## +## ## ## The type of the process performing this action. ## @@ -269,11 +269,11 @@ interface(`term_use_generic_pty',` ') ######################################## -## +## ## Dot not audit attempts to read and ## write the generic pty type. This is ## generally only used in the targeted policy. -## +## ## ## The type of the process to not audit. ## @@ -288,10 +288,10 @@ interface(`term_dontaudit_use_generic_pty',` ') ######################################## -## +## ## Read and write the controlling ## terminal (/dev/tty). -## +## ## ## The type of the process performing this action. ## @@ -307,10 +307,10 @@ interface(`term_use_controlling_term',` ') ######################################## -## +## ## Do not audit attempts to read and ## write the pty multiplexor (/dev/ptmx). -## +## ## ## The type of the process to not audit. ## @@ -325,10 +325,10 @@ interface(`term_dontaudit_use_ptmx',` ') ######################################## -## +## ## Get the attributes of all user ## pty device nodes. -## +## ## ## The type of the process performing this action. ## @@ -346,11 +346,11 @@ interface(`term_getattr_all_user_ptys',` ') ######################################## -## +## ## Do not audit attempts to get the ## attributes of any user pty ## device nodes. -## +## ## ## The type of the process performing this action. ## @@ -405,9 +405,9 @@ interface(`term_relabelto_all_user_ptys',` ') ######################################## -## +## ## Read and write all user ptys. -## +## ## ## The type of the process performing this action. ## @@ -425,10 +425,10 @@ interface(`term_use_all_user_ptys',` ') ######################################## -## +## ## Do not audit attempts to read any ## user ptys. -## +## ## ## The type of the process to not audit. ## @@ -443,10 +443,10 @@ interface(`term_dontaudit_use_all_user_ptys',` ') ######################################## -## +## ## Relabel from and to all user ## user pty device nodes. -## +## ## ## The type of the process performing this action. ## @@ -464,10 +464,10 @@ interface(`term_relabel_all_user_ptys',` ') ######################################## -## +## ## Get the attributes of all unallocated ## tty device nodes. -## +## ## ## The type of the process performing this action. ## @@ -483,10 +483,10 @@ interface(`term_getattr_unallocated_ttys',` ') ######################################## -## +## ## Do not audit attempts to get the attributes ## of all unallocated tty device nodes. -## +## ## ## The type of the process performing this action. ## @@ -501,10 +501,10 @@ interface(`term_dontaudit_getattr_unallocated_ttys',` ') ######################################## -## +## ## Set the attributes of all unallocated ## tty device nodes. -## +## ## ## The type of the process performing this action. ## @@ -520,10 +520,10 @@ interface(`term_setattr_unallocated_ttys',` ') ######################################## -## +## ## Relabel from and to the unallocated ## tty type. -## +## ## ## The type of the process performing this action. ## @@ -539,10 +539,10 @@ interface(`term_relabel_unallocated_ttys',` ') ######################################## -## +## ## Relabel from all user tty types to ## the unallocated tty type. -## +## ## ## The type of the process performing this action. ## @@ -560,9 +560,9 @@ interface(`term_reset_tty_labels',` ') ######################################## -## +## ## Write to unallocated ttys. -## +## ## ## The type of the process performing this action. ## @@ -578,9 +578,9 @@ interface(`term_write_unallocated_ttys',` ') ######################################## -## +## ## Read and write unallocated ttys. -## +## ## ## The type of the process performing this action. ## @@ -596,10 +596,10 @@ interface(`term_use_unallocated_tty',` ') ######################################## -## +## ## Do not audit attempts to read or ## write unallocated ttys. -## +## ## ## The type of the process to not audit. ## @@ -614,10 +614,10 @@ interface(`term_dontaudit_use_unallocated_tty',` ') ######################################## -## +## ## Get the attributes of all user tty ## device nodes. -## +## ## ## The type of the process performing this action. ## @@ -633,11 +633,11 @@ interface(`term_getattr_all_user_ttys',` ') ######################################## -## +## ## Do