selinux-refpolicy/policy/modules/system/selinuxutil.te

680 lines
17 KiB
Plaintext
Raw Normal View History

policy_module(selinuxutil, 1.22.10)
gen_require(`
bool secure_mode;
2005-10-18 18:25:33 +00:00
')
########################################
2005-04-14 20:18:17 +00:00
#
# Declarations
2005-04-14 20:18:17 +00:00
#
attribute can_write_binary_policy;
attribute can_relabelto_binary_policy;
attribute_role newrole_roles;
attribute_role run_init_roles;
role system_r types run_init_t;
attribute_role semanage_roles;
roleattribute system_r semanage_roles;
2005-11-29 21:27:15 +00:00
#
# selinux_config_t is the type applied to
# /etc/selinux/config
#
# cjp: this is out of order due to rules
# in the domain_type interface
# (fix dup decl)
type selinux_config_t;
files_type(selinux_config_t)
type checkpolicy_t, can_write_binary_policy;
type checkpolicy_exec_t;
2007-07-19 18:57:48 +00:00
application_domain(checkpolicy_t, checkpolicy_exec_t)
role system_r types checkpolicy_t;
#
# default_context_t is the type applied to
# /etc/selinux/*/contexts/*
#
type default_context_t;
2011-08-25 11:43:36 +00:00
files_type(default_context_t)
#
# file_context_t is the type applied to
# /etc/selinux/*/contexts/files
#
type file_context_t;
files_type(file_context_t)
type load_policy_t;
type load_policy_exec_t;
2009-06-26 14:40:13 +00:00
application_domain(load_policy_t, load_policy_exec_t)
2007-07-19 18:57:48 +00:00
role system_r types load_policy_t;
2005-09-26 20:26:32 +00:00
type newrole_t;
2007-07-19 18:57:48 +00:00
type newrole_exec_t;
2009-06-26 14:40:13 +00:00
application_domain(newrole_t, newrole_exec_t)
2006-02-02 21:08:12 +00:00
domain_role_change_exemption(newrole_t)
domain_obj_id_change_exemption(newrole_t)
2006-02-20 21:33:25 +00:00
domain_interactive_fd(newrole_t)
2012-02-27 15:18:00 +00:00
role newrole_roles types newrole_t;
2005-04-14 20:18:17 +00:00
#
# policy_config_t is the type of /etc/security/selinux/*
# the security server policy configuration.
#
type policy_config_t;
files_security_file(policy_config_t)
2005-04-14 20:18:17 +00:00
neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto;
#neverallow ~can_write_binary_policy policy_config_t:file { write append };
2005-04-14 20:18:17 +00:00
#
# policy_src_t is the type of the policy source
# files.
#
type policy_src_t;
files_type(policy_src_t)
2005-04-14 20:18:17 +00:00
type restorecond_t;
type restorecond_exec_t;
2009-06-26 14:40:13 +00:00
init_daemon_domain(restorecond_t, restorecond_exec_t)
domain_obj_id_change_exemption(restorecond_t)
role system_r types restorecond_t;
2016-08-06 23:14:18 +00:00
type restorecond_unit_t;
init_unit_file(restorecond_unit_t)
type restorecond_run_t;
typealias restorecond_run_t alias restorecond_var_run_t;
files_pid_file(restorecond_run_t)
type run_init_t;
type run_init_exec_t;
2009-06-26 14:40:13 +00:00
application_domain(run_init_t, run_init_exec_t)
2006-02-02 21:08:12 +00:00
domain_system_change_exemption(run_init_t)
2012-02-27 15:18:00 +00:00
role run_init_roles types run_init_t;
type semanage_t;
type semanage_exec_t;
2009-06-26 14:40:13 +00:00
application_domain(semanage_t, semanage_exec_t)
2007-08-20 15:15:03 +00:00
domain_interactive_fd(semanage_t)
role semanage_roles types semanage_t;
type semanage_store_t alias semanage_var_lib_t;
