diff --git a/refpolicy/policy/modules/admin/consoletype.if b/refpolicy/policy/modules/admin/consoletype.if
index a23dc42..daee8c0 100644
--- a/refpolicy/policy/modules/admin/consoletype.if
+++ b/refpolicy/policy/modules/admin/consoletype.if
@@ -4,7 +4,7 @@
 # consoletype_domtrans(domain)
 #
 define(`consoletype_domtrans',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 domain_auto_trans($1,consoletype_exec_t,consoletype_t)
@@ -28,7 +28,7 @@ define(`consoletype_domtrans_depend',`
 # consoletype_exec(domain)
 #
 define(`consoletype_exec',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 can_exec($1,consoletype_exec_t)
diff --git a/refpolicy/policy/modules/admin/dmesg.if b/refpolicy/policy/modules/admin/dmesg.if
index 7bf8885..b43e318 100644
--- a/refpolicy/policy/modules/admin/dmesg.if
+++ b/refpolicy/policy/modules/admin/dmesg.if
@@ -12,7 +12,7 @@
 ##
 #
 define(`dmesg_domtrans',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 dmesg_exec_t:file rx_file_perms;
 allow $1 dmesg_t:process transition;
@@ -45,7 +45,7 @@ define(`dmesg_domtrans_depend',`
 ##
 #
 define(`dmesg_exec',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 can_exec($1,dmesg_exec_t)
diff --git a/refpolicy/policy/modules/admin/netutils.if b/refpolicy/policy/modules/admin/netutils.if
index 7b53ac3..8ad4c0a 100644
--- a/refpolicy/policy/modules/admin/netutils.if
+++ b/refpolicy/policy/modules/admin/netutils.if
@@ -4,7 +4,7 @@
 # netutils_domtrans(domain)
 #
 define(`netutils_domtrans',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 netutils_exec_t:file rx_file_perms;
 allow $1 netutils_t:process transition;
@@ -31,7 +31,7 @@ define(`netutils_domtrans_depend',`
 # netutils_exec(domain)
 #
 define(`netutils_exec',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 can_exec($1,netutils_exec_t)
diff --git a/refpolicy/policy/modules/admin/rpm.if b/refpolicy/policy/modules/admin/rpm.if
index 82b9fe5..9469e07 100644
--- a/refpolicy/policy/modules/admin/rpm.if
+++ b/refpolicy/policy/modules/admin/rpm.if
@@ -12,7 +12,7 @@
 ##
 #
 define(`rpm_domtrans',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 rpm_exec_t:file rx_file_perms;
 allow $1 rpm_t:process transition;
@@ -51,7 +51,7 @@ define(`rpm_domtrans_depend',`
 ##
 #
 define(`rpm_run',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 rpm_domtrans($1)
 role $2 types rpm_t;
@@ -76,7 +76,7 @@ define(`rpm_run_depend',`
 ##
 #
 define(`rpm_use_fd',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 rpm_t:fd use;
 ')
@@ -98,7 +98,7 @@ define(`rpm_use_fd_depend',`
 ##
 #
 define(`rpm_read_pipe',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 rpm_t:fifo_file r_file_perms;
 ')
@@ -120,7 +120,7 @@ define(`rpm_read_pipe_depend',`
 ##
 #
 define(`rpm_read_db',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 rpm_var_lib_t:dir r_dir_perms;
 allow $1 rpm_var_lib_t:file r_file_perms;
@@ -140,7 +140,7 @@ define(`rpm_read_db_depend',`
 # rpm_manage_db(domain)
 #
 define(`rpm_manage_db',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 rpm_var_lib_t:dir rw_dir_perms;
 allow $1 rpm_var_lib_t:file { getattr create read write append unlink };
diff --git a/refpolicy/policy/modules/admin/usermanage.if b/refpolicy/policy/modules/admin/usermanage.if
index a7a9037..eb3a539 100644
--- a/refpolicy/policy/modules/admin/usermanage.if
+++ b/refpolicy/policy/modules/admin/usermanage.if
@@ -12,7 +12,7 @@
 ##
 #
 define(`usermanage_domtrans_chfn',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 chfn_exec_t:file rx_file_perms;
 allow $1 chfn_t:process transition;
@@ -52,7 +52,7 @@ define(`usermanage_domtrans_chfn_depend',`
 ##
 #
 define(`usermanage_run_chfn',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 usermanage_domtrans_chfn($1)
 role $2 types chfn_t;
@@ -76,7 +76,7 @@ define(`usermanage_run_chfn_depend',`
 ##
 #
 define(`usermanage_domtrans_groupadd',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 domain_auto_trans($1,groupadd_exec_t,groupadd_t)
@@ -113,7 +113,7 @@ define(`usermanage_domtrans_groupadd_depend',`
 ##
 #
 define(`usermanage_run_groupadd',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 usermanage_domtrans_groupadd($1)
 role $2 types groupadd_t;
@@ -137,7 +137,7 @@ define(`usermanage_run_groupadd_depend',`
 ##
 #
 define(`usermanage_domtrans_passwd',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 passwd_exec_t:file rx_file_perms;
 allow $1 passwd_t:process transition;
@@ -177,7 +177,7 @@ define(`usermanage_domtrans_passwd_depend',`
 ##
 #
 define(`usermanage_run_passwd',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 usermanage_domtrans_passwd($1)
 role $2 types passwd_t;
@@ -201,7 +201,7 @@ define(`usermanage_run_passwd_depend',`
 ##
 #
 define(`usermanage_domtrans_useradd',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 useradd_exec_t:file rx_file_perms;
 allow $1 useradd_t:process transition;
@@ -241,7 +241,7 @@ define(`usermanage_domtrans_useradd_depend',`
 ##
 #
 define(`usermanage_run_useradd',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 usermanage_domtrans_useradd($1)
 role $2 types useradd_t;
diff --git a/refpolicy/policy/modules/apps/gpg.if b/refpolicy/policy/modules/apps/gpg.if
index 6e25d42..0af217d 100644
--- a/refpolicy/policy/modules/apps/gpg.if
+++ b/refpolicy/policy/modules/apps/gpg.if
@@ -6,7 +6,7 @@
 # gpg_per_userdomain_template(userdomain_prefix)
 #
 define(`gpg_per_userdomain_template',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 ########################################
 #
diff --git a/refpolicy/policy/modules/kernel/bootloader.if b/refpolicy/policy/modules/kernel/bootloader.if
index ffbfd27..753d039 100644
--- a/refpolicy/policy/modules/kernel/bootloader.if
+++ b/refpolicy/policy/modules/kernel/bootloader.if
@@ -12,7 +12,7 @@
 ##
 #
 define(`bootloader_domtrans',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 domain_auto_trans($1, bootloader_exec_t, bootloader_t)
@@ -49,7 +49,7 @@ define(`bootloader_domtrans_depend',`
 ##
 #
 define(`bootloader_run',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 bootloader_domtrans($1)
@@ -73,7 +73,7 @@ define(`bootloader_run_depend',`
 ##
 #
 define(`bootloader_search_boot_dir',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 boot_t:dir search;
 ')
@@ -95,7 +95,7 @@ define(`bootloader_search_boot_dir_depend',`
 ##
 #
 define(`bootloader_dontaudit_search_boot',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 dontaudit $1 boot_t:dir search;
 ')
@@ -118,7 +118,7 @@ define(`bootloader_dontaudit_search_boot_depend',`
 ##
 #
 define(`bootloader_rw_boot_symlinks',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 boot_t:dir r_dir_perms;
 allow $1 boot_t:lnk_file rw_file_perms;
@@ -142,7 +142,7 @@ define(`bootloader_rw_boot_symlinks_depend',`
 ##
 #
 define(`bootloader_create_kernel',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 boot_t:dir ra_dir_perms;
 allow $1 boot_t:file { getattr read write create };
@@ -168,7 +168,7 @@ define(`bootloader_create_kernel_depend',`
 ##
 #
 define(`bootloader_create_kernel_symbol_table',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 boot_t:dir ra_dir_perms;
 allow $1 system_map_t:file { rw_file_perms create };
@@ -192,7 +192,7 @@ define(`bootloader_create_kernel_symbol_table_depend',`
 ##
 #
 define(`bootloader_read_kernel_symbol_table',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 boot_t:dir r_dir_perms;
 allow $1 system_map_t:file r_file_perms;
@@ -216,7 +216,7 @@ define(`bootloader_read_kernel_symbol_table_depend',`
 ##
 #
 define(`bootloader_delete_kernel',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 boot_t:dir { r_dir_perms write remove_name };
 allow $1 boot_t:file { getattr unlink };
@@ -240,7 +240,7 @@ define(`bootloader_delete_kernel_depend',`
 ##
 #
 define(`bootloader_delete_kernel_symbol_table',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 boot_t:dir { r_dir_perms write remove_name };
 allow $1 system_map_t:file { getattr unlink };
@@ -264,7 +264,7 @@ define(`bootloader_delete_kernel_symbol_table_depend',`
 ##
 #
 define(`bootloader_read_config',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 bootloader_etc_t:file r_file_perms;
 ')
@@ -287,7 +287,7 @@ define(`bootloader_read_config_depend',`
 ##
 #
 define(`bootloader_rw_config',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 bootloader_etc_t:file rw_file_perms;
 ')
@@ -310,7 +310,7 @@ define(`bootloader_rw_config_depend',`
 ##
 #
 define(`bootloader_rw_tmp_file',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 # FIXME: read tmp_t
 allow $1 bootloader_tmp_t:file rw_file_perms;
@@ -334,7 +334,7 @@ define(`bootloader_rw_tmp_file_depend',`
 ##
 #
 define(`bootloader_create_runtime_file',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 boot_t:dir rw_dir_perms;
 allow $1 boot_runtime_t:file { rw_file_perms create unlink };
@@ -359,7 +359,7 @@ define(`bootloader_create_runtime_file_depend',`
 ##
 #
 define(`bootloader_list_kernel_modules',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 modules_object_t:dir r_dir_perms;
 ')
@@ -381,7 +381,7 @@ define(`bootloader_list_kernel_modules_depend',`
 ##
 #
 define(`bootloader_read_kernel_modules',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 modules_object_t:dir r_dir_perms;
 allow $1 modules_object_t:lnk_file r_file_perms;
@@ -407,7 +407,7 @@ define(`bootloader_read_kernel_modules_depend',`
 ##
 #
 define(`bootloader_write_kernel_modules',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 modules_object_t:dir r_dir_perms;
 allow $1 modules_object_t:file { write append };
@@ -436,7 +436,7 @@ define(`bootloader_write_kernel_modules_depend',`
 ##
 #
 define(`bootloader_manage_kernel_modules',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 modules_object_t:file { rw_file_perms create setattr unlink };
 allow $1 modules_object_t:dir rw_dir_perms;
@@ -458,7 +458,7 @@ define(`bootloader_manage_kernel_modules_depend',`
 # bootloader_create_private_module_dir_entry(domain,privatetype,[class(es)])
 #
 define(`bootloader_create_private_module_dir_entry',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 modules_object_t:dir { getattr search read write add_name remove_name };
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index 2497b20..9f1cb67 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -37,7 +37,7 @@
 ##
 #
 define(`dev_node',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 typeattribute $1 device_node;
@@ -63,7 +63,7 @@ define(`dev_node_depend',`
 ##
 #
 define(`dev_relabel_all_dev_nodes',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 device_node:dir { getattr relabelfrom };
 allow $1 device_node:file { getattr relabelfrom };
@@ -99,7 +99,7 @@ define(`dev_relabel_all_dev_nodes_depend',`
 ##
 #
 define(`dev_list_all_dev_nodes',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 device_t:dir r_dir_perms;
 allow $1 device_t:lnk_file { getattr read };
@@ -123,7 +123,7 @@ define(`dev_list_all_dev_nodes_depend',`
 ##
 #
 define(`dev_dontaudit_list_all_dev_nodes',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 dontaudit $1 device_t:dir r_dir_perms;
 ')
@@ -145,7 +145,7 @@ define(`dev_dontaudit_list_all_dev_nodes_depend',`
 ##
 #
 define(`dev_create_dir',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 device_t:dir { ra_dir_perms create };
 ')
@@ -167,7 +167,7 @@ define(`dev_create_dir_depend',`
 ##
 #
 define(`dev_relabel_dev_dirs',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 device_t:dir { r_dir_perms relabelfrom relabelto };
 ')
@@ -189,7 +189,7 @@ define(`dev_relabel_dev_dirs_depend',`
 ##
 #
 define(`dev_dontaudit_getattr_generic_pipe',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 dontaudit $1 device_t:fifo_file getattr;
 ')
@@ -211,7 +211,7 @@ define(`dev_dontaudit_getattr_generic_pipe_depend',`
 ##
 #
 define(`dev_getattr_generic_blk_file',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 device_t:dir r_dir_perms;
 allow $1 device_t:blk_file getattr;
@@ -235,7 +235,7 @@ define(`ddev_getattr_generic_blk_file_depend',`
 ##
 #
 define(`dev_dontaudit_getattr_generic_blk_file',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 dontaudit $1 device_t:blk_file getattr;
 ')
@@ -258,7 +258,7 @@ define(`dev_dontaudit_getattr_generic_blk_file_depend',`
 ##
 #
 define(`dev_manage_generic_blk_file',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 device_t:dir rw_dir_perms;
 allow $1 device_t:blk_file create_file_perms;
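Review bot: In the dev_getattr_generic_blk_file hunk (`@@ -211,7`), the new call expands `$0` plus `_depend` to `dev_getattr_generic_blk_file_depend`, but the header of the following hunk shows the dependency block defined under the name `ddev_getattr_generic_blk_file_depend`. If that spelling is what the file really contains, the require block for this interface presumably never expands, so `device_t` and the permissions it uses are not declared for callers. The definition should be renamed to `dev_getattr_generic_blk_file_depend`; it lies outside the hunk, so this cannot be confirmed from the lines shown.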
@@ -281,7 +281,7 @@ define(`dev_manage_generic_blk_file_depend',`
 ##
 #
 define(`dev_create_generic_chr_file',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 device_t:dir ra_dir_perms;
 allow $1 device_t:chr_file create;
@@ -308,7 +308,7 @@ define(`dev_create_generic_chr_file_depend',`
 ##
 #
 define(`dev_getattr_generic_chr_file',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 device_t:dir r_dir_perms;
 allow $1 device_t:chr_file getattr;
@@ -332,7 +332,7 @@ define(`dev_getattr_generic_chr_file_depend',`
 ##
 #
 define(`dev_dontaudit_getattr_generic_chr_file',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 dontaudit $1 device_t:chr_file getattr;
 ')
@@ -354,7 +354,7 @@ define(`dev_dontaudit_getattr_generic_chr_file_depend',`
 ##
 #
 define(`dev_del_generic_symlinks',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 device_t:dir { getattr read write remove_name };
 allow $1 device_t:lnk_file unlink;
@@ -380,7 +380,7 @@ define(`dev_del_generic_symlinks_depend',`
 ##
 #
 define(`dev_manage_generic_symlinks',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 device_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto };
 allow $1 device_t:lnk_file { create read getattr setattr link unlink rename };
@@ -404,7 +404,7 @@ define(`dev_manage_generic_symlinks_depend',`
 ##
 #
 define(`dev_manage_dev_nodes',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 device_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto };
 allow $1 device_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
@@ -446,7 +446,7 @@ define(`dev_manage_dev_nodes_depend',`
 ##
 #
 define(`dev_dontaudit_rw_generic_dev_nodes',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 dontaudit $1 device_t:{ chr_file blk_file } { getattr read write ioctl };
 ')
@@ -469,7 +469,7 @@ define(`dev_dontaudit_rw_generic_dev_nodes_depend',`
 ##
 #
 define(`dev_manage_generic_blk_file',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 device_t:dir rw_dir_perms;
 allow $1 device_t:blk_file create_file_perms;
@@ -493,7 +493,7 @@ define(`dev_manage_generic_blk_file_depend',`
 ##
 #
 define(`dev_manage_generic_chr_file',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 device_t:dir rw_dir_perms;
 allow $1 device_t:chr_file create_file_perms;
@@ -525,7 +525,7 @@ define(`dev_manage_generic_chr_file_depend',`
 ##
 #
 define(`dev_create_dev_node',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 device_t:dir rw_dir_perms;
 type_transition $1 device_t:$3 $2;
@@ -552,7 +552,7 @@ define(`dev_create_dev_node_depend',`
 ##
 #
 define(`dev_getattr_all_blk_files',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 device_t:dir r_dir_perms;
 allow $1 device_node:blk_file getattr;
@@ -576,7 +576,7 @@ define(`dev_getattr_all_blk_files_depend',`
 ##
 #
 define(`dev_dontaudit_getattr_all_blk_files',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 device_node:blk_file getattr;
 ')
@@ -598,7 +598,7 @@ define(`dev_dontaudit_getattr_all_blk_files_depend',`
 ##
 #
 define(`dev_getattr_all_chr_files',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 device_t:dir r_dir_perms;
 allow $1 device_node:chr_file getattr;
@@ -622,7 +622,7 @@ define(`dev_getattr_all_chr_files_depend',`
 ##
 #
 define(`dev_dontaudit_getattr_all_chr_files',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 dontaudit $1 device_node:chr_file getattr;
 ')
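Review bot: dev_manage_generic_blk_file is defined a second time in the hunk at `@@ -469,7`; the hunk at `@@ -258,7` already defines the same macro with the same two visible allow rules. In m4 the later definition replaces the earlier one, so the two copies can drift apart without any build error. One copy and its `_depend` block should be dropped. Both definitions extend beyond their hunks, so any difference in the unseen lines should be checked first.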
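Review bot: The body of dev_dontaudit_getattr_all_blk_files (hunk `@@ -576,7`) is `allow $1 device_node:blk_file getattr;`, so an interface named as an audit suppression actually grants getattr on every block device node to its caller. The sibling dev_dontaudit_getattr_all_chr_files uses `dontaudit` for the same rule shape. The line should read `dontaudit $1 device_node:blk_file getattr;`, otherwise domains that only wanted denials silenced receive access they did not ask for.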
@@ -644,7 +644,7 @@ define(`dev_dontaudit_getattr_all_chr_files_depend',`
 ##
 #
 define(`dev_setattr_all_blk_files',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 device_t:dir r_dir_perms;
 allow $1 device_node:blk_file setattr;
@@ -668,7 +668,7 @@ define(`dev_setattr_all_blk_files_depend',`
 ##
 #
 define(`dev_setattr_all_chr_files',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 device_t:dir r_dir_perms;
 allow $1 device_node:chr_file setattr;
@@ -692,7 +692,7 @@ define(`dev_setattr_all_chr_files_depend',`
 ##
 #
 define(`dev_manage_all_blk_files',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 device_t:dir rw_dir_perms;
 allow $1 device_node:blk_file create_file_perms;
@@ -722,7 +722,7 @@ define(`dev_manage_all_blk_files_depend',`
 ##
 #
 define(`dev_manage_all_chr_files',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 device_t:dir rw_dir_perms;
 allow $1 device_node:chr_file create_file_perms;
@@ -748,7 +748,7 @@ define(`dev_manage_all_chr_files_depend',`
 ##
 #
 define(`dev_read_raw_memory',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 device_t:dir r_dir_perms;
 allow $1 memory_device_t:chr_file r_file_perms;
@@ -776,7 +776,7 @@ define(`dev_read_raw_memory_depend',`
 ##
 #
 define(`dev_write_raw_memory',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 device_t:dir r_dir_perms;
 allow $1 memory_device_t:chr_file write;
@@ -804,7 +804,7 @@ define(`dev_write_raw_memory_depend',`
 ##
 #
 define(`dev_rx_raw_memory',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 dev_read_raw_memory($1)
 allow $1 memory_device_t:chr_file execute;
@@ -827,7 +827,7 @@ define(`dev_rx_raw_memory_depend',`
 ##
 #
 define(`dev_wx_raw_memory',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 dev_write_raw_memory($1)
 allow $1 memory_device_t:chr_file execute;
@@ -850,7 +850,7 @@ define(`dev_wx_raw_memory_depend',`
 ##
 #
 define(`dev_read_rand',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 device_t:dir r_dir_perms;
 allow $1 random_device_t:chr_file r_file_perms;
@@ -874,7 +874,7 @@ define(`dev_read_rand_depend',`
 ##
 #
 define(`dev_read_urand',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 device_t:dir r_dir_perms;
 allow $1 urandom_device_t:chr_file r_file_perms;
@@ -900,7 +900,7 @@ define(`dev_read_urand_depend',`
 ##
 #
 define(`dev_write_rand',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 device_t:dir r_dir_perms;
 allow $1 random_device_t:chr_file { getattr write ioctl };
@@ -925,7 +925,7 @@ define(`dev_write_rand_depend',`
 ##
 #
 define(`dev_write_urand',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 device_t:dir r_dir_perms;
 allow $1 urandom_device_t:chr_file { getattr write ioctl };
@@ -949,7 +949,7 @@ define(`dev_write_urand_depend',`
 ##
 #
 define(`dev_rw_null_dev',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 device_t:dir r_dir_perms;
 allow $1 null_device_t:chr_file rw_file_perms;
@@ -973,7 +973,7 @@ define(`dev_rw_null_dev_depend',`
 ##
 #
 define(`dev_rw_zero_dev',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 device_t:dir r_dir_perms;
 allow $1 zero_device_t:chr_file rw_file_perms;
@@ -997,7 +997,7 @@ define(`dev_rw_zero_dev_depend',`
 ##
 #
 define(`dev_rwx_zero_dev',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 dev_rw_zero_dev($1)
 allow $1 zero_device_t:chr_file execute;
@@ -1020,7 +1020,7 @@ define(`dev_rwx_zero_dev_depend',`
 ##
 #
 define(`dev_read_realtime_clock',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 device_t:dir r_dir_perms;
 allow $1 clock_device_t:chr_file r_file_perms;
@@ -1043,7 +1043,7 @@ class chr_file r_file_perms;
 ##
 #
 define(`dev_write_realtime_clock',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 device_t:dir r_dir_perms;
 allow $1 clock_device_t:chr_file { setattr lock write append ioctl };
@@ -1082,7 +1082,7 @@ define(`dev_rw_realtime_clock',`
 ##
 #
 define(`dev_read_snd_dev',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 device_t:dir r_dir_perms;
 allow $1 sound_device_t:chr_file r_file_perms;
@@ -1105,7 +1105,7 @@ define(`dev_read_snd_dev_depend',`
 ##
 #
 define(`dev_write_snd_dev',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 device_t:dir r_dir_perms;
 allow $1 sound_device_t:chr_file { getattr write ioctl };
@@ -1129,7 +1129,7 @@ define(`dev_write_snd_dev_depend',`
 ##
 #
 define(`dev_read_snd_mixer_dev',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 device_t:dir r_dir_perms;
 allow $1 sound_device_t:chr_file { getattr read ioctl };
@@ -1153,7 +1153,7 @@ define(`dev_read_snd_mixer_dev_depend',`
 ##
 #
 define(`dev_write_snd_mixer_dev',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 device_t:dir r_dir_perms;
 allow $1 sound_device_t:chr_file { getattr write ioctl };
@@ -1177,7 +1177,7 @@ define(`dev_write_snd_mixer_dev_depend',`
 ##
 #
 define(`dev_rw_agp_dev',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 device_t:dir r_dir_perms;
 allow $1 agp_device_t:chr_file rw_file_perms;
@@ -1201,7 +1201,7 @@ define(`dev_rw_agp_dev_depend',`
 ##
 #
 define(`dev_getattr_agp_dev',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 device_t:dir r_dir_perms;
 allow $1 dri_device_t:chr_file getattr;
@@ -1225,7 +1225,7 @@ define(`dev_getattr_agp_dev_depend',`
 ##
 #
 define(`dev_rw_dri_dev',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 device_t:dir r_dir_perms;
 allow $1 dri_device_t:chr_file rw_file_perms;
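Review bot: dev_getattr_agp_dev (hunk `@@ -1201,7`) grants `allow $1 dri_device_t:chr_file getattr;`, while the neighbouring dev_rw_agp_dev uses `agp_device_t`. This looks like a copy from the DRI interfaces; if so, the rule should be `allow $1 agp_device_t:chr_file getattr;` and the matching `_depend` block, which is outside the hunk, should require `agp_device_t`. As written, callers receive getattr on DRI device nodes and nothing on the AGP device the interface is named for.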
@@ -1249,7 +1249,7 @@ define(`dev_rw_dri_dev_depend',`
 ##
 #
 define(`dev_dontaudit_rw_dri_dev',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 dontaudit $1 dri_device_t:chr_file { getattr read write ioctl };
 ')
@@ -1271,7 +1271,7 @@ define(`dev_dontaudit_rw_dri_dev_depend',`
 ##
 #
 define(`dev_read_mtrr',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 device_t:dir r_dir_perms;
 allow $1 mtrr_device_t:chr_file r_file_perms;
@@ -1295,7 +1295,7 @@ define(`dev_read_mtrr_depend',`
 ##
 #
 define(`dev_write_mtrr',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 device_t:dir r_dir_perms;
 allow $1 mtrr_device_t:chr_file { getattr write ioctl };
@@ -1319,7 +1319,7 @@ define(`dev_write_mtrr_depend',`
 ##
 #
 define(`dev_read_framebuffer',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 device_t:dir r_dir_perms;
 allow $1 framebuf_device_t:chr_file r_file_perms;
@@ -1343,7 +1343,7 @@ define(`dev_read_framebuffer_depend',`
 ##
 #
 define(`dev_write_framebuffer',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 device_t:dir r_dir_perms;
 allow $1 framebuf_device_t:chr_file { getattr write ioctl };
@@ -1367,7 +1367,7 @@ define(`dev_write_framebuffer_depend',`
 ##
 #
 define(`dev_read_lvm_control',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 device_t:dir r_dir_perms;
 allow $1 lvm_control_t:chr_file r_file_perms;
@@ -1391,7 +1391,7 @@ define(`dev_read_lvm_control_depend',`
 ##
 #
 define(`dev_rw_lvm_control',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 device_t:dir r_dir_perms;
 allow $1 lvm_control_t:chr_file rw_file_perms;
@@ -1415,7 +1415,7 @@ define(`dev_rw_lvm_control_depend',`
 ##
 #
 define(`dev_delete_lvm_control',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 device_t:dir { getattr search read write remove_name };
 allow $1 lvm_control_t:chr_file unlink;
@@ -1439,7 +1439,7 @@ define(`dev_delete_lvm_control_depend',`
 ##
 #
 define(`dev_read_misc',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 device_t:dir r_dir_perms;
 allow $1 misc_device_t:chr_file r_file_perms;
@@ -1463,7 +1463,7 @@ define(`dev_read_misc_depend',`
 ##
 #
 define(`dev_write_misc',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 device_t:dir r_dir_perms;
 allow $1 misc_device_t:chr_file { getattr write ioctl };
@@ -1487,7 +1487,7 @@ define(`dev_write_misc_depend',`
 ##
 #
 define(`dev_read_mouse',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 device_t:dir r_dir_perms;
 allow $1 mouse_device_t:chr_file r_file_perms;
@@ -1511,7 +1511,7 @@ define(`dev_read_mouse_depend',`
 ##
 #
 define(`dev_read_input',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 device_t:dir r_dir_perms;
 allow $1 event_device_t:chr_file r_file_perms;
@@ -1535,7 +1535,7 @@ define(`dev_read_input_depend',`
 ##
 #
 define(`dev_read_cpuid',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 device_t:dir r_dir_perms;
 allow $1 cpu_device_t:chr_file r_file_perms;
@@ -1560,7 +1560,7 @@ define(`dev_read_cpuid_depend',`
 ##
 #
 define(`dev_rw_cpu_microcode',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 device_t:dir r_dir_perms;
 allow $1 cpu_device_t:chr_file rw_file_perms;
@@ -1584,7 +1584,7 @@ define(`dev_rw_cpu_microcode_depend',`
 ##
 #
 define(`dev_rw_scanner',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 device_t:dir r_dir_perms;
 allow $1 scanner_device_t:chr_file rw_file_perms;
@@ -1608,7 +1608,7 @@ define(`dev_rw_scanner_depend',`
 ##
 #
 define(`dev_rw_power_management',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 device_t:dir r_dir_perms;
 allow $1 power_device_t:chr_file rw_file_perms;
diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if
index 8d4b1bd..2c03327 100644
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@@ -12,7 +12,7 @@
 ##
 #
 define(`fs_make_fs',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 typeattribute $1 fs_type;
 ')
@@ -34,7 +34,7 @@ define(`fs_make_fs_depend',`
 ##
 #
 define(`fs_make_noxattr_fs',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 fs_make_fs($1)
@@ -59,7 +59,7 @@ define(`fs_make_noxattr_fs_depend',`
 ##
 #
 define(`fs_associate',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 fs_t:filesystem associate;
 ')
@@ -85,7 +85,7 @@ define(`fs_associate_depend',`
 ##
 #
 define(`fs_associate_noxattr',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 noxattrfs:filesystem associate;
 ')
@@ -109,7 +109,7 @@ define(`fs_associate_noxattr_depend',`
 ##
 #
 define(`fs_mount_xattr_fs',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 fs_t:filesystem mount;
 ')
@@ -134,7 +134,7 @@ define(`fs_mount_xattr_fs_depend',`
 ##
 #
 define(`fs_remount_xattr_fs',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 fs_t:filesystem remount;
 ')
@@ -158,7 +158,7 @@ define(`fs_remount_xattr_fs_depend',`
 ##
 #
 define(`fs_unmount_xattr_fs',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 fs_t:filesystem mount;
 ')
@@ -183,7 +183,7 @@ define(`fs_unmount_xattr_fs_depend',`
 ##
 #
 define(`fs_getattr_xattr_fs',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 fs_t:filesystem getattr;
 ')
@@ -208,7 +208,7 @@ define(`fs_getattr_xattr_fs_depend',`
 ##
 #
 define(`fs_dontaudit_getattr_xattr_fs',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 dontaudit $1 fs_t:filesystem getattr;
 ')
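Review bot: fs_unmount_xattr_fs (hunk `@@ -158,7`) contains `allow $1 fs_t:filesystem mount;`, which grants the mount permission instead of unmount. The same rule appears in the later hunks for fs_unmount_autofs, fs_unmount_cifs, fs_unmount_dos_fs, fs_unmount_iso9660_fs and fs_unmount_nfs in this file. Each should grant `unmount` on its own type, for example `allow $1 fs_t:filesystem unmount;`. As written, a domain given an unmount interface gains the ability to mount that filesystem type and still cannot unmount it.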
@@ -232,7 +232,7 @@ define(`fs_dontaudit_getattr_xattr_fs_depend',`
 ##
 #
 define(`fs_relabelfrom_xattr_fs',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 fs_t:filesystem relabelfrom;
 ')
@@ -254,7 +254,7 @@ define(`fs_relabelfrom_xattr_fs_depend',`
 ##
 #
 define(`fs_mount_autofs',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 autofs_t:filesystem mount;
 ')
@@ -277,7 +277,7 @@ define(`fs_mount_autofs_depend',`
 ##
 #
 define(`fs_remount_autofs',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 autofs_t:filesystem remount;
 ')
@@ -299,7 +299,7 @@ define(`fs_remount_autofs_depend',`
 ##
 #
 define(`fs_unmount_autofs',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 autofs_t:filesystem mount;
 ')
@@ -323,7 +323,7 @@ define(`fs_unmount_autofs_depend',`
 ##
 #
 define(`fs_getattr_autofs',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 autofs_t:filesystem getattr;
 ')
@@ -352,7 +352,7 @@ define(`fs_getattr_autofs_depend',`
 ##
 #
 define(`fs_register_binary_executable_type',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 binfmt_misc_fs_t:dir { getattr search };
 allow $1 binfmt_misc_fs_t:file { getattr ioctl write };
@@ -376,7 +376,7 @@ define(`fs_register_binary_executable_type_depend',`
 ##
 #
 define(`fs_mount_cifs',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 cifs_t:filesystem mount;
 ')
@@ -399,7 +399,7 @@ define(`fs_mount_cifs_depend',`
 ##
 #
 define(`fs_remount_cifs',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 cifs_t:filesystem remount;
 ')
@@ -421,7 +421,7 @@ define(`fs_remount_cifs_depend',`
 ##
 #
 define(`fs_unmount_cifs',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 cifs_t:filesystem mount;
 ')
@@ -445,7 +445,7 @@ define(`fs_unmount_cifs_depend',`
 ##
 #
 define(`fs_getattr_cifs',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 cifs_t:filesystem getattr;
 ')
@@ -469,7 +469,7 @@ define(`fs_getattr_cifs_depend',`
 ##
 #
 define(`fs_execute_cifs_files',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 cifs_t:dir r_dir_perms;
 can_exec($1, cifs_t)
@@ -494,7 +494,7 @@ define(`fs_execute_cifs_files_depend',`
 ##
 #
 define(`fs_manage_cifs_dirs',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 cifs_t:dir create_file_perms;
 ')
@@ -517,7 +517,7 @@ define(`fs_manage_cifs_dirs_depend',`
 ##
 #
 define(`fs_manage_cifs_files',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 cifs_t:dir rw_dir_perms;
 allow $1 cifs_t:file create_file_perms;
@@ -542,7 +542,7 @@ define(`fs_manage_cifs_files_depend',`
 ##
 #
 define(`fs_manage_cifs_symlinks',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 cifs_t:dir rw_dir_perms;
 allow $1 cifs_t:lnk_file create_lnk_perms;
@@ -567,7 +567,7 @@ define(`fs_manage_cifs_symlinks_depend',`
 ##
 #
 define(`fs_manage_cifs_named_pipes',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 cifs_t:dir rw_dir_perms;
 allow $1 cifs_t:fifo_file create_file_perms;
@@ -592,7 +592,7 @@ define(`fs_manage_cifs_named_pipes_depend',`
 ##
 #
 define(`fs_manage_cifs_named_sockets',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 cifs_t:dir rw_file_perms;
 allow $1 cifs_t:sock_file create_file_perms;
@@ -617,7 +617,7 @@ define(`fs_manage_cifs_named_sockets_depend',`
 ##
 #
 define(`fs_mount_dos_fs',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 dosfs_t:filesystem mount;
 ')
@@ -641,7 +641,7 @@ define(`fs_mount_dos_fs_depend',`
 ##
 #
 define(`fs_remount_dos_fs',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 dosfs_t:filesystem remount;
 ')
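Review bot: fs_manage_cifs_dirs (hunk `@@ -494,7`) applies the file permission set to the dir class with `allow $1 cifs_t:dir create_file_perms;`, and fs_manage_cifs_named_sockets (hunk `@@ -592,7`) does the same with `allow $1 cifs_t:dir rw_file_perms;`. The NFS counterparts in this file use `create_dir_perms` and `rw_dir_perms` for the identical rules. The permission set definitions are not shown here, but file sets presumably omit directory-only permissions such as search and add_name, so these interfaces would not grant what their names promise. The two rules should read `allow $1 cifs_t:dir create_dir_perms;` and `allow $1 cifs_t:dir rw_dir_perms;`.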
@@ -664,7 +664,7 @@ define(`fs_remount_dos_fs_depend',`
 ##
 #
 define(`fs_unmount_dos_fs',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 dosfs_t:filesystem mount;
 ')
@@ -688,7 +688,7 @@ define(`fs_unmount_dos_fs_depend',`
 ##
 #
 define(`fs_getattr_dos_fs',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 dosfs_t:filesystem getattr;
 ')
@@ -711,7 +711,7 @@ define(`fs_getattr_dos_fs_depend',`
 ##
 #
 define(`fs_relabelfrom_dos_fs',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 dosfs_t:filesystem relabelfrom;
 ')
@@ -734,7 +734,7 @@ define(`fs_relabelfrom_dos_fs_depend',`
 ##
 #
 define(`fs_mount_iso9660_fs',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 iso9660_t:filesystem mount;
 ')
@@ -758,7 +758,7 @@ define(`fs_mount_iso9660_fs_depend',`
 ##
 #
 define(`fs_remount_iso9660_fs',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 iso9660_t:filesystem remount;
 ')
@@ -781,7 +781,7 @@ define(`fs_remount_iso9660_fs_depend',`
 ##
 #
 define(`fs_unmount_iso9660_fs',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 iso9660_t:filesystem mount;
 ')
@@ -805,7 +805,7 @@ define(`fs_unmount_iso9660_fs_depend',`
 ##
 #
 define(`fs_getattr_iso9660_fs',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 iso9660_t:filesystem getattr;
 ')
@@ -827,7 +827,7 @@ define(`fs_getattr_iso9660_fs_depend',`
 ##
 #
 define(`fs_mount_nfs',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 nfs_t:filesystem mount;
 ')
@@ -850,7 +850,7 @@ define(`fs_mount_nfs_depend',`
 ##
 #
 define(`fs_remount_nfs',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 nfs_t:filesystem remount;
 ')
@@ -872,7 +872,7 @@ define(`fs_remount_nfs_depend',`
 ##
 #
 define(`fs_unmount_nfs',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 nfs_t:filesystem mount;
 ')
@@ -895,7 +895,7 @@ define(`fs_unmount_nfs_depend',`
 ##
 #
 define(`fs_getattr_nfs',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 nfs_t:filesystem getattr;
 ')
@@ -917,7 +917,7 @@ define(`fs_getattr_nfs_depend',`
 ##
 #
 define(`fs_execute_nfs_files',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 nfs_t:dir r_dir_perms;
 can_exec($1, nfs_t)
@@ -942,7 +942,7 @@ define(`fs_execute_nfs_files_depend',`
 ##
 #
 define(`fs_manage_nfs_dirs',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 nfs_t:dir create_dir_perms;
 ')
@@ -965,7 +965,7 @@ define(`fs_manage_nfs_dirs_depend',`
 ##
 #
 define(`fs_manage_nfs_files',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 nfs_t:dir rw_dir_perms;
 allow $1 nfs_t:file create_file_perms;
@@ -990,7 +990,7 @@ define(`fs_manage_nfs_files_depend',`
 ##
 #
 define(`fs_manage_nfs_symlinks',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 nfs_t:dir rw_dir_perms;
 allow $1 nfs_t:lnk_file create_lnk_perms;
@@ -1015,7 +1015,7 @@ define(`fs_manage_nfs_symlinks_depend',`
 ##
 #
 define(`fs_manage_nfs_named_pipes',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 nfs_t:dir rw_dir_perms;
 allow $1 nfs_t:fifo_file create_file_perms;
@@ -1040,7 +1040,7 @@ define(`fs_manage_nfs_named_pipes_depend',`
 ##
 #
 define(`fs_manage_nfs_named_sockets',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 nfs_t:dir rw_dir_perms;
 allow $1 nfs_t:sock_file create_file_perms;
@@ -1064,7 +1064,7 @@ define(`fs_manage_nfs_named_sockets_depend',`
 ##
 #
 define(`fs_mount_nfsd_fs',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 nfsd_fs_t:filesystem mount;
 ')
@@ -1087,7 +1087,7 @@ define(`fs_mount_nfsd_fs_depend',`
 ##
 #
 define(`fs_remount_nfsd_fs',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 nfsd_fs_t:filesystem remount;
 ')
@@ -1109,7 +1109,7 @@ define(`fs_remount_nfsd_fs_depend',`
 ##
 #
 define(`fs_unmount_nfsd_fs',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 nfsd_fs_t:filesystem mount;
 ')
@@ -1133,7 +1133,7 @@ define(`fs_unmount_nfsd_fs_depend',`
 ##
 #
 define(`fs_getattr_nfsd_fs',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 nfsd_fs_t:filesystem getattr;
 ')
@@ -1155,7 +1155,7 @@ define(`fs_getattr_nfsd_fs_depend',`
 ##
 #
 define(`fs_mount_ramfs',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 ramfs_t:filesystem mount;
 ')
@@ -1178,7 +1178,7 @@ define(`fs_mount_ramfs_depend',`
 ##
 #
 define(`fs_remount_ramfs',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 ramfs_t:filesystem remount;
 ')
@@ -1200,7 +1200,7 @@ define(`fs_remount_ramfs_depend',`
 ##
 #
 define(`fs_unmount_ramfs',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 ramfs_t:filesystem mount;
 ')
@@ -1223,7 +1223,7 @@ define(`fs_unmount_ramfs_depend',`
 ##
 #
 define(`fs_getattr_ramfs',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 ramfs_t:filesystem getattr;
 ')
@@ -1245,7 +1245,7 @@ define(`fs_getattr_ramfs_depend',`
 ##
 #
 define(`fs_mount_romfs',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 romfs_t:filesystem mount;
 ')
@@ -1268,7 +1268,7 @@ define(`fs_mount_romfs_depend',`
 ##
 #
 define(`fs_remount_romfs',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 romfs_t:filesystem remount;
 ')
@@ -1290,7 +1290,7 @@ define(`fs_remount_romfs_depend',`
 ##
 #
 define(`fs_unmount_romfs',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 romfs_t:filesystem mount;
 ')
@@ -1314,7 +1314,7 @@ define(`fs_unmount_romfs_depend',`
 ##
 #
 define(`fs_getattr_romfs',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 romfs_t:filesystem getattr;
 ')
@@ -1336,7 +1336,7 @@ define(`fs_getattr_romfs_depend',`
 ##
 #
 define(`fs_mount_rpc_pipefs',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 rpc_pipefs_t:filesystem mount;
 ')
@@ -1359,7 +1359,7 @@ define(`fs_mount_rpc_pipefs_depend',`
 ##
 #
 define(`fs_remount_rpc_pipefs',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 rpc_pipefs_t:filesystem remount;
 ')
@@ -1381,7 +1381,7 @@ define(`fs_remount_rpc_pipefs_depend',`
 ##
 #
 define(`fs_unmount_rpc_pipefs',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 rpc_pipefs_t:filesystem mount;
 ')
@@ -1405,7 +1405,7 @@ define(`fs_unmount_rpc_pipefs_depend',`
 ##
 #
 define(`fs_getattr_rpc_pipefs',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 rpc_pipefs_t:filesystem getattr;
 ')
@@ -1427,7 +1427,7 @@ define(`fs_getattr_rpc_pipefs_depend',`
 ##
 #
 define(`fs_mount_tmpfs',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 tmpfs_t:filesystem mount;
 ')
@@ -1449,7 +1449,7 @@ define(`fs_mount_tmpfs_depend',`
 ##
 #
 define(`fs_remount_tmpfs',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 tmpfs_t:filesystem remount;
 ')
@@ -1471,7 +1471,7 @@ define(`fs_remount_tmpfs_depend',`
 ##
 #
 define(`fs_unmount_tmpfs',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 tmpfs_t:filesystem mount;
 ')
@@ -1495,7 +1495,7 @@ define(`fs_unmount_tmpfs_depend',`
 ##
 #
 define(`fs_getattr_tmpfs',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 tmpfs_t:filesystem getattr;
 ')
@@ -1517,7 +1517,7 @@ define(`fs_getattr_tmpfs_depend',`
 ##
 #
 define(`fs_associate_tmpfs',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 tmpfs_t:filesystem associate;
 ')
@@ -1533,7 +1533,7 @@ define(`fs_associate_tmpfs_depend',`
 # fs_create_tmpfs_data(domain,derivedtype,[class])
 #
 define(`fs_create_tmpfs_data',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $2 tmpfs_t:filesystem associate;
 allow $1 tmpfs_t:dir rw_dir_perms;
@@ -1563,7 +1563,7 @@ define(`fs_create_tmpfs_data_depend',`
 ##
 #
 define(`fs_use_tmpfs_character_devices',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 tmpfs_t:dir r_dir_perms;
 allow $1 tmpfs_t:chr_file rw_file_perms;
@@ -1587,7 +1587,7 @@ define(`fs_use_tmpfs_character_devices_depend',`
 ##
 #
 define(`fs_relabel_tmpfs_character_devices',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 tmpfs_t:dir r_dir_perms;
 allow $1 tmpfs_t:chr_file { getattr relabelfrom relabelto };
@@ -1611,7 +1611,7 @@ define(`fs_relabel_tmpfs_character_devices_depend',`
 ##
 #
 define(`fs_use_tmpfs_block_devices',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 tmpfs_t:dir r_dir_perms;
 allow $1 tmpfs_t:blk_file rw_file_perms;
@@ -1635,7 +1635,7 @@ define(`fs_use_tmpfs_block_devices_depend',`
 ##
 #
 define(`fs_relabel_tmpfs_block_devices',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 tmpfs_t:dir r_dir_perms;
 allow $1 tmpfs_t:blk_file { getattr relabelfrom relabelto };
@@ -1660,7 +1660,7 @@ define(`fs_use_tmpfs_block_devices_depend',`
 ##
 #
 define(`fs_manage_tmpfs_character_devices',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 tmpfs_t:dir rw_dir_perms;
 allow $1 tmpfs_t:chr_file create_file_perms;
@@ -1685,7 +1685,7 @@ define(`fs_manage_tmpfs_character_devices_depend',`
 ##
 #
 define(`fs_manage_tmpfs_block_devices',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 tmpfs_t:dir rw_dir_perms;
 allow $1 tmpfs_t:blk_file create_file_perms;
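Review bot: The rewritten require call in `fs_relabel_tmpfs_block_devices` (hunk at -1635) names a dependency block that may not exist: it expands the interface's own name plus `_depend`, yet the header of the next hunk (-1660) shows the nearest preceding definition as `fs_use_tmpfs_block_devices_depend`, the same name that precedes the interface itself. That suggests the block after this interface is a copy that kept the old name, leaving `fs_relabel_tmpfs_block_devices_depend` undefined; hunk headers are only git's nearest-definition heuristic, so check the file. The same pattern appears later: `fs_mount_all_fs_depend` ahead of `fs_getattr_all_fs`, `kernel_rw_net_sysctl_depend` ahead of `kernel_read_hotplug_sysctl`, and `term_use_console_depend`, `term_use_controlling_terminal_depend` and `term_getattr_all_ptys_depend` in terminal.if. How the new macro treats an undefined name is not visible in this diff, so each block should be renamed to match its interface before relying on it to declare the types the interface uses.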
@@ -1709,7 +1709,7 @@ define(`fs_manage_tmpfs_block_devices_depend',`
 ##
 #
 define(`fs_mount_all_fs',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 fs_type:filesystem mount;
 ')
@@ -1732,7 +1732,7 @@ define(`fs_mount_all_fs_depend',`
 ##
 #
 define(`fs_remount_all_fs',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 fs_type:filesystem remount;
 ')
@@ -1754,7 +1754,7 @@ define(`fs_remount_all_fs_depend',`
 ##
 #
 define(`fs_unmount_all_fs',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 fs_type:filesystem unmount;
 ')
@@ -1778,7 +1778,7 @@ define(`fs_mount_all_fs_depend',`
 ##
 #
 define(`fs_getattr_all_fs',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 fs_type:filesystem getattr;
 ')
@@ -1800,7 +1800,7 @@ define(`fs_getattr_all_fs_depend',`
 ##
 #
 define(`fs_get_all_fs_quotas',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 fs_type:filesystem quotaget;
 ')
@@ -1822,7 +1822,7 @@ define(`fs_get_all_fs_quotas_depend',`
 ##
 #
 define(`fs_set_all_quotas',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 fs_type:filesystem quotamod;
 ')
@@ -1838,7 +1838,7 @@ define(`fs_set_all_quotas_depend',`
 # fs_getattr_all_files(type)
 #
 define(`fs_getattr_all_files',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 fs_type:dir { search getattr };
 allow $1 fs_type:file getattr;
diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if
index 1284c68..e61d608 100644
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@@ -19,7 +19,7 @@
 ##
 #
 define(`kernel_userland_entry',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 domain_auto_trans(kernel_t, $2, $1)
@@ -50,7 +50,7 @@ define(`kernel_userland_entry_depend',`
 ##
 #
 define(`kernel_rootfs_mountpoint',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow kernel_t $1:dir mounton;
 ')
@@ -73,7 +73,7 @@ define(`kernel_rootfs_mountpoint_depend',`
 ##
 #
 define(`kernel_share_state',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow kernel_t $1:process share;
 ')
@@ -95,7 +95,7 @@ define(`kernel_share_state_depend',`
 ##
 #
 define(`kernel_use_fd',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 kernel_t:fd use;
 ')
@@ -118,7 +118,7 @@ define(`kernel_use_fd_depend',`
 ##
 #
 define(`kernel_dontaudit_use_fd',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 dontaudit $1 kernel_t:fd use;
 ')
@@ -141,7 +141,7 @@ define(`kernel_dontaudit_use_fd_depend',`
 ##
 #
 define(`kernel_subj_id_change_exempt',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 typeattribute $1 can_change_process_identity;
 ')
@@ -162,7 +162,7 @@ define(`kernel_subj_id_change_exempt_depend',`
 ##
 #
 define(`kernel_role_change_exempt',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 typeattribute $1 can_change_process_role;
 ')
@@ -183,7 +183,7 @@ define(`kernel_role_change_exempt_depend',`
 ##
 #
 define(`kernel_obj_id_change_exempt',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 typeattribute $1 can_change_object_identity;
 ')
@@ -203,7 +203,7 @@ define(`kernel_obj_id_change_exempt_depend',`
 ##
 #
 define(`kernel_load_module',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 self:capability sys_module;
 typeattribute $1 can_load_kernmodule;
@@ -227,7 +227,7 @@ define(`kernel_load_module_depend',`
 ##
 #
 define(`kernel_get_selinux_enforcement_mode',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 security_t:dir { read search getattr };
 allow $1 security_t:file { getattr read };
@@ -252,7 +252,7 @@ define(`kernel_get_selinux_enforcement_mode_depend',`
 ##
 #
 define(`kernel_set_enforcement_mode',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 security_t:dir { read search getattr };
 allow $1 security_t:file { getattr read write };
@@ -282,7 +282,7 @@ define(`kernel_set_enforcement_mode_depend',`
 ##
 #
 define(`kernel_load_policy',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 security_t:dir { read search getattr };
 allow $1 security_t:file { getattr read write };
@@ -316,7 +316,7 @@ define(`kernel_load_policy_depend',`
 ##
 #
 define(`kernel_set_boolean',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 ifelse(`$2',`',`
 allow $1 security_t:dir { getattr search read };
@@ -350,7 +350,7 @@ define(`kernel_set_boolean_depend',`
 ##
 #
 define(`kernel_set_security_parameters',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 security_t:dir { read search getattr };
 allow $1 security_t:file { getattr read write };
@@ -380,7 +380,7 @@ define(`kernel_set_security_parameters_depend',`
 ##
 #
 define(`kernel_validate_context',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 security_t:dir { read search getattr };
 allow $1 security_t:file { getattr read write };
@@ -406,7 +406,7 @@ define(`kernel_validate_context_depend',`
 ##
 #
 define(`kernel_compute_access_vector',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 security_t:dir { read search getattr };
 allow $1 security_t:file { getattr read write };
@@ -432,7 +432,7 @@ define(`kernel_compute_access_vector_depend',`
 ##
 #
 define(`kernel_compute_create_context',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 security_t:dir { read search getattr };
 allow $1 security_t:file { getattr read write };
@@ -458,7 +458,7 @@ define(`kernel_compute_create_context_depend',`
 ##
 #
 define(`kernel_compute_relabel_context',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 security_t:dir { read search getattr };
 allow $1 security_t:file { getattr read write };
@@ -484,7 +484,7 @@ define(`kernel_compute_relabel_context_depend',`
 ##
 #
 define(`kernel_compute_reachable_user_contexts',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 security_t:dir { read search getattr };
 allow $1 security_t:file { getattr read write };
@@ -510,7 +510,7 @@ define(`kernel_compute_reachable_user_contexts_depend',`
 ##
 #
 define(`kernel_read_ring_buffer',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 kernel_t:system syslog_read;
 ')
@@ -532,7 +532,7 @@ define(`kernel_read_ring_buffer_depend',`
 ##
 #
 define(`kernel_dontaudit_read_ring_buffer',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 dontaudit $1 kernel_t:system syslog_read;
 ')
@@ -554,7 +554,7 @@ define(`kernel_dontaudit_read_ring_buffer_depend',`
 ##
 #
 define(`kernel_change_ring_buffer_level',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 kernel_t:system syslog_console;
 ')
@@ -576,7 +576,7 @@ define(`kernel_change_ring_buffer_level_depend',`
 ##
 #
 define(`kernel_clear_ring_buffer',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 kernel_t:system syslog_mod;
 ')
@@ -598,7 +598,7 @@ define(`kernel_clear_ring_buffer_depend',`
 ##
 #
 define(`kernel_get_sysvipc_info',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 kernel_t:system ipc_info;
 ')
@@ -620,7 +620,7 @@ define(`kernel_get_sysvipc_info_depend',`
 ##
 #
 define(`kernel_get_selinuxfs_mount_point',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 proc_t:dir search;
 allow $1 proc_t:{ file lnk_file } read;
@@ -647,7 +647,7 @@ define(`kernel_get_selinuxfs_mount_point_depend',`
 ##
 #
 define(`kernel_read_system_state',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 proc_t:dir r_dir_perms;
 allow $1 proc_t:lnk_file { getattr read };
@@ -674,7 +674,7 @@ define(`kernel_read_system_state_depend',`
 ##
 #
 define(`kernel_dontaudit_read_system_state',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 proc_t:file read;
 ')
@@ -696,7 +696,7 @@ define(`kernel_dontaudit_read_system_state_depend',`
 ##
 #
 define(`kernel_read_software_raid_state',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 proc_t:dir r_dir_perms;
 allow $1 proc_mdstat_t:file r_file_perms;
@@ -720,7 +720,7 @@ define(`kernel_read_software_raid_state_depend',`
 ##
 #
 define(`kernel_getattr_core',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 proc_t:dir r_dir_perms;
 allow $1 proc_kcore_t:file getattr;
@@ -745,7 +745,7 @@ define(`kernel_getattr_core_depend',`
 ##
 #
 define(`kernel_dontaudit_getattr_core',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 dontaudit $1 proc_kcore_t:file getattr;
 ')
@@ -768,7 +768,7 @@ define(`kernel_dontaudit_getattr_core_depend',`
 ##
 #
 define(`kernel_read_messages',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 proc_t:dir search;
 allow $1 proc_kmsg_t:file r_file_perms;
@@ -796,7 +796,7 @@ define(`kernel_read_messages_depend',`
 ##
 #
 define(`kernel_getattr_message_if',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 proc_t:dir search;
 allow $1 proc_kmsg_t:file getattr;
@@ -821,7 +821,7 @@ define(`kernel_getattr_message_if_depend',`
 ##
 #
 define(`kernel_dontaudit_getattr_message_if',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 dontaudit $1 proc_kmsg_t:file getattr;
 ')
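Review bot: `kernel_dontaudit_read_system_state` (hunk at -674) emits `allow $1 proc_t:file read;`, so an interface whose name promises only to silence audit records instead grants read on `proc_t` files to every domain that calls it. The rule should be `dontaudit $1 proc_t:file read;`, as `kernel_dontaudit_getattr_core` and `kernel_dontaudit_getattr_message_if` on this same line already do. `kernel_dontaudit_getattr_unlabeled_blk_dev` in a later kernel.if hunk has the same slip with `allow $1 unlabeled_t:blk_file getattr;`. Callers pick a dontaudit interface precisely because they do not want the access, so this is a silent privilege grant and deserves its own fix.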
@@ -844,7 +844,7 @@ define(`kernel_dontaudit_getattr_message_if_depend',`
 ##
 #
 define(`kernel_read_network_state',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 proc_t:dir search;
 allow $1 proc_net_t:dir r_dir_perms;
@@ -870,7 +870,7 @@ define(`kernel_read_network_state_depend',`
 ##
 #
 define(`kernel_dontaudit_search_sysctl_dir',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 dontaudit $1 sysctl_t:dir search;
 ')
@@ -892,7 +892,7 @@ define(`kernel_dontaudit_search_sysctl_dir_depend',`
 ##
 #
 define(`kernel_read_device_sysctl',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 proc_t:dir search;
 allow $1 sysctl_t:dir r_dir_perms;
@@ -918,7 +918,7 @@ define(`kernel_read_device_sysctl_depend',`
 ##
 #
 define(`kernel_rw_device_sysctl',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 proc_t:dir search;
 allow $1 sysctl_t:dir r_dir_perms;
@@ -944,7 +944,7 @@ define(`kernel_rw_device_sysctl_depend',`
 ##
 #
 define(`kernel_read_vm_sysctl',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 proc_t:dir search;
 allow $1 sysctl_t:dir r_dir_perms;
@@ -969,7 +969,7 @@ define(`kernel_read_vm_sysctl_depend',`
 ##
 #
 define(`kernel_rw_vm_sysctl',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 proc_t:dir search;
 allow $1 sysctl_t:dir r_dir_perms;
@@ -994,7 +994,7 @@ define(`kernel_rw_vm_sysctl_depend',`
 ##
 #
 define(`kernel_dontaudit_search_network_sysctl_dir',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 dontaudit $1 sysctl_net_t:dir search;
 ')
@@ -1017,7 +1017,7 @@ define(`kernel_dontaudit_search_network_sysctl_dir_depend',`
 ##
 #
 define(`kernel_read_net_sysctl',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 proc_t:dir search;
 allow $1 sysctl_t:dir r_dir_perms;
@@ -1043,7 +1043,7 @@ define(`kernel_read_net_sysctl_depend',`
 ##
 #
 define(`kernel_rw_net_sysctl',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 proc_t:dir search;
 allow $1 sysctl_t:dir r_dir_perms;
@@ -1070,7 +1070,7 @@ define(`kernel_rw_net_sysctl_depend',`
 ##
 #
 define(`kernel_read_unix_sysctl',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 proc_t:dir search;
 allow $1 sysctl_t:dir r_dir_perms;
@@ -1097,7 +1097,7 @@ define(`kernel_read_unix_sysctl_depend',`
 ##
 #
 define(`kernel_rw_unix_sysctl',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 proc_t:dir search;
 allow $1 sysctl_t:dir r_dir_perms;
@@ -1123,7 +1123,7 @@ define(`kernel_rw_net_sysctl_depend',`
 ##
 #
 define(`kernel_read_hotplug_sysctl',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 proc_t:dir search;
 allow $1 sysctl_t:dir r_dir_perms;
@@ -1149,7 +1149,7 @@ define(`kernel_read_hotplug_sysctl_depend',`
 ##
 #
 define(`kernel_rw_hotplug_sysctl',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 proc_t:dir search;
 allow $1 sysctl_t:dir r_dir_perms;
@@ -1175,7 +1175,7 @@ define(`kernel_rw_hotplug_sysctl_depend',`
 ##
 #
 define(`kernel_read_modprobe_sysctl',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 proc_t:dir search;
 allow $1 sysctl_t:dir r_dir_perms;
@@ -1201,7 +1201,7 @@ define(`kernel_read_modprobe_sysctl_depend',`
 ##
 #
 define(`kernel_rw_modprobe_sysctl',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 proc_t:dir search;
 allow $1 sysctl_t:dir r_dir_perms;
@@ -1227,7 +1227,7 @@ define(`kernel_rw_modprobe_sysctl_depend',`
 ##
 #
 define(`kernel_read_kernel_sysctl',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 proc_t:dir search;
 allow $1 sysctl_t:dir r_dir_perms;
@@ -1253,7 +1253,7 @@ define(`kernel_read_kernel_sysctl_depend',`
 ##
 #
 define(`kernel_rw_kernel_sysctl',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 proc_t:dir search;
 allow $1 sysctl_t:dir r_dir_perms;
@@ -1279,7 +1279,7 @@ define(`kernel_rw_kernel_sysctl_depend',`
 ##
 #
 define(`kernel_read_fs_sysctl',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 proc_t:dir search;
 allow $1 sysctl_t:dir r_dir_perms;
@@ -1305,7 +1305,7 @@ define(`kernel_read_fs_sysctl_depend',`
 ##
 #
 define(`kernel_rw_fs_sysctl',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 proc_t:dir search;
 allow $1 sysctl_t:dir r_dir_perms;
@@ -1331,7 +1331,7 @@ define(`kernel_rw_fs_sysctl_depend',`
 ##
 #
 define(`kernel_read_irq_sysctl',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 proc_t:dir search;
 allow $1 sysctl_irq_t:dir r_dir_perms;
@@ -1357,7 +1357,7 @@ define(`kernel_read_irq_sysctl_depend',`
 ##
 #
 define(`kernel_rw_irq_sysctl',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 proc_t:dir search;
 allow $1 sysctl_irq_t:dir r_dir_perms;
@@ -1376,7 +1376,7 @@ define(`kernel_rw_irq_sysctl_depend',`
 # kernel_read_rpc_sysctl(domain)
 #
 define(`kernel_read_rpc_sysctl',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 proc_t:dir search;
 allow $1 proc_net_t:dir search;
@@ -1396,7 +1396,7 @@ define(`kernel_read_rpc_sysctl_depend',`
 # kernel_rw_rpc_sysctl(domain)
 #
 define(`kernel_rw_rpc_sysctl',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 proc_t:dir search;
 allow $1 proc_net_t:dir search;
@@ -1468,7 +1468,7 @@ define(`kernel_rw_all_sysctl',`
 ##
 #
 define(`kernel_search_sysfs',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 sysfs_t:dir search;
 ')
@@ -1490,7 +1490,7 @@ define(`kernel_search_sysfs_depend',`
 ##
 #
 define(`kernel_read_hardware_state',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 sysfs_t:dir r_dir_perms;
 allow $1 sysfs_t:{ file lnk_file } r_file_perms;
@@ -1515,7 +1515,7 @@ define(`kernel_read_hardware_state_depend',`
 ##
 #
 define(`kernel_rw_hardware_config_option',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 sysfs_t:dir r_dir_perms;
 allow $1 sysfs_t:lnk_file r_file_perms;
@@ -1541,7 +1541,7 @@ define(`kernel_rw_hardware_config_option_depend',`
 ##
 #
 define(`kernel_kill_unlabeled',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 unlabeled_t:process sigkill;
 ')
@@ -1563,7 +1563,7 @@ define(`kernel_kill_unlabeled_depend',`
 ##
 #
 define(`kernel_signal_unlabeled',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 unlabeled_t:process signal;
 ')
@@ -1585,7 +1585,7 @@ define(`kernel_signal_unlabeled_depend',`
 ##
 #
 define(`kernel_signull_unlabeled',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 unlabeled_t:process signull;
 ')
@@ -1607,7 +1607,7 @@ define(`kernel_signull_unlabeled_depend',`
 ##
 #
 define(`kernel_sigstop_unlabeled',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 unlabeled_t:process sigstop;
 ')
@@ -1629,7 +1629,7 @@ define(`kernel_sigstop_unlabeled_depend',`
 ##
 #
 define(`kernel_sigchld_unlabeled',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 unlabeled_t:process sigchld;
 ')
@@ -1652,7 +1652,7 @@ define(`kernel_sigchld_unlabeled_depend',`
 ##
 #
 define(`kernel_dontaudit_getattr_unlabeled_blk_dev',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 unlabeled_t:blk_file getattr;
 ')
@@ -1674,7 +1674,7 @@ define(`kernel_dontaudit_getattr_unlabeled_blk_dev_depend',`
 ##
 #
 define(`kernel_relabel_unlabeled',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 unlabeled_t:dir_file_class_set { getattr relabelfrom };
 ')
@@ -1702,7 +1702,7 @@ define(`kernel_relabel_unlabeled_depend',`
 ##
 #
 define(`kernel_search_usbfs',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 usbfs_t:dir search;
 ')
@@ -1724,7 +1724,7 @@ define(`kernel_search_usbfs_depend',`
 ##
 #
 define(`kernel_list_usb_hardware',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 usbfs_t:dir r_dir_perms;
 allow $1 usbfs_t:lnk_file r_file_perms;
@@ -1751,7 +1751,7 @@ define(`kernel_list_usb_hardware_depend',`
 ##
 #
 define(`kernel_read_usb_hardware_state',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 usbfs_t:dir r_dir_perms;
 allow $1 usbfs_t:{ file lnk_file } r_file_perms;
@@ -1776,7 +1776,7 @@ define(`kernel_read_usb_hardware_state_depend',`
 ##
 #
 define(`kernel_rw_usb_hardware_config_option',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 usbfs_t:dir r_dir_perms;
 allow $1 usbfs_t:lnk_file r_file_perms;
diff --git a/refpolicy/policy/modules/kernel/storage.if b/refpolicy/policy/modules/kernel/storage.if
index 2439fcb..f081d53 100644
--- a/refpolicy/policy/modules/kernel/storage.if
+++ b/refpolicy/policy/modules/kernel/storage.if
@@ -13,7 +13,7 @@
 ##
 #
 define(`storage_getattr_fixed_disk',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 dev_list_all_dev_nodes($1)
 allow $1 fixed_disk_device_t:blk_file getattr;
@@ -37,7 +37,7 @@ define(`storage_getattr_fixed_disk_depend',`
 ##
 #
 define(`storage_dontaudit_getattr_fixed_disk',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 dontaudit $1 fixed_disk_device_t:blk_file getattr;
 ')
@@ -60,7 +60,7 @@ define(`storage_dontaudit_getattr_fixed_disk_depend',`
 ##
 #
 define(`storage_setattr_fixed_disk',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 dev_list_all_dev_nodes($1)
 allow $1 fixed_disk_device_t:blk_file setattr;
@@ -86,7 +86,7 @@ define(`storage_setattr_fixed_disk_depend',`
 ##
 #
 define(`storage_raw_read_fixed_disk',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 dev_list_all_dev_nodes($1)
 allow $1 fixed_disk_device_t:blk_file r_file_perms;
@@ -115,7 +115,7 @@ define(`storage_raw_read_fixed_disk_depend',`
 ##
 #
 define(`storage_raw_write_fixed_disk',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 dev_list_all_dev_nodes($1)
 allow $1 fixed_disk_device_t:blk_file { getattr write ioctl };
@@ -141,7 +141,7 @@ define(`storage_raw_write_fixed_disk_depend',`
 ##
 #
 define(`storage_create_fixed_disk_dev_entry',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 fixed_disk_device_t:blk_file create_file_perms;
 dev_create_dev_node($1,fixed_disk_device_t,blk_file)
@@ -165,7 +165,7 @@ define(`storage_create_fixed_disk_dev_entry_depend',`
 ##
 #
 define(`storage_manage_fixed_disk',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 dev_list_all_dev_nodes($1)
 allow $1 fixed_disk_device_t:blk_file create_file_perms;
@@ -194,7 +194,7 @@ define(`storage_manage_fixed_disk_depend',`
 ##
 #
 define(`storage_raw_read_lvm_volume',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 dev_list_all_dev_nodes($1)
 allow $1 lvm_vg_t:blk_file r_file_perms;
@@ -223,7 +223,7 @@ define(`storage_raw_read_lvm_volume_depend',`
 ##
 #
 define(`storage_raw_write_lvm_volume',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 dev_list_all_dev_nodes($1)
 allow $1 lvm_vg_t:blk_file { getattr write ioctl };
@@ -253,7 +253,7 @@ define(`storage_raw_write_lvm_volume_depend',`
 ##
 #
 define(`storage_read_scsi_generic',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 dev_list_all_dev_nodes($1)
 allow $1 scsi_generic_device_t:blk_file r_file_perms;
@@ -283,7 +283,7 @@ define(`storage_read_scsi_generic_depend',`
 ##
 #
 define(`storage_write_scsi_generic',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 dev_list_all_dev_nodes($1)
 allow $1 scsi_generic_device_t:blk_file { getattr write ioctl };
@@ -310,7 +310,7 @@ define(`storage_write_scsi_generic_depend',`
 ##
 #
 define(`storage_getattr_scsi_generic',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 dev_list_all_dev_nodes($1)
 allow $1 scsi_generic_device_t:blk_file getattr;
@@ -334,7 +334,7 @@ define(`storage_getattr_scsi_generic_depend',`
 ##
 #
 define(`storage_set_scsi_generic_attributes',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 dev_list_all_dev_nodes($1)
 allow $1 scsi_generic_device_t:blk_file setattr;
@@ -358,7 +358,7 @@ define(`storage_set_scsi_generic_attributes_depend',`
 ##
 #
 define(`storage_getattr_removable_device',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 dev_list_all_dev_nodes($1)
 allow $1 removable_device_t:blk_file getattr;
@@ -382,7 +382,7 @@ define(`storage_getattr_removable_device_depend',`
 ##
 #
 define(`storage_dontaudit_getattr_removable_device',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 dontaudit $1 removable_device_t:blk_file getattr;
 ')
@@ -405,7 +405,7 @@ define(`storage_dontaudit_getattr_removable_device_depend',`
 ##
 #
 define(`storage_setattr_removable_device',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 dev_list_all_dev_nodes($1)
 allow $1 removable_device_t:blk_file setattr;
@@ -432,7 +432,7 @@ define(`storage_setattr_removable_device_depend',`
 ##
 #
 define(`storage_raw_read_removable_device',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 dev_list_all_dev_nodes($1)
 allow $1 removable_device_t:blk_file r_file_perms;
@@ -459,7 +459,7 @@ define(`storage_raw_read_removable_device_depend',`
 ##
 #
 define(`storage_raw_write_removable_device',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 dev_list_all_dev_nodes($1)
 allow $1 removable_device_t:blk_file { getattr write ioctl };
@@ -483,7 +483,7 @@ define(`storage_raw_write_removable_device_depend',`
 ##
 #
 define(`storage_read_tape_device',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 dev_list_all_dev_nodes($1)
 allow $1 tape_device_t:blk_file r_file_perms;
@@ -507,7 +507,7 @@ define(`storage_read_tape_device_depend',`
 ##
 #
 define(`storage_write_tape_device',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 dev_list_all_dev_nodes($1)
 allow $1 tape_device_t:blk_file { getattr write ioctl };
@@ -531,7 +531,7 @@ define(`storage_write_tape_device_depend',`
 ##
 #
 define(`storage_getattr_tape_device',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 dev_list_all_dev_nodes($1)
 allow $1 tape_device_t:blk_file getattr;
@@ -555,7 +555,7 @@ define(`storage_getattr_tape_device_depend',`
 ##
 #
 define(`storage_setattr_tape_device',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 dev_list_all_dev_nodes($1)
 allow $1 tape_device_t:blk_file setattr;
diff --git a/refpolicy/policy/modules/kernel/terminal.if b/refpolicy/policy/modules/kernel/terminal.if
index a0ef4df..cb592ea 100644
--- a/refpolicy/policy/modules/kernel/terminal.if
+++ b/refpolicy/policy/modules/kernel/terminal.if
@@ -12,7 +12,7 @@
 ##
 #
 define(`term_pty',`
- requires_block_template(`$0'_depend)
+ gen_require(`$0'_depend)
 allow $1 devpts_t:filesystem associate;
 typeattribute $1 ptynode;
@@ -43,7 +43,7 @@ define(`term_pty_depend',` ## # define(`term_user_pty',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) term_pty($1) type_change $1 server_ptynode:chr_file $2; @@ -64,7 +64,7 @@ define(`term_user_pty_depend',` ## # define(`term_tty',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) typeattribute $2 ttynode; type_change $1 tty_device_t:chr_file $2; @@ -100,7 +100,7 @@ define(`term_tty_depend',` ## # define(`term_create_pty',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) dev_list_all_dev_nodes($1) @@ -132,7 +132,7 @@ define(`term_create_pty_depend',` ## # define(`term_use_all_terms',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) dev_list_all_dev_nodes($1) allow $1 devpts_t:dir r_dir_perms; @@ -159,7 +159,7 @@ define(`term_use_all_terms_depend',` ## # define(`term_write_console',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) dev_list_all_dev_nodes($1) allow $1 console_device_t:chr_file write; @@ -181,7 +181,7 @@ define(`term_use_console_depend',` ## # define(`term_use_console',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) dev_list_all_dev_nodes($1) allow $1 console_device_t:chr_file rw_file_perms; @@ -205,7 +205,7 @@ define(`term_use_console_depend',` ## # define(`term_dontaudit_use_console',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) dontaudit $1 console_device_t:chr_file { read write }; ') @@ -228,7 +228,7 @@ define(`term_dontaudit_use_console_depend',` ## # define(`term_setattr_console',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) dev_list_all_dev_nodes($1) allow $1 console_device_t:chr_file setattr; @@ -252,7 +252,7 @@ define(`term_setattr_console_depend',` ## # define(`term_list_ptys',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) dev_list_all_dev_nodes($1) allow $1 devpts_t:dir r_dir_perms; 
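Review bot: The lookup `$0'_depend` in `term_write_console` (hunk at -159) resolves to `term_write_console_depend`, but the header of the following hunk (-181) suggests the block defined right after it is named `term_use_console_depend`, which is defined again after `term_use_console`. If that reading is right, the requirements for `term_write_console` are never pulled in under the macro's own name, and the block should be renamed to `term_write_console_depend`. The same mismatch appears, again judging by hunk headers, for `term_use_controlling_term` (`term_use_controlling_terminal_depend`), `term_getattr_all_user_ptys` (`term_getattr_all_ptys_depend`), `auth_dontaudit_write_login_records` (`auth_read_login_records_depend`) and `corecmd_exec_ls` (`corecmd_exec_shell_depend`). The macro bodies and their depend blocks continue outside these hunks, so this needs confirming against the full files.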
@@ -276,7 +276,7 @@ define(`term_list_ptys_depend',` ## # define(`term_dontaudit_list_ptys',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) dontaudit $1 devpts_t:dir { getattr search read }; ') @@ -300,7 +300,7 @@ define(`term_dontaudit_list_ptys_depend',` ## # define(`term_use_generic_pty',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) dev_list_all_dev_nodes($1) allow $1 devpts_t:chr_file { read write }; @@ -325,7 +325,7 @@ define(`term_use_generic_pty_depend',` ## # define(`term_dontaudit_use_generic_pty',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) dontaudit $1 devpts_t:chr_file { read write }; ') @@ -348,7 +348,7 @@ define(`term_dontaudit_use_generic_pty_depend',` ## # define(`term_use_controlling_term',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) dev_list_all_dev_nodes($1) allow $1 devtty_t:chr_file { getattr read write ioctl }; @@ -372,7 +372,7 @@ define(`term_use_controlling_terminal_depend',` ## # define(`term_dontaudit_use_ptmx',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) dontaudit $1 ptmx_t:chr_file { getattr read write }; ') @@ -395,7 +395,7 @@ define(`term_dontaudit_use_ptmx_depend',` ## # define(`term_getattr_all_user_ptys',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) dev_list_all_dev_nodes($1) allow $1 devpts_t:dir r_dir_perms; @@ -420,7 +420,7 @@ define(`term_getattr_all_ptys_depend',` ## # define(`term_use_all_user_ptys',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) dev_list_all_dev_nodes($1) allow $1 devpts_t:dir r_dir_perms; @@ -446,7 +446,7 @@ define(`term_use_all_user_ptys_depend',` ## # define(`term_dontaudit_use_all_user_ptys',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) dontaudit $1 ptynode:chr_file { read write }; ') 
@@ -469,7 +469,7 @@ define(`term_dontaudit_use_all_user_ptys_depend',` ## # define(`term_getattr_unallocated_ttys',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) dev_list_all_dev_nodes($1) allow $1 tty_device_t:chr_file getattr; @@ -493,7 +493,7 @@ define(`term_getattr_unallocated_ttys_depend',` ## # define(`term_setattr_unallocated_ttys',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) dev_list_all_dev_nodes($1) allow $1 tty_device_t:chr_file setattr; @@ -517,7 +517,7 @@ define(`term_setattr_unallocated_ttys_depend',` ## # define(`term_relabel_unallocated_ttys',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) dev_list_all_dev_nodes($1) allow $1 tty_device_t:chr_file { relabelfrom relabelto }; @@ -541,7 +541,7 @@ define(`term_relabel_unallocated_ttys_depend',` ## # define(`term_reset_tty_labels',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) dev_list_all_dev_nodes($1) allow $1 ttynode:chr_file relabelfrom; @@ -566,7 +566,7 @@ define(`term_reset_tty_labels_depend',` ## # define(`term_write_unallocated_ttys',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) dev_list_all_dev_nodes($1) allow $1 tty_device_t:chr_file { getattr write }; @@ -589,7 +589,7 @@ define(`term_write_unallocated_ttys_depend',` ## # define(`term_use_unallocated_tty',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) dev_list_all_dev_nodes($1) allow $1 tty_device_t:chr_file { getattr read write ioctl }; @@ -613,7 +613,7 @@ define(`term_use_unallocated_tty_depend',` ## # define(`term_dontaudit_use_unallocated_tty',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) dontaudit $1 tty_device_t:chr_file { read write }; ') @@ -636,7 +636,7 @@ define(`term_dontaudit_use_unallocated_tty_depend',` ## # define(`term_getattr_all_user_ttys',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) dev_list_all_dev_nodes($1) allow $1 ttynode:chr_file getattr; 
@@ -661,7 +661,7 @@ define(`term_getattr_all_user_ttys_depend',` ## # define(`term_dontaudit_getattr_all_user_ttys',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) dev_list_all_dev_nodes($1) dontaudit $1 ttynode:chr_file getattr; @@ -685,7 +685,7 @@ define(`term_dontaudit_getattr_all_user_ttys_depend',` ## # define(`term_setattr_all_user_ttys',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) dev_list_all_dev_nodes($1) allow $1 ttynode:chr_file setattr; @@ -709,7 +709,7 @@ define(`term_setattr_all_user_ttys_depend',` ## # define(`term_relabel_all_user_ttys',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) dev_list_all_dev_nodes($1) allow $1 ttynode:chr_file { relabelfrom relabelto }; @@ -732,7 +732,7 @@ define(`term_relabel_all_user_ttys_depend',` ## # define(`term_write_all_user_ttys',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) dev_list_all_dev_nodes($1) allow $1 ttynode:chr_file { getattr write }; @@ -755,7 +755,7 @@ define(`term_write_all_user_ttys_depend',` ## # define(`term_use_all_user_ttys',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) dev_list_all_dev_nodes($1) allow $1 ttynode:chr_file { getattr read write ioctl }; @@ -779,7 +779,7 @@ define(`term_use_all_user_ttys_depend',` ## # define(`term_dontaudit_use_all_user_ttys',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) dontaudit $1 ttynode:chr_file { read write }; ') diff --git a/refpolicy/policy/modules/services/cron.if b/refpolicy/policy/modules/services/cron.if index a1f9c7c..b331576 100644 --- a/refpolicy/policy/modules/services/cron.if +++ b/refpolicy/policy/modules/services/cron.if @@ -244,7 +244,7 @@ define(`cron_admin_template',` # cron_rw_log(domain) # define(`cron_rw_log',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 crond_log_t:file rw_file_perms; ') 
diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if index 61978f4..2b89a8d 100644 --- a/refpolicy/policy/modules/services/mta.if +++ b/refpolicy/policy/modules/services/mta.if @@ -8,7 +8,7 @@ # mta_per_userdomain_template(userdomain_prefix) # define(`mta_per_userdomain_template',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) type $1_mail_t; # , user_mail_domain, nscd_client_domain; domain_type($1_mail_t) @@ -145,7 +145,7 @@ define(`mta_per_userdomain_template_depend',` # mta_mailserver(domain,entrypointtype) # define(`mta_mailserver',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) init_daemon_domain($1,$2) typeattribute $1 mailserver_domain; @@ -160,7 +160,7 @@ define(`mta_mailserver_depend',` # mta_sendmail_mailserver(domain,entrypointtype) # define(`mta_sendmail_mailserver',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) mta_mailserver($1,sendmail_exec_t) ') @@ -174,7 +174,7 @@ define(`mta_sendmail_mailserver_depend',` # mta_send_mail(domain) # define(`mta_send_mail',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 sendmail_exec_t:lnk_file r_file_perms; domain_auto_trans($1, sendmail_exec_t, system_mail_t) @@ -200,7 +200,7 @@ define(`mta_send_mail_depend',` # mta_exec(domain) # define(`mta_exec',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) can_exec($1, sendmail_exec_t) ') @@ -222,7 +222,7 @@ define(`mta_exec_depend',` ## # define(`mta_read_aliases',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 etc_aliases_t:file r_file_perms; ') @@ -238,7 +238,7 @@ define(`mta_read_aliases_depend',` # mta_rw_aliases(domain) # define(`mta_rw_aliases',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow sendmail_t etc_aliases_t:file { rw_file_perms setattr }; ') 
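Review bot: In the `mta_rw_aliases` hunk (-238) the rule is written against a fixed domain, `allow sendmail_t etc_aliases_t:file { rw_file_perms setattr };`, so the `domain` argument documented in the header comment is ignored. A caller gets no access to the aliases file, while `sendmail_t` is granted write and setattr on it whenever any module invokes the interface. If the interface is meant to behave like `mta_read_aliases` just above it, the rule should read `allow $1 etc_aliases_t:file { rw_file_perms setattr };`. The matching `mta_rw_aliases_depend` block is outside the hunk and may need its type requirements adjusted to match.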
@@ -254,7 +254,7 @@ define(`mta_rw_aliases_depend',` # mta_getattr_spool(domain) # define(`mta_getattr_spool',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) files_search_spool($1) allow $1 mail_spool_t:dir r_dir_perms; @@ -275,7 +275,7 @@ define(`mta_getattr_spool_depend',` # mta_rw_spool(domain) # define(`mta_rw_spool',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) files_search_spool($1) allow $1 mail_spool_t:dir rw_dir_perms; @@ -294,7 +294,7 @@ define(`mta_rw_spool_depend',` # mta_manage_spool(domain) # define(`mta_manage_spool',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) files_search_spool($1) allow $1 mail_spool_t:dir rw_dir_perms; @@ -313,7 +313,7 @@ define(`mta_manage_spool_depend',` # mta_manage_queue(domain) # define(`mta_manage_queue',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 mqueue_spool_t:dir rw_dir_perms; allow $1 mqueue_spool_t:file create_file_perms; diff --git a/refpolicy/policy/modules/services/remotelogin.if b/refpolicy/policy/modules/services/remotelogin.if index 6d41c70..0564c5a 100644 --- a/refpolicy/policy/modules/services/remotelogin.if +++ b/refpolicy/policy/modules/services/remotelogin.if @@ -12,7 +12,7 @@ ## # define(`remotelogin_domtrans',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) auth_domtrans_login_program($1,remote_login_t) ') diff --git a/refpolicy/policy/modules/services/sendmail.if b/refpolicy/policy/modules/services/sendmail.if index d0582de..e4270b3 100644 --- a/refpolicy/policy/modules/services/sendmail.if +++ b/refpolicy/policy/modules/services/sendmail.if @@ -12,7 +12,7 @@ ## # define(`sendmail_domtrans',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) domain_auto_trans($1,sendmail_exec_t,sendmail_t) diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if index ad00964..8631a7d 100644 --- a/refpolicy/policy/modules/system/authlogin.if 
+++ b/refpolicy/policy/modules/system/authlogin.if @@ -23,7 +23,7 @@ # authlogin_per_userdomain_template(userdomain_prefix) # define(`authlogin_per_userdomain_template',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) type $1_chkpwd_t, can_read_shadow_passwords; # , nscd_client_domain; domain_type($1_chkpwd_t) @@ -126,7 +126,7 @@ define(`authlogin_per_userdomain_template_depend',` # auth_login_entry_type(domain) # define(`auth_login_entry_type',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) domain_entry_file($1,login_exec_t) ') @@ -149,7 +149,7 @@ define(`auth_login_entry_type_depend',` ## # define(`auth_domtrans_login_program',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) # FIXME: search bin_t allow $1 login_exec_t:file rx_file_perms; @@ -190,7 +190,7 @@ define(`auth_domtrans_login_program_depend',` # auth_domtrans_chk_passwd(domain) # define(`auth_domtrans_chk_passwd',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) domain_auto_trans($1,chkpwd_exec_t,system_chkpwd_t) @@ -245,7 +245,7 @@ define(`auth_domtrans_chk_passwd_depend',` # auth_dontaudit_getattr_shadow(domain) # define(`auth_dontaudit_getattr_shadow',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) dontaudit $1 shadow_t:file getattr; ') @@ -274,7 +274,7 @@ define(`auth_dontaudit_getattr_shadow_depend',` # auth_read_shadow(domain) # define(`auth_read_shadow',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) files_read_generic_etc_files_directory($1) allow $1 shadow_t:file r_file_perms; @@ -307,7 +307,7 @@ define(`auth_read_shadow_depend',` # auth_dontaudit_read_shadow(domain) # define(`auth_dontaudit_read_shadow',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) dontaudit $1 shadow_t:file { getattr read }; ') 
@@ -336,7 +336,7 @@ define(`auth_dontaudit_read_shadow_depend',` # auth_rw_shadow(domain) # define(`auth_rw_shadow',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) files_read_generic_etc_files_directory($1) allow $1 shadow_t:file rw_file_perms; @@ -355,7 +355,7 @@ define(`auth_rw_shadow_depend',` # auth_manage_shadow(domain) # define(`auth_manage_shadow',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 shadow_t:file create_file_perms; files_create_etc_config($1,shadow_t,file) @@ -376,7 +376,7 @@ define(`auth_manage_shadow_depend',` # auth_relabelto_shadow(domain) # define(`auth_relabelto_shadow',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) files_search_etc($1) allow $1 shadow_t:file relabelto; @@ -396,7 +396,7 @@ define(`auth_relabelto_shadow_depend',` # auth_rw_faillog(domain) # define(`auth_rw_faillog',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 faillog_t:file rw_file_perms; logging_search_logs($1) @@ -413,7 +413,7 @@ define(`auth_rw_faillog_depend',` # auth_rw_lastlog(domain) # define(`auth_rw_lastlog',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) logging_search_logs($1) allow $1 lastlog_t:file { getattr read write setattr }; @@ -436,7 +436,7 @@ define(`auth_rw_lastlog_depend',` ## # define(`auth_domtrans_pam',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) domain_auto_trans($1,pam_exec_t,pam_t) @@ -472,7 +472,7 @@ define(`auth_domtrans_pam_depend',` ## # define(`auth_run_pam',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) auth_domtrans_pam($1) role $2 types pam_t; @@ -503,7 +503,7 @@ define(`auth_run_pam_depend',` # auth_exec_pam(domain) # define(`auth_exec_pam',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) can_exec($1,pam_exec_t) ') 
@@ -519,7 +519,7 @@ define(`auth_exec_pam_depend',` # auth_read_pam_pid(domain) # define(`auth_read_pam_pid',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) files_search_var($1) files_search_pids($1) @@ -552,7 +552,7 @@ define(`auth_read_pam_pid_depend',` # auth_delete_pam_pid(domain) # define(`auth_delete_pam_pid',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) files_search_var($1) files_search_pids($1) @@ -572,7 +572,7 @@ define(`auth_delete_pam_pid_depend',` # auth_domtrans_pam_console(domain) # define(`auth_domtrans_pam_console',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) domain_auto_trans($1,pam_console_exec_t,pam_console_t) @@ -609,7 +609,7 @@ define(`auth_domtrans_pam_console_depend',` # auth_list_pam_console_data(domain) # define(`auth_list_pam_console_data',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) files_search_var($1) files_search_pids($1) @@ -627,7 +627,7 @@ define(`auth_list_pam_console_data_depend',` # auth_read_pam_console_data(domain) # define(`auth_read_pam_console_data',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) files_search_var($1) files_search_pids($1) @@ -647,7 +647,7 @@ define(`auth_read_pam_console_data_depend',` # auth_manage_pam_console_data(domain) # define(`auth_manage_pam_console_data',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) files_search_var($1) files_search_pids($1) @@ -681,7 +681,7 @@ define(`auth_manage_pam_console_data_depend',` # define(`auth_relabel_all_files_except_shadow',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) files_relabel_all_files($1,$2 -shadow_t) ') @@ -707,7 +707,7 @@ define(`auth_relabel_all_files_except_shadow_depend',` # define(`auth_manage_all_files_except_shadow',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) files_manage_all_files($1,$2 -shadow_t) ') 
@@ -727,7 +727,7 @@ define(`auth_manage_all_files_except_shadow_depend',` ## # define(`auth_domtrans_utempter',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) domain_auto_trans($1,utempter_exec_t,utempter_t) @@ -763,7 +763,7 @@ define(`auth_domtrans_utempter_depend',` ## # define(`auth_run_utempter',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) auth_domtrans_utempter($1) role $2 types utempter_t; @@ -794,7 +794,7 @@ define(`auth_run_utempter_depend',` # auth_read_login_records(domain) # define(`auth_read_login_records',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) logging_search_logs($1) allow $1 wtmp_t:file r_file_perms; @@ -821,7 +821,7 @@ define(`auth_read_login_records_depend',` # auth_dontaudit_write_login_records(domain) # define(`auth_dontaudit_write_login_records',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) dontaudit $1 wtmp_t:file write; ') @@ -837,7 +837,7 @@ define(`auth_read_login_records_depend',` # auth_rw_login_records(domain) # define(`auth_rw_login_records',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 wtmp_t:file rw_file_perms; logging_search_logs($1) diff --git a/refpolicy/policy/modules/system/clock.if b/refpolicy/policy/modules/system/clock.if index 01af3c6..21657ac 100644 --- a/refpolicy/policy/modules/system/clock.if +++ b/refpolicy/policy/modules/system/clock.if @@ -12,7 +12,7 @@ ## # define(`clock_domtrans',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) domain_auto_trans($1,hwclock_exec_t,hwclock_t) @@ -49,7 +49,7 @@ define(`clock_domtrans_depend',` ## # define(`clock_run',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) clock_domtrans($1) role $2 types hwclock_t; @@ -73,7 +73,7 @@ define(`clock_run_depend',` ## # define(`clock_exec',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) can_exec($1,hwclock_exec_t) ') 
@@ -95,7 +95,7 @@ define(`clock_exec_depend',` ## # define(`clock_rw_adjtime',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 adjtime_t:file rw_file_perms; files_read_generic_etc_files_directory($1) diff --git a/refpolicy/policy/modules/system/corecommands.if b/refpolicy/policy/modules/system/corecommands.if index 529a4c6..6e5b95a 100644 --- a/refpolicy/policy/modules/system/corecommands.if +++ b/refpolicy/policy/modules/system/corecommands.if @@ -9,7 +9,7 @@ # corecmd_shell_entry_type(domain) # define(`corecmd_shell_entry_type',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) domain_entry_file($1,shell_exec_t) ') @@ -23,7 +23,7 @@ define(`corecmd_shell_entry_type_depend',` # corecmd_search_bin(domain) # define(`corecmd_search_bin',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 bin_t:dir search; ') @@ -39,7 +39,7 @@ define(`corecmd_search_bin_depend',` # corecmd_list_bin(domain) # define(`corecmd_list_bin',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 bin_t:dir r_dir_perms; ') @@ -55,7 +55,7 @@ define(`corecmd_list_bin_depend',` # corecmd_exec_bin(domain) # define(`corecmd_exec_bin',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 bin_t:dir r_dir_perms; allow $1 bin_t:lnk_file r_file_perms; @@ -76,7 +76,7 @@ define(`corecmd_exec_bin_depend',` # corecmd_search_sbin(domain) # define(`corecmd_search_sbin',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 sbin_t:dir search; ') @@ -92,7 +92,7 @@ define(`corecmd_search_sbin_depend',` # corecmd_list_sbin(domain) # define(`corecmd_list_sbin',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 sbin_t:dir r_dir_perms; ') 
@@ -108,7 +108,7 @@ define(`corecmd_list_sbin_depend',` # corecmd_dontaudit_getattr_sbin_file(domain) # define(`corecmd_dontaudit_getattr_sbin_file',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 sbin_t:file getattr; ') @@ -124,7 +124,7 @@ define(`corecmd_dontaudit_getattr_sbin_file_depend',` # corecmd_exec_sbin(domain) # define(`corecmd_exec_sbin',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 sbin_t:dir r_dir_perms; allow $1 sbin_t:lnk_file r_file_perms; @@ -145,7 +145,7 @@ define(`corecmd_exec_sbin_depend',` # corecmd_exec_shell(domain) # define(`corecmd_exec_shell',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 bin_t:dir r_dir_perms; allow $1 bin_t:lnk_file r_file_perms; @@ -165,7 +165,7 @@ define(`corecmd_exec_shell_depend',` # corecmd_exec_ls(domain) # define(`corecmd_exec_ls',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 bin_t:dir r_dir_perms; allow $1 bin_t:lnk_file r_file_perms; @@ -196,7 +196,7 @@ define(`corecmd_exec_shell_depend',` ## # define(`corecmd_shell_spec_domtrans',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 bin_t:dir r_dir_perms; allow $1 bin_t:lnk_file r_file_perms; @@ -234,7 +234,7 @@ define(`corecmd_shell_spec_domtrans_depend',` ## # define(`corecmd_domtrans_shell',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) corecmd_shell_spec_domtrans($1,$2) type_transition $1 shell_exec_t:process $2; @@ -249,7 +249,7 @@ define(`corecmd_domtrans_shell_depend',` # corecmd_chroot_exec_chroot(domain) # define(`corecmd_chroot_exec_chroot',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 chroot_exec_t:file { getattr read execute execute_no_trans }; allow $1 self:capability sys_chroot; diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if index ab6cc0d..57f6fec 100644 --- a/refpolicy/policy/modules/system/domain.if 
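Review bot: `corecmd_dontaudit_getattr_sbin_file` (hunk at -108) emits `allow $1 sbin_t:file getattr;`, which grants the permission instead of suppressing the audit message as the interface name promises. Every caller that only wanted to silence denials ends up with real getattr access to `sbin_t` files. The rule should be `dontaudit $1 sbin_t:file getattr;`, in line with the other `*_dontaudit_*` interfaces in this change.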
+++ b/refpolicy/policy/modules/system/domain.if @@ -6,7 +6,7 @@ # domain_base_domain_type(domain) # define(`domain_base_domain_type',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) # mark as a domain typeattribute $1 domain; @@ -58,7 +58,7 @@ define(`domain_type',` # domain_entry_file(domain,entrypointfile) # define(`domain_entry_file',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) files_file_type($2) allow $1 $2:file entrypoint; @@ -76,7 +76,7 @@ define(`domain_entry_file_depend',` # domain_wide_inherit_fd(domain) # define(`domain_wide_inherit_fd',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) typeattribute $1 privfd; ') @@ -90,7 +90,7 @@ define(`domain_wide_inherit_fd_depend',` # domain_use_wide_inherit_fd(domain) # define(`domain_use_wide_inherit_fd',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 privfd:fd use; ') @@ -106,7 +106,7 @@ define(`domain_use_wide_inherit_fd_depend',` # domain_dontaudit_use_wide_inherit_fd(domain) # define(`domain_dontaudit_use_wide_inherit_fd',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) dontaudit $1 privfd:fd use; ') @@ -122,7 +122,7 @@ define(`domain_dontaudit_use_wide_inherit_fd_depend',` # domain_setpriority_all_domains(domain) # define(`domain_setpriority_all_domains',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 domain:process setsched; ') @@ -144,7 +144,7 @@ define(`domain_setpriority_all_domains_depend',` ## # define(`domain_signal_all_domains',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 domain:process signal; ') @@ -166,7 +166,7 @@ define(`domain_signal_all_domains_depend',` ## # define(`domain_signull_all_domains',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 domain:process signull; ') 
@@ -188,7 +188,7 @@ define(`domain_signull_all_domains_depend',` ## # define(`domain_sigstop_all_domains',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 domain:process sigstop; ') @@ -210,7 +210,7 @@ define(`domain_sigstop_all_domains_depend',` ## # define(`domain_sigchld_all_domains',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 domain:process sigchld; ') @@ -232,7 +232,7 @@ define(`domain_sigchld_all_domains_depend',` ## # define(`domain_kill_all_domains',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 domain:process sigkill; allow $1 self:capability kill; @@ -256,7 +256,7 @@ define(`domain_kill_all_domains_depend',` ## # define(`domain_read_all_domains_state',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 domain:dir r_dir_perms; allow $1 domain:lnk_file r_file_perms; @@ -291,7 +291,7 @@ define(`domain_read_all_domains_state_depend',` ## # define(`domain_dontaudit_list_all_domains_proc',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) dontaudit $1 domain:dir r_dir_perms; ') @@ -314,7 +314,7 @@ define(`domain_dontaudit_list_all_domains_proc_depend',` ## # define(`domain_getsession_all_domains',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 domain:process getsession; ') @@ -337,7 +337,7 @@ define(`domain_getsession_all_domains_depend',` ## # define(`domain_dontaudit_getattr_all_udp_sockets',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) dontaudit $1 domain:udp_socket getattr; ') @@ -360,7 +360,7 @@ define(`domain_dontaudit_getattr_all_udp_sockets_depend',` ## # define(`domain_dontaudit_getattr_all_tcp_sockets',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) dontaudit $1 domain:tcp_socket getattr; ') 
@@ -383,7 +383,7 @@ define(`domain_dontaudit_getattr_all_tcp_sockets_depend',` ## # define(`domain_dontaudit_getattr_all_unix_dgram_sockets',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) dontaudit $1 domain:unix_dgram_socket getattr; ') @@ -406,7 +406,7 @@ define(`domain_dontaudit_getattr_all_unix_dgram_sockets_depend',` ## # define(`domain_dontaudit_getattr_all_unnamed_pipes',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) dontaudit $1 domain:fifo_file getattr; ') @@ -422,7 +422,7 @@ define(`domain_dontaudit_getattr_all_unnamed_pipes_depend',` # domain_exec_all_entry_files(domain) # define(`domain_exec_all_entry_files',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) can_exec($1,entry_type) @@ -439,7 +439,7 @@ define(`domain_exec_all_entry_files_depend',` # domain_read_all_entry_files(domain) # define(`domain_read_all_entry_files',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 entry_type:lnk_file r_file_perms; allow $1 entry_type:file r_file_perms; @@ -465,7 +465,7 @@ define(`domain_read_all_entry_files_depend',` # domain_trans(source_domain,entrypoint_file,target_domain) # define(`domain_trans',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 $2:file rx_file_perms; allow $1 $3:process transition; diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if index 1eb8292..4028f3b 100644 --- a/refpolicy/policy/modules/system/files.if +++ b/refpolicy/policy/modules/system/files.if @@ -21,7 +21,7 @@ # files_file_type(type) # define(`files_file_type',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) fs_associate($1) fs_associate_noxattr($1) @@ -37,7 +37,7 @@ define(`files_file_type_depend',` # files_lock_file(type) # define(`files_lock_file',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) files_file_type($1) typeattribute $1 lockfile; 
@@ -52,7 +52,7 @@ define(`files_lock_file_depend',` # files_mountpoint(type) # define(`files_mountpoint',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) files_file_type($1) typeattribute $1 mountpoint; @@ -67,7 +67,7 @@ define(`files_mountpoint_depend',` # files_pid_file(type) # define(`files_pid_file',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) files_file_type($1) typeattribute $1 pidfile; @@ -82,7 +82,7 @@ define(`files_pid_file_depend',` # files_tmp_file(type) # define(`files_tmp_file',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) files_file_type($1) typeattribute $1 tmpfile; @@ -104,7 +104,7 @@ define(`files_tmp_file_depend',` ## # define(`files_tmpfs_file',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) files_file_type($1) fs_associate_tmpfs($1) @@ -120,7 +120,7 @@ define(`files_tmpfs_file_depend',` # files_getattr_all_files(domain) define(`files_getattr_all_files',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 file_type:dir { search getattr }; allow $1 file_type:file getattr; @@ -155,7 +155,7 @@ define(`files_getattr_all_files_depend',` ## # define(`files_relabel_all_files',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 { file_type $2 }:dir { r_dir_perms relabelfrom relabelto }; allow $1 { file_type $2 }:file { getattr relabelfrom relabelto }; @@ -197,7 +197,7 @@ define(`files_relabel_all_files_depend',` ## # define(`files_manage_all_files',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 { file_type $2 }:dir create_dir_perms; allow $1 { file_type $2 }:file create_file_perms; @@ -225,7 +225,7 @@ define(`files_manage_all_files_depend',` # files_search_all_dirs(domain) # define(`files_search_all_dirs',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 file_type:dir search; ') 
@@ -241,7 +241,7 @@ define(`files_search_all_dirs_depend',` # files_list_all_dirs(domain) # define(`files_list_all_dirs',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 file_type:dir r_dir_perms; ') @@ -257,7 +257,7 @@ define(`files_list_all_dirs_depend',` # files_dontaudit_search_all_dirs(domain) # define(`files_dontaudit_search_all_dirs',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) dontaudit $1 file_type:dir search; ') @@ -273,7 +273,7 @@ define(`files_dontaudit_search_all_dirs_depend',` # files_relabelto_all_file_type_fs(domain) # define(`files_relabelto_all_file_type_fs',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 file_type:filesystem relabelto; ') @@ -289,7 +289,7 @@ define(`files_relabelto_all_file_type_fs_depend',` # files_mount_all_file_type_fs(domain) # define(`files_mount_all_file_type_fs',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 file_type:filesystem mount; ') @@ -305,7 +305,7 @@ define(`files_mount_all_file_type_fs_depend',` # files_unmount_all_file_type_fs(domain) # define(`files_unmount_all_file_type_fs',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 file_type:filesystem mount; ') @@ -321,7 +321,7 @@ define(`files_unmount_all_file_type_fs_depend',` # files_mounton_all_mountpoints(domain) # define(`files_mounton_all_mountpoints',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 mountpoint:dir { getattr search mounton }; ') @@ -337,7 +337,7 @@ define(`files_mounton_all_mountpoints_depend',` # files_list_root(domain) # define(`files_list_root',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 root_t:dir r_dir_perms; allow $1 root_t:lnk_file r_file_perms; @@ -372,7 +372,7 @@ define(`files_list_root_depend',` ## # define(`files_create_root',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 root_t:dir rw_dir_perms; 
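Review bot: `files_unmount_all_file_type_fs` (hunk at -305) carries the same rule as `files_mount_all_file_type_fs` in the hunk before it, `allow $1 file_type:filesystem mount;`. A domain that asks only to unmount is therefore given mount permission on every `file_type` filesystem, and the unmount it needs is still denied. The rule should be `allow $1 file_type:filesystem unmount;`. This looks like a copy-and-paste slip, and the header comment above the macro already names the intended operation.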
@@ -408,7 +408,7 @@ define(`files_create_root_depend',` # files_dontaudit_read_root_file(domain) # define(`files_dontaudit_read_root_file',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) dontaudit $1 root_t:file read; ') @@ -424,7 +424,7 @@ define(`files_dontaudit_read_root_file_depend',` # files_dontaudit_rw_root_file(domain) # define(`files_dontaudit_rw_root_file',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) dontaudit $1 root_t:file { read write }; ') @@ -440,7 +440,7 @@ define(`files_dontaudit_rw_root_file_depend',` # files_dontaudit_rw_root_chr_dev(domain) # define(`files_dontaudit_rw_root_chr_dev',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) dontaudit $1 root_t:chr_file { read write }; ') @@ -456,7 +456,7 @@ define(`files_dontaudit_rw_root_chr_dev_depend',` # files_delete_root_dir_entry(domain) # define(`files_delete_root_dir_entry',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 root_t:dir rw_dir_perms; ') @@ -472,7 +472,7 @@ define(`files_delete_root_dir_entry_depend',` # files_unmount_rootfs(domain) # define(`files_unmount_rootfs',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 root_t:filesystem unmount; ') @@ -488,7 +488,7 @@ define(`files_unmount_rootfs_depend',` # files_search_etc(domain) # define(`files_search_etc',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 etc_t:dir search; ') @@ -504,7 +504,7 @@ define(`files_search_etc_depend',` # files_read_generic_etc_files_directory(domain) # define(`files_read_generic_etc_files_directory',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 etc_t:dir r_dir_perms; ') 
@@ -520,7 +520,7 @@ define(`files_read_generic_etc_files_directory_depend',` # files_read_generic_etc_files(domain) # define(`files_read_generic_etc_files',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 etc_t:dir r_dir_perms; allow $1 etc_t:file r_file_perms; @@ -540,7 +540,7 @@ define(`files_read_generic_etc_files_depend',` # files_rw_generic_etc_files(domain) # define(`files_rw_generic_etc_files',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 etc_t:dir r_dir_perms; allow $1 etc_t:file rw_file_perms; @@ -560,7 +560,7 @@ define(`files_rw_generic_etc_files_depend',` # files_manage_generic_etc_files(domain) # define(`files_manage_generic_etc_files',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 etc_t:dir rw_dir_perms; allow $1 etc_t:file create_file_perms; @@ -586,7 +586,7 @@ define(`files_manage_generic_etc_files_depend',` ## # define(`files_delete_generic_etc_files',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 etc_t:dir rw_dir_perms; allow $1 etc_t:file unlink; @@ -604,7 +604,7 @@ define(`files_delete_generic_etc_files_depend',` # files_exec_generic_etc_files(domain) # define(`files_exec_generic_etc_files',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 etc_t:dir r_dir_perms; allow $1 etc_t:lnk_file r_file_perms; @@ -627,7 +627,7 @@ define(`files_exec_generic_etc_files_depend',` # /halt, /.autofsck, etc # define(`files_create_boot_flag',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 root_t:dir rw_dir_perms; allow $1 etc_runtime_t:file { create read write setattr unlink }; @@ -646,7 +646,7 @@ define(`files_create_boot_flag_depend',` # files_manage_etc_runtime_files(type) # define(`files_manage_etc_runtime_files',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 etc_t:dir rw_dir_perms; allow $1 etc_runtime_t:file create_file_perms; 
@@ -665,7 +665,7 @@ define(`files_manage_etc_runtime_files_depend',` # files_read_etc_runtime_files(domain) # define(`files_read_etc_runtime_files',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 etc_t:dir r_dir_perms; allow $1 etc_runtime_t:file r_file_perms; @@ -683,7 +683,7 @@ define(`files_read_etc_runtime_files_depend',` # files_create_etc_config(domain,privatetype,[class(es)]) # define(`files_create_etc_config',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 etc_t:dir rw_dir_perms; ifelse(`$3',`',` @@ -704,7 +704,7 @@ class dir rw_dir_perms; # files_rw_isid_type_dir(domain) # define(`files_rw_isid_type_dir',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 file_t:dir rw_dir_perms; ') @@ -720,7 +720,7 @@ define(`files_rw_isid_type_dir_depend',` # files_dontaudit_getattr_isid_type_dir(domain) # define(`files_dontaudit_getattr_isid_type_dir',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) dontaudit $1 file_t:dir search; ') @@ -736,7 +736,7 @@ define(`files_dontaudit_getattr_isid_type_dir_depend',` # files_dontaudit_search_isid_type_dir(domain) # define(`files_dontaudit_search_isid_type_dir',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) dontaudit $1 file_t:dir search; ') @@ -758,7 +758,7 @@ define(`files_dontaudit_search_isid_type_dir_depend',` ## # define(`files_list_home',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 home_root_t:dir r_dir_perms; ') @@ -774,7 +774,7 @@ define(`files_list_home_depend',` # files_list_mnt(domain) # define(`files_list_mnt',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 mnt_t:dir r_dir_perms; ') 
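Review bot: In the `@@ -720,7 +720,7 @@` hunk, files_dontaudit_getattr_isid_type_dir suppresses `search` rather than `getattr`, so it duplicates files_dontaudit_search_isid_type_dir in the next hunk. Callers that want to quiet getattr denials on unlabeled (file_t) directories instead hide search denials, which removes audit records they never asked to drop and leaves the getattr noise in place. The rule should read `dontaudit $1 file_t:dir getattr;`. The _depend block outside the hunk should be checked for the same permission.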
@@ -790,7 +790,7 @@ define(`files_read_etc_runtime_files_depend',` # files_create_tmp_files(domain,private_type,[object class(es)]) # define(`files_create_tmp_files',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 tmp_t:dir rw_dir_perms; @@ -812,7 +812,7 @@ define(`files_create_tmp_files_depend',` # files_delete_all_tmp_files(domain) # define(`files_delete_all_tmp_files',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 tmpfile:dir { getattr search read write add_name remove_name rmdir }; allow $1 tmpfile:file { getattr unlink }; @@ -836,7 +836,7 @@ define(`files_delete_all_tmp_files_depend',` # files_search_usr(domain) # define(`files_search_usr',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 usr_t:dir search; ') @@ -852,7 +852,7 @@ define(`files_search_usr_depend',` # files_read_usr_files(domain) # define(`files_read_usr_files',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 usr_t:dir r_dir_perms; allow $1 usr_t:{ file lnk_file } r_file_perms; @@ -877,7 +877,7 @@ define(`files_read_usr_files_depend',` ## # define(`files_exec_usr_files',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 usr_t:dir search; allow $1 src_t:dir r_dir_perms; @@ -899,7 +899,7 @@ define(`files_read_usr_src_depend',` # files_read_usr_src(domain) # define(`files_read_usr_src',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 usr_t:dir search; allow $1 src_t:dir r_dir_perms; @@ -919,7 +919,7 @@ define(`files_read_usr_src_depend',` # files_search_var(domain) # define(`files_search_var',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 var_t:dir search; ') @@ -935,7 +935,7 @@ define(`files_search_var_depend',` # files_dontaudit_search_var(domain) # define(`files_dontaudit_search_var',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) dontaudit $1 var_t:dir search; ') 
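Review bot: The header of the `@@ -790,7 +790,7 @@` hunk shows `files_read_etc_runtime_files_depend` as the nearest preceding definition, although the interface just before it is files_list_mnt. This suggests the dependency block after files_list_mnt was copied without being renamed. Because each interface builds the name of its requirement macro from its own name, files_list_mnt would then reference an undefined `files_list_mnt_depend`, and the duplicate definition may override the real one for files_read_etc_runtime_files. The same pattern appears in the headers at `@@ -899,7 +899,7 @@` (files_read_usr_src_depend after files_exec_usr_files), at `@@ -201,7 +201,7 @@` in init.if and at `@@ -134,7 +134,7 @@` in miscfiles.if. Those blocks are outside the hunks, so this is inferred from the headers and worth confirming before relying on the generated require blocks.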
@@ -951,7 +951,7 @@ define(`files_dontaudit_search_var_depend',` # files_manage_urandom_seed(domain) # define(`files_manage_urandom_seed',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 var_t:dir search; allow $1 var_lib_t:dir rw_dir_perms; @@ -970,7 +970,7 @@ define(`files_manage_urandom_seed_depend',` # files_getattr_generic_lock_files(domain) # define(`files_getattr_generic_lock_files',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 var_lock_t:dir r_dir_perms; allow $1 var_lock_t:file getattr; @@ -988,7 +988,7 @@ define(`files_getattr_generic_lock_files_depend',` # files_manage_generic_lock_files(domain) # define(`files_manage_generic_lock_files',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 var_lock_t:dir { getattr search create read write setattr add_name remove_name rmdir }; allow $1 var_lock_t:file { getattr create read write setattr unlink }; @@ -1006,7 +1006,7 @@ define(`files_manage_generic_lock_files_depend',` # files_delete_all_lock_files(domain) # define(`files_delete_all_lock_files',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 lockfile:dir rw_dir_perms; allow $1 lockfile:file { getattr unlink }; @@ -1024,7 +1024,7 @@ define(`files_delete_all_lock_files_depend',` # files_create_lock_file(domain,private_type,[object class(es)]) # define(`files_create_lock_file',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 var_t:dir search; allow $1 var_lock_t:dir rw_dir_perms; @@ -1047,7 +1047,7 @@ define(`files_create_lock_file_depend',` # files_search_pids(domain) # define(`files_search_pids',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 var_t:dir search; allow $1 var_run_t:dir search; 
@@ -1064,7 +1064,7 @@ define(`files_search_pids_depend',` # files_dontaudit_search_pids(domain) # define(`files_dontaudit_search_pids',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 var_run_t:dir search; ') @@ -1080,7 +1080,7 @@ define(`files_dontaudit_search_pids_depend',` # files_list_pids(domain) # define(`files_list_pids',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 var_t:dir search; allow $1 var_run_t:dir r_dir_perms; @@ -1097,7 +1097,7 @@ define(`files_list_pids_depend',` # files_create_pid(domain,pidfile,[object class(es)]) # define(`files_create_pid',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 var_t:dir search; allow $1 var_run_t:dir rw_dir_perms; @@ -1120,7 +1120,7 @@ define(`files_create_pid_depend',` # files_rw_generic_pids(domain) # define(`files_rw_generic_pids',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 var_t:dir search; allow $1 var_run_t:dir r_dir_perms; @@ -1146,7 +1146,7 @@ define(`files_rw_generic_pids_depend',` # define(`files_dontaudit_write_all_pids',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) dontaudit $1 pidfile:file write; ') @@ -1169,7 +1169,7 @@ define(`files_dontaudit_write_all_pids_depend',` # define(`files_dontaudit_ioctl_all_pids',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) dontaudit $1 pidfile:file ioctl; ') @@ -1185,7 +1185,7 @@ define(`files_dontaudit_ioctl_all_pids_depend',` # files_read_all_pids(domain) # define(`files_read_all_pids',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 var_t:dir search; allow $1 pidfile:dir r_dir_perms; @@ -1205,7 +1205,7 @@ define(`files_read_all_pids_depend',` # files_delete_all_pids(domain) # define(`files_delete_all_pids',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 var_t:dir search; allow $1 var_run_t:{ sock_file lnk_file } { getattr unlink }; 
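Review bot: In the `@@ -1064,7 +1064,7 @@` hunk, files_dontaudit_search_pids is written with `allow`, so an interface whose name promises only to silence denials actually grants search on var_run_t directories. Every domain that calls it to reduce log noise gains access that was meant to stay denied. The rule should read `dontaudit $1 var_run_t:dir search;`, matching files_dontaudit_search_var and the other dontaudit interfaces in this file.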
@@ -1231,7 +1231,7 @@ define(`files_delete_all_pids_depend',` # files_search_spool(domain) # define(`files_search_spool',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 var_t:dir search; allow $1 var_spool_t:dir search; @@ -1248,7 +1248,7 @@ define(`files_search_spool_depend',` # files_list_spool(domain) # define(`files_list_spool',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 var_t:dir search; allow $1 var_spool_t:dir r_dir_perms; @@ -1265,7 +1265,7 @@ define(`files_list_spool_depend',` # files_read_spools(domain) # define(`files_read_spools',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 var_t:dir search; allow $1 var_spool_t:dir r_dir_perms; @@ -1284,7 +1284,7 @@ define(`files_read_spools_depend',` # files_manage_spools(domain) # define(`files_manage_spools',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 var_t:dir search; allow $1 var_spool_t:dir rw_dir_perms; diff --git a/refpolicy/policy/modules/system/getty.if b/refpolicy/policy/modules/system/getty.if index 8a68f0d..b76c7b9 100644 --- a/refpolicy/policy/modules/system/getty.if +++ b/refpolicy/policy/modules/system/getty.if @@ -12,7 +12,7 @@ ## # define(`getty_domtrans',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 getty_exec_t:file { getattr read execute }; allow $1 getty_t:process transition; @@ -45,7 +45,7 @@ define(`getty_domtrans_depend',` ## # define(`getty_read_log',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 getty_log_t:file { getattr read }; ') @@ -67,7 +67,7 @@ define(`getty_read_log_depend',` ## # define(`getty_read_config',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 getty_etc_t:file { getattr read }; ') 
@@ -89,7 +89,7 @@ define(`getty_read_config_depend',` ## # define(`getty_modify_config',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 getty_etc_t:file { getattr read write }; ') diff --git a/refpolicy/policy/modules/system/hostname.if b/refpolicy/policy/modules/system/hostname.if index 272ae12..10237ff 100644 --- a/refpolicy/policy/modules/system/hostname.if +++ b/refpolicy/policy/modules/system/hostname.if @@ -13,7 +13,7 @@ ## # define(`hostname_domtrans',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 hostname_exec_t:file rx_file_perms; allow $1 hostname_t:process transition; @@ -54,7 +54,7 @@ define(`hostname_domtrans_depend',` ## # define(`hostname_run',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) hostname_domtrans($1) role $2 types hostname_t; @@ -83,7 +83,7 @@ define(`hostname_run_depend',` # hostname_exec(domain) # define(`hostname_exec',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) can_exec($1,hostname_exec_t) diff --git a/refpolicy/policy/modules/system/hotplug.if b/refpolicy/policy/modules/system/hotplug.if index 6f0b15f..f5e9f5b 100644 --- a/refpolicy/policy/modules/system/hotplug.if +++ b/refpolicy/policy/modules/system/hotplug.if @@ -9,7 +9,7 @@ # hotplug_domtrans(domain) # define(`hotplug_domtrans',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 hotplug_exec_t:file rx_file_perms; allow $1 hotplug_t:process transition; @@ -36,7 +36,7 @@ define(`hotplug_domtrans_depend',` # hotplug_exec(domain) # define(`hotplug_exec',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) can_exec($1,hotplug_exec_t) @@ -53,7 +53,7 @@ define(`hotplug_exec_depend',` # hotplug_use_fd(domain) # define(`hotplug_use_fd',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 hotplug_t:fd use; ') 
@@ -69,7 +69,7 @@ define(`hotplug_use_fd_depend',` # hotplug_dontaudit_use_fd(domain) # define(`hotplug_dontaudit_use_fd',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) dontaudit $1 hotplug_t:fd use; ') @@ -85,7 +85,7 @@ define(`hotplug_dontaudit_use_fd_depend',` # hotplug_dontaudit_search_config(domain) # define(`hotplug_dontaudit_search_config',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) dontaudit $1 hotplug_etc_t:dir search; ') @@ -107,7 +107,7 @@ define(`hotplug_dontaudit_search_config_depend',` ## # define(`hotplug_read_config',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) files_search_etc($1) allow $1 hotplug_etc_t:file r_file_perms; diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if index 68427f0..e1c03e3 100644 --- a/refpolicy/policy/modules/system/init.if +++ b/refpolicy/policy/modules/system/init.if @@ -6,7 +6,7 @@ # init_domain(domain,entrypointfile) # define(`init_domain',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) domain_type($1) domain_entry_file($1,$2) @@ -45,7 +45,7 @@ define(`init_domain_depend',` # init_daemon_domain(domain,entrypointfile) # define(`init_daemon_domain',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) domain_type($1) domain_entry_file($1,$2) @@ -86,7 +86,7 @@ define(`init_daemon_domain_depend',` # init_system_domain(domain,entrypointfile) # define(`init_system_domain',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) domain_type($1) domain_entry_file($1,$2) @@ -126,7 +126,7 @@ define(`init_system_domain_depend',` # init_domtrans(domain) # define(`init_domtrans',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 init_exec_t:file rx_file_perms; allow $1 init_t:process transition; 
@@ -153,7 +153,7 @@ define(`init_domtrans_depend',` # init_get_process_group(domain) # define(`init_get_process_group',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 init_t:process getpgid; ') @@ -169,7 +169,7 @@ define(`init_get_process_group_depend',` # init_getattr_initctl(domain) # define(`init_getattr_initctl',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 initctl_t:fifo_file getattr; ') @@ -185,7 +185,7 @@ define(`init_getattr_initctl_depend',` # init_dontaudit_getattr_initctl(domain) # define(`init_dontaudit_getattr_initctl',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) dontaudit $1 initctl_t:fifo_file getattr; ') @@ -201,7 +201,7 @@ define(`init_getattr_initctl_depend',` # init_use_initctl(domain) # define(`init_use_initctl',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) dev_list_all_dev_nodes($1) allow $1 initctl_t:fifo_file rw_file_perms; @@ -218,7 +218,7 @@ define(`init_use_initctl_depend',` # init_dontaudit_use_initctl(domain) # define(`init_dontaudit_use_initctl',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) dontaudit $1 initctl_t:fifo_file { read write }; ') @@ -234,7 +234,7 @@ define(`init_dontaudit_use_initctl_depend',` # init_sigchld(domain) # define(`init_sigchld',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 init_t:process sigchld; ') @@ -250,7 +250,7 @@ define(`init_sigchld_depend',` # init_use_fd(domain) # define(`init_use_fd',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 init_t:fd use; ') @@ -266,7 +266,7 @@ define(`init_use_fd_depend',` # init_dontaudit_use_fd(domain) # define(`init_dontaudit_use_fd',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) dontaudit $1 init_t:fd use; ') 
@@ -282,7 +282,7 @@ define(`init_dontaudit_use_fd_depend',` # init_domtrans_script(domain) # define(`init_domtrans_script',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 initrc_exec_t:file rx_file_perms; allow $1 initrc_t:process transition; @@ -309,7 +309,7 @@ define(`init_domtrans_script_depend',` # init_exec_script(domain) # define(`init_exec_script',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) can_exec($1,initrc_exec_t) @@ -332,7 +332,7 @@ define(`init_exec_script_depend',` ## # define(`init_read_script_process_state',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 initrc_t:dir r_dir_perms; allow $1 initrc_t:{ file lnk_file } r_file_perms; @@ -359,7 +359,7 @@ define(`init_read_script_process_state_depend',` # init_use_script_fd(domain) # define(`init_use_script_fd',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 initrc_t:fd use; ') @@ -375,7 +375,7 @@ define(`init_use_script_fd_depend',` # init_dontaudit_use_script_fd(domain) # define(`init_dontaudit_use_script_fd',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) dontaudit $1 initrc_t:fd use; ') @@ -391,7 +391,7 @@ define(`init_dontaudit_use_script_fd_depend',` # init_get_script_process_group(domain) # define(`init_get_script_process_group',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 initrc_t:process getpgid; ') @@ -407,7 +407,7 @@ define(`init_get_script_process_group_depend',` # init_use_script_pty(domain) # define(`init_use_script_pty',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) term_list_ptys($1) allow $1 initrc_devpts_t:chr_file { getattr read write ioctl }; @@ -424,7 +424,7 @@ define(`init_use_script_pty_depend',` # init_dontaudit_use_script_pty(domain) # define(`init_dontaudit_use_script_pty',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) dontaudit $1 initrc_devpts_t:chr_file { read write ioctl }; ') 
@@ -446,7 +446,7 @@ define(`init_dontaudit_use_script_pty_depend',` ## # define(`init_rw_script_tmp_files',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) # FIXME: read tmp_t allow $1 initrc_tmp_t:file rw_file_perms; @@ -463,7 +463,7 @@ define(`init_rw_script_tmp_files_depend',` # init_read_script_pid(domain) # define(`init_read_script_pid',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) files_list_pids($1) allow $1 initrc_var_run_t:file r_file_perms; @@ -480,7 +480,7 @@ define(`init_read_script_pid_depend',` # init_dontaudit_write_script_pid(domain) # define(`init_dontaudit_write_script_pid',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) dontaudit $1 initrc_var_run_t:file { write lock }; ') @@ -496,7 +496,7 @@ define(`init_dontaudit_write_script_pid_depend',` # init_rw_script_pid(domain) # define(`init_rw_script_pid',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) files_list_pids($1) allow $1 initrc_var_run_t:file rw_file_perms; @@ -513,7 +513,7 @@ define(`init_rw_script_pid_depend',` # init_dontaudit_rw_script_pid(domain) # define(`init_dontaudit_rw_script_pid',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) dontaudit $1 initrc_var_run_t:file { getattr read write append }; ') diff --git a/refpolicy/policy/modules/system/iptables.if b/refpolicy/policy/modules/system/iptables.if index 53eee21..6e6d6ce 100644 --- a/refpolicy/policy/modules/system/iptables.if +++ b/refpolicy/policy/modules/system/iptables.if @@ -12,7 +12,7 @@ ## # define(`iptables_domtrans',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 iptables_exec_t:file rx_file_perms; allow $1 iptables_t:process transition; @@ -52,7 +52,7 @@ define(`iptables_domtrans_depend',` ## # define(`iptables_run',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) iptables_domtrans($1) role $2 types iptables_t; 
@@ -76,7 +76,7 @@ define(`iptables_run_depend',` ## # define(`iptables_exec',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) can_exec($1,iptables_exec_t) diff --git a/refpolicy/policy/modules/system/libraries.if b/refpolicy/policy/modules/system/libraries.if index 0490095..97207ff 100644 --- a/refpolicy/policy/modules/system/libraries.if +++ b/refpolicy/policy/modules/system/libraries.if @@ -12,7 +12,7 @@ ## # define(`libs_domtrans_ldconfig',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) domain_auto_trans($1,ldconfig_exec_t,ldconfig_t) @@ -48,7 +48,7 @@ define(`libs_domtrans_ldconfig_depend',` ## # define(`libs_run_ldconfig',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) libs_domtrans_ldconfig($1) role $2 types ldconfig_t; @@ -73,7 +73,7 @@ define(`libs_run_ldconfig_depend',` ## # define(`libs_use_ld_so',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) files_read_generic_etc_files_directory($1) allow $1 lib_t:dir r_dir_perms; @@ -103,7 +103,7 @@ define(`libs_use_ld_so_depend',` ## # define(`libs_legacy_use_ld_so',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) libs_use_ld_so($1) allow $1 ld_so_t:file execmod; @@ -132,7 +132,7 @@ define(`libs_legacy_use_ld_so_depend',` ## # define(`libs_exec_ld_so',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 lib_t:dir r_dir_perms; allow $1 lib_t:lnk_file r_file_perms; @@ -160,7 +160,7 @@ define(`libs_exec_ld_so_depend',` ## # define(`libs_rw_ld_so_cache',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) files_read_generic_etc_files_directory($1) allow $1 ld_so_cache_t:file rw_file_perms; @@ -184,7 +184,7 @@ define(`libs_rw_ld_so_cache_depend',` ## # define(`libs_read_lib',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 lib_t:dir r_dir_perms; allow $1 lib_t:{ file lnk_file } r_file_perms; 
@@ -209,7 +209,7 @@ define(`libs_read_lib_depend',` ## # define(`libs_exec_lib_files',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 lib_t:dir r_dir_perms; allow $1 lib_t:lnk_file r_file_perms; @@ -235,7 +235,7 @@ define(`libs_exec_lib_files_depend',` ## # define(`libs_use_shared_libs',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) files_search_usr($1) allow $1 lib_t:dir r_dir_perms; @@ -264,7 +264,7 @@ define(`libs_use_shared_libs_depend',` ## # define(`libs_legacy_use_shared_libs',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) libs_use_shared_libs($1) allow $1 { shlib_t texrel_shlib_t }:file execmod; diff --git a/refpolicy/policy/modules/system/locallogin.if b/refpolicy/policy/modules/system/locallogin.if index f7db31f..32f8bdd 100644 --- a/refpolicy/policy/modules/system/locallogin.if +++ b/refpolicy/policy/modules/system/locallogin.if @@ -12,7 +12,7 @@ ## # define(`locallogin_domtrans',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) auth_domtrans_login_program($1,local_login_t) ') @@ -36,7 +36,7 @@ define(`locallogin_domtrans_depend',` # locallogin_use_fd(domain) # define(`locallogin_use_fd',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 local_login_t:fd use; ') diff --git a/refpolicy/policy/modules/system/logging.if b/refpolicy/policy/modules/system/logging.if index 5fde11a..39e0762 100644 --- a/refpolicy/policy/modules/system/logging.if +++ b/refpolicy/policy/modules/system/logging.if @@ -6,7 +6,7 @@ # logging_log_file(domain) # define(`logging_log_file',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) files_file_type($1) typeattribute $1 logfile; @@ -21,7 +21,7 @@ define(`logging_log_file_depend',` # logging_create_log(domain,privatetype,[class(es)]) # define(`logging_create_log',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 var_log_t:dir rw_dir_perms; 
@@ -43,7 +43,7 @@ define(`logging_create_log_depend',` # logging_send_syslog_msg(domain) # define(`logging_send_syslog_msg',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 devlog_t:lnk_file read; allow $1 devlog_t:sock_file rw_file_perms; @@ -79,7 +79,7 @@ define(`logging_send_syslog_msg_depend',` ## # define(`logging_search_logs',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) files_search_var($1) allow $1 var_log_t:dir search; @@ -96,7 +96,7 @@ define(`logging_search_logs_depend',` # logging_dontaudit_getattr_all_logs(domain) # define(`logging_dontaudit_getattr_all_logs',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) dontaudit $1 logfile:file getattr; ') @@ -112,7 +112,7 @@ define(`logging_dontaudit_getattr_all_logs_depend',` # logging_append_all_logs(domain) # define(`logging_append_all_logs',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) files_search_var($1) allow $1 var_log_t:dir r_dir_perms; @@ -133,7 +133,7 @@ define(`logging_append_all_logs_depend',` # logging_read_all_logs(domain) # define(`logging_read_all_logs',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) files_search_var($1) allow $1 var_log_t:dir r_dir_perms; @@ -154,7 +154,7 @@ define(`logging_read_all_logs_depend',` # logging_read_generic_logs(domain) # define(`logging_read_generic_logs',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) files_search_var($1) allow $1 var_log_t:dir r_dir_perms; @@ -173,7 +173,7 @@ define(`logging_read_generic_logs_depend',` # logging_write_generic_logs(domain) # define(`logging_write_generic_logs',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) files_search_var($1) allow $1 var_log_t:dir r_dir_perms; 
@@ -192,7 +192,7 @@ define(`logging_write_generic_logs_depend',` # logging_rw_generic_logs(domain) # define(`logging_rw_generic_logs',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) files_search_var($1) allow $1 var_log_t:dir r_dir_perms; diff --git a/refpolicy/policy/modules/system/lvm.if b/refpolicy/policy/modules/system/lvm.if index 007c608..c16b4bd 100644 --- a/refpolicy/policy/modules/system/lvm.if +++ b/refpolicy/policy/modules/system/lvm.if @@ -12,7 +12,7 @@ ## # define(`lvm_domtrans',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) domain_auto_trans($1, lvm_exec_t, lvm_t) @@ -48,7 +48,7 @@ define(`lvm_domtrans_depend',` ## # define(`lvm_run',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) lvm_domtrans($1) role $2 types lvm_t; @@ -72,7 +72,7 @@ define(`lvm_run_depend',` ## # define(`lvm_read_config',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 lvm_etc_t:dir r_dir_perms; allow $1 lvm_etc_t:file r_file_perms; diff --git a/refpolicy/policy/modules/system/miscfiles.if b/refpolicy/policy/modules/system/miscfiles.if index cca062f..31c9495 100644 --- a/refpolicy/policy/modules/system/miscfiles.if +++ b/refpolicy/policy/modules/system/miscfiles.if @@ -16,7 +16,7 @@ ## # define(`miscfiles_rw_man_cache',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) # FIXME: search var_t dir allow $1 catman_t:dir create_dir_perms; @@ -44,7 +44,7 @@ define(`miscfiles_rw_man_cache_depend',` ## # define(`miscfiles_read_fonts',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) # FIXME: search usr_t dir # FIXME: search lib_t dir @@ -74,7 +74,7 @@ define(`miscfiles_read_fonts_depend',` ## # define(`miscfiles_read_localization',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) # FIXME: $1 read etc_t:lnk_file here # FIXME: $1 search usr_t:dir here 
@@ -108,7 +108,7 @@ define(`miscfiles_read_localization_depend',` ## # define(`miscfiles_legacy_read_localization',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) miscfiles_read_localization($1) allow $1 locale_t:file execute; @@ -134,7 +134,7 @@ define(`miscfiles_read_localization_depend',` ## # define(`miscfiles_read_man_pages',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) # FIXME: search usr_t dir allow $1 man_t:dir r_dir_perms; diff --git a/refpolicy/policy/modules/system/modutils.if b/refpolicy/policy/modules/system/modutils.if index 567d30d..32d2e84 100644 --- a/refpolicy/policy/modules/system/modutils.if +++ b/refpolicy/policy/modules/system/modutils.if @@ -12,7 +12,7 @@ ## # define(`modutils_read_kernel_module_dependencies',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) bootloader_list_kernel_modules($1) allow $1 modules_dep_t:file r_file_perms; @@ -37,7 +37,7 @@ define(`modutils_read_kernel_module_dependencies_depend',` ## # define(`modutils_read_module_conf',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 modules_conf_t:file r_file_perms; ') @@ -60,7 +60,7 @@ define(`modutils_read_module_conf_depend',` ## # define(`modutils_domtrans_insmod',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) domain_auto_trans($1, insmod_exec_t, insmod_t) @@ -99,7 +99,7 @@ define(`modutils_domtrans_insmod_depend',` ## # define(`modutils_run_insmod',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) modutils_domtrans_insmod($1) role $2 types insmod_t; @@ -117,7 +117,7 @@ define(`modutils_run_insmod_depend',` # modutils_exec_insmod(domain) # define(`modutils_exec_insmod',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) can_exec($1, insmod_exec_t) ') 
@@ -139,7 +139,7 @@ define(`modutils_exec_insmod_depend',` ## # define(`modutils_domtrans_depmod',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) domain_auto_trans($1, depmod_exec_t, depmod_t) @@ -175,7 +175,7 @@ define(`modutils_domtrans_depmod_depend',` ## # define(`modutils_run_depmod',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) modutils_domtrans_depmod($1) role $2 types insmod_t; @@ -193,7 +193,7 @@ define(`modutils_run_depmod_depend',` # modutils_exec_depmod(domain) # define(`modutils_exec_depmod',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) can_exec($1, depmod_exec_t) ') @@ -215,7 +215,7 @@ define(`modutils_exec_depmod_depend',` ## # define(`modutils_domtrans_update_mods',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) domain_auto_trans($1, update_modules_exec_t, update_modules_t) @@ -251,7 +251,7 @@ define(`modutils_domtrans_update_mods_depend',` ## # define(`modutils_run_update_mods',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) modutils_domtrans_update_mods($1) role $2 types update_modules_t; @@ -269,7 +269,7 @@ define(`modutils_run_update_mods_depend',` # modutils_exec_update_mods(domain) # define(`modutils_exec_update_mods',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) can_exec($1, update_modules_exec_t) ') diff --git a/refpolicy/policy/modules/system/mount.if b/refpolicy/policy/modules/system/mount.if index 69457c8..31712a2 100644 --- a/refpolicy/policy/modules/system/mount.if +++ b/refpolicy/policy/modules/system/mount.if @@ -12,7 +12,7 @@ ## # define(`mount_domtrans',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 mount_exec_t:file rx_file_perms; allow $1 mount_t:process transition; @@ -53,7 +53,7 @@ define(`mount_domtrans_depend',` ## # define(`mount_run',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) mount_domtrans($1) role $2 types mount_t; 
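Review bot: In the `@@ -175,7 +175,7 @@` hunk, modutils_run_depmod transitions to depmod_t through modutils_domtrans_depmod but then authorises the caller's role for `insmod_t`. That adds the module-loading domain to a role that only asked to run depmod. It also leaves depmod_t out of the role, so the transition is likely to be rejected for that role. The line should read `role $2 types depmod_t;`, as modutils_run_update_mods does for its own domain. The interface body continues past the end of the hunk, and its _depend block should require depmod_t as well.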
@@ -77,7 +77,7 @@ define(`mount_run_depend',` ## # define(`mount_use_fd',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 mount_t:fd use; ') @@ -100,7 +100,7 @@ define(`mount_use_fd_depend',` ## # define(`mount_send_nfs_client_request',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 mount_t:udp_socket rw_socket_perms; ') diff --git a/refpolicy/policy/modules/system/selinux.if b/refpolicy/policy/modules/system/selinux.if index 78fbf0d..433d28e 100644 --- a/refpolicy/policy/modules/system/selinux.if +++ b/refpolicy/policy/modules/system/selinux.if @@ -12,7 +12,7 @@ ## # define(`selinux_domtrans_checkpol',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 checkpolicy_exec_t:file rx_file_perms; allow $1 checkpolicy_t:process transition; @@ -54,7 +54,7 @@ define(`selinux_domtrans_checkpol_depend',` ## # define(`selinux_run_checkpol',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) selinux_domtrans_checkpol($1) role $2 types checkpolicy_t; @@ -72,7 +72,7 @@ define(`selinux_run_checkpol_depend',` # selinux_exec_checkpol(domain) # define(`selinux_exec_checkpol',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) can_exec($1,checkpolicy_exec_t) ') @@ -94,7 +94,7 @@ define(`selinux_exec_checkpol_depend',` ## # define(`selinux_domtrans_loadpol',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 load_policy_exec_t:file rx_file_perms; allow $1 load_policy_t:process transition; @@ -136,7 +136,7 @@ define(`selinux_domtrans_loadpol_depend',` ## # define(`selinux_run_loadpol',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) selinux_domtrans_loadpol($1) role $2 types load_policy_t; @@ -154,7 +154,7 @@ define(`selinux_run_loadpol_depend',` # selinux_exec_loadpol(domain) # define(`selinux_exec_loadpol',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) can_exec($1,load_policy_exec_t) ') 
@@ -170,7 +170,7 @@ define(`selinux_exec_loadpol_depend',` # selinux_read_loadpol(domain) # define(`selinux_read_loadpol',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 load_policy_exec_t:file r_file_perms; ') @@ -192,7 +192,7 @@ define(`selinux_read_loadpol_depend',` ## # define(`selinux_domtrans_newrole',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 newrole_exec_t:file rx_file_perms; allow $1 newrole_t:process transition; @@ -233,7 +233,7 @@ define(`selinux_domtrans_newrole_depend',` ## # define(`selinux_run_newrole',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) selinux_domtrans_newrole($1) role $2 types newrole_t; @@ -251,7 +251,7 @@ define(`selinux_run_newrole_depend',` # selinux_exec_newrole(domain) # define(`selinux_exec_newrole',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) can_exec($1,newrole_exec_t) ') @@ -274,7 +274,7 @@ define(`selinux_exec_newrole_depend',` ## # define(`selinux_dontaudit_newrole_signal',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) dontaudit $1 newrole_t:process signal; ') @@ -290,7 +290,7 @@ define(`selinux_dontaudit_newrole_signal_depend',` # selinux_newrole_sigchld(domain) # define(`selinux_newrole_sigchld',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 newrole_t:process sigchld; ') @@ -306,7 +306,7 @@ define(`selinux_newrole_sigchld_depend',` # selinux_use_newrole_fd(domain) # define(`selinux_use_newrole_fd',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 newrole_t:fd use; ') @@ -328,7 +328,7 @@ define(`selinux_use_newrole_fd_depend',` ## # define(`selinux_domtrans_restorecon',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 restorecon_exec_t:file rx_file_perms; allow $1 restorecon_t:process transition; 
@@ -369,7 +369,7 @@ define(`selinux_domtrans_restorecon_depend',` ## # define(`selinux_run_restorecon',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) selinux_domtrans_restorecon($1) role $2 types restorecon_t; @@ -387,7 +387,7 @@ define(`selinux_run_restorecon_depend',` # selinux_exec_restorecon(domain) # define(`selinux_exec_restorecon',` -requires_block_template(`$0'_depend) +gen_require(`$0'_depend) can_exec($1,restorecon_exec_t) ') @@ -408,7 +408,7 @@ define(`selinux_exec_restorecon_depend',` ## # define(`selinux_domtrans_runinit',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 run_init_exec_t:file rx_file_perms; allow $1 run_init_t:process transition; @@ -449,7 +449,7 @@ define(`selinux_domtrans_runinit_depend',` ## # define(`selinux_run_runinit',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) selinux_domtrans_runinit($1) role $2 types run_init_t; @@ -467,7 +467,7 @@ define(`selinux_run_runinit_depend',` # selinux_use_runinit_fd(domain) # define(`selinux_use_runinit_fd',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 run_init_t:fd use; ') @@ -489,7 +489,7 @@ define(`selinux_use_runinit_fd_depend',` ## # define(`selinux_domtrans_setfiles',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 setfiles_exec_t:file rx_file_perms; allow $1 setfiles_t:process transition; @@ -530,7 +530,7 @@ define(`selinux_domtrans_setfiles_depend',` ## # define(`selinux_run_setfiles',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) selinux_domtrans_setfiles($1) role $2 types setfiles_t; @@ -548,7 +548,7 @@ define(`selinux_run_setfiles_depend',` # selinux_exec_setfiles(domain) # define(`selinux_exec_setfiles',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) can_exec($1,setfiles_exec_t) ') 
@@ -564,7 +564,7 @@ define(`selinux_exec_setfiles_depend',` # selinux_read_config(domain) # define(`selinux_read_config',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 selinux_config_t:dir r_dir_perms; allow $1 selinux_config_t:file r_file_perms; @@ -582,7 +582,7 @@ define(`selinux_read_config_depend',` # selinux_read_default_contexts(domain) # define(`selinux_read_default_contexts',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 selinux_config_t:dir search; allow $1 default_context_t:dir r_dir_perms; @@ -601,7 +601,7 @@ define(`selinux_read_default_contexts_depend',` # selinux_read_file_contexts(domain) # define(`selinux_read_file_contexts',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 selinux_config_t:dir search; allow $1 file_context_t:dir r_dir_perms; @@ -620,7 +620,7 @@ define(`selinux_read_file_contexts_depend',` # selinux_read_binary_pol(domain) # define(`selinux_read_binary_pol',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 policy_config_t:dir r_dir_perms; allow $1 policy_config_t:file r_file_perms; @@ -638,7 +638,7 @@ define(`selinux_read_binary_pol_depend',` # selinux_write_binary_pol(domain) # define(`selinux_write_binary_pol',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 policy_config_t:dir rw_dir_perms; allow $1 policy_config_t:file { getattr create write unlink }; @@ -665,7 +665,7 @@ define(`selinux_write_binary_pol_depend',` ## # define(`selinux_relabelto_binary_pol',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 policy_config_t:file relabelto; typeattribute $1 can_relabelto_binary_policy; @@ -684,7 +684,7 @@ define(`selinux_relabelto_binary_pol_depend',` # selinux_manage_binary_pol(domain) # define(`selinux_manage_binary_pol',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) # FIXME: search etc_t:dir allow $1 selinux_config_t:dir search; 
@@ -706,7 +706,7 @@ define(`selinux_manage_binary_pol_depend',` # selinux_read_src_pol(domain) # define(`selinux_read_src_pol',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) # FIXME: search etc_t:dir allow $1 selinux_config_t:dir search; @@ -726,7 +726,7 @@ define(`selinux_read_src_pol_depend',` # selinux_manage_src_pol(domain) # define(`selinux_manage_src_pol',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) # FIXME: search etc_t:dir allow $1 selinux_config_t:dir search; diff --git a/refpolicy/policy/modules/system/selinuxutil.if b/refpolicy/policy/modules/system/selinuxutil.if index 78fbf0d..433d28e 100644 --- a/refpolicy/policy/modules/system/selinuxutil.if +++ b/refpolicy/policy/modules/system/selinuxutil.if @@ -12,7 +12,7 @@ ## # define(`selinux_domtrans_checkpol',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 checkpolicy_exec_t:file rx_file_perms; allow $1 checkpolicy_t:process transition; @@ -54,7 +54,7 @@ define(`selinux_domtrans_checkpol_depend',` ## # define(`selinux_run_checkpol',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) selinux_domtrans_checkpol($1) role $2 types checkpolicy_t; @@ -72,7 +72,7 @@ define(`selinux_run_checkpol_depend',` # selinux_exec_checkpol(domain) # define(`selinux_exec_checkpol',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) can_exec($1,checkpolicy_exec_t) ') @@ -94,7 +94,7 @@ define(`selinux_exec_checkpol_depend',` ## # define(`selinux_domtrans_loadpol',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 load_policy_exec_t:file rx_file_perms; allow $1 load_policy_t:process transition; @@ -136,7 +136,7 @@ define(`selinux_domtrans_loadpol_depend',` ## # define(`selinux_run_loadpol',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) selinux_domtrans_loadpol($1) role $2 types load_policy_t; 
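Review bot: The `selinuxutil.if` section that starts on this line carries the same `index 78fbf0d..433d28e` and the same hunks as the `selinux.if` section before it, so the two files are byte-identical both before and after this commit. Every `selinux_*` interface is therefore defined twice, and m4 silently keeps whichever `define` it reads last. If this is a rename in progress, a later edit to only one copy (for example tightening `selinux_write_binary_pol` or `selinux_relabelto_binary_pol`) could be overridden by the stale copy without any build error. Dropping one file in the same change, or adding a comment at the top of the copy that is meant to go away, would avoid that drift.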
@@ -154,7 +154,7 @@ define(`selinux_run_loadpol_depend',` # selinux_exec_loadpol(domain) # define(`selinux_exec_loadpol',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) can_exec($1,load_policy_exec_t) ') @@ -170,7 +170,7 @@ define(`selinux_exec_loadpol_depend',` # selinux_read_loadpol(domain) # define(`selinux_read_loadpol',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 load_policy_exec_t:file r_file_perms; ') @@ -192,7 +192,7 @@ define(`selinux_read_loadpol_depend',` ## # define(`selinux_domtrans_newrole',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 newrole_exec_t:file rx_file_perms; allow $1 newrole_t:process transition; @@ -233,7 +233,7 @@ define(`selinux_domtrans_newrole_depend',` ## # define(`selinux_run_newrole',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) selinux_domtrans_newrole($1) role $2 types newrole_t; @@ -251,7 +251,7 @@ define(`selinux_run_newrole_depend',` # selinux_exec_newrole(domain) # define(`selinux_exec_newrole',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) can_exec($1,newrole_exec_t) ') @@ -274,7 +274,7 @@ define(`selinux_exec_newrole_depend',` ## # define(`selinux_dontaudit_newrole_signal',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) dontaudit $1 newrole_t:process signal; ') @@ -290,7 +290,7 @@ define(`selinux_dontaudit_newrole_signal_depend',` # selinux_newrole_sigchld(domain) # define(`selinux_newrole_sigchld',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 newrole_t:process sigchld; ') @@ -306,7 +306,7 @@ define(`selinux_newrole_sigchld_depend',` # selinux_use_newrole_fd(domain) # define(`selinux_use_newrole_fd',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 newrole_t:fd use; ') 
@@ -328,7 +328,7 @@ define(`selinux_use_newrole_fd_depend',` ## # define(`selinux_domtrans_restorecon',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 restorecon_exec_t:file rx_file_perms; allow $1 restorecon_t:process transition; @@ -369,7 +369,7 @@ define(`selinux_domtrans_restorecon_depend',` ## # define(`selinux_run_restorecon',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) selinux_domtrans_restorecon($1) role $2 types restorecon_t; @@ -387,7 +387,7 @@ define(`selinux_run_restorecon_depend',` # selinux_exec_restorecon(domain) # define(`selinux_exec_restorecon',` -requires_block_template(`$0'_depend) +gen_require(`$0'_depend) can_exec($1,restorecon_exec_t) ') @@ -408,7 +408,7 @@ define(`selinux_exec_restorecon_depend',` ## # define(`selinux_domtrans_runinit',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 run_init_exec_t:file rx_file_perms; allow $1 run_init_t:process transition; @@ -449,7 +449,7 @@ define(`selinux_domtrans_runinit_depend',` ## # define(`selinux_run_runinit',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) selinux_domtrans_runinit($1) role $2 types run_init_t; @@ -467,7 +467,7 @@ define(`selinux_run_runinit_depend',` # selinux_use_runinit_fd(domain) # define(`selinux_use_runinit_fd',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 run_init_t:fd use; ') @@ -489,7 +489,7 @@ define(`selinux_use_runinit_fd_depend',` ## # define(`selinux_domtrans_setfiles',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 setfiles_exec_t:file rx_file_perms; allow $1 setfiles_t:process transition; @@ -530,7 +530,7 @@ define(`selinux_domtrans_setfiles_depend',` ## # define(`selinux_run_setfiles',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) selinux_domtrans_setfiles($1) role $2 types setfiles_t; 
@@ -548,7 +548,7 @@ define(`selinux_run_setfiles_depend',` # selinux_exec_setfiles(domain) # define(`selinux_exec_setfiles',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) can_exec($1,setfiles_exec_t) ') @@ -564,7 +564,7 @@ define(`selinux_exec_setfiles_depend',` # selinux_read_config(domain) # define(`selinux_read_config',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 selinux_config_t:dir r_dir_perms; allow $1 selinux_config_t:file r_file_perms; @@ -582,7 +582,7 @@ define(`selinux_read_config_depend',` # selinux_read_default_contexts(domain) # define(`selinux_read_default_contexts',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 selinux_config_t:dir search; allow $1 default_context_t:dir r_dir_perms; @@ -601,7 +601,7 @@ define(`selinux_read_default_contexts_depend',` # selinux_read_file_contexts(domain) # define(`selinux_read_file_contexts',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 selinux_config_t:dir search; allow $1 file_context_t:dir r_dir_perms; @@ -620,7 +620,7 @@ define(`selinux_read_file_contexts_depend',` # selinux_read_binary_pol(domain) # define(`selinux_read_binary_pol',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 policy_config_t:dir r_dir_perms; allow $1 policy_config_t:file r_file_perms; @@ -638,7 +638,7 @@ define(`selinux_read_binary_pol_depend',` # selinux_write_binary_pol(domain) # define(`selinux_write_binary_pol',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 policy_config_t:dir rw_dir_perms; allow $1 policy_config_t:file { getattr create write unlink }; @@ -665,7 +665,7 @@ define(`selinux_write_binary_pol_depend',` ## # define(`selinux_relabelto_binary_pol',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 policy_config_t:file relabelto; typeattribute $1 can_relabelto_binary_policy; 
@@ -684,7 +684,7 @@ define(`selinux_relabelto_binary_pol_depend',` # selinux_manage_binary_pol(domain) # define(`selinux_manage_binary_pol',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) # FIXME: search etc_t:dir allow $1 selinux_config_t:dir search; @@ -706,7 +706,7 @@ define(`selinux_manage_binary_pol_depend',` # selinux_read_src_pol(domain) # define(`selinux_read_src_pol',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) # FIXME: search etc_t:dir allow $1 selinux_config_t:dir search; @@ -726,7 +726,7 @@ define(`selinux_read_src_pol_depend',` # selinux_manage_src_pol(domain) # define(`selinux_manage_src_pol',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) # FIXME: search etc_t:dir allow $1 selinux_config_t:dir search; diff --git a/refpolicy/policy/modules/system/sysnetwork.if b/refpolicy/policy/modules/system/sysnetwork.if index ae3481d..e3f1109 100644 --- a/refpolicy/policy/modules/system/sysnetwork.if +++ b/refpolicy/policy/modules/system/sysnetwork.if @@ -12,7 +12,7 @@ ## # define(`sysnet_domtrans_dhcpc',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) domain_auto_trans($1, dhcpc_exec_t, dhcpc_t) @@ -42,7 +42,7 @@ define(`sysnet_domtrans_dhcpc_depend',` ## # define(`sysnet_domtrans_ifconfig',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) domain_auto_trans($1, ifconfig_exec_t, ifconfig_t) @@ -80,7 +80,7 @@ define(`sysnet_domtrans_ifconfig_depend',` ## # define(`sysnet_run_ifconfig',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) sysnet_domtrans_ifconfig($1) role $2 types ifconfig_t; @@ -104,7 +104,7 @@ define(`sysnet_run_ifconfig_depend',` ## # define(`sysnet_read_config',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) files_search_etc($1) allow $1 net_conf_t:file r_file_perms; diff --git a/refpolicy/policy/modules/system/udev.if b/refpolicy/policy/modules/system/udev.if index f0a43db..af6a47a 100644 
--- a/refpolicy/policy/modules/system/udev.if +++ b/refpolicy/policy/modules/system/udev.if @@ -12,7 +12,7 @@ ## # define(`udev_domtrans',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) domain_auto_trans($1, udev_exec_t, udev_t) @@ -42,7 +42,7 @@ define(`udev_domtrans_depend',` ## # define(`udev_read_db',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 udev_tdb_t:file r_file_perms; ') @@ -64,7 +64,7 @@ define(`udev_read_db_depend',` ## # define(`udev_rw_db',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 udev_tdb_t:file rw_file_perms; ') diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if index 5582b7a..2b3d1c5 100644 --- a/refpolicy/policy/modules/system/userdomain.if +++ b/refpolicy/policy/modules/system/userdomain.if @@ -819,7 +819,7 @@ define(`admin_domain_template',` ## # define(`userdom_spec_domtrans_all_users',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) corecmd_shell_spec_domtrans($1,userdomain) ') @@ -838,7 +838,7 @@ define(`userdom_spec_domtrans_all_users_depend',` ## # define(`userdom_shell_domtrans_sysadm',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) corecmd_domtrans_shell($1,sysadm_t) ') @@ -859,7 +859,7 @@ define(`userdom_shell_domtrans_sysadm_depend',` ## # define(`userdom_use_sysadm_terms',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) dev_list_all_dev_nodes($1) term_list_ptys($1) @@ -883,7 +883,7 @@ define(`userdom_use_sysadm_terms_depend',` ## # define(`userdom_dontaudit_use_sysadm_terms',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) dontaudit $1 admin_terminal:chr_file { read write }; ') 
@@ -905,7 +905,7 @@ define(`userdom_dontaudit_use_sysadm_terms_depend',` ## # define(`userdom_search_all_users_home',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) files_list_home($1) allow $1 { home_dir_type home_type }:dir search; @@ -928,7 +928,7 @@ define(`userdom_search_all_users_home_depend',` ## # define(`userdom_read_all_user_data',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) files_list_home($1) allow $1 home_type:dir r_dir_perms; @@ -953,7 +953,7 @@ define(`userdom_read_all_user_data_depend',` ## # define(`userdom_use_all_user_fd',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 userdomain:fd use; ') @@ -975,7 +975,7 @@ define(`userdom_use_all_user_fd_depend',` ## # define(`userdom_signal_all_users',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 userdomain:process signal; ') @@ -997,7 +997,7 @@ define(`userdom_signal_all_users_depend',` ## # define(`userdom_use_unpriv_users_fd',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) allow $1 unpriv_userdomain:fd use; ') @@ -1020,7 +1020,7 @@ define(`userdom_use_unpriv_users_fd_depend',` ## # define(`userdom_dontaudit_use_unpriv_user_fd',` - requires_block_template(`$0'_depend) + gen_require(`$0'_depend) dontaudit $1 unpriv_userdomain:fd use; ') diff --git a/refpolicy/policy/support/loadable_module.spt b/refpolicy/policy/support/loadable_module.spt index 2ceba74..be921cc 100644 --- a/refpolicy/policy/support/loadable_module.spt +++ b/refpolicy/policy/support/loadable_module.spt @@ -16,9 +16,9 @@ define(`policy_module',` ############################## # -# For use in interfaces, to optionally insert a requires block +# For use in interfaces, to optionally insert a require block # -define(`requires_block_template',` +define(`gen_require',` ifdef(`monolithic_policy',`',` require { $1 
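Review bot: In the `loadable_module.spt` hunk the macro is renamed in place and the old name `requires_block_template` is left undefined. m4 copies an undefined macro name to its output as plain text, so any interface not converted by this commit (out-of-tree modules, or a file missed here) would emit the literal call into the policy source and presumably fail only at policy compile time. A short transition alias such as `` define(`requires_block_template',`gen_require($@)') `` with a comment marking it deprecated would keep those callers working. The header comment could also state that the require block is emitted only when `monolithic_policy` is not defined, which the visible `ifdef` shows. The macro body continues outside the hunk.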
@@ -34,7 +34,7 @@ define(`requires_block_template',` # define(`module_interface',` define(`$1',` - requires_block_template(`$1'_depend) + gen_require(`$1'_depend) $2 ') ')