not audit attempts to get the ## attributes of any user tty ## device nodes. -## +## ## ## The type of the process performing this action. ## @@ -653,10 +653,10 @@ interface(`term_dontaudit_getattr_all_user_ttys',` ') ######################################## -## +## ## Set the attributes of all user tty ## device nodes. -## +## ## ## The type of the process performing this action. ## @@ -672,10 +672,10 @@ interface(`term_setattr_all_user_ttys',` ') ######################################## -## +## ## Relabel from and to all user ## user tty device nodes. -## +## ## ## The type of the process performing this action. ## @@ -691,9 +691,9 @@ interface(`term_relabel_all_user_ttys',` ') ######################################## -## +## ## Write to all user ttys. -## +## ## ## The type of the process performing this action. ## @@ -709,9 +709,9 @@ interface(`term_write_all_user_ttys',` ') ######################################## -## +## ## Read and write all user to all user ttys. -## +## ## ## The type of the process performing this action. ## @@ -727,10 +727,10 @@ interface(`term_use_all_user_ttys',` ') ######################################## -## +## ## Do not audit attempts to read or write ## any user ttys. -## +## ## ## The type of the process performing this action. ## diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if index aec6b43..87f132c 100644 --- a/refpolicy/policy/modules/services/mta.if +++ b/refpolicy/policy/modules/services/mta.if @@ -228,9 +228,9 @@ interface(`mta_exec',` ') ######################################## -## +## ## Read mail address aliases. -## +## ## ## The type of the process performing this action. ## diff --git a/refpolicy/policy/modules/services/remotelogin.if b/refpolicy/policy/modules/services/remotelogin.if index d25467a..55a519f 100644 --- a/refpolicy/policy/modules/services/remotelogin.if +++ b/refpolicy/policy/modules/services/remotelogin.if @@ -1,9 +1,9 @@ ## Policy for rshd, rlogind, and telnetd. ######################################## -## +## ## Domain transition to the remote login domain. -## +## ## ## The type of the process performing this action. ## diff --git a/refpolicy/policy/modules/services/sendmail.if b/refpolicy/policy/modules/services/sendmail.if index 8923bb3..908ac9c 100644 --- a/refpolicy/policy/modules/services/sendmail.if +++ b/refpolicy/policy/modules/services/sendmail.if @@ -1,9 +1,9 @@ ## Policy for sendmail. ######################################## -## +## ## Domain transition to sendmail. -## +## ## ## The type of the process performing this action. ## diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if index cc296e6..7037a40 100644 --- a/refpolicy/policy/modules/system/authlogin.if +++ b/refpolicy/policy/modules/system/authlogin.if @@ -114,9 +114,9 @@ template(`authlogin_per_userdomain_template',` ') ######################################## -## +## ## Use the login program as an entry point program. -## +## ## ## The type of process using the login program as entry point. ## @@ -130,9 +130,9 @@ interface(`auth_login_entry_type',` ') ######################################## -## +## ## Execute a login_program in the target domain. -## +## ## ## The type of the process performing this action. ## @@ -158,9 +158,9 @@ interface(`auth_domtrans_login_program',` ') ######################################## -## +## ## Run unix_chkpwd to check a password. -## +## ## ## The type of the process performing this action. ## @@ -243,9 +243,9 @@ interface(`auth_dontaudit_getattr_shadow',` ') ######################################## -## +## ## Read the shadow passwords file (/etc/shadow) -## +## ## ## The type of the process performing this action. ## @@ -263,10 +263,10 @@ interface(`auth_read_shadow',` ') ######################################## -## +## ## Do not audit attempts to read the shadow ## password file (/etc/shadow). -## +## ## ## The type of the domain to not audit. ## @@ -281,9 +281,9 @@ interface(`auth_dontaudit_read_shadow',` ') ######################################## -## +## ## Read and write the shadow password file (/etc/shadow). -## +## ## ## The type of the process performing this action. ## @@ -362,9 +362,9 @@ interface(`auth_rw_lastlog',` ') ######################################## -## +## ## Execute