files_type(semanage_store_t)
type semanage_read_lock_t;
files_type(semanage_read_lock_t)
2011-08-25 11:43:36 +00:00
type semanage_tmp_t;
files_tmp_file(semanage_tmp_t)
2011-08-25 11:43:36 +00:00
type semanage_trans_lock_t;
files_type(semanage_trans_lock_t)
2007-05-11 17:10:43 +00:00
type setfiles_t alias restorecon_t, can_relabelto_binary_policy;
type setfiles_exec_t alias restorecon_exec_t;
2009-06-26 14:40:13 +00:00
init_system_domain(setfiles_t, setfiles_exec_t)
2006-02-02 21:08:12 +00:00
domain_obj_id_change_exemption(setfiles_t)
########################################
2005-04-14 20:18:17 +00:00
#
# Checkpolicy local policy
2005-04-14 20:18:17 +00:00
#
allow checkpolicy_t self:capability dac_override;
2005-04-14 20:18:17 +00:00
# able to create and modify binary policy files
2009-06-26 14:40:13 +00:00
manage_files_pattern(checkpolicy_t, policy_config_t, policy_config_t)
2005-05-09 18:50:20 +00:00
# allow test policies to be created in src directories
2009-06-26 14:40:13 +00:00
filetrans_add_pattern(checkpolicy_t, policy_src_t, policy_config_t, file)
2005-05-09 18:50:20 +00:00
# only allow read of policy source files
2009-06-26 14:40:13 +00:00
read_files_pattern(checkpolicy_t, policy_src_t, policy_src_t)
read_lnk_files_pattern(checkpolicy_t, policy_src_t, policy_src_t)
2006-12-12 20:08:08 +00:00
allow checkpolicy_t selinux_config_t:dir search_dir_perms;
2006-02-20 21:33:25 +00:00
domain_use_interactive_fds(checkpolicy_t)
2005-05-18 21:00:56 +00:00
2005-09-22 21:59:50 +00:00
files_list_usr(checkpolicy_t)
# directory search permissions for path to source and binary policy files
2005-06-13 17:35:46 +00:00
files_search_etc(checkpolicy_t)
2007-11-16 15:39:09 +00:00
fs_getattr_xattr_fs(checkpolicy_t)
term_use_console(checkpolicy_t)
init_use_fds(checkpolicy_t)
2006-02-02 21:08:12 +00:00
init_use_script_ptys(checkpolicy_t)
2008-11-05 16:10:46 +00:00
userdom_use_user_terminals(checkpolicy_t)
2006-02-20 21:33:25 +00:00
userdom_use_all_users_fds(checkpolicy_t)
2005-05-18 21:00:56 +00:00
2008-02-05 18:24:43 +00:00
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(checkpolicy_t)
')
')
########################################
#
# Load_policy local policy
#
allow load_policy_t self:capability dac_override;
# only allow read of policy config files
2011-08-25 11:43:36 +00:00
read_files_pattern(load_policy_t, { policy_src_t policy_config_t }, policy_config_t)
2017-04-29 15:25:13 +00:00
dev_read_urand(load_policy_t)
domain_use_interactive_fds(load_policy_t)
# for mcs.conf
files_read_etc_files(load_policy_t)
files_read_etc_runtime_files(load_policy_t)
fs_getattr_xattr_fs(load_policy_t)
mls_file_read_all_levels(load_policy_t)
selinux_load_policy(load_policy_t)
selinux_set_all_booleans(load_policy_t)
2005-06-10 01:01:13 +00:00
term_use_console(load_policy_t)
term_list_ptys(load_policy_t)
2006-02-20 21:33:25 +00:00
init_use_script_fds(load_policy_t)
2006-02-02 21:08:12 +00:00
init_use_script_ptys(load_policy_t)
miscfiles_read_localization(load_policy_t)
seutil_libselinux_linked(load_policy_t)
2008-11-05 16:10:46 +00:00
userdom_use_user_terminals(load_policy_t)
2006-02-20 21:33:25 +00:00
userdom_use_all_users_fds(load_policy_t)
2005-05-18 21:00:56 +00:00
2008-02-05 18:24:43 +00:00
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(load_policy_t)
')
')
