selinux-refpolicy/policy/modules/system/miscfiles.if


## <summary>Miscellaneous files.</summary>
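########################################
## <summary>
##	Make the specified type usable as a cert file.
## </summary>
## <desc>
##	<p>
##	Make the specified type usable for cert files.
##	This will also make the type usable for files, making
##	calls to files_type() redundant. Failure to use this interface
##	for a cert file may result in problems with
##	cert management tools.
##	</p>
##	<p>
##	Related interfaces:
##	</p>
##	<ul>
##		<li>files_type()</li>
##	</ul>
##	<p>
##	Example:
##	</p>
##	<p>
##	type mycertfile_t;
##	miscfiles_cert_type(mycertfile_t)
##	allow mydomain_t mycertfile_t:file read_file_perms;
##	files_search_etc(mydomain_t)
##	</p>
## </desc>
## <param name="type">
##	<summary>
##	Type to be used for files.
##	</summary>
## </param>
## <infoflow type="none"/>
#
interface(`miscfiles_cert_type',`
	gen_require(`
		attribute cert_type;
	')

	# Tagging a type with cert_type exposes it to every domain that
	# calls miscfiles_read_all_certs(), so do not use it for key material.
	typeattribute $1 cert_type;
	files_type($1)
')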
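########################################
## <summary>
##	Make the specified type usable
##	as a SSL/TLS private key file.
## </summary>
## <desc>
##	<p>
##	Make the specified type usable for SSL/TLS private key files.
##	This will also make the type usable for files, making
##	calls to files_type() redundant. Failure to use this interface
##	for a SSL/TLS private key file may result in problems with
##	SSL/TLS private key management tools.
##	</p>
##	<p>
##	Related interfaces:
##	</p>
##	<ul>
##		<li>files_type()</li>
##	</ul>
##	<p>
##	Example:
##	</p>
##	<p>
##	type mytlsprivkeyfile_t;
##	miscfiles_tls_privkey_type(mytlsprivkeyfile_t)
##	allow mydomain_t mytlsprivkeyfile_t:file read_file_perms;
##	files_search_etc(mydomain_t)
##	</p>
## </desc>
## <param name="type">
##	<summary>
##	Type to be used for files.
##	</summary>
## </param>
## <infoflow type="none"/>
#
interface(`miscfiles_tls_privkey_type',`
	gen_require(`
		attribute tls_privkey_type;
	')

	# tls_privkey_type is separate from cert_type: miscfiles_read_all_certs()
	# covers cert_type only, so it does not reach types tagged here unless
	# a type carries both attributes.
	typeattribute $1 tls_privkey_type;
	files_type($1)
')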
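########################################
## <summary>
##	Read all SSL/TLS certificates.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`miscfiles_read_all_certs',`
	gen_require(`
		attribute cert_type;
	')

	# cert_type is an attribute, so these rules apply to every type
	# tagged through miscfiles_cert_type(), not just the generic cert type.
	allow $1 cert_type:dir list_dir_perms;
	read_files_pattern($1, cert_type, cert_type)
	read_lnk_files_pattern($1, cert_type, cert_type)
')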
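########################################
## <summary>
##	Read generic SSL/TLS certificates.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`miscfiles_read_generic_certs',`
	gen_require(`
		type cert_t;
	')

	# Limited to the generic cert_t type; use miscfiles_read_all_certs()
	# when every type carrying the cert_type attribute is needed.
	allow $1 cert_t:dir list_dir_perms;
	read_files_pattern($1, cert_t, cert_t)
	read_lnk_files_pattern($1, cert_t, cert_t)
')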
########################################
## <summary>
##	Do not audit attempts to read generic SSL/TLS certificates.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <rolecap/>
#
interface(`miscfiles_dontaudit_read_generic_certs',`
	gen_require(`
		type cert_t;
	')

	# dontaudit only silences the audit record; the access stays denied.
	# Rebuild with dontaudit rules disabled (semodule -DB) when a hidden
	# denial is suspected during triage.
	dontaudit $1 cert_t:dir list_dir_perms;
	dontaudit $1 cert_t:file read_file_perms;
	dontaudit $1 cert_t:lnk_file read_lnk_file_perms;
')
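########################################
## <summary>
##	Manage generic SSL/TLS certificate directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_manage_generic_cert_dirs',`
	gen_require(`
		type cert_t;
	')

	# Directories only; certificate files are covered by
	# miscfiles_manage_generic_cert_files().
	manage_dirs_pattern($1, cert_t, cert_t)
')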
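########################################
## <summary>
##	Manage generic SSL/TLS certificate files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`miscfiles_manage_generic_cert_files',`
	gen_require(`
		type cert_t;
	')

	# A domain that can manage cert_t files can change which certificates
	# other domains read and trust, so keep the caller list short.
	manage_files_pattern($1, cert_t, cert_t)
	# Symlinks are read-only here; only regular files are managed.
	read_lnk_files_pattern($1, cert_t, cert_t)
')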
########################################
## <summary>
##	Read generic SSL/TLS private
##	keys.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`miscfiles_read_generic_tls_privkey',`
	gen_require(`
		type tls_privkey_t;
	')

	# Grants read on private key material labeled tls_privkey_t.
	# Callers should be limited to domains that actually need the keys.
	allow $1 tls_privkey_t:dir list_dir_perms;
	read_files_pattern($1, tls_privkey_t, tls_privkey_t)
	read_lnk_files_pattern($1, tls_privkey_t, tls_privkey_t)
')
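########################################
## <summary>
##	Manage generic SSL/TLS private
##	key directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_manage_generic_tls_privkey_dirs',`
	gen_require(`
		type tls_privkey_t;
	')

	# Directories only; key files are covered by
	# miscfiles_manage_generic_tls_privkey_files().
	manage_dirs_pattern($1, tls_privkey_t, tls_privkey_t)
')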
########################################
## <summary>
##	Manage generic SSL/TLS private
##	keys.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`miscfiles_manage_generic_tls_privkey_files',`
	gen_require(`
		type tls_privkey_t;
	')

	# Manage access to private key files labeled tls_privkey_t.
	# Callers should be limited to key management domains.
	manage_files_pattern($1, tls_privkey_t, tls_privkey_t)
	# Symlinks are read-only here; only regular files are managed.
	read_lnk_files_pattern($1, tls_privkey_t, tls_privkey_t)
')
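########################################
## <summary>
##	Read fonts and the fonts cache.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`miscfiles_read_fonts',`
	gen_require(`
		type fonts_t, fonts_cache_t;
	')

	# cjp: fonts can be in either of these dirs
	files_search_usr($1)
	libs_search_lib($1)

	allow $1 fonts_t:dir list_dir_perms;
	read_files_pattern($1, fonts_t, fonts_t)
	# map is a separate permission checked on mmap (kernel commit
	# 6941857e82ae), so it is granted explicitly next to read.
	# Policies that rely on a type staying unmappable should enforce
	# that with neverallow rules checked at build or load time.
	allow $1 fonts_t:file map;
	read_lnk_files_pattern($1, fonts_t, fonts_t)

	allow $1 fonts_cache_t:dir list_dir_perms;
	read_files_pattern($1, fonts_cache_t, fonts_cache_t)
	allow $1 fonts_cache_t:file map;
	read_lnk_files_pattern($1, fonts_cache_t, fonts_cache_t)
')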
########################################
## <summary>
##	Set the attributes on a fonts directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`miscfiles_setattr_fonts_dirs',`
	gen_require(`
		type fonts_t;
	')

	# Directory class only; no rule here touches fonts_t files.
	allow $1 fonts_t:dir setattr;
')
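########################################
## <summary>
##	Do not audit attempts to set the attributes
##	on a fonts directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <rolecap/>
#
interface(`miscfiles_dontaudit_setattr_fonts_dirs',`
	gen_require(`
		type fonts_t;
	')

	# dontaudit only silences the audit record; the access stays denied.
	# Rebuild with dontaudit rules disabled (semodule -DB) when a hidden
	# denial is suspected during triage.
	dontaudit $1 fonts_t:dir setattr;
')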
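########################################
## <summary>
##	Do not audit attempts to write fonts.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <rolecap/>
#
interface(`miscfiles_dontaudit_write_fonts',`
	gen_require(`
		type fonts_t;
	')

	# dontaudit only silences the audit record; the access stays denied.
	# Besides writes, setattr attempts on fonts_t directories are
	# silenced as well.
	dontaudit $1 fonts_t:dir { write setattr };
	dontaudit $1 fonts_t:file write;
')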
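########################################
## <summary>
##	Create, read, write, and delete fonts.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`miscfiles_manage_fonts',`
	gen_require(`
		type fonts_t;
	')

	# cjp: fonts can be in either of these dirs
	files_search_usr($1)
	libs_search_lib($1)

	# Covers fonts_t only; the fonts cache has its own interface,
	# miscfiles_manage_fonts_cache().
	manage_dirs_pattern($1, fonts_t, fonts_t)
	manage_files_pattern($1, fonts_t, fonts_t)
	manage_lnk_files_pattern($1, fonts_t, fonts_t)
')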
########################################
## <summary>
##	Set the attributes on a fonts cache directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_setattr_fonts_cache_dirs',`
	gen_require(`
		type fonts_cache_t;
	')

	# Directory class only; no rule here touches fonts_cache_t files.
	allow $1 fonts_cache_t:dir setattr;
')
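########################################
## <summary>
##	Do not audit attempts to set the attributes
##	on a fonts cache directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`miscfiles_dontaudit_setattr_fonts_cache_dirs',`
	gen_require(`
		type fonts_cache_t;
	')

	# dontaudit only silences the audit record; the access stays denied.
	# Rebuild with dontaudit rules disabled (semodule -DB) when a hidden
	# denial is suspected during triage.
	dontaudit $1 fonts_cache_t:dir setattr;
')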
########################################
## <summary>
##	Create, read, write, and delete fonts cache.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`miscfiles_manage_fonts_cache',`
	gen_require(`
		type fonts_cache_t;
	')

	files_search_var($1)

	# Full manage access on directories, files and symlinks
	# labeled fonts_cache_t.
	manage_dirs_pattern($1, fonts_cache_t, fonts_cache_t)
	manage_files_pattern($1, fonts_cache_t, fonts_cache_t)
	manage_lnk_files_pattern($1, fonts_cache_t, fonts_cache_t)
')
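########################################
## <summary>
##	Read hardware identification data.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_read_hwdata',`
	gen_require(`
		type hwdata_t;
	')

	# Read-only: list directories, read files and symlinks
	# labeled hwdata_t.
	allow $1 hwdata_t:dir list_dir_perms;
	read_files_pattern($1, hwdata_t, hwdata_t)
	read_lnk_files_pattern($1, hwdata_t, hwdata_t)
')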
########################################
## <summary>
##	Allow process to setattr localization info
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_setattr_localization',`
	gen_require(`
		type locale_t;
	')

	files_search_usr($1)

	# setattr applies to locale_t files; directories are only listed.
	allow $1 locale_t:dir list_dir_perms;
	allow $1 locale_t:file setattr;
')
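########################################
## <summary>
##	Allow process to read localization information.
## </summary>
## <desc>
##	<p>
##	Allow the specified domain to read the localization files.
##	This is typically for time zone configuration files, such as
##	/etc/localtime and files in /usr/share/zoneinfo.
##	Typically, any domain which needs to know the GMT/UTC
##	offset of the current timezone will need access
##	to these files. Generally, it should be safe for any
##	domain to read these files.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
interface(`miscfiles_read_localization',`
	gen_require(`
		type locale_t;
	')

	files_read_etc_symlinks($1)
	files_search_usr($1)

	allow $1 locale_t:dir list_dir_perms;
	read_files_pattern($1, locale_t, locale_t)
	read_lnk_files_pattern($1, locale_t, locale_t)
	# map is a separate permission checked on mmap (kernel commit
	# 6941857e82ae), so it is granted explicitly next to read.
	# Policies that rely on a type staying unmappable should enforce
	# that with neverallow rules checked at build or load time.
	allow $1 locale_t:file map;
')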
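########################################
## <summary>
##	Allow process to read and write localization info
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_rw_localization',`
	gen_require(`
		type locale_t;
	')

	files_search_usr($1)

	# Read and write on existing locale_t files; directories are only
	# listed by the rule below.
	allow $1 locale_t:dir list_dir_perms;
	rw_files_pattern($1, locale_t, locale_t)
')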
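########################################
## <summary>
##	Allow process to relabel localization info
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_relabel_localization',`
	gen_require(`
		type locale_t;
	')

	files_search_usr($1)

	# Relabeling changes which policy rules apply to a file, so this
	# interface is best reserved for labeling and install tooling.
	relabel_files_pattern($1, locale_t, locale_t)
')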
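########################################
## <summary>
##	Allow process to read legacy time localization info
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_legacy_read_localization',`
	gen_require(`
		type locale_t;
	')

	miscfiles_read_localization($1)

	# On top of the read access above, this adds execute on locale_t
	# files. Execute on data files widens what the caller can do with
	# them, so keep the users of this interface to a minimum.
	allow $1 locale_t:file execute;
')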
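########################################
## <summary>
##	Search man pages.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_search_man_pages',`
	gen_require(`
		type man_t, man_cache_t;
	')

	# Search only, on both the man page and man cache directories.
	allow $1 { man_cache_t man_t }:dir search_dir_perms;
	files_search_usr($1)
')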
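########################################
## <summary>
##	Do not audit attempts to search man pages.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`miscfiles_dontaudit_search_man_pages',`
	gen_require(`
		type man_t, man_cache_t;
	')

	# dontaudit only silences the audit record; the access stays denied.
	# Rebuild with dontaudit rules disabled (semodule -DB) when a hidden
	# denial is suspected during triage.
	dontaudit $1 { man_cache_t man_t }:dir search_dir_perms;
')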
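########################################
## <summary>
##	Read man pages
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`miscfiles_read_man_pages',`
	gen_require(`
		type man_t, man_cache_t;
	')

	files_search_usr($1)

	# Read-only access to both man pages and the man cache.
	allow $1 { man_cache_t man_t }:dir list_dir_perms;
	read_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
	read_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
')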
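########################################
## <summary>
##	Delete man pages
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
# cjp: added for tmpreaper
#
interface(`miscfiles_delete_man_pages',`
	gen_require(`
		type man_t, man_cache_t;
	')

	files_search_usr($1)

	# Delete access covers directories, files and symlinks of both
	# man_t and man_cache_t; directories also get setattr and list.
	allow $1 { man_cache_t man_t }:dir { setattr_dir_perms list_dir_perms };
	delete_dirs_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
	delete_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
	delete_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
')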
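########################################
## <summary>
##	Create, read, write, and delete man pages
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_manage_man_pages',`
	gen_require(`
		type man_t, man_cache_t;
	')

	files_search_usr($1)

	manage_dirs_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
	manage_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
	# Symlinks are read-only here; only directories and regular
	# files are managed.
	read_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
')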
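########################################
## <summary>
##	Read man cache content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_read_man_cache',`
	gen_require(`
		type man_cache_t;
	')

	files_search_var($1)

	# Read does not include map; callers that mmap the cache also
	# need miscfiles_map_man_cache().
	allow $1 man_cache_t:dir list_dir_perms;
	allow $1 man_cache_t:file read_file_perms;
	allow $1 man_cache_t:lnk_file read_lnk_file_perms;
')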
########################################
## <summary>
##	Map man cache content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_map_man_cache',`
	gen_require(`
		type man_cache_t;
	')

	# Grants the map permission only; read access comes from
	# miscfiles_read_man_cache().
	allow $1 man_cache_t:file map;
')
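########################################
## <summary>
##	Create, read, write, and delete
##	man cache content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_manage_man_cache',`
	gen_require(`
		type man_cache_t;
	')

	files_search_var($1)

	# Full manage access on directories, files and symlinks
	# labeled man_cache_t.
	allow $1 man_cache_t:dir manage_dir_perms;
	allow $1 man_cache_t:file manage_file_perms;
	allow $1 man_cache_t:lnk_file manage_lnk_file_perms;
')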
########################################
## <summary>
##	Relabel from and to man cache.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_relabel_man_cache',`
	gen_require(`
		type man_cache_t;
	')

	# Covers directories and regular files; no symlink rule is present.
	relabel_dirs_pattern($1, man_cache_t, man_cache_t)
	relabel_files_pattern($1, man_cache_t, man_cache_t)
')
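########################################
## <summary>
##	Read public files used for file
##	transfer services.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`miscfiles_read_public_files',`
	gen_require(`
		type public_content_t, public_content_rw_t;
	')

	# Read access spans both the read-only and the writable
	# public content types.
	allow $1 { public_content_t public_content_rw_t }:dir list_dir_perms;
	read_files_pattern($1, { public_content_t public_content_rw_t }, { public_content_t public_content_rw_t })
	read_lnk_files_pattern($1, { public_content_t public_content_rw_t }, { public_content_t public_content_rw_t })
')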
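########################################
## <summary>
##	Create, read, write, and delete public files
##	and directories used for file transfer services.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`miscfiles_manage_public_files',`
	gen_require(`
		type public_content_rw_t;
	')

	# Only public_content_rw_t is writable through this interface;
	# public_content_t is not referenced here.
	manage_dirs_pattern($1, public_content_rw_t, public_content_rw_t)
	manage_files_pattern($1, public_content_rw_t, public_content_rw_t)
	manage_lnk_files_pattern($1, public_content_rw_t, public_content_rw_t)
')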
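########################################
## <summary>
##	Read TeX data
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_read_tetex_data',`
	gen_require(`
		type tetex_data_t;
	')

	files_search_var($1)
	files_search_var_lib($1)

	# cjp: TeX data can be in either of the above dirs
	allow $1 tetex_data_t:dir list_dir_perms;
	read_files_pattern($1, tetex_data_t, tetex_data_t)
	read_lnk_files_pattern($1, tetex_data_t, tetex_data_t)
')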
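########################################
## <summary>
##	Execute TeX data programs in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_exec_tetex_data',`
	# NOTE(review): fonts_t is required here but no rule in this
	# interface references it - confirm whether the require can be dropped.
	gen_require(`
		type fonts_t;
		type tetex_data_t;
	')

	files_search_var($1)
	files_search_var_lib($1)

	# cjp: TeX data can be in either of the above dirs
	allow $1 tetex_data_t:dir list_dir_perms;
	# Execution stays in the caller domain, so tetex_data_t programs
	# run with every permission the caller already holds.
	exec_files_pattern($1, tetex_data_t, tetex_data_t)
')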
########################################
## <summary>
##	Let test files be an entry point for
##	a specified domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_domain_entry_test_files',`
	gen_require(`
		type test_file_t;
	')

	# Makes test_file_t files an entry point into the domain passed in.
	# Anything able to write test_file_t content can then supply code
	# that runs in that domain, so review who can manage test files.
	domain_entry_file($1, test_file_t)
')
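########################################
## <summary>
##	Read test files and directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_read_test_files',`
	gen_require(`
		type test_file_t;
	')

	# NOTE(review): the summary mentions directories but no rule here
	# names the dir class directly; any directory access comes from the
	# pattern macros, which are defined outside this file.
	read_files_pattern($1, test_file_t, test_file_t)
	read_lnk_files_pattern($1, test_file_t, test_file_t)
')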
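########################################
## <summary>
##	Execute test files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_exec_test_files',`
	gen_require(`
		type test_file_t;
	')

	# No type transition rule is present here, so this interface by
	# itself does not move the caller into another domain.
	exec_files_pattern($1, test_file_t, test_file_t)
	read_lnk_files_pattern($1, test_file_t, test_file_t)
')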
########################################
## <summary>
##	Create files in etc directories
##	with localization file type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_etc_filetrans_localization',`
	gen_require(`
		type locale_t;
	')

	# Applies to the file class only and is not restricted by file name,
	# so every regular file the domain creates in etc directories is
	# affected unless a more specific transition exists elsewhere.
	files_etc_filetrans($1, locale_t, file)
')
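########################################
## <summary>
##	Create, read, write, and delete localization
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`miscfiles_manage_localization',`
	gen_require(`
		type locale_t;
	')

	# Full manage access on directories, files and symlinks labeled
	# locale_t. Unlike the other localization interfaces in this file,
	# no files_search_usr() call is made here.
	manage_dirs_pattern($1, locale_t, locale_t)
	manage_files_pattern($1, locale_t, locale_t)
	manage_lnk_files_pattern($1, locale_t, locale_t)
')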