pam programs in the pam domain. -## +## ## ## The type of the process performing this action. ## @@ -386,9 +386,9 @@ interface(`auth_domtrans_pam',` ') ######################################## -## +## ## Execute pam programs in the PAM domain. -## +## ## ## The type of the process performing this action. ## @@ -411,9 +411,9 @@ interface(`auth_run_pam',` ') ######################################## -## +## ## Execute the pam program. -## +## ## ## The type of the process performing this action. ## @@ -444,9 +444,9 @@ interface(`auth_read_pam_pid',` ') ######################################## -## +## ## Delete pam PID files. -## +## ## ## The type of the process performing this action. ## @@ -536,10 +536,10 @@ interface(`auth_manage_pam_console_data',` ') ######################################## -## +## ## Relabel all files on the filesystem, except ## the shadow passwords and listed exceptions. -## +## ## ## The type of the domain perfoming this action. ## @@ -558,10 +558,10 @@ interface(`auth_relabel_all_files_except_shadow',` ') ######################################## -## +## ## Manage all files on the filesystem, except ## the shadow passwords and listed exceptions. -## +## ## ## The type of the domain perfoming this action. ## @@ -580,9 +580,9 @@ interface(`auth_manage_all_files_except_shadow',` ') ######################################## -## +## ## Execute utempter programs in the utempter domain. -## +## ## ## The type of the process performing this action. ## @@ -604,9 +604,9 @@ interface(`auth_domtrans_utempter',` ') ######################################## -## +## ## Execute utempter programs in the utempter domain. -## +## ## ## The type of the process performing this action. ## diff --git a/refpolicy/policy/modules/system/clock.if b/refpolicy/policy/modules/system/clock.if index 2f7e62c..46a3aee 100644 --- a/refpolicy/policy/modules/system/clock.if +++ b/refpolicy/policy/modules/system/clock.if @@ -1,9 +1,9 @@ ## Policy for reading and setting the hardware clock. ######################################## -## +## ## Execute hwclock in the clock domain. -## +## ## ## The type of the process performing this action. ## @@ -24,10 +24,10 @@ interface(`clock_domtrans',` ') ######################################## -## +## ## Execute hwclock in the clock domain, and ## allow the specified role the hwclock domain. -## +## ## ## The type of the process performing this action. ## @@ -50,9 +50,9 @@ interface(`clock_run',` ') ######################################## -## +## ## Execute hwclock in the caller domain. -## +## ## ## The type of the process performing this action. ## @@ -66,9 +66,9 @@ interface(`clock_exec',` ') ######################################## -## +## ## Allow executing domain to modify clock drift -## +## ## ## The type of the process performing this action. ## diff --git a/refpolicy/policy/modules/system/corecommands.if b/refpolicy/policy/modules/system/corecommands.if index 3f4587a..8b089a1 100644 --- a/refpolicy/policy/modules/system/corecommands.if +++ b/refpolicy/policy/modules/system/corecommands.if @@ -3,6 +3,7 @@ ## in /bin, /sbin, /usr/bin, and /usr/sbin. ## +######################################## ## ## Make the shell an entrypoint for the specified domain. ## @@ -374,6 +375,11 @@ interface(`corecmd_exec_ls',` ') ######################################## +## +## Execute a shell in the target domain. This +## is an explicit transition, requiring the +## caller to use setexeccon(). +## ## ##

## Execute a shell in the target domain. This diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if index d8790b8..c8e2ac1 100644 --- a/refpolicy/policy/modules/system/domain.if +++ b/refpolicy/policy/modules/system/domain.if @@ -107,10 +107,10 @@ interface(`domain_dyntrans_type',` ') ######################################## -## +##

## Makes caller an exception to the constraint preventing ## changing of user identity. -## +## ## ## The process type to make an exception to the constraint. ## @@ -124,10 +124,10 @@ interface(`domain_subj_id_change_exempt',` ') ######################################## -## +## ## Makes caller an exception to the constraint preventing ## changing of role. -## +## ## ## The process type to