2006-01-06 22:51:40 +00:00
ifdef(`hide_broken_symptoms',`
# cjp: cover up stray file descriptors.
dontaudit load_policy_t selinux_config_t:file write;
2007-11-16 15:39:09 +00:00
optional_policy(`
2006-02-02 21:08:12 +00:00
unconfined_dontaudit_read_pipes(load_policy_t)
2006-01-06 22:51:40 +00:00
')
')
optional_policy(`
portage_dontaudit_use_fds(load_policy_t)
')
########################################
#
# Newrole local policy
#
allow newrole_t self:capability { dac_override fowner setgid setuid };
dontaudit newrole_t self:capability net_admin;
allow newrole_t self:process setexec;
allow newrole_t self:fd use;
2006-12-12 20:08:08 +00:00
allow newrole_t self:fifo_file rw_fifo_file_perms;
allow newrole_t self:sock_file read_sock_file_perms;
2005-06-09 18:08:26 +00:00
allow newrole_t self:shm create_shm_perms;
allow newrole_t self:sem create_sem_perms;
allow newrole_t self:msgq create_msgq_perms;
allow newrole_t self:msg { send receive };
2005-10-14 17:55:40 +00:00
allow newrole_t self:unix_dgram_socket sendto;
2005-11-10 21:37:54 +00:00
allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto };
2006-01-06 22:51:40 +00:00
allow newrole_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
2009-06-26 14:40:13 +00:00
read_files_pattern(newrole_t, default_context_t, default_context_t)
read_lnk_files_pattern(newrole_t, default_context_t, default_context_t)
kernel_read_system_state(newrole_t)
kernel_read_kernel_sysctls(newrole_t)
2007-11-16 15:39:09 +00:00
corecmd_list_bin(newrole_t)
dev_read_urand(newrole_t)
2007-11-16 15:39:09 +00:00
domain_use_interactive_fds(newrole_t)
# for when the user types "exec newrole" at the command line:
domain_sigchld_interactive_fds(newrole_t)
files_read_etc_files(newrole_t)
files_read_var_files(newrole_t)
files_read_var_symlinks(newrole_t)
fs_getattr_xattr_fs(newrole_t)
2005-06-27 16:30:55 +00:00
fs_search_auto_mountpoints(newrole_t)
mls_file_read_all_levels(newrole_t)
mls_file_write_all_levels(newrole_t)
2005-09-26 20:26:32 +00:00
mls_file_upgrade(newrole_t)
mls_file_downgrade(newrole_t)
mls_process_set_level(newrole_t)
mls_fd_share_all_levels(newrole_t)
2005-09-26 20:26:32 +00:00
selinux_validate_context(newrole_t)
selinux_compute_access_vector(newrole_t)
selinux_compute_create_context(newrole_t)
selinux_compute_relabel_context(newrole_t)
selinux_compute_user_contexts(newrole_t)
term_use_all_ttys(newrole_t)
term_use_all_ptys(newrole_t)
term_relabel_all_ttys(newrole_t)
term_relabel_all_ptys(newrole_t)
term_getattr_unallocated_ttys(newrole_t)
term_dontaudit_use_unallocated_ttys(newrole_t)
auth_use_nsswitch(newrole_t)
auth_run_chk_passwd(newrole_t, newrole_roles)
auth_run_upd_passwd(newrole_t, newrole_roles)
auth_rw_faillog(newrole_t)
2005-05-04 17:01:46 +00:00
# Write to utmp.
init_rw_utmp(newrole_t)
init_use_fds(newrole_t)
2005-06-13 17:35:46 +00:00
logging_send_syslog_msg(newrole_t)
2005-05-09 18:50:20 +00:00
miscfiles_read_localization(newrole_t)
seutil_libselinux_linked(newrole_t)
# for some PAM modules and for cwd
2008-11-05 16:10:46 +00:00
userdom_dontaudit_search_user_home_content(newrole_t)
userdom_search_user_home_dirs(newrole_t)
2005-05-09 18:50:20 +00:00
2008-02-05 18:24:43 +00:00
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(newrole_t)
')
')
ifdef(`init_systemd',`
optional_policy(`
systemd_use_logind_fds(newrole_t)
systemd_dbus_chat_logind(newrole_t)
')
')
optional_policy(`
auth_use_pam_systemd(newrole_t)
')
optional_policy(`
dbus_system_bus_client(newrole_t)
optional_policy(`
consolekit_dbus_chat(newrole_t)
')
')
# if secure mode is enabled, then newrole
# can only transition to unprivileged users
if(secure_mode) {
userdom_spec_domtrans_unpriv_users(newrole_t)
} else {
userdom_spec_domtrans_all_users(newrole_t)
}
2005-06-21 17:01:45 +00:00
tunable_policy(`allow_polyinstantiation',`
files_polyinstantiate_all(newrole_t)
')
optional_policy(`
systemd_use_logind_fds(newrole_t)
')
########################################
#
# Restorecond local policy
#
allow restorecond_t self:capability { dac_override dac_read_search fowner };
2006-12-12 20:08:08 +00:00
allow restorecond_t self:fifo_file rw_fifo_file_perms;
allow restorecond_t restorecond_run_t:file manage_file_perms;
files_pid_filetrans(restorecond_t, restorecond_run_t, file)
kernel_getattr_debugfs(restorecond_t)
kernel_read_system_state(restorecond_t)
kernel_rw_pipes(restorecond_t)
kernel_use_fds(restorecond_t)
fs_dontaudit_list_nfs(restorecond_t)
fs_getattr_all_xattr_fs(restorecond_t)
fs_getattr_pstore_dirs(restorecond_t)
fs_getattr_tracefs(restorecond_t)
fs_list_inotifyfs(restorecond_t)
fs_relabelfrom_noxattr_fs(restorecond_t)
2017-04-29 15:25:13 +00:00
fs_getattr_pstorefs(restorecond_t)
selinux_validate_context(restorecond_t)
selinux_compute_access_vector(restorecond_t)
selinux_compute_create_context(restorecond_t)
selinux_compute_relabel_context(restorecond_t)
selinux_compute_user_contexts(restorecond_t)
files_relabel_non_auth_files(restorecond_t )
files_read_non_auth_files(restorecond_t)
auth_use_nsswitch(restorecond_t)
logging_send_syslog_msg(restorecond_t)
miscfiles_read_localization(restorecond_t)
seutil_libselinux_linked(restorecond_t)
2008-02-05 18:24:43 +00:00
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(restorecond_t)
')
')
optional_policy(`
locallogin_dontaudit_use_fds(restorecond_t)
')
optional_policy(`
rpm_use_script_fds(restorecond_t)
')
#################################
#
# Run_init local policy
#
allow run_init_roles system_r;
allow run_init_t self:process setexec;
allow run_init_t self:capability setuid;
allow run_init_t self:fifo_file rw_file_perms;
allow run_init_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
# often the administrator runs such programs from a directory that is owned
# by a different user or has restrictive SE permissions, do not want to audit
# the failed access to the current directory
dontaudit run_init_t self:capability { dac_override dac_read_search };
corecmd_exec_bin(run_init_t)