make an exception to the constraint. ## @@ -141,10 +141,10 @@ interface(`domain_role_change_exempt',` ') ######################################## -## +## ## Makes caller an exception to the constraint preventing ## changing the user identity in object contexts. -## +## ## ## The process type to make an exception to the constraint. ## @@ -216,9 +216,9 @@ interface(`domain_setpriority_all_domains',` ') ######################################## -## +## ## Send general signals to all domains. -## +## ## ## The type of the process performing this action. ## @@ -233,9 +233,9 @@ interface(`domain_signal_all_domains',` ') ######################################## -## +## ## Send a null signal to all domains. -## +## ## ## The type of the process performing this action. ## @@ -250,9 +250,9 @@ interface(`domain_signull_all_domains',` ') ######################################## -## +## ## Send a stop signal to all domains. -## +## ## ## The type of the process performing this action. ## @@ -267,9 +267,9 @@ interface(`domain_sigstop_all_domains',` ') ######################################## -## +## ## Send a child terminated signal to all domains. -## +## ## ## The type of the process performing this action. ## @@ -284,9 +284,9 @@ interface(`domain_sigchld_all_domains',` ') ######################################## -## +## ## Send a kill signal to all domains. -## +## ## ## The type of the process performing this action. ## @@ -362,10 +362,10 @@ interface(`domain_dontaudit_read_all_domains_state',` ') ######################################## -## +## ## Do not audit attempts to read the process state ## directories of all domains. -## +## ## ## The type of the process performing this action. ## @@ -541,10 +541,10 @@ interface(`domain_dontaudit_rw_all_key_sockets',` ') ######################################## -## +## ## Do not audit attempts to get the attributes ## of all domains unix datagram sockets. -## +## ## ## The type of the process performing this action. ## @@ -559,10 +559,10 @@ interface(`domain_dontaudit_getattr_all_unix_dgram_sockets',` ') ######################################## -## +## ## Do not audit attempts to get the attributes ## of all domains unnamed pipes. -## +## ## ## The type of the process performing this action. ## diff --git a/refpolicy/policy/modules/system/fstools.if b/refpolicy/policy/modules/system/fstools.if index bda311a..bb2f5fa 100644 --- a/refpolicy/policy/modules/system/fstools.if +++ b/refpolicy/policy/modules/system/fstools.if @@ -1,9 +1,9 @@ ## Tools for filesystem management, such as mkfs and fsck. ######################################## -## +## ## Execute fs tools in the fstools domain. -## +## ## ## The type of the process performing this action. ## @@ -25,10 +25,10 @@ interface(`fstools_domtrans',` ') ######################################## -## +## ## Execute fs tools in the fstools domain, and ## allow the specified role the fs tools domain. -## +## ## ## The type of the process performing this action. ## @@ -51,12 +51,12 @@ interface(`fstools_run',` ') ######################################## -## -## Execute fsadm in the caller domain. -## -## -## The type of the process performing this action. -## +## +## Execute fsadm in the caller domain. +## +## +## The type of the process performing this action. +## # interface(`fstools_exec',` gen_require(` diff --git a/refpolicy/policy/modules/system/getty.if b/refpolicy/policy/modules/system/getty.if index dd1ec0e..93d8149 100644 --- a/refpolicy/policy/modules/system/getty.if +++ b/refpolicy/policy/modules/system/getty.if @@ -1,12 +1,12 @@ ## Policy for getty. ######################################## -## -## Execute gettys in the getty domain. -## -## -## The type of the process performing this action. -## +## +## Execute gettys in the getty domain. +## +## +## The type of the process performing this action. +## # interface(`getty_domtrans',` gen_require(` @@ -26,12 +26,12 @@ interface(`getty_domtrans',` ') ######################################## -## -## Allow process to read getty log file. -## -## -## The type of the process performing this action. -## +## +## Allow process to read getty log file. +## +## +## The type of the process performing this action. +## # interface(`getty_read_log',` gen_require(` @@ -44,12 +44,12 @@ interface(`getty_read_log',` ') ######################################## -## -## Allow process to read getty config file. -## -## -## The type of the process performing this action. -## +## +## Allow process to read getty config file. +## +## +## The type of the process performing this action. +## # interface(`getty_read_config',` gen_require(` @@ -62,12 +62,12 @@ interface(`getty_read_config',` ') ######################################## -## -## Allow process to edit getty config file. -## -## -## The type of the process performing this action. -## +## +## Allow process to edit getty config file. +## +## +## The type of the process performing this action. +## # interface(`getty_modify_config',` gen_require(` @@ -78,4 +78,3 @@ interface(`getty_modify_config',` files_search_etc($1) allow $1 getty_etc_t:file rw_file_perms; ') - diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if index 4383272..d9c14e9 100644 --- a/refpolicy/policy/modules/system/init.if +++ b/refpolicy/policy/modules/system/init.if @@ -298,9 +298,9 @@ interface(`init_domtrans_script',` ') ######################################## -## +## ## Start and stop daemon programs directly. -## +## ## ## The type of the process performing this action. ## diff --git a/refpolicy/policy/modules/system/iptables.if b/refpolicy/policy/modules/system/iptables.if index 23d55fa..eeed12f 100644 --- a/refpolicy/policy/modules/system/iptables.if +++ b/refpolicy/policy/modules/system/iptables.if @@ -1,9 +1,9 @@ ## Policy for iptables. ######################################## -## +## ## Execute iptables in the iptables domain. -## +## ## ## The type of the process performing this action. ## @@ -26,10 +26,10 @@ interface(`iptables_domtrans',` ') ######################################## -## +## ## Execute iptables in the iptables domain, and ## allow the specified role the iptables domain. -## +## ## ## The type of the process performing this action. ## @@ -52,9 +52,9 @@ interface(`iptables_run',` ') ######################################## -## +## ## Execute iptables in the caller domain. -## +## ## ## The type of the process performing this action. ## diff --git a/refpolicy/policy/modules/system/logging.if b/refpolicy/policy/modules/system/logging.if index 925d35e..a592aae 100644 --- a/refpolicy/policy/modules/system/logging.if +++ b/refpolicy/policy/modules/system/logging.if @@ -84,11 +84,11 @@ interface(`logging_send_syslog_msg',` ') ######################################## -## +## ## Allows the domain to open a file in the ## log directory, but does not allow the listing ## of the contents of the log directory. -## +## ## ## The type of the process performing this action. ## diff --git a/refpolicy/policy/modules/system/lvm.if b/refpolicy/policy/modules/system/lvm.if index 1f1ee77..c960b6c 100644 --- a/refpolicy/policy/modules/system/lvm.if +++ b/refpolicy/policy/modules/system/lvm.if @@ -1,9 +1,9 @@ ## Policy for logical volume management programs. ######################################## -## +## ## Execute lvm programs in the lvm domain. -## +## ## ## The type of the process performing this action. ## @@ -26,9 +26,9 @@ interface(`lvm_domtrans',` ') ######################################## -## +## ## Execute lvm programs in the lvm domain. -## +## ## ## The type of the process performing this action. ## @@ -51,9 +51,9 @@ interface(`lvm_run',` ') ######################################## -## +## ## Read LVM configuration files. -## +## ## ## The type of the process performing this action. ## diff --git a/refpolicy/policy/modules/system/modutils.if b/refpolicy/policy/modules/system/modutils.if index 199619d..fbe4514 100644 --- a/refpolicy/policy/modules/system/modutils.if +++ b/refpolicy/policy/modules/system/modutils.if @@ -1,9 +1,9 @@ ## Policy for kernel module utilities ######################################## -## +## ## Read the dependencies of kernel modules. -## +## ## ## The type of the process performing this action. ## @@ -19,10 +19,10 @@ interface(`modutils_read_mods_deps',` ') ######################################## -## +## ## Read the configuration options used when ## loading modules. -## +## ## ## The type of the process performing this action. ## @@ -42,9 +42,9 @@ interface(`modutils_read_module_conf',` ') ######################################## -## +## ## Execute insmod in the insmod domain. -## +## ## ## The type of the process performing this action. ## @@ -67,12 +67,12 @@ interface(`modutils_domtrans_insmod',` ') ######################################## -## +## ## Execute insmod in the insmod domain, and ## allow the specified role the insmod domain, ## and use the caller's terminal. Has a sigchld ## backchannel. -## +## ## ## The type of the process performing this action. ## @@ -108,9 +108,9 @@ interface(`modutils_exec_insmod',` ') ######################################## -## +## ## Execute depmod in the depmod domain. -## +## ## ## The type of the process performing this action. ## @@ -133,9 +133,9 @@ interface(`modutils_domtrans_depmod',` ') ######################################## -## +## ## Execute depmod in the depmod domain. -## +## ## ## The type of the process performing this action. ## @@ -171,9 +171,9 @@ interface(`modutils_exec_depmod',` ') ######################################## -## +## ## Execute depmod in the depmod domain. -## +## ## ## The type of the process performing this action. ## @@ -196,9 +196,9 @@ interface(`modutils_domtrans_update_mods',` ') ######################################## -## +## ## Execute update_modules in the update_modules domain. -## +## ## ## The type of the process performing this action. ## diff --git a/refpolicy/policy/modules/system/mount.if b/refpolicy/policy/modules/system/mount.if index 03f6d50..569f616 100644 --- a/refpolicy/policy/modules/system/mount.if +++ b/refpolicy/policy/modules/system/mount.if @@ -1,9 +1,9 @@ ## Policy for mount. ######################################## -## +## ## Execute mount in the mount domain. -## +## ## ## The type of the process performing this action. ## @@ -25,11 +25,11 @@ interface(`mount_domtrans',` ') ######################################## -## +## ## Execute mount in the mount domain, and ## allow the specified role the mount domain, ## and use the caller's terminal. -## +## ## ## The type of the process performing this action. ## @@ -52,12 +52,12 @@ interface(`mount_run',` ') ######################################## -## -## Use file descriptors for mount. -## -## -## The type of the process performing this action. -## +## +## Use file descriptors for mount. +## +## +## The type of the process performing this action. +## # interface(`mount_use_fd',` gen_require(` @@ -69,13 +69,13 @@ interface(`mount_use_fd',` ') ######################################## -## -## Allow the mount domain to send nfs requests for mounting -## network drives -## -## -## The type of the process performing this action. -## +## +## Allow the mount domain to send nfs requests for mounting +## network drives +## +## +## The type of the process performing this action. +## # interface(`mount_send_nfs_client_request',` gen_require(` diff --git a/refpolicy/policy/modules/system/selinuxutil.if b/refpolicy/policy/modules/system/selinuxutil.if index 3591f09..6119e4b 100644 --- a/refpolicy/policy/modules/system/selinuxutil.if +++ b/refpolicy/policy/modules/system/selinuxutil.if @@ -1,9 +1,9 @@ ## Policy for SELinux policy and userland applications. ####################################### -## +## ## Execute checkpolicy in the checkpolicy domain. -## +## ## ## The type of the process performing this action. ## @@ -27,12 +27,12 @@ interface(`seutil_domtrans_checkpol',` ') ######################################## -## +## ## Execute checkpolicy in the checkpolicy domain, and ## allow the specified role the checkpolicy domain, ## and use the caller's terminal. ## Has a SIGCHLD signal backchannel. -## +## ## ## The type of the process performing this action. ## @@ -69,9 +69,9 @@ interface(`seutil_exec_checkpol',` ') ####################################### -## +## ## Execute load_policy in the load_policy domain. -## +## ## ## The type of the process performing this action. ## @@ -94,12 +94,12 @@ interface(`seutil_domtrans_loadpol',` ') ######################################## -## +## ## Execute load_policy in the load_policy domain, and ## allow the specified role the load_policy domain, ## and use the caller's terminal. ## Has a SIGCHLD signal backchannel. -## +## ## ## The type of the