corecmd_exec_shell(run_init_t)
2007-11-16 15:39:09 +00:00
dev_dontaudit_list_all_dev_nodes(run_init_t)
domain_use_interactive_fds(run_init_t)
files_read_etc_files(run_init_t)
files_dontaudit_search_all_dirs(run_init_t)
2007-11-16 15:39:09 +00:00
fs_getattr_xattr_fs(run_init_t)
mls_rangetrans_source(run_init_t)
selinux_validate_context(run_init_t)
selinux_compute_access_vector(run_init_t)
selinux_compute_create_context(run_init_t)
selinux_compute_relabel_context(run_init_t)
selinux_compute_user_contexts(run_init_t)
auth_use_nsswitch(run_init_t)
auth_run_chk_passwd(run_init_t, run_init_roles)
auth_run_upd_passwd(run_init_t, run_init_roles)
2007-11-16 15:39:09 +00:00
auth_dontaudit_read_shadow(run_init_t)
init_spec_domtrans_script(run_init_t)
# for utmp
init_rw_utmp(run_init_t)
2007-11-16 15:39:09 +00:00
logging_send_syslog_msg(run_init_t)
miscfiles_read_localization(run_init_t)
2007-11-16 15:39:09 +00:00
seutil_libselinux_linked(run_init_t)
seutil_read_default_contexts(run_init_t)
2008-11-05 16:10:46 +00:00
userdom_use_user_terminals(run_init_t)
ifndef(`direct_sysadm_daemon',`
ifdef(`distro_gentoo',`
# Gentoo integrated run_init:
init_script_file_entry_type(run_init_t)
init_exec_rc(run_init_t)
')
')
2008-02-05 18:24:43 +00:00
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(run_init_t)
')
')
optional_policy(`
daemontools_domtrans_start(run_init_t)
')
########################################
#
# semodule local policy
#
allow semanage_t self:capability { audit_write dac_override };
allow semanage_t self:unix_stream_socket create_stream_socket_perms;
allow semanage_t self:unix_dgram_socket create_socket_perms;
allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
allow semanage_t self:fifo_file rw_fifo_file_perms;
allow semanage_t policy_config_t:file rw_file_perms;
allow semanage_t policy_src_t:dir search;
filetrans_pattern(semanage_t, selinux_config_t, semanage_store_t, dir, "modules")
2006-12-12 20:08:08 +00:00
allow semanage_t semanage_tmp_t:dir manage_dir_perms;
allow semanage_t semanage_tmp_t:file manage_file_perms;
files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
kernel_read_system_state(semanage_t)
kernel_read_kernel_sysctls(semanage_t)
corecmd_exec_bin(semanage_t)
2017-04-29 15:25:13 +00:00
corecmd_exec_shell(semanage_t)
dev_read_urand(semanage_t)
2006-08-23 19:36:04 +00:00
domain_use_interactive_fds(semanage_t)
files_read_etc_files(semanage_t)
files_read_etc_runtime_files(semanage_t)
files_read_usr_files(semanage_t)
files_list_pids(semanage_t)
mls_file_write_all_levels(semanage_t)
mls_file_read_all_levels(semanage_t)
selinux_validate_context(semanage_t)
selinux_get_enforce_mode(semanage_t)
selinux_getattr_fs(semanage_t)
# for setsebool:
selinux_set_all_booleans(semanage_t)
term_use_all_terms(semanage_t)
# Running genhomedircon requires this for finding all users
auth_use_nsswitch(semanage_t)
logging_send_syslog_msg(semanage_t)
miscfiles_read_localization(semanage_t)
seutil_libselinux_linked(semanage_t)
seutil_manage_file_contexts(semanage_t)
2007-11-16 15:39:09 +00:00
seutil_manage_config(semanage_t)
seutil_run_setfiles(semanage_t, semanage_roles)
seutil_run_loadpolicy(semanage_t, semanage_roles)
seutil_manage_bin_policy(semanage_t)
seutil_use_newrole_fds(semanage_t)
seutil_manage_module_store(semanage_t)
seutil_get_semanage_trans_lock(semanage_t)
seutil_get_semanage_read_lock(semanage_t)
2006-08-18 14:01:48 +00:00
# netfilter_contexts:
seutil_manage_default_contexts(semanage_t)
semanage_t able to read from user homedirs. Make semanage_t able to read from user homedirs or /tmp. Otherwise it would fail to upgrade a .pp installed in there with below error messages. BTW, semanage_t should be able to upgrade existing pp no matter if the MLS is enabled or not. root@qemu-host:/root> semodule -u selinuxutil.pp type=1400 audit(1288862875.298:60): avc: denied { search } for pid=759 comm="semodule" name="root" dev=sda ino=81921 scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_dir_t:s0-s15:c0.c1023 tclass=dir semodule: Failed on selinuxutil.pp! root@qemu-host:/root> setenforce 0 type=1404 audit(1288862957.386:61): enforcing=0 old_enforcing=1 auid=4294967295 ses=4294967295 root@qemu-host:/root> semodule -u selinuxutil.pp type=1400 audit(1288862959.494:62): avc: denied { search } for pid=761 comm="semodule" name="root" dev=sda ino=81921 scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_dir_t:s0-s15:c0.c1023 tclass=dir type=1400 audit(1288862959.498:63): avc: denied { read } for pid=761 comm="semodule" name="selinuxutil.pp" dev=sda ino=82505 scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_t:s0 tclass=file type=1400 audit(1288862959.503:64): avc: denied { open } for pid=761 comm="semodule" name="selinuxutil.pp" dev=sda ino=82505 scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_t:s0 tclass=file type=1400 audit(1288862959.507:65): avc: denied { getattr } for pid=761 comm="semodule" path="/root/selinuxutil.pp" dev=sda ino=82505 scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_t:s0 tclass=file type=1403 audit(1288863419.918:66): policy loaded auid=4294967295 ses=4294967295 root@qemu-host:/root> Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
2010-11-04 09:25:50 +00:00
# Handle pp files created in homedir and /tmp
userdom_read_user_home_content_files(semanage_t)
userdom_read_user_tmp_files(semanage_t)
ifdef(`distro_debian',`
files_read_var_lib_files(semanage_t)
files_read_var_lib_symlinks(semanage_t)
')
2008-02-05 18:24:43 +00:00
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(semanage_t)
')
')
optional_policy(`
locallogin_use_fds(semanage_t)
')
########################################
#
# Setfiles local policy
#
allow setfiles_t self:capability { dac_override dac_read_search fowner };
2007-05-11 17:10:43 +00:00
dontaudit setfiles_t self:capability sys_tty_config;
2006-01-17 17:50:10 +00:00
allow setfiles_t self:fifo_file rw_file_perms;
allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:dir list_dir_perms;
allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:file read_file_perms;
allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:lnk_file { read_lnk_file_perms ioctl lock };
kernel_read_system_state(setfiles_t)
2006-02-03 17:57:16 +00:00
kernel_relabelfrom_unlabeled_dirs(setfiles_t)
kernel_relabelfrom_unlabeled_files(setfiles_t)
kernel_relabelfrom_unlabeled_symlinks(setfiles_t)
kernel_relabelfrom_unlabeled_pipes(setfiles_t)
kernel_relabelfrom_unlabeled_sockets(setfiles_t)
2007-05-11 17:10:43 +00:00