process performing this action. ## @@ -149,9 +149,9 @@ interface(`seutil_read_loadpol',` ') ####################################### -## +## ## Execute newrole in the load_policy domain. -## +## ## ## The type of the process performing this action. ## @@ -175,11 +175,11 @@ interface(`seutil_domtrans_newrole',` ') ######################################## -## +## ## Execute newrole in the newrole domain, and ## allow the specified role the newrole domain, ## and use the caller's terminal. -## +## ## ## The type of the process performing this action. ## @@ -216,10 +216,10 @@ interface(`seutil_exec_newrole',` ') ######################################## -## +## ## Do not audit the caller attempts to send ## a signal to newrole. -## +## ## ## The type of the process performing this action. ## @@ -260,9 +260,9 @@ interface(`seutil_use_newrole_fd',` ') ####################################### -## +## ## Execute restorecon in the restorecon domain. -## +## ## ## The type of the process performing this action. ## @@ -285,11 +285,11 @@ interface(`seutil_domtrans_restorecon',` ') ######################################## -## +## ## Execute restorecon in the restorecon domain, and ## allow the specified role the restorecon domain, ## and use the caller's terminal. -## +## ## ## The type of the process performing this action. ## @@ -325,9 +325,9 @@ interface(`seutil_exec_restorecon',` ') ######################################## -## +## ## Execute run_init in the run_init domain. -## +## ## ## The type of the process performing this action. ## @@ -351,11 +351,11 @@ interface(`seutil_domtrans_runinit',` ') ######################################## -## +## ## Execute run_init in the run_init domain, and ## allow the specified role the run_init domain, ## and use the caller's terminal. -## +## ## ## The type of the process performing this action. ## @@ -391,9 +391,9 @@ interface(`seutil_use_runinit_fd',` ') ######################################## -## +## ## Execute setfiles in the setfiles domain. -## +## ## ## The type of the process performing this action. ## @@ -417,11 +417,11 @@ interface(`seutil_domtrans_setfiles',` ') ######################################## -## +## ## Execute setfiles in the setfiles domain, and ## allow the specified role the setfiles domain, ## and use the caller's terminal. -## +## ## ## The type of the process performing this action. ## @@ -581,9 +581,9 @@ interface(`seutil_create_binary_pol',` ') ######################################## -## +## ## Allow the caller to relabel a file to the binary policy type. -## +## ## ## The type of the process performing this action. ## diff --git a/refpolicy/policy/modules/system/sysnetwork.if b/refpolicy/policy/modules/system/sysnetwork.if index 4008974..fc7109b 100644 --- a/refpolicy/policy/modules/system/sysnetwork.if +++ b/refpolicy/policy/modules/system/sysnetwork.if @@ -1,12 +1,12 @@ ## Policy for network configuration: ifconfig and dhcp client. ####################################### -## -## Execute dhcp client in dhcpc domain. -## -## -## The type of the process performing this action. -## +## +## Execute dhcp client in dhcpc domain. +## +## +## The type of the process performing this action. +## # interface(`sysnet_domtrans_dhcpc',` gen_require(` @@ -200,9 +200,9 @@ interface(`sysnet_read_dhcpc_pid',` ') ####################################### -## +## ## Execute ifconfig in the ifconfig domain. -## +## ## ## The type of the process performing this action. ## @@ -225,11 +225,11 @@ interface(`sysnet_domtrans_ifconfig',` ') ######################################## -## +## ## Execute ifconfig in the ifconfig domain, and ## allow the specified role the ifconfig domain, ## and use the caller's terminal. -## +## ## ## The type of the process performing this action. ## diff --git a/refpolicy/policy/modules/system/unconfined.if b/refpolicy/policy/modules/system/unconfined.if index 9da3a48..97d701d 100644 --- a/refpolicy/policy/modules/system/unconfined.if +++ b/refpolicy/policy/modules/system/unconfined.if @@ -98,9 +98,9 @@ interface(`unconfined_domtrans',` ') ######################################## -## +## ## Execute specified programs in the unconfined domain. -## +## ## ## The type of the process performing this action. ##