kernel_use_fds(setfiles_t)
kernel_rw_pipes(setfiles_t)
kernel_rw_unix_dgram_sockets(setfiles_t)
kernel_dontaudit_list_all_proc(setfiles_t)
kernel_dontaudit_list_all_sysctls(setfiles_t)
kernel_getattr_debugfs(setfiles_t)
2006-02-03 17:57:16 +00:00
dev_read_urand(setfiles_t)
2006-02-03 17:57:16 +00:00
dev_relabel_all_dev_nodes(setfiles_t)
# to handle when /dev/console needs to be relabeled
dev_rw_generic_chr_files(setfiles_t)
2007-11-16 15:39:09 +00:00
domain_use_interactive_fds(setfiles_t)
domain_dontaudit_search_all_domains_state(setfiles_t)
files_read_etc_runtime_files(setfiles_t)
files_read_etc_files(setfiles_t)
files_list_all(setfiles_t)
files_relabel_all_files(setfiles_t)
2010-02-18 01:30:42 +00:00
files_read_usr_symlinks(setfiles_t)
files_dontaudit_read_all_symlinks(setfiles_t)
2007-11-16 15:39:09 +00:00
fs_getattr_all_xattr_fs(setfiles_t)
2017-04-29 15:25:13 +00:00
fs_getattr_nfs(setfiles_t)
fs_getattr_pstore_dirs(setfiles_t)
fs_getattr_pstorefs(setfiles_t)
fs_getattr_tracefs(setfiles_t)
fs_getattr_tracefs_files(setfiles_t)
fs_list_all(setfiles_t)
2007-05-11 17:10:43 +00:00
fs_relabelfrom_noxattr_fs(setfiles_t)
fs_search_auto_mountpoints(setfiles_t)
mls_file_read_all_levels(setfiles_t)
mls_file_write_all_levels(setfiles_t)
mls_file_upgrade(setfiles_t)
mls_file_downgrade(setfiles_t)
selinux_validate_context(setfiles_t)
selinux_compute_access_vector(setfiles_t)
selinux_compute_create_context(setfiles_t)
selinux_compute_relabel_context(setfiles_t)
selinux_compute_user_contexts(setfiles_t)
term_use_all_ttys(setfiles_t)
term_use_all_ptys(setfiles_t)
2006-02-02 21:08:12 +00:00
term_use_unallocated_ttys(setfiles_t)
2006-02-03 17:57:16 +00:00
# this is to satisfy the assertion:
auth_relabelto_shadow(setfiles_t)
init_use_fds(setfiles_t)
2006-02-20 21:33:25 +00:00
init_use_script_fds(setfiles_t)
2006-02-02 21:08:12 +00:00
init_use_script_ptys(setfiles_t)
init_exec_script_files(setfiles_t)
logging_send_audit_msgs(setfiles_t)
2005-06-13 17:35:46 +00:00
logging_send_syslog_msg(setfiles_t)
miscfiles_read_localization(setfiles_t)
seutil_libselinux_linked(setfiles_t)
seutil_read_module_store(setfiles_t)
2006-02-20 21:33:25 +00:00
userdom_use_all_users_fds(setfiles_t)
# for config files in a home directory
2008-11-05 16:10:46 +00:00
userdom_read_user_home_content_files(setfiles_t)
ifdef(`distro_debian',`
# udev tmpfs is populated with static device nodes
# and then relabeled afterwards; thus
# /dev/console has the tmpfs type
fs_rw_tmpfs_chr_files(setfiles_t)
')
2007-05-11 17:10:43 +00:00
ifdef(`distro_redhat', `
fs_rw_tmpfs_chr_files(setfiles_t)
fs_rw_tmpfs_blk_files(setfiles_t)
fs_relabel_tmpfs_blk_file(setfiles_t)
fs_relabel_tmpfs_chr_file(setfiles_t)
')
2008-02-05 18:24:43 +00:00
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(setfiles_t)
')
')
ifdef(`hide_broken_symptoms',`
2007-05-11 17:10:43 +00:00
optional_policy(`
udev_dontaudit_rw_dgram_sockets(setfiles_t)
')
# cjp: cover up stray file descriptors.
optional_policy(`
unconfined_dontaudit_read_pipes(setfiles_t)
2007-05-11 17:10:43 +00:00
unconfined_dontaudit_rw_tcp_sockets(setfiles_t)
')
')
2007-05-11 17:10:43 +00:00
optional_policy(`
apt_use_fds(setfiles_t)
')
2007-05-11 17:10:43 +00:00
optional_policy(`
hotplug_use_fds(setfiles_t)
')