diff --git a/refpolicy/Makefile b/refpolicy/Makefile
index 2c7ba7efc..2010b36d1 100644
--- a/refpolicy/Makefile
+++ b/refpolicy/Makefile
@@ -302,7 +302,7 @@ tmp/policy.xml: $(ALL_INTERFACES) tmp/generated_definitions.conf
 		$(XMLLINT) --noout --dtdvalid $(XMLDTD) $@ ;\
 	fi
 
-$(JAVABYTE) doctool: $(JAVASRC)
+$(JAVABYTE): $(JAVASRC)
 	javac $(JAVASRC)
 
 html: tmp/policy.xml $(JAVABYTE) $(HTMLHEAD) $(HTMLFOOT)
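Review bot: The recipe under the rewritten `$(JAVABYTE): $(JAVASRC)` header still calls a bare `javac`, while the validation step just above goes through `$(XMLLINT)`, so the compiler is the one tool here that cannot be overridden from the command line. Consider defining `JAVAC ?= javac` next to the other tool variables and using `$(JAVAC) $(JAVASRC)` in the recipe. Separately, if `$(JAVABYTE)` expands to more than one class file (its definition is outside this hunk), make treats the header as one independent rule per file and may run the same `javac` command several times under `-j`. A short comment above the rule saying whether it is a single file would settle that.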
diff --git a/refpolicy/policy/modules/admin/consoletype.if b/refpolicy/policy/modules/admin/consoletype.if
index 7cbc587a1..401465cd9 100644
--- a/refpolicy/policy/modules/admin/consoletype.if
+++ b/refpolicy/policy/modules/admin/consoletype.if
@@ -4,23 +4,26 @@
 # consoletype_transition(domain)
 #
 define(`consoletype_transition',`
-requires_block_template(`$0'_depend)
-allow $1 consoletype_exec_t:file { getattr read execute };
-allow $1 consoletype_t:process transition;
-type_transition $1 consoletype_exec_t:process consoletype_t;
-dontaudit $1 consoletype_t:process { noatsecure siginh rlimitinh };
-allow $1 consoletype_t:fd use;
-allow consoletype_t $1:fd use;
-allow consoletype_t $1:fifo_file rw_file_perms;
-allow consoletype_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 consoletype_exec_t:file { getattr read execute };
+	allow $1 consoletype_t:process transition;
+	type_transition $1 consoletype_exec_t:process consoletype_t;
+	dontaudit $1 consoletype_t:process { noatsecure siginh rlimitinh };
+
+	allow $1 consoletype_t:fd use;
+	allow consoletype_t $1:fd use;
+	allow consoletype_t $1:fifo_file rw_file_perms;
+	allow consoletype_t $1:process sigchld;
 ')
 
 define(`consoletype_transition_depend',`
-type consoletype_t, consoletype_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+	type consoletype_t, consoletype_exec_t;
+
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh sigchld };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')
 
 #######################################
@@ -28,11 +31,13 @@ class fifo_file rw_file_perms;
 # consoletype_execute(domain)
 #
 define(`consoletype_execute',`
-requires_block_template(`$0'_depend)
-allow $1 consoletype_exec_t:file { getattr read execute execute_no_trans };
+	requires_block_template(`$0'_depend)
+
+	allow $1 consoletype_exec_t:file { getattr read execute execute_no_trans };
 ')
 
 define(`consoletype_execute_depend',`
-type consoletype_exec_t;
-class file { getattr read execute execute_no_trans };
+	type consoletype_exec_t;
+
+	class file { getattr read execute execute_no_trans };
 ')
diff --git a/refpolicy/policy/modules/admin/consoletype.te b/refpolicy/policy/modules/admin/consoletype.te
index 34739c0c1..d3fd86310 100644
--- a/refpolicy/policy/modules/admin/consoletype.te
+++ b/refpolicy/policy/modules/admin/consoletype.te
@@ -51,15 +51,15 @@ libraries_use_dynamic_loader(consoletype_t)
 libraries_use_shared_libraries(consoletype_t)
 
 tunable_policy(`distro_redhat', `
-filesystem_use_tmpfs_character_devices(consoletype_t)
+	filesystem_use_tmpfs_character_devices(consoletype_t)
 ')
 
 optional_policy(`authlogin.te', `
-authlogin_pam_read_runtime_data(consoletype_t)
+	authlogin_pam_read_runtime_data(consoletype_t)
 ')
 
 optional_policy(`userdomain.te',`
-userdomain_use_all_unprivileged_users_file_descriptors(consoletype_t)
+	userdomain_use_all_unprivileged_users_file_descriptors(consoletype_t)
 ')
 
 ifdef(`TODO',`
diff --git a/refpolicy/policy/modules/admin/dmesg.if b/refpolicy/policy/modules/admin/dmesg.if
index 7e9c23f7c..2b2b8c696 100644
--- a/refpolicy/policy/modules/admin/dmesg.if
+++ b/refpolicy/policy/modules/admin/dmesg.if
@@ -13,23 +13,26 @@
 ## </interface>
 #
 define(`dmesg_transition',`
-requires_block_template(`$0'_depend)
-allow $1 dmesg_exec_t:file { getattr read execute };
-allow $1 dmesg_t:process transition;
-type_transition $1 dmesg_exec_t:process dmesg_t;
-dontaudit $1 dmesg_t:process { noatsecure siginh rlimitinh };
-allow $1 dmesg_t:fd use;
-allow dmesg_t $1:fd use;
-allow dmesg_t $1:fifo_file rw_file_perms;
-allow dmesg_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 dmesg_exec_t:file { getattr read execute };
+	allow $1 dmesg_t:process transition;
+	type_transition $1 dmesg_exec_t:process dmesg_t;
+	dontaudit $1 dmesg_t:process { noatsecure siginh rlimitinh };
+
+	allow $1 dmesg_t:fd use;
+	allow dmesg_t $1:fd use;
+	allow dmesg_t $1:fifo_file rw_file_perms;
+	allow dmesg_t $1:process sigchld;
 ')
 
 define(`dmesg_transition_depend',`
-type dmesg_t, dmesg_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+	type dmesg_t, dmesg_exec_t;
+
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh sigchld };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')
 
 ########################################
@@ -44,13 +47,15 @@ class fifo_file rw_file_perms;
 ## </interface>
 #
 define(`dmesg_execute',`
-requires_block_template(`$0'_depend)
-allow $1 dmesg_exec_t:file { getattr read execute execute_no_trans };
+	requires_block_template(`$0'_depend)
+
+	allow $1 dmesg_exec_t:file { getattr read execute execute_no_trans };
 ')
 
 define(`dmesg_execute_depend',`
-type dmesg_exec_t;
-class file { getattr read execute execute_no_trans };
+	type dmesg_exec_t;
+
+	class file { getattr read execute execute_no_trans };
 ')
 
 ## </module>
diff --git a/refpolicy/policy/modules/admin/dmesg.te b/refpolicy/policy/modules/admin/dmesg.te
index 4bf876be4..30b73899b 100644
--- a/refpolicy/policy/modules/admin/dmesg.te
+++ b/refpolicy/policy/modules/admin/dmesg.te
@@ -50,17 +50,17 @@ userdomain_use_admin_terminals(dmesg_t)
 userdomain_ignore_use_all_unprivileged_users_file_descriptors(dmesg_t)
 
 tunable_policy(`targeted_policy', `
-terminal_ignore_use_general_physical_terminal(dmesg_t)
-terminal_ignore_use_general_pseudoterminal(dmesg_t)
-files_ignore_read_rootfs_file(dmesg_t)
+	terminal_ignore_use_general_physical_terminal(dmesg_t)
+	terminal_ignore_use_general_pseudoterminal(dmesg_t)
+	files_ignore_read_rootfs_file(dmesg_t)
 ')
 
 optional_policy(`selinux.te',`
-selinux_newrole_sigchld(dmesg_t)
+	selinux_newrole_sigchld(dmesg_t)
 ')
 
 optional_policy(`udev.te', `
-udev_read_database(dmesg_t)
+	udev_read_database(dmesg_t)
 ')
 
 ifdef(`TODO',`
diff --git a/refpolicy/policy/modules/admin/netutils.if b/refpolicy/policy/modules/admin/netutils.if
index aff052489..79b2e61a9 100644
--- a/refpolicy/policy/modules/admin/netutils.if
+++ b/refpolicy/policy/modules/admin/netutils.if
@@ -4,23 +4,26 @@
 # netutils_transition(domain)
 #
 define(`netutils_transition',`
-requires_block_template(`$0'_depend)
-allow $1 netutils_exec_t:file { getattr read execute };
-allow $1 netutils_t:process transition;
-type_transition $1 netutils_exec_t:process netutils_t;
-dontaudit $1 netutils_t:process { noatsecure siginh rlimitinh };
-allow $1 netutils_t:fd use;
-allow netutils_t $1:fd use;
-allow netutils_t $1:fifo_file rw_file_perms;
-allow netutils_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 netutils_exec_t:file { getattr read execute };
+	allow $1 netutils_t:process transition;
+	type_transition $1 netutils_exec_t:process netutils_t;
+	dontaudit $1 netutils_t:process { noatsecure siginh rlimitinh };
+
+	allow $1 netutils_t:fd use;
+	allow netutils_t $1:fd use;
+	allow netutils_t $1:fifo_file rw_file_perms;
+	allow netutils_t $1:process sigchld;
 ')
 
 define(`netutils_transition_depend',`
-type netutils_t, netutils_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+	type netutils_t, netutils_exec_t;
+
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh sigchld };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')
 
 #######################################
@@ -28,11 +31,13 @@ class fifo_file rw_file_perms;
 # netutils_execute(domain)
 #
 define(`netutils_execute',`
-requires_block_template(`$0'_depend)
-allow $1 netutils_exec_t:file { getattr read execute execute_no_trans };
+	requires_block_template(`$0'_depend)
+
+	allow $1 netutils_exec_t:file { getattr read execute execute_no_trans };
 ')
 
 define(`netutils_execute_depend',`
-type netutils_exec_t;
-class file { getattr read execute execute_no_trans };
+	type netutils_exec_t;
+
+	class file { getattr read execute execute_no_trans };
 ')
diff --git a/refpolicy/policy/modules/admin/rpm.if b/refpolicy/policy/modules/admin/rpm.if
index fccd0f065..ac4768850 100644
--- a/refpolicy/policy/modules/admin/rpm.if
+++ b/refpolicy/policy/modules/admin/rpm.if
@@ -13,23 +13,26 @@
 ## </interface>
 #
 define(`rpm_transition',`
-requires_block_template(`$0'_depend)
-allow $1 rpm_exec_t:file { getattr read execute };
-allow $1 rpm_t:process transition;
-type_transition $1 rpm_exec_t:process rpm_t;
-dontaudit $1 rpm_t:process { noatsecure siginh rlimitinh };
-allow $1 rpm_t:fd use;
-allow rpm_t $1:fd use;
-allow rpm_t $1:fifo_file rw_file_perms;
-allow rpm_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 rpm_exec_t:file { getattr read execute };
+	allow $1 rpm_t:process transition;
+	type_transition $1 rpm_exec_t:process rpm_t;
+	dontaudit $1 rpm_t:process { noatsecure siginh rlimitinh };
+
+	allow $1 rpm_t:fd use;
+	allow rpm_t $1:fd use;
+	allow rpm_t $1:fifo_file rw_file_perms;
+	allow rpm_t $1:process sigchld;
 ')
 
 define(`rpm_transition_depend',`
-type rpm_t, rpm_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+	type rpm_t, rpm_exec_t;
+
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh sigchld };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')
 
 ########################################
@@ -50,16 +53,18 @@ class fifo_file rw_file_perms;
 ## </interface>
 #
 define(`rpm_transition_add_role_use_terminal',`
-requires_block_template(`$0'_depend)
-rpm_transition($1)
-role $2 types rpm_t;
-role $2 types rpm_script_t;
-allow rpm_t $3:chr_file { getattr read write ioctl };
+	requires_block_template(`$0'_depend)
+
+	rpm_transition($1)
+	role $2 types rpm_t;
+	role $2 types rpm_script_t;
+	allow rpm_t $3:chr_file { getattr read write ioctl };
 ')
 
 define(`rpm_transition_add_role_use_terminal_depend',`
-type rpm_t, rpm_script_t;
-class chr_file { getattr read write ioctl };
+	type rpm_t, rpm_script_t;
+
+	class chr_file { getattr read write ioctl };
 ')
 
 ########################################
@@ -74,13 +79,15 @@ class chr_file { getattr read write ioctl };
 ## </interface>
 #
 define(`rpm_use_file_descriptors',`
-requires_block_template(`$0'_depend)
-allow $1 rpm_t:fd use;
+	requires_block_template(`$0'_depend)
+
+	allow $1 rpm_t:fd use;
 ')
 
 define(`rpm_use_file_descriptors_depend',`
-type rpm_t;
-class fd use;
+	type rpm_t;
+
+	class fd use;
 ')
 
 ########################################
@@ -95,13 +102,15 @@ class fd use;
 ## </interface>
 #
 define(`rpm_read_pipe',`
-requires_block_template(`$0'_depend)
-allow $1 rpm_t:fifo_file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	allow $1 rpm_t:fifo_file { getattr read };
 ')
 
 define(`rpm_read_pipe_depend',`
-type rpm_t;
-class fifo_file { getattr read };
+	type rpm_t;
+
+	class fifo_file { getattr read };
 ')
 
 ########################################
@@ -116,17 +125,19 @@ class fifo_file { getattr read };
 ## </interface>
 #
 define(`rpm_read_package_database',`
-requires_block_template(`$0'_depend)
-allow $1 rpm_var_lib_t:dir { getattr read search };
-allow $1 rpm_var_lib_t:file { read getattr };
-allow $1 rpm_var_lib_t:lnk_file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	allow $1 rpm_var_lib_t:dir { getattr read search };
+	allow $1 rpm_var_lib_t:file { read getattr };
+	allow $1 rpm_var_lib_t:lnk_file { getattr read };
 ')
 
 define(`rpm_read_package_database_depend',`
-type rpm_var_lib_t_t;
-class dir { search getattr read };
-class lnk_file { getattr read };
-class file { getattr read };
+	type rpm_var_lib_t_t;
+
+	class dir { search getattr read };
+	class lnk_file { getattr read };
+	class file { getattr read };
 ')
 
 ########################################
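Review bot: `rpm_read_package_database_depend` declares `type rpm_var_lib_t_t;`, but the rules in `rpm_read_package_database` are all written against `rpm_var_lib_t`, so the dependency block names a type the interface never uses. The re-indented line carries the doubled suffix over unchanged; it should read `type rpm_var_lib_t;`. The same line appears in `rpm_manage_package_database_depend` in the next hunk. If the `_depend` blocks feed generated require statements, as `requires_block_template` suggests, this would presumably surface as an unresolved type or an undeclared requirement at build time.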
@@ -134,17 +145,19 @@ class file { getattr read };
 # rpm_manage_package_database(domain)
 #
 define(`rpm_manage_package_database',`
-requires_block_template(`$0'_depend)
-allow $1 rpm_var_lib_t:dir { getattr search read write add_name remove_name };
-allow $1 rpm_var_lib_t:file { getattr create read write append unlink };
-allow $1 rpm_var_lib_t:lnk_file { getattr read write unlink };
+	requires_block_template(`$0'_depend)
+
+	allow $1 rpm_var_lib_t:dir { getattr search read write add_name remove_name };
+	allow $1 rpm_var_lib_t:file { getattr create read write append unlink };
+	allow $1 rpm_var_lib_t:lnk_file { getattr read write unlink };
 ')
 
 define(`rpm_manage_package_database_depend',`
-type rpm_var_lib_t_t;
-class dir { search getattr read };
-class lnk_file { getattr read };
-class file { getattr read };
+	type rpm_var_lib_t_t;
+
+	class dir { search getattr read };
+	class lnk_file { getattr read };
+	class file { getattr read };
 ')
 
 ## </module>
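Review bot: The class declarations in `rpm_manage_package_database_depend` list only read-side permissions, while `rpm_manage_package_database` grants `write add_name remove_name` on `dir`, `create write append unlink` on `file` and `write unlink` on `lnk_file`. The block looks copied from the read-only interface, and the declarations should match the rules: `class dir { getattr search read write add_name remove_name };`, `class file { getattr create read write append unlink };`, `class lnk_file { getattr read write unlink };`. This interface hands out write access to the package database, so its declared dependencies are worth keeping exact for anyone auditing which domains receive it.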
diff --git a/refpolicy/policy/modules/admin/usermanage.if b/refpolicy/policy/modules/admin/usermanage.if
index 2bd4b707b..aa03a7207 100644
--- a/refpolicy/policy/modules/admin/usermanage.if
+++ b/refpolicy/policy/modules/admin/usermanage.if
@@ -13,23 +13,26 @@
 ## </interface>
 #
 define(`usermanage_chfn_transition',`
-requires_block_template(`$0'_depend)
-allow $1 chfn_exec_t:file { getattr read execute };
-allow $1 chfn_t:process transition;
-type_transition $1 chfn_exec_t:process chfn_t;
-dontaudit $1 chfn_t:process { noatsecure siginh rlimitinh };
-allow $1 chfn_t:fd use;
-allow chfn_t $1:fd use;
-allow chfn_t $1:fifo_file rw_file_perms;
-allow chfn_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 chfn_exec_t:file { getattr read execute };
+	allow $1 chfn_t:process transition;
+	type_transition $1 chfn_exec_t:process chfn_t;
+	dontaudit $1 chfn_t:process { noatsecure siginh rlimitinh };
+
+	allow $1 chfn_t:fd use;
+	allow chfn_t $1:fd use;
+	allow chfn_t $1:fifo_file rw_file_perms;
+	allow chfn_t $1:process sigchld;
 ')
 
 define(`usermanage_chfn_transition_depend',`
-type chfn_t, chfn_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+	type chfn_t, chfn_exec_t;
+
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh sigchld };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')
 
 ########################################
@@ -51,15 +54,17 @@ class fifo_file rw_file_perms;
 ## </interface>
 #
 define(`usermanage_chfn_transition_add_role_use_terminal',`
-requires_block_template(`$0'_depend)
-usermanage_chfn_transition($1)
-role $2 types chfn_t;
-allow chfn_t $3:chr_file { getattr read write ioctl };
+	requires_block_template(`$0'_depend)
+
+	usermanage_chfn_transition($1)
+	role $2 types chfn_t;
+	allow chfn_t $3:chr_file { getattr read write ioctl };
 ')
 
 define(`usermanage_chfn_transition_add_role_use_terminal_depend',`
-type chfn_t;
-class chr_file { getattr read write ioctl };
+	type chfn_t;
+
+	class chr_file { getattr read write ioctl };
 ')
 
 ########################################
@@ -74,23 +79,26 @@ class chr_file { getattr read write ioctl };
 ## </interface>
 #
 define(`usermanage_groupadd_transition',`
-requires_block_template(`$0'_depend)
-allow $1 groupadd_exec_t:file { getattr read execute };
-allow $1 groupadd_t:process transition;
-type_transition $1 groupadd_exec_t:process groupadd_t;
-dontaudit $1 groupadd_t:process { noatsecure siginh rlimitinh };
-allow $1 groupadd_t:fd use;
-allow groupadd_t $1:fd use;
-allow groupadd_t $1:fifo_file rw_file_perms;
-allow groupadd_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 groupadd_exec_t:file { getattr read execute };
+	allow $1 groupadd_t:process transition;
+	type_transition $1 groupadd_exec_t:process groupadd_t;
+	dontaudit $1 groupadd_t:process { noatsecure siginh rlimitinh };
+
+	allow $1 groupadd_t:fd use;
+	allow groupadd_t $1:fd use;
+	allow groupadd_t $1:fifo_file rw_file_perms;
+	allow groupadd_t $1:process sigchld;
 ')
 
 define(`usermanage_groupadd_transition_depend',`
-type groupadd_t, groupadd_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+	type groupadd_t, groupadd_exec_t;
+
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh sigchld };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')
 
 ########################################
@@ -112,15 +120,17 @@ class fifo_file rw_file_perms;
 ## </interface>
 #
 define(`usermanage_groupadd_transition_add_role_use_terminal',`
-requires_block_template(`$0'_depend)
-usermanage_groupadd_transition($1)
-role $2 types groupadd_t;
-allow groupadd_t $3:chr_file { getattr read write ioctl };
+	requires_block_template(`$0'_depend)
+
+	usermanage_groupadd_transition($1)
+	role $2 types groupadd_t;
+	allow groupadd_t $3:chr_file { getattr read write ioctl };
 ')
 
 define(`usermanage_groupadd_transition_add_role_use_terminal_depend',`
-type groupadd_t;
-class chr_file { getattr read write ioctl };
+	type groupadd_t;
+
+	class chr_file { getattr read write ioctl };
 ')
 
 ########################################
@@ -135,23 +145,26 @@ class chr_file { getattr read write ioctl };
 ## </interface>
 #
 define(`usermanage_passwd_transition',`
-requires_block_template(`$0'_depend)
-allow $1 passwd_exec_t:file { getattr read execute };
-allow $1 passwd_t:process transition;
-type_transition $1 passwd_exec_t:process passwd_t;
-dontaudit $1 passwd_t:process { noatsecure siginh rlimitinh };
-allow $1 passwd_t:fd use;
-allow passwd_t $1:fd use;
-allow passwd_t $1:fifo_file rw_file_perms;
-allow passwd_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 passwd_exec_t:file { getattr read execute };
+	allow $1 passwd_t:process transition;
+	type_transition $1 passwd_exec_t:process passwd_t;
+	dontaudit $1 passwd_t:process { noatsecure siginh rlimitinh };
+
+	allow $1 passwd_t:fd use;
+	allow passwd_t $1:fd use;
+	allow passwd_t $1:fifo_file rw_file_perms;
+	allow passwd_t $1:process sigchld;
 ')
 
 define(`usermanage_passwd_transition_depend',`
-type passwd_t, passwd_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+	type passwd_t, passwd_exec_t;
+
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh sigchld };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')
 
 ########################################
@@ -173,15 +186,17 @@ class fifo_file rw_file_perms;
 ## </interface>
 #
 define(`usermanage_passwd_transition_add_role_use_terminal',`
-requires_block_template(`$0'_depend)
-usermanage_passwd_transition($1)
-role $2 types passwd_t;
-allow passwd_t $3:chr_file { getattr read write ioctl };
+	requires_block_template(`$0'_depend)
+
+	usermanage_passwd_transition($1)
+	role $2 types passwd_t;
+	allow passwd_t $3:chr_file { getattr read write ioctl };
 ')
 
 define(`usermanage_passwd_transition_add_role_use_terminal_depend',`
-type passwd_t;
-class chr_file { getattr read write ioctl };
+	type passwd_t;
+
+	class chr_file { getattr read write ioctl };
 ')
 
 ########################################
@@ -196,23 +211,26 @@ class chr_file { getattr read write ioctl };
 ## </interface>
 #
 define(`usermanage_useradd_transition',`
-requires_block_template(`$0'_depend)
-allow $1 useradd_exec_t:file { getattr read execute };
-allow $1 useradd_t:process transition;
-type_transition $1 useradd_exec_t:process useradd_t;
-dontaudit $1 useradd_t:process { noatsecure siginh rlimitinh };
-allow $1 useradd_t:fd use;
-allow useradd_t $1:fd use;
-allow useradd_t $1:fifo_file rw_file_perms;
-allow useradd_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 useradd_exec_t:file { getattr read execute };
+	allow $1 useradd_t:process transition;
+	type_transition $1 useradd_exec_t:process useradd_t;
+	dontaudit $1 useradd_t:process { noatsecure siginh rlimitinh };
+
+	allow $1 useradd_t:fd use;
+	allow useradd_t $1:fd use;
+	allow useradd_t $1:fifo_file rw_file_perms;
+	allow useradd_t $1:process sigchld;
 ')
 
 define(`usermanage_useradd_transition_depend',`
-type useradd_t, useradd_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+	type useradd_t, useradd_exec_t;
+
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh sigchld };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')
 
 ########################################
@@ -234,15 +252,17 @@ class fifo_file rw_file_perms;
 ## </interface>
 #
 define(`usermanage_useradd_transition_add_role_use_terminal',`
-requires_block_template(`$0'_depend)
-usermanage_useradd_transition($1)
-role $2 types useradd_t;
-allow useradd_t $3:chr_file { getattr read write ioctl };
+	requires_block_template(`$0'_depend)
+
+	usermanage_useradd_transition($1)
+	role $2 types useradd_t;
+	allow useradd_t $3:chr_file { getattr read write ioctl };
 ')
 
 define(`usermanage_useradd_transition_add_role_use_terminal_depend',`
-type useradd_t;
-class chr_file { getattr read write ioctl };
+	type useradd_t;
+
+	class chr_file { getattr read write ioctl };
 ')
 
 ## </module>
diff --git a/refpolicy/policy/modules/apps/gpg.if b/refpolicy/policy/modules/apps/gpg.if
index dcb743127..3ed253ec9 100644
--- a/refpolicy/policy/modules/apps/gpg.if
+++ b/refpolicy/policy/modules/apps/gpg.if
@@ -6,333 +6,342 @@
 # gpg_per_userdomain_template(userdomain_prefix)
 #
 define(`gpg_per_userdomain_template',`
-requires_block_template(`$0'_depend)
+	requires_block_template(`$0'_depend)
 
-########################################
-#
-# Declarations
-#
+	########################################
+	#
+	# Declarations
+	#
 
-type $1_gpg_t;
-domain_make_domain($1_gpg_t)
-domain_make_entrypoint_file($1_gpg_t,gpg_exec_t)
-role $1_r types $1_gpg_t;
+	type $1_gpg_t;
+	domain_make_domain($1_gpg_t)
+	domain_make_entrypoint_file($1_gpg_t,gpg_exec_t)
+	role $1_r types $1_gpg_t;
 
-type $1_gpg_agent_t;
-domain_make_domain($1_gpg_agent_t)
-domain_make_entrypoint_file($1_gpg_agent_t,gpg_agent_exec_t)
-role $1_r types $1_gpg_agent_t;
+	type $1_gpg_agent_t;
+	domain_make_domain($1_gpg_agent_t)
+	domain_make_entrypoint_file($1_gpg_agent_t,gpg_agent_exec_t)
+	role $1_r types $1_gpg_agent_t;
 
-type $1_gpg_agent_tmp_t;
-files_make_temporary_file($1_gpg_agent_tmp_t)
+	type $1_gpg_agent_tmp_t;
+	files_make_temporary_file($1_gpg_agent_tmp_t)
 
-type $1_gpg_secret_t; #, $1_file_type;
-files_make_file($1_gpg_secret_t)
+	type $1_gpg_secret_t; #, $1_file_type;
+	files_make_file($1_gpg_secret_t)
 
-type $1_gpg_helper_t;
-domain_make_domain($1_gpg_helper_t)
-role $1_r types $1_gpg_helper_t;
+	type $1_gpg_helper_t;
+	domain_make_domain($1_gpg_helper_t)
+	role $1_r types $1_gpg_helper_t;
 
-type $1_gpg_pinentry_t;
-domain_make_domain($1_gpg_pinentry_t)
-role $1_r types $1_gpg_pinentry_t;
+	type $1_gpg_pinentry_t;
+	domain_make_domain($1_gpg_pinentry_t)
+	role $1_r types $1_gpg_pinentry_t;
 
-########################################
-#
-# GPG local policy
-#
+	########################################
+	#
+	# GPG local policy
+	#
 
-# transition from the userdomain to the derived domain
-allow $1_t $1_gpg_t:process transition;
-allow $1_t gpg_exec_t:file { getattr read execute };
-type_transition $1_t gpg_exec_t:process $1_gpg_t;
-allow $1_t $1_gpg_t:fd use;
-allow $1_gpg_t $1_t:fd use;
-allow $1_gpg_t $1_t:fifo_file rw_file_perms;
+	# transition from the userdomain to the derived domain
+	allow $1_t $1_gpg_t:process transition;
+	allow $1_t gpg_exec_t:file { getattr read execute };
+	type_transition $1_t gpg_exec_t:process $1_gpg_t;
+	dontaudit $1_t $1_gpg_t:process { noatsecure siginh rlimitinh };
 
-allow $1_gpg_t self:capability { ipc_lock setuid };
-allow { $1_t $1_gpg_t } $1_gpg_t:process signal;
-# setrlimit is for ulimit -c 0
-allow $1_gpg_t self:process { setrlimit setcap };
+	allow $1_t $1_gpg_t:fd use;
+	allow $1_gpg_t $1_t:fd use;
+	allow $1_gpg_t $1_t:fifo_file rw_file_perms;
+	allow $1_gpg_t $1_t:process sigchld;
 
-allow $1_gpg_t self:fifo_file { getattr read write };
-allow $1_gpg_t self:tcp_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
+	allow $1_gpg_t self:capability { ipc_lock setuid };
+	allow { $1_t $1_gpg_t } $1_gpg_t:process signal;
+	# setrlimit is for ulimit -c 0
+	allow $1_gpg_t self:process { setrlimit setcap };
 
-allow $1_gpg_t $1_gpg_secret_t:dir { read getattr lock search ioctl add_name remove_name write };
-allow $1_gpg_t $1_gpg_secret_t:file { create ioctl read getattr lock write setattr append link unlink rename };
-allow $1_gpg_t $1_gpg_secret_t:lnk_file { create read getattr setattr link unlink rename };
+	allow $1_gpg_t self:fifo_file { getattr read write };
+	allow $1_gpg_t self:tcp_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
 
-corenetwork_sendrecv_tcp_on_all_interfaces($1_gpg_t)
-corenetwork_sendrecv_raw_on_all_interfaces($1_gpg_t)
-corenetwork_sendrecv_udp_on_all_interfaces($1_gpg_t)
-corenetwork_sendrecv_tcp_on_all_nodes($1_gpg_t)
-corenetwork_sendrecv_raw_on_all_nodes($1_gpg_t)
-corenetwork_sendrecv_udp_on_all_nodes($1_gpg_t)
-corenetwork_sendrecv_tcp_on_all_ports($1_gpg_t)
-corenetwork_sendrecv_udp_on_all_ports($1_gpg_t)
-corenetwork_bind_tcp_on_all_nodes($1_gpg_t)
-corenetwork_bind_udp_on_all_nodes($1_gpg_t)
+	allow $1_gpg_t $1_gpg_secret_t:dir { read getattr lock search ioctl add_name remove_name write };
+	allow $1_gpg_t $1_gpg_secret_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+	allow $1_gpg_t $1_gpg_secret_t:lnk_file { create read getattr setattr link unlink rename };
 
-devices_get_random_data($1_gpg_t)
-devices_get_pseudorandom_data($1_gpg_t)
+	corenetwork_sendrecv_tcp_on_all_interfaces($1_gpg_t)
+	corenetwork_sendrecv_raw_on_all_interfaces($1_gpg_t)
+	corenetwork_sendrecv_udp_on_all_interfaces($1_gpg_t)
+	corenetwork_sendrecv_tcp_on_all_nodes($1_gpg_t)
+	corenetwork_sendrecv_raw_on_all_nodes($1_gpg_t)
+	corenetwork_sendrecv_udp_on_all_nodes($1_gpg_t)
+	corenetwork_sendrecv_tcp_on_all_ports($1_gpg_t)
+	corenetwork_sendrecv_udp_on_all_ports($1_gpg_t)
+	corenetwork_bind_tcp_on_all_nodes($1_gpg_t)
+	corenetwork_bind_udp_on_all_nodes($1_gpg_t)
 
-filesystem_get_persistent_filesystem_attributes($1_gpg_t)
+	devices_get_random_data($1_gpg_t)
+	devices_get_pseudorandom_data($1_gpg_t)
 
-files_read_general_system_config($1_gpg_t)
-files_read_general_application_resources($1_gpg_t)
+	filesystem_get_persistent_filesystem_attributes($1_gpg_t)
 
-libraries_use_shared_libraries($1_gpg_t)
-libraries_use_dynamic_loader($1_gpg_t)
+	files_read_general_system_config($1_gpg_t)
+	files_read_general_application_resources($1_gpg_t)
 
-miscfiles_read_localization($1_gpg_t)
+	libraries_use_shared_libraries($1_gpg_t)
+	libraries_use_dynamic_loader($1_gpg_t)
 
-logging_send_system_log_message($1_gpg_t)
+	miscfiles_read_localization($1_gpg_t)
 
-sysnetwork_read_network_config($1_gpg_t)
+	logging_send_system_log_message($1_gpg_t)
 
-# Legacy
-if (allow_gpg_execstack) {
-allow $1_gpg_t self:process execmem;
-libraries_legacy_use_shared_libraries($1_gpg_t)
-libraries_legacy_use_dynamic_loader($1_gpg_t)
-miscfiles_legacy_read_localization($1_gpg_t)
-# Not quite sure why this is needed... 
-allow $1_gpg_t gpg_exec_t:file execmod;
-}
+	sysnetwork_read_network_config($1_gpg_t)
 
-ifdef(`TODO',`
+	# Legacy
+	if (allow_gpg_execstack) {
+		allow $1_gpg_t self:process execmem;
+		libraries_legacy_use_shared_libraries($1_gpg_t)
+		libraries_legacy_use_dynamic_loader($1_gpg_t)
+		miscfiles_legacy_read_localization($1_gpg_t)
+		# Not quite sure why this is needed... 
+		allow $1_gpg_t gpg_exec_t:file execmod;
+	}
 
-can_ypbind($1_gpg_t)
+	ifdef(`TODO',`
 
-allow $1_t $1_gpg_secret_t:file getattr;
+	can_ypbind($1_gpg_t)
 
-access_terminal($1_gpg_t, $1)
-ifdef(`gnome-pty-helper.te', `allow $1_gpg_t $1_gph_t:fd use;')
+	allow $1_t $1_gpg_secret_t:file getattr;
 
-# Inherit and use descriptors
-allow $1_gpg_t { privfd $1_t }:fd use;
+	access_terminal($1_gpg_t, $1)
+	ifdef(`gnome-pty-helper.te', `allow $1_gpg_t $1_gph_t:fd use;')
 
-# allow ps to show gpg
-can_ps($1_t, $1_gpg_t)
+	# Inherit and use descriptors
+	allow $1_gpg_t { privfd $1_t }:fd use;
 
-# should not need read access...
-allow $1_gpg_t home_root_t:dir { read search };
+	# allow ps to show gpg
+	can_ps($1_t, $1_gpg_t)
 
-# use $1_gpg_secret_t for files it creates
-# NB we are doing the type transition for directory creation only!
-# so ~/.gnupg will be of $1_gpg_secret_t, then files created under it such as
-# secring.gpg will be of $1_gpg_secret_t too.  But when you use gpg to decrypt
-# a file and write output to your home directory it will use user_home_t.
-file_type_auto_trans($1_gpg_t, $1_home_dir_t, $1_gpg_secret_t, dir)
+	# should not need read access...
+	allow $1_gpg_t home_root_t:dir { read search };
 
-file_type_auto_trans($1_gpg_t, $1_home_dir_t, $1_home_t, file)
-create_dir_file($1_gpg_t, $1_home_t)
+	# use $1_gpg_secret_t for files it creates
+	# NB we are doing the type transition for directory creation only!
+	# so ~/.gnupg will be of $1_gpg_secret_t, then files created under it such as
+	# secring.gpg will be of $1_gpg_secret_t too.  But when you use gpg to decrypt
+	# a file and write output to your home directory it will use user_home_t.
+	file_type_auto_trans($1_gpg_t, $1_home_dir_t, $1_gpg_secret_t, dir)
 
-# allow the usual access to /tmp
-file_type_auto_trans($1_gpg_t, tmp_t, $1_tmp_t)
+	file_type_auto_trans($1_gpg_t, $1_home_dir_t, $1_home_t, file)
+	create_dir_file($1_gpg_t, $1_home_t)
 
-if (use_nfs_home_dirs) {
-create_dir_file($1_gpg_t, nfs_t)
-}
-if (use_samba_home_dirs) {
-create_dir_file($1_gpg_t, cifs_t)
-}
+	# allow the usual access to /tmp
+	file_type_auto_trans($1_gpg_t, tmp_t, $1_tmp_t)
 
-rw_dir_create_file($1_gpg_t, $1_file_type)
+	if (use_nfs_home_dirs) {
+		create_dir_file($1_gpg_t, nfs_t)
+	}
+	if (use_samba_home_dirs) {
+		create_dir_file($1_gpg_t, cifs_t)
+	}
 
-allow $1_t $1_gpg_secret_t:dir rw_dir_perms;
+	rw_dir_create_file($1_gpg_t, $1_file_type)
 
-dontaudit $1_gpg_t var_t:dir search;
-') dnl end TODO
+	allow $1_t $1_gpg_secret_t:dir rw_dir_perms;
 
-########################################
-#
-# GPG helper local policy
-#
+	dontaudit $1_gpg_t var_t:dir search;
+	') dnl end TODO
 
-# for helper programs (which automatically fetch keys)
-# Note: this is only tested with the hkp interface. If you use eg the 
-# mail interface you will likely need additional permissions.
+	########################################
+	#
+	# GPG helper local policy
+	#
 
-# transition from the gpg domain to the helper domain
-allow $1_gpg_t $1_gpg_helper_t:process transition;
-allow $1_gpg_t gpg_helper_exec_t:file { getattr read execute };
-type_transition $1_gpg_t gpg_helper_exec_t:process $1_gpg_helper_t;
-allow $1_gpg_t $1_gpg_helper_t:fd use;
-allow $1_gpg_helper_t $1_t:fd use;
-allow $1_gpg_helper_t $1_t:fifo_file rw_file_perms;
+	# for helper programs (which automatically fetch keys)
+	# Note: this is only tested with the hkp interface. If you use eg the 
+	# mail interface you will likely need additional permissions.
 
-allow $1_gpg_helper_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
+	# transition from the gpg domain to the helper domain
+	allow $1_gpg_t $1_gpg_helper_t:process transition;
+	allow $1_gpg_t gpg_helper_exec_t:file { getattr read execute };
+	type_transition $1_gpg_t gpg_helper_exec_t:process $1_gpg_helper_t;
+	dontaudit $1_gpg_helper_t $1_gpg_t:process { noatsecure siginh rlimitinh };
 
-allow $1_gpg_helper_t self:tcp_socket { create connect ioctl read getattr write setattr append bind getopt setopt shutdown };
-allow $1_gpg_helper_t self:udp_socket { create connect ioctl read getattr write setattr append bind getopt setopt shutdown };
+	allow $1_gpg_t $1_gpg_helper_t:fd use;
+	allow $1_gpg_helper_t $1_gpg_t:fd use;
+	allow $1_gpg_helper_t $1_gpg_t:fifo_file rw_file_perms;
+	allow $1_gpg_helper_t $1_gpg_t:process sigchld;
 
-dontaudit $1_gpg_helper_t $1_gpg_secret_t:file read;
+	allow $1_gpg_helper_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
 
-corenetwork_sendrecv_tcp_on_all_interfaces($1_gpg_helper_t)
-corenetwork_sendrecv_raw_on_all_interfaces($1_gpg_helper_t)
-corenetwork_sendrecv_udp_on_all_interfaces($1_gpg_helper_t)
-corenetwork_sendrecv_tcp_on_all_nodes($1_gpg_helper_t)
-corenetwork_sendrecv_udp_on_all_nodes($1_gpg_helper_t)
-corenetwork_sendrecv_raw_on_all_nodes($1_gpg_helper_t)
-corenetwork_sendrecv_tcp_on_all_ports($1_gpg_helper_t)
-corenetwork_sendrecv_udp_on_all_ports($1_gpg_helper_t)
-corenetwork_bind_tcp_on_all_nodes($1_gpg_helper_t)
-corenetwork_bind_udp_on_all_nodes($1_gpg_helper_t)
+	allow $1_gpg_helper_t self:tcp_socket { create connect ioctl read getattr write setattr append bind getopt setopt shutdown };
+	allow $1_gpg_helper_t self:udp_socket { create connect ioctl read getattr write setattr append bind getopt setopt shutdown };
 
-devices_get_pseudorandom_data($1_gpg_helper_t)
+	dontaudit $1_gpg_helper_t $1_gpg_secret_t:file read;
 
-files_read_general_system_config($1_gpg_helper_t)
-# for nscd
-files_ignore_search_system_state_data_directory($1_gpg_helper_t)
+	corenetwork_sendrecv_tcp_on_all_interfaces($1_gpg_helper_t)
+	corenetwork_sendrecv_raw_on_all_interfaces($1_gpg_helper_t)
+	corenetwork_sendrecv_udp_on_all_interfaces($1_gpg_helper_t)
+	corenetwork_sendrecv_tcp_on_all_nodes($1_gpg_helper_t)
+	corenetwork_sendrecv_udp_on_all_nodes($1_gpg_helper_t)
+	corenetwork_sendrecv_raw_on_all_nodes($1_gpg_helper_t)
+	corenetwork_sendrecv_tcp_on_all_ports($1_gpg_helper_t)
+	corenetwork_sendrecv_udp_on_all_ports($1_gpg_helper_t)
+	corenetwork_bind_tcp_on_all_nodes($1_gpg_helper_t)
+	corenetwork_bind_udp_on_all_nodes($1_gpg_helper_t)
 
-libraries_use_dynamic_loader($1_gpg_helper_t)
-libraries_use_shared_libraries($1_gpg_helper_t)
+	devices_get_pseudorandom_data($1_gpg_helper_t)
 
-sysnetwork_read_network_config($1_gpg_helper_t)
+	files_read_general_system_config($1_gpg_helper_t)
+	# for nscd
+	files_ignore_search_system_state_data_directory($1_gpg_helper_t)
 
-ifdef(`TODO',`
+	libraries_use_dynamic_loader($1_gpg_helper_t)
+	libraries_use_shared_libraries($1_gpg_helper_t)
 
-if (use_nfs_home_dirs) {
-dontaudit $1_gpg_helper_t nfs_t:file { read write };
-}
-if (use_samba_home_dirs) {
-dontaudit $1_gpg_helper_t cifs_t:file { read write };
-}
+	sysnetwork_read_network_config($1_gpg_helper_t)
 
-# communicate with the user 
-allow $1_gpg_helper_t $1_t:fd use;
-allow $1_gpg_helper_t $1_t:fifo_file write;
+	ifdef(`TODO',`
 
-ifdef(`xdm.te', `
-dontaudit $1_gpg_t xdm_t:fd use;
-dontaudit $1_gpg_t xdm_t:fifo_file read;
+	if (use_nfs_home_dirs) {
+		dontaudit $1_gpg_helper_t nfs_t:file { read write };
+	}
+	if (use_samba_home_dirs) {
+		dontaudit $1_gpg_helper_t cifs_t:file { read write };
+	}
+
+	# communicate with the user 
+	allow $1_gpg_helper_t $1_t:fd use;
+	allow $1_gpg_helper_t $1_t:fifo_file write;
+
+	ifdef(`xdm.te', `
+		dontaudit $1_gpg_t xdm_t:fd use;
+		dontaudit $1_gpg_t xdm_t:fifo_file read;
+	')
+	') dnl end TODO
+
+	########################################
+	#
+	# GPG agent local policy
+	#
+
+	# rlimit: gpg-agent wants to prevent coredumps
+	allow $1_gpg_agent_t self:process setrlimit;
+
+	allow $1_gpg_agent_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
+	allow $1_gpg_agent_t self:fifo_file { getattr read write };
+
+	allow $1_t $1_gpg_agent_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
+	allow $1_t $1_gpg_agent_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+	allow $1_t $1_gpg_agent_tmp_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
+	files_create_private_tmp_data($1_gpg_agent_t, $1_gpg_agent_tmp_t, { file sock_file dir })
+
+	domain_use_widely_inheritable_file_descriptors($1_gpg_agent_t)
+
+	libraries_use_dynamic_loader($1_gpg_agent_t)
+	libraries_use_shared_libraries($1_gpg_agent_t)
+
+	miscfiles_read_localization($1_gpg_agent_t)
+
+	ifdef(`TODO',`
+	# Transition from the user domain to the derived domain.
+	domain_auto_trans($1_t, gpg_agent_exec_t, $1_gpg_agent_t)
+
+	allow $1_gpg_agent_t xdm_t:fd use;
+
+	# Write to the user domain tty.
+	access_terminal($1_gpg_agent_t, $1)
+
+	# Allow the user shell to signal the gpg-agent program.
+	allow $1_t $1_gpg_agent_t:process { signal sigkill };
+	# allow ps to show gpg-agent
+	can_ps($1_t, $1_gpg_agent_t)
+
+	allow $1_gpg_agent_t proc_t:dir search;
+	allow $1_gpg_agent_t proc_t:lnk_file read;
+
+	allow $1_gpg_agent_t device_t:dir { getattr read };
+
+	# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
+	allow $1_gpg_agent_t { home_root_t $1_home_dir_t }:dir search;
+	create_dir_file($1_gpg_agent_t, $1_gpg_secret_t)
+	if (use_nfs_home_dirs) {
+		create_dir_file($1_gpg_agent_t, nfs_t)
+	}
+	if (use_samba_home_dirs) {
+		create_dir_file($1_gpg_agent_t, cifs_t)
+	}
+
+	# gpg connect
+	allow $1_gpg_t $1_gpg_agent_tmp_t:dir search;
+	allow $1_gpg_t $1_gpg_agent_tmp_t:sock_file write;
+	can_unix_connect($1_gpg_t, $1_gpg_agent_t)
+	') dnl endif TODO
+
+	##############################
+	#
+	# Pinentry local policy
+	#
+
+	# we need to allow gpg-agent to call pinentry so it can get the passphrase 
+	# from the user.
+	allow $1_gpg_agent_t $1_gpg_pinentry_t:process transition;
+	allow $1_gpg_agent_t pinentry_exec_t:file { getattr read execute };
+	type_transition $1_gpg_agent_t pinentry_exec_t:process $1_gpg_pinentry_t;
+	dontaudit $1_gpg_agent_t $1_gpg_pinentry_t:process { noatsecure siginh rlimitinh };
+
+	allow $1_gpg_pinentry_t $1_gpg_agent_t:fd use;
+	allow $1_gpg_agent_t $1_gpg_pinentry_t:fd use;
+	allow $1_gpg_agent_t $1_gpg_pinentry_t:fifo_file rw_file_perms;
+	allow $1_gpg_agent_t $1_gpg_pinentry_t:process sigchld;
+
+	allow $1_gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };
+	allow $1_gpg_pinentry_t self:fifo_file { getattr read write };
+
+	# read /proc/meminfo
+	kernel_read_system_state($1_gpg_pinentry_t)
+
+	files_read_general_application_resources($1_gpg_pinentry_t)
+	# read /etc/X11/qtrc
+	files_read_general_system_config($1_gpg_pinentry_t)
+
+	libraries_use_dynamic_loader($1_gpg_pinentry_t)
+	libraries_use_shared_libraries($1_gpg_pinentry_t)
+
+	miscfiles_read_fonts($1_gpg_pinentry_t)
+	miscfiles_read_localization($1_gpg_pinentry_t)
+
+	ifdef(`TODO',`
+
+	allow $1_gpg_agent_t bin_t:dir search;
+
+	ifdef(`xdm.te', `
+		allow $1_gpg_pinentry_t xdm_xserver_tmp_t:dir search;
+		allow $1_gpg_pinentry_t xdm_xserver_tmp_t:sock_file { read write };
+		can_unix_connect($1_gpg_pinentry_t, xdm_xserver_t)
+		allow $1_gpg_pinentry_t xdm_t:fd use;
+	')
+
+	allow $1_gpg_pinentry_t { tmp_t home_root_t }:dir { getattr search };
+
+	# for .Xauthority
+	allow $1_gpg_pinentry_t $1_home_dir_t:dir { getattr search };
+	allow $1_gpg_pinentry_t $1_home_t:file { getattr read };
+	# wants to put some lock files into the user home dir, seems to work fine without
+	dontaudit $1_gpg_pinentry_t $1_home_t:dir { read write };
+	dontaudit $1_gpg_pinentry_t $1_home_t:file write;
+
+	if (use_nfs_home_dirs) {
+		allow $1_gpg_pinentry_t nfs_t:dir { getattr search };
+		allow $1_gpg_pinentry_t nfs_t:file { getattr read };
+		dontaudit $1_gpg_pinentry_t nfs_t:dir { read write };
+		dontaudit $1_gpg_pinentry_t nfs_t:file write;
+	}
+
+	if (use_samba_home_dirs) {
+		allow $1_gpg_pinentry_t cifs_t:dir { getattr search };
+		allow $1_gpg_pinentry_t cifs_t:file { getattr read };
+		dontaudit $1_gpg_pinentry_t cifs_t:dir { read write };
+		dontaudit $1_gpg_pinentry_t cifs_t:file write;
+	}
+
+	dontaudit $1_gpg_pinentry_t { sysctl_t sysctl_kernel_t }:dir { getattr search };
+	') dnl end TODO
 ')
-') dnl end TODO
-
-########################################
-#
-# GPG agent local policy
-#
-
-# rlimit: gpg-agent wants to prevent coredumps
-allow $1_gpg_agent_t self:process setrlimit;
-
-allow $1_gpg_agent_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
-allow $1_gpg_agent_t self:fifo_file { getattr read write };
-
-allow $1_t $1_gpg_agent_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
-allow $1_t $1_gpg_agent_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
-allow $1_t $1_gpg_agent_tmp_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
-files_create_private_tmp_data($1_gpg_agent_t, $1_gpg_agent_tmp_t, { file sock_file dir })
-
-domain_use_widely_inheritable_file_descriptors($1_gpg_agent_t)
-
-libraries_use_dynamic_loader($1_gpg_agent_t)
-libraries_use_shared_libraries($1_gpg_agent_t)
-
-miscfiles_read_localization($1_gpg_agent_t)
-
-ifdef(`TODO',`
-# Transition from the user domain to the derived domain.
-domain_auto_trans($1_t, gpg_agent_exec_t, $1_gpg_agent_t)
-
-allow $1_gpg_agent_t xdm_t:fd use;
-
-# Write to the user domain tty.
-access_terminal($1_gpg_agent_t, $1)
-
-# Allow the user shell to signal the gpg-agent program.
-allow $1_t $1_gpg_agent_t:process { signal sigkill };
-# allow ps to show gpg-agent
-can_ps($1_t, $1_gpg_agent_t)
-
-allow $1_gpg_agent_t proc_t:dir search;
-allow $1_gpg_agent_t proc_t:lnk_file read;
-
-allow $1_gpg_agent_t device_t:dir { getattr read };
-
-# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
-allow $1_gpg_agent_t { home_root_t $1_home_dir_t }:dir search;
-create_dir_file($1_gpg_agent_t, $1_gpg_secret_t)
-if (use_nfs_home_dirs) {
-create_dir_file($1_gpg_agent_t, nfs_t)
-}
-if (use_samba_home_dirs) {
-create_dir_file($1_gpg_agent_t, cifs_t)
-}
-
-# gpg connect
-allow $1_gpg_t $1_gpg_agent_tmp_t:dir search;
-allow $1_gpg_t $1_gpg_agent_tmp_t:sock_file write;
-can_unix_connect($1_gpg_t, $1_gpg_agent_t)
-') dnl endif TODO
-
-##############################
-#
-# Pinentry local policy
-#
-
-# we need to allow gpg-agent to call pinentry so it can get the passphrase 
-# from the user.
-allow $1_gpg_agent_t $1_gpg_pinentry_t:process transition;
-allow $1_gpg_agent_t pinentry_exec_t:file { getattr read execute };
-type_transition $1_gpg_agent_t pinentry_exec_t:process $1_gpg_pinentry_t;
-allow $1_gpg_pinentry_t $1_gpg_agent_t:fd use;
-allow $1_gpg_agent_t $1_gpg_pinentry_t:fd use;
-allow $1_gpg_agent_t $1_gpg_pinentry_t:fifo_file rw_file_perms;
-
-allow $1_gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };
-allow $1_gpg_pinentry_t self:fifo_file { getattr read write };
-
-# read /proc/meminfo
-kernel_read_system_state($1_gpg_pinentry_t)
-
-files_read_general_application_resources($1_gpg_pinentry_t)
-# read /etc/X11/qtrc
-files_read_general_system_config($1_gpg_pinentry_t)
-
-libraries_use_dynamic_loader($1_gpg_pinentry_t)
-libraries_use_shared_libraries($1_gpg_pinentry_t)
-
-miscfiles_read_fonts($1_gpg_pinentry_t)
-miscfiles_read_localization($1_gpg_pinentry_t)
-
-ifdef(`TODO',`
-
-allow $1_gpg_agent_t bin_t:dir search;
-
-ifdef(`xdm.te', `
-allow $1_gpg_pinentry_t xdm_xserver_tmp_t:dir search;
-allow $1_gpg_pinentry_t xdm_xserver_tmp_t:sock_file { read write };
-can_unix_connect($1_gpg_pinentry_t, xdm_xserver_t)
-allow $1_gpg_pinentry_t xdm_t:fd use;
-')dnl end ig xdm.te
-
-allow $1_gpg_pinentry_t { tmp_t home_root_t }:dir { getattr search };
-
-# for .Xauthority
-allow $1_gpg_pinentry_t $1_home_dir_t:dir { getattr search };
-allow $1_gpg_pinentry_t $1_home_t:file { getattr read };
-# wants to put some lock files into the user home dir, seems to work fine without
-dontaudit $1_gpg_pinentry_t $1_home_t:dir { read write };
-dontaudit $1_gpg_pinentry_t $1_home_t:file write;
-
-if (use_nfs_home_dirs) {
-allow $1_gpg_pinentry_t nfs_t:dir { getattr search };
-allow $1_gpg_pinentry_t nfs_t:file { getattr read };
-dontaudit $1_gpg_pinentry_t nfs_t:dir { read write };
-dontaudit $1_gpg_pinentry_t nfs_t:file write;
-}
-
-if (use_samba_home_dirs) {
-allow $1_gpg_pinentry_t cifs_t:dir { getattr search };
-allow $1_gpg_pinentry_t cifs_t:file { getattr read };
-dontaudit $1_gpg_pinentry_t cifs_t:dir { read write };
-dontaudit $1_gpg_pinentry_t cifs_t:file write;
-}
-
-dontaudit $1_gpg_pinentry_t { sysctl_t sysctl_kernel_t }:dir { getattr search };
-') dnl end TODO
-') dnl end gpg_per_userdomain_template
 
diff --git a/refpolicy/policy/modules/kernel/bootloader.te b/refpolicy/policy/modules/kernel/bootloader.te
index d50652b05..7e40d501d 100644
--- a/refpolicy/policy/modules/kernel/bootloader.te
+++ b/refpolicy/policy/modules/kernel/bootloader.te
@@ -146,35 +146,39 @@ allow bootloader_t boot_t:file relabelfrom;
 ')
 
 tunable_policy(`distro_redhat', `
-# for memlock
-allow bootloader_t self:capability ipc_lock;
-# new file system defaults to file_t, granting file_t access is still bad.
-allow bootloader_t boot_runtime_t:file { read getattr unlink };
-# mkinitrd mount initrd on bootloader temp dir
-files_make_mountpoint(bootloader_tmp_t)
-# for mke2fs
-mount_transition(bootloader_t)
+	# for memlock
+	allow bootloader_t self:capability ipc_lock;
+
+	# new file system defaults to file_t, granting file_t access is still bad.
+	allow bootloader_t boot_runtime_t:file { read getattr unlink };
+
+	# mkinitrd mount initrd on bootloader temp dir
+	files_make_mountpoint(bootloader_tmp_t)
+
+	# for mke2fs
+	mount_transition(bootloader_t)
 ')
 
 optional_policy(`filesystemtools.te', `
-filesystemtools_execute(bootloader_t)
+	filesystemtools_execute(bootloader_t)
 ')
 
 # LVM2 / Device Mapper's /dev/mapper/control
 # maybe we should change the labeling for this
 optional_policy(`lvm.te', `
-devices_use_lvm_control_channel(bootloader_t)
-lvm_transition(bootloader_t)
-lvm_read_config(bootloader_t)
+	devices_use_lvm_control_channel(bootloader_t)
+
+	lvm_transition(bootloader_t)
+	lvm_read_config(bootloader_t)
 ')
 
 optional_policy(`modutils.te',`
-modutils_insmod_execute(insmod_t)
-modutils_read_kernel_module_dependencies(bootloader_t)
-modutils_read_kernel_module_loading_config(bootloader_t)
-modutils_insmod_execute(bootloader_t)
-modutils_depmod_execute(bootloader_t)
-modutils_update_modules_execute(bootloader_t)
+	modutils_insmod_execute(insmod_t)
+	modutils_read_kernel_module_dependencies(bootloader_t)
+	modutils_read_kernel_module_loading_config(bootloader_t)
+	modutils_insmod_execute(bootloader_t)
+	modutils_depmod_execute(bootloader_t)
+	modutils_update_modules_execute(bootloader_t)
 ')
 
 ifdef(`TODO',`
@@ -187,22 +191,23 @@ allow bootloader_t var_t:dir search;
 allow bootloader_t var_t:file { getattr read };
 
 tunable_policy(`distro_debian', `
-allow bootloader_t { usr_t lib_t fsadm_exec_t }:file relabelto;
-allow bootloader_t { usr_t lib_t fsadm_exec_t }:file create_file_perms;
-allow bootloader_t tmpfs_t:dir r_dir_perms;
-allow bootloader_t initrc_var_run_t:dir r_dir_perms;
-allow bootloader_t var_lib_t:dir search;
-allow bootloader_t dpkg_var_lib_t:dir r_dir_perms;
-allow bootloader_t dpkg_var_lib_t:file { getattr read };
-# for /usr/share/initrd-tools/scripts
-can_exec(bootloader_t, usr_t)
+	allow bootloader_t { usr_t lib_t fsadm_exec_t }:file relabelto;
+	allow bootloader_t { usr_t lib_t fsadm_exec_t }:file create_file_perms;
+	allow bootloader_t tmpfs_t:dir r_dir_perms;
+	allow bootloader_t initrc_var_run_t:dir r_dir_perms;
+	allow bootloader_t var_lib_t:dir search;
+	allow bootloader_t dpkg_var_lib_t:dir r_dir_perms;
+	allow bootloader_t dpkg_var_lib_t:file { getattr read };
+
+	# for /usr/share/initrd-tools/scripts
+	can_exec(bootloader_t, usr_t)
 ')
 
 tunable_policy(`distro_redhat', `
-# new file system defaults to file_t, granting file_t access is still bad.
-allow bootloader_t file_t:dir create_dir_perms;
-allow bootloader_t file_t:{ file blk_file chr_file } create_file_perms;
-allow bootloader_t file_t:lnk_file create_lnk_perms;
+	# new file system defaults to file_t, granting file_t access is still bad.
+	allow bootloader_t file_t:dir create_dir_perms;
+	allow bootloader_t file_t:{ file blk_file chr_file } create_file_perms;
+	allow bootloader_t file_t:lnk_file create_lnk_perms;
 ')
 
 dontaudit bootloader_t selinux_config_t:dir search;
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index 359dffd6e..95c2e0f69 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -275,30 +275,35 @@ define(`devices_manage_dev_symbolic_links_depend',`
 # devices_manage_device_nodes(domain)
 #
 define(`devices_manage_device_nodes',`
-requires_block_template(`$0'_depend)
-allow $1 device_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto };
-allow $1 device_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
-allow $1 device_t:lnk_file { create read getattr setattr link unlink rename };
-allow $1 device_t:{ chr_file blk_file } { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto };
-allow $1 device_node:{ chr_file blk_file } { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto };
-# these next rules are to satisfy assertions broken by the above lines.
-# the permissions hopefully can be cut back a lot
-storage_raw_read_fixed_disk($1)
-storage_raw_write_fixed_disk($1)
-storage_read_scsi_generic($1)
-storage_write_scsi_generic($1)
-typeattribute $1 memory_raw_read;
-typeattribute $1 memory_raw_write;
+	requires_block_template(`$0'_depend)
+
+	allow $1 device_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto };
+	allow $1 device_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
+	allow $1 device_t:lnk_file { create read getattr setattr link unlink rename };
+	allow $1 device_t:{ chr_file blk_file } { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto };
+	allow $1 device_node:{ chr_file blk_file } { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto };
+
+	# these next rules are to satisfy assertions broken by the above lines.
+	# the permissions hopefully can be cut back a lot
+	storage_raw_read_fixed_disk($1)
+	storage_raw_write_fixed_disk($1)
+	storage_read_scsi_generic($1)
+	storage_write_scsi_generic($1)
+
+	typeattribute $1 memory_raw_read;
+	typeattribute $1 memory_raw_write;
 ')
 
 define(`devices_manage_device_nodes_depend',`
-attribute device_node, memory_raw_read, memory_raw_write;
-type device_t;
-class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto };
-class sock_file { create ioctl read getattr lock write setattr append link unlink rename };
-class lnk_file { create read getattr setattr link unlink rename };
-class chr_file { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto };
-class blk_file { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto };
+	attribute device_node, memory_raw_read, memory_raw_write;
+
+	type device_t;
+
+	class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto };
+	class sock_file { create ioctl read getattr lock write setattr append link unlink rename };
+	class lnk_file { create read getattr setattr link unlink rename };
+	class chr_file { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto };
+	class blk_file { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto };
 ')
 
 ########################################
@@ -306,14 +311,16 @@ class blk_file { create ioctl read getattr lock write setattr append link unlink
 # devices_ignore_modify_generic_devices(domain)
 #
 define(`devices_ignore_modify_generic_devices',`
-requires_block_template(`$0'_depend)
-dontaudit $1 device_t:{ chr_file blk_file } { getattr read write ioctl };
+	requires_block_template(`$0'_depend)
+
+	dontaudit $1 device_t:{ chr_file blk_file } { getattr read write ioctl };
 ')
 
 define(`devices_ignore_modify_generic_devices_depend',`
-type device_t;
-class chr_file { getattr read write ioctl };
-class blk_file { getattr read write ioctl };
+	type device_t;
+
+	class chr_file { getattr read write ioctl };
+	class blk_file { getattr read write ioctl };
 ')
 
 ########################################
@@ -321,15 +328,17 @@ class blk_file { getattr read write ioctl };
 # devices_manage_generic_block_devices(domain)
 #
 define(`devices_manage_generic_block_devices',`
-requires_block_template(`$0'_depend)
-allow $1 device_t:dir { getattr search read write add_name remove_name };
-allow $1 device_t:blk_file { create ioctl read getattr lock write setattr append link unlink rename };
+	requires_block_template(`$0'_depend)
+
+	allow $1 device_t:dir rw_dir_perms;
+	allow $1 device_t:blk_file create_file_perms;
 ')
 
 define(`devices_manage_generic_block_devices_depend',`
-type device_t;
-class dir r_dir_perms;
-class blk_file { create ioctl read getattr lock write setattr append link unlink rename };
+	type device_t;
+
+	class dir rw_dir_perms;
+	class blk_file create_file_perms;
 ')
 
 ########################################
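Review bot: Replacing the explicit permission set on `device_t:dir` with `rw_dir_perms` is not a pure reformat. If `rw_dir_perms` has its usual definition (`{ read getattr lock search ioctl add_name remove_name write }`), callers of `devices_manage_generic_block_devices` now also get `lock` and `ioctl` on directories labelled `device_t`; `create_file_perms` appears to match the old explicit `blk_file` list, so only the directory grant widens. The same substitution recurs in the hunks for `devices_manage_generic_character_devices`, `devices_create_dev_entry`, `devices_manage_all_block_devices` and `devices_manage_all_character_devices`. Either record the permission change in the commit message, or keep `{ getattr search read write add_name remove_name }` where the extra permissions are not needed. The `_depend` correction from `class dir r_dir_perms;` to `class dir rw_dir_perms;` is right either way.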
@@ -337,15 +346,17 @@ class blk_file { create ioctl read getattr lock write setattr append link unlink
 # devices_manage_generic_character_devices(domain)
 #
 define(`devices_manage_generic_character_devices',`
-requires_block_template(`$0'_depend)
-allow $1 device_t:dir { getattr search read write add_name remove_name };
-allow $1 device_t:chr_file { create ioctl read getattr lock write setattr append link unlink rename };
+	requires_block_template(`$0'_depend)
+
+	allow $1 device_t:dir rw_dir_perms;
+	allow $1 device_t:chr_file create_file_perms;
 ')
 
 define(`devices_manage_generic_character_devices_depend',`
-type device_t;
-class dir r_dir_perms;
-class chr_file { create ioctl read getattr lock write setattr append link unlink rename };
+	type device_t;
+
+	class dir rw_dir_perms;
+	class chr_file create_file_perms;
 ')
 
 ########################################
@@ -353,17 +364,20 @@ class chr_file { create ioctl read getattr lock write setattr append link unlink
 # devices_create_dev_entry(domain,file,objectclass(es))
 #
 define(`devices_create_dev_entry',`
-requires_block_template(`$0'_depend)
-allow $1 device_t:dir { getattr search read write add_name remove_name };
-type_transition $1 device_t:$3 $2;
-optional_policy(`distro_redhat',`
-filesystem_tmpfs_associate($2)
-')
+	requires_block_template(`$0'_depend)
+
+	allow $1 device_t:dir rw_dir_perms;
+	type_transition $1 device_t:$3 $2;
+
+	optional_policy(`distro_redhat',`
+		filesystem_tmpfs_associate($2)
+	')
 ')
 
 define(`devices_set_dev_entry_depend',`
-type device_t;
-class dir { getattr search read write add_name remove_name };
+	type device_t;
+
+	class dir rw_dir_perms;
 ')
 
 ########################################
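Review bot: The dependency block under `devices_create_dev_entry` is still named `devices_set_dev_entry_depend`, but the interface's `requires_block_template` call expands `$0` to `devices_create_dev_entry` and so asks for `devices_create_dev_entry_depend`. Unless a block of that name exists outside this hunk, the `type device_t;` and `class dir rw_dir_perms;` declarations are never pulled in for this interface; renaming the block to `devices_create_dev_entry_depend` fixes that. The block also declares nothing for the `$3` object class used by the `type_transition` rule, which is worth a comment if it is deliberate. Separately, `distro_redhat` is passed to `optional_policy` here while bootloader.te in this same commit tests it with `tunable_policy`; confirm which is intended.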
@@ -371,15 +385,17 @@ class dir { getattr search read write add_name remove_name };
 # devices_get_all_block_device_attributes(domain)
 #
 define(`devices_get_all_block_device_attributes',`
-requires_block_template(`$0'_depend)
-allow $1 device_t:dir r_dir_perms;
-allow $1 device_node:blk_file getattr;
+	requires_block_template(`$0'_depend)
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 device_node:blk_file getattr;
 ')
 
 define(`devices_get_all_block_device_attributes_depend',`
-attribute device_node;
-class blk_file getattr;
-class dir r_dir_perms;
+	attribute device_node;
+
+	class blk_file getattr;
+	class dir r_dir_perms;
 ')
 
 ########################################
@@ -387,13 +403,15 @@ class dir r_dir_perms;
 # devices_ignore_get_all_block_device_attributes(domain)
 #
 define(`devices_ignore_get_all_block_device_attributes',`
-requires_block_template(`$0'_depend)
-allow $1 device_node:blk_file getattr;
+	requires_block_template(`$0'_depend)
+
+	allow $1 device_node:blk_file getattr;
 ')
 
 define(`devices_ignore_get_all_block_device_attributes_depend',`
-attribute device_node;
-class blk_file getattr;
+	attribute device_node;
+
+	class blk_file getattr;
 ')
 
 ########################################
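Review bot: `devices_ignore_get_all_block_device_attributes` still contains `allow $1 device_node:blk_file getattr;`, so an interface whose name says it suppresses audit noise in fact grants `getattr` on every block device node to the caller. The character-device counterpart in the next hunk but one uses `dontaudit`, which suggests this line should read `dontaudit $1 device_node:blk_file getattr;`. Since the line is being rewritten here anyway, this commit is a good place to fix it. Domains that already call this interface would lose the access, so check callers for any that came to depend on the accidental grant.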
@@ -401,15 +419,17 @@ class blk_file getattr;
 # devices_get_all_character_device_attributes(domain)
 #
 define(`devices_get_all_character_device_attributes',`
-requires_block_template(`$0'_depend)
-allow $1 device_t:dir r_dir_perms;
-allow $1 device_node:chr_file getattr;
+	requires_block_template(`$0'_depend)
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 device_node:chr_file getattr;
 ')
 
 define(`devices_get_all_character_device_attributes_depend',`
-attribute device_node;
-class chr_file getattr;
-class dir r_dir_perms;
+	attribute device_node;
+
+	class chr_file getattr;
+	class dir r_dir_perms;
 ')
 
 ########################################
@@ -417,13 +437,15 @@ class dir r_dir_perms;
 # devices_ignore_get_all_character_device_attributes(domain)
 #
 define(`devices_ignore_get_all_character_device_attributes',`
-requires_block_template(`$0'_depend)
-dontaudit $1 device_node:chr_file getattr;
+	requires_block_template(`$0'_depend)
+
+	dontaudit $1 device_node:chr_file getattr;
 ')
 
 define(`devices_ignore_get_all_character_device_attributes_depend',`
-attribute device_node;
-class chr_file getattr;
+	attribute device_node;
+
+	class chr_file getattr;
 ')
 
 ########################################
@@ -431,13 +453,17 @@ class chr_file getattr;
 # devices_set_all_block_device_attributes(domain)
 #
 define(`devices_set_all_block_device_attributes',`
-requires_block_template(`$0'_depend)
-allow $1 device_node:blk_file setattr;
+	requires_block_template(`$0'_depend)
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 device_node:blk_file setattr;
 ')
 
 define(`devices_set_all_block_device_attributes_depend',`
-attribute device_node;
-class blk_file setattr;
+	attribute device_node;
+
+	class dir r_dir_perms;
+	class blk_file setattr;
 ')
 
 ########################################
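Review bot: The new rule `allow $1 device_t:dir r_dir_perms;` references `device_t`, but `devices_set_all_block_device_attributes_depend` gains only `class dir r_dir_perms;` and still declares no `type device_t;`. Add `type device_t;` next to `attribute device_node;`. The following hunk for `devices_set_all_character_device_attributes` has the same omission, and the unchanged `devices_get_all_block_device_attributes_depend` and `devices_get_all_character_device_attributes_depend` blocks appear to lack it too. It is also worth confirming that setting attributes needs directory `read` at all; if only path lookup is required, `search` on `device_t:dir` would be the narrower grant.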
@@ -445,13 +471,17 @@ class blk_file setattr;
 # devices_set_all_character_device_attributes(domain)
 #
 define(`devices_set_all_character_device_attributes',`
-requires_block_template(`$0'_depend)
-allow $1 device_node:chr_file setattr;
+	requires_block_template(`$0'_depend)
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 device_node:chr_file setattr;
 ')
 
 define(`devices_set_all_character_device_attributes_depend',`
-attribute device_node;
-class chr_file setattr;
+	attribute device_node;
+
+	class dir r_dir_perms;
+	class chr_file setattr;
 ')
 
 ########################################
@@ -459,20 +489,23 @@ class chr_file setattr;
 # devices_manage_all_block_devices(domain)
 #
 define(`devices_manage_all_block_devices',`
-requires_block_template(`$0'_depend)
-allow $1 device_t:dir { getattr search read write add_name remove_name };
-allow $1 device_node:blk_file { create ioctl read getattr lock write setattr append link unlink rename };
-# these next rules are to satisfy assertions broken by the above lines.
-storage_raw_read_fixed_disk($1)
-storage_raw_write_fixed_disk($1)
-storage_read_scsi_generic($1)
-storage_write_scsi_generic($1)
+	requires_block_template(`$0'_depend)
+
+	allow $1 device_t:dir rw_dir_perms;
+	allow $1 device_node:blk_file create_file_perms;
+
+	# these next rules are to satisfy assertions broken by the above lines.
+	storage_raw_read_fixed_disk($1)
+	storage_raw_write_fixed_disk($1)
+	storage_read_scsi_generic($1)
+	storage_write_scsi_generic($1)
 ')
 
 define(`devices_manage_generic_block_devices_depend',`
-attribute device_node;
-class dir r_dir_perms;
-class blk_file { create ioctl read getattr lock write setattr append link unlink rename };
+	attribute device_node;
+
+	class dir rw_dir_perms;
+	class blk_file create_file_perms;
 ')
 
 ########################################
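Review bot: The dependency block that follows `devices_manage_all_block_devices` is defined as `devices_manage_generic_block_devices_depend`, a name already defined earlier in this file for the generic-block interface. Because a later m4 `define` replaces an earlier one, `devices_manage_generic_block_devices` would end up with this body (`attribute device_node;` and no `type device_t;`). Meanwhile `devices_manage_all_block_devices` asks for `devices_manage_all_block_devices_depend`, which is not defined in the visible hunks. Rename the block to `devices_manage_all_block_devices_depend` and add `type device_t;` to it, since the interface also uses `device_t:dir`.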
@@ -480,16 +513,19 @@ class blk_file { create ioctl read getattr lock write setattr append link unlink
 # devices_manage_all_character_devices(domain)
 #
 define(`devices_manage_all_character_devices',`
-requires_block_template(`$0'_depend)
-allow $1 device_t:dir { getattr search read write add_name remove_name };
-allow $1 device_node:chr_file { create ioctl read getattr lock write setattr append link unlink rename };
-typeattribute $1 memory_raw_read, memory_raw_write;
+	requires_block_template(`$0'_depend)
+
+	allow $1 device_t:dir rw_dir_perms;
+	allow $1 device_node:chr_file create_file_perms;
+
+	typeattribute $1 memory_raw_read, memory_raw_write;
 ')
 
 define(`devices_manage_all_character_devices_depend',`
-attribute device_node, memory_raw_read, memory_raw_write;
-class dir r_dir_perms;
-class chr_file { create ioctl read getattr lock write setattr append link unlink rename };
+	attribute device_node, memory_raw_read, memory_raw_write;
+
+	class dir rw_dir_perms;
+	class chr_file create_file_perms;
 ')
 
 ########################################
@@ -497,18 +533,20 @@ class chr_file { create ioctl read getattr lock write setattr append link unlink
 # devices_raw_read_memory(domain)
 #
 define(`devices_raw_read_memory',`
-requires_block_template(`$0'_depend)
-typeattribute $1 memory_raw_read;
-allow $1 device_t:dir r_dir_perms;
-allow $1 memory_device_t:chr_file { getattr read ioctl };
-allow $1 self:capability sys_rawio;
+	requires_block_template(`$0'_depend)
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 memory_device_t:chr_file r_file_perms;
+
+	allow $1 self:capability sys_rawio;
+	typeattribute $1 memory_raw_read;
 ')
 
 define(`devices_raw_read_memory_depend',`
 type device_t, memory_device_t;
 attribute memory_raw_read;
 class dir r_dir_perms;
-class chr_file { getattr read ioctl };
+class chr_file r_file_perms;
 class capability sys_rawio;
 ')
 
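Review bot: Changing `{ getattr read ioctl }` to `r_file_perms` on `memory_device_t:chr_file` may widen access to the raw memory device. If `r_file_perms` is defined as usual (`{ read getattr lock ioctl }`), this adds `lock`. The hunk for `devices_get_random_data` makes the same substitution on `random_device_t`. For an interface this sensitive, state the change in the commit message or keep the explicit set. As a style point, the body of `devices_raw_read_memory_depend` is left at column 0 while every other block touched by this commit is tab-indented with blank lines between the `type`, `attribute` and `class` groups; indent it to match.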
@@ -517,11 +555,13 @@ class capability sys_rawio;
 # devices_raw_write_memory(domain)
 #
 define(`devices_raw_write_memory',`
-requires_block_template(`$0'_depend)
-typeattribute $1 memory_raw_write;
-allow $1 device_t:dir r_dir_perms;
-allow $1 memory_device_t:chr_file write;
-allow $1 self:capability sys_rawio;
+	requires_block_template(`$0'_depend)
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 memory_device_t:chr_file write;
+
+	allow $1 self:capability sys_rawio;
+	typeattribute $1 memory_raw_write;
 ')
 
 define(`devices_raw_write_memory_depend',`
@@ -537,14 +577,16 @@ class capability sys_rawio;
 # devices_legacy_raw_read_memory(domain)
 #
 define(`devices_legacy_raw_read_memory',`
-requires_block_template(`$0'_depend)
-devices_raw_read_memory($1)
-allow $1 memory_device_t:chr_file execute;
+	requires_block_template(`$0'_depend)
+
+	devices_raw_read_memory($1)
+	allow $1 memory_device_t:chr_file execute;
 ')
 
 define(`devices_legacy_raw_read_memory_depend',`
-type device_t, memory_device_t;
-class chr_file execute;
+	type device_t, memory_device_t;
+
+	class chr_file execute;
 ')
 
 ########################################
@@ -552,14 +594,16 @@ class chr_file execute;
 # devices_legacy_raw_write_memory(domain)
 #
 define(`devices_legacy_raw_write_memory',`
-requires_block_template(`$0'_depend)
-devices_raw_write_memory($1)
-allow $1 memory_device_t:chr_file execute;
+	requires_block_template(`$0'_depend)
+
+	devices_raw_write_memory($1)
+	allow $1 memory_device_t:chr_file execute;
 ')
 
 define(`devices_legacy_raw_write_memory_depend',`
-type device_t, memory_device_t;
-class chr_file execute;
+	type device_t, memory_device_t;
+
+	class chr_file execute;
 ')
 
 ########################################
@@ -567,15 +611,17 @@ class chr_file execute;
 # devices_get_random_data(domain)
 #
 define(`devices_get_random_data',`
-requires_block_template(`$0'_depend)
-allow $1 device_t:dir r_dir_perms;
-allow $1 random_device_t:chr_file { getattr read ioctl };
+	requires_block_template(`$0'_depend)
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 random_device_t:chr_file r_file_perms;
 ')
 
 define(`devices_get_random_data_depend',`
-type device_t, random_device_t;
-class dir r_dir_perms;
-class chr_file { getattr read ioctl };
+	type device_t, random_device_t;
+
+	class dir r_dir_perms;
+	class chr_file r_file_perms;
 ')
 
 ########################################
@@ -583,15 +629,17 @@ class chr_file { getattr read ioctl };
 # devices_get_pseudorandom_data(domain)
 #
 define(`devices_get_pseudorandom_data',`
-requires_block_template(`$0'_depend)
-allow $1 device_t:dir r_dir_perms;
-allow $1 urandom_device_t:chr_file { getattr read ioctl };
+	requires_block_template(`$0'_depend)
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 urandom_device_t:chr_file r_file_perms;
 ')
 
 define(`devices_get_pseudorandom_data_depend',`
-type device_t, urandom_device_t;
-class dir r_dir_perms;
-class chr_file { getattr read ioctl };
+	type device_t, urandom_device_t;
+
+	class dir r_dir_perms;
+	class chr_file r_file_perms;
 ')
 
 ########################################
@@ -599,15 +647,17 @@ class chr_file { getattr read ioctl };
 # devices_add_entropy(domain)
 #
 define(`devices_add_entropy',`
-requires_block_template(`$0'_depend)
-allow $1 device_t:dir r_dir_perms;
-allow $1 random_device_t:chr_file { getattr write ioctl };
+	requires_block_template(`$0'_depend)
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 random_device_t:chr_file { getattr write ioctl };
 ')
 
 define(`devices_add_entropy_depend',`
-type device_t, random_device_t;
-class dir r_dir_perms;
-class chr_file { getattr write ioctl };
+	type device_t, random_device_t;
+
+	class dir r_dir_perms;
+	class chr_file { getattr write ioctl };
 ')
 
 ########################################
@@ -615,15 +665,17 @@ class chr_file { getattr write ioctl };
 # devices_set_pseudorandom_seed(domain)
 #
 define(`devices_set_pseudorandom_seed',`
-requires_block_template(`$0'_depend)
-allow $1 device_t:dir r_dir_perms;
-allow $1 urandom_device_t:chr_file { getattr write ioctl };
+	requires_block_template(`$0'_depend)
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 urandom_device_t:chr_file { getattr write ioctl };
 ')
 
 define(`devices_set_pseudorandom_seed_depend',`
-type device_t, urandom_device_t;
-class dir r_dir_perms;
-class chr_file { getattr write ioctl };
+	type device_t, urandom_device_t;
+
+	class dir r_dir_perms;
+	class chr_file { getattr write ioctl };
 ')
 
 ########################################
@@ -631,15 +683,17 @@ class chr_file { getattr write ioctl };
 # devices_use_dev_null(domain)
 #
 define(`devices_use_dev_null',`
-requires_block_template(`$0'_depend)
-allow $1 device_t:dir r_dir_perms;
-allow $1 null_device_t:chr_file rw_file_perms;
+	requires_block_template(`$0'_depend)
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 null_device_t:chr_file rw_file_perms;
 ')
 
 define(`devices_use_dev_null_depend',`
-type device_t, null_device_t;
-class device_t:dir r_dir_perms;
-class chr_file rw_file_perms;
+	type device_t, null_device_t;
+
+	class device_t:dir r_dir_perms;
+	class chr_file rw_file_perms;
 ')
 
 ########################################
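Review bot: `class device_t:dir r_dir_perms;` in `devices_use_dev_null_depend` is re-indented but otherwise carried over, and it is not a class declaration. Every other `_depend` block in this file names only the class, so this line looks like a paste of the `allow` rule's target. It should read `class dir r_dir_perms;`. The same line sits in `devices_use_dev_zero_depend` in the next hunk.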
@@ -647,15 +701,17 @@ class chr_file rw_file_perms;
 # devices_use_dev_zero(domain)
 #
 define(`devices_use_dev_zero',`
-requires_block_template(`$0'_depend)
-allow $1 device_t:dir r_dir_perms;
-allow $1 zero_device_t:chr_file rw_file_perms;
+	requires_block_template(`$0'_depend)
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 zero_device_t:chr_file rw_file_perms;
 ')
 
 define(`devices_use_dev_zero_depend',`
-type device_t, zero_device_t;
-class device_t:dir r_dir_perms;
-class chr_file r_file_perms;
+	type device_t, zero_device_t;
+
+	class device_t:dir r_dir_perms;
+	class chr_file r_file_perms;
 ')
 
 ########################################
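Review bot: `devices_use_dev_zero_depend` declares `class chr_file r_file_perms;` while the interface above it grants `zero_device_t:chr_file rw_file_perms`, so the dependency block does not cover the permissions the interface uses. Since the line is being touched anyway, change it to `class chr_file rw_file_perms;`, which is what `devices_use_dev_null_depend` declares for the equivalent rule.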
@@ -663,14 +719,16 @@ class chr_file r_file_perms;
 # devices_legacy_use_dev_zero(domain)
 #
 define(`devices_legacy_use_dev_zero',`
-requires_block_template(`$0'_depend)
-devices_use_dev_zero($1)
-allow $1 zero_device_t:chr_file execute;
+	requires_block_template(`$0'_depend)
+
+	devices_use_dev_zero($1)
+	allow $1 zero_device_t:chr_file execute;
 ')
 
 define(`devices_legacy_use_dev_zero_depend',`
-type zero_device_t;
-class chr_file execute;
+	type zero_device_t;
+
+	class chr_file execute;
 ')
 
 ########################################
@@ -678,15 +736,16 @@ class chr_file execute;
 # devices_read_realtime_clock(domain)
 #
 define(`devices_read_realtime_clock',`
-requires_block_template(`$0'_depend)
-allow $1 device_t:dir r_dir_perms;
-allow $1 clock_device_t:chr_file { getattr read ioctl };
+	requires_block_template(`$0'_depend)
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 clock_device_t:chr_file r_file_perms;
 ')
 
 define(`devices_read_realtime_clock_depend',`
 type device_t, clock_device_t;
 class dir r_dir_perms;
-class chr_file { getattr read ioctl };
+class chr_file r_file_perms;
 ')
 
 ########################################
@@ -694,15 +753,17 @@ class chr_file { getattr read ioctl };
 # devices_write_realtime_clock(domain)
 #
 define(`devices_write_realtime_clock',`
-requires_block_template(`$0'_depend)
-allow $1 device_t:dir r_dir_perms;
-allow $1 clock_device_t:chr_file { setattr lock write append ioctl };
+	requires_block_template(`$0'_depend)
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 clock_device_t:chr_file { setattr lock write append ioctl };
 ')
 
 define(`devices_write_realtime_clock_depend',`
-type device_t, clock_device_t;
-class dir r_dir_perms;
-class chr_file { setattr lock write append ioctl };
+	type device_t, clock_device_t;
+
+	class dir r_dir_perms;
+	class chr_file { setattr lock write append ioctl };
 ')
 
 ########################################
@@ -710,8 +771,8 @@ class chr_file { setattr lock write append ioctl };
 # devices_modify_realtime_clock(domain)
 #
 define(`devices_modify_realtime_clock',`
-devices_read_realtime_clock($1)
-devices_write_realtime_clock($1)
+	devices_read_realtime_clock($1)
+	devices_write_realtime_clock($1)
 ')
 
 ########################################
@@ -719,15 +780,16 @@ devices_write_realtime_clock($1)
 # devices_record_sound_input(domain)
 #
 define(`devices_record_sound_input',`
-requires_block_template(`$0'_depend)
-allow $1 device_t:dir r_dir_perms;
-allow $1 sound_device_t:chr_file { getattr read ioctl };
+	requires_block_template(`$0'_depend)
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 sound_device_t:chr_file r_file_perms;
 ')
 
 define(`devices_record_sound_input_depend',`
 type device_t, sound_device_t;
 class dir r_dir_perms;
-class chr_file { getattr read ioctl };
+class chr_file r_file_perms;
 ')
 
 ########################################
@@ -735,15 +797,17 @@ class chr_file { getattr read ioctl };
 # devices_play_sound(domain)
 #
 define(`devices_play_sound',`
-requires_block_template(`$0'_depend)
-allow $1 device_t:dir r_dir_perms;
-allow $1 sound_device_t:chr_file { getattr write ioctl };
+	requires_block_template(`$0'_depend)
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 sound_device_t:chr_file { getattr write ioctl };
 ')
 
 define(`devices_play_sound_depend',`
-type device_t, sound_device_t;
-class dir r_dir_perms;
-class chr_file { getattr write ioctl };
+	type device_t, sound_device_t;
+
+	class dir r_dir_perms;
+	class chr_file { getattr write ioctl };
 ')
 
 ########################################
@@ -751,15 +815,17 @@ class chr_file { getattr write ioctl };
 # devices_read_sound_mixer_levels(domain)
 #
 define(`devices_read_sound_mixer_levels',`
-requires_block_template(`$0'_depend)
-allow $1 device_t:dir r_dir_perms;
-allow $1 sound_device_t:chr_file { getattr read ioctl };
+	requires_block_template(`$0'_depend)
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 sound_device_t:chr_file { getattr read ioctl };
 ')
 
 define(`devices_read_sound_mixer_levels_depend',`
-type device_t, sound_device_t;
-class dir r_dir_perms;
-class chr_file { getattr read ioctl };
+	type device_t, sound_device_t;
+
+	class dir r_dir_perms;
+	class chr_file { getattr read ioctl };
 ')
 
 ########################################
@@ -767,15 +833,17 @@ class chr_file { getattr read ioctl };
 # devices_write_sound_mixer_levels(domain)
 #
 define(`devices_write_sound_mixer_levels',`
-requires_block_template(`$0'_depend)
-allow $1 device_t:dir r_dir_perms;
-allow $1 sound_device_t:chr_file { getattr write ioctl };
+	requires_block_template(`$0'_depend)
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 sound_device_t:chr_file { getattr write ioctl };
 ')
 
 define(`devices_write_sound_mixer_levels_depend',`
-type device_t, sound_device_t;
-class dir r_dir_perms;
-class chr_file { getattr write ioctl };
+	type device_t, sound_device_t;
+
+	class dir r_dir_perms;
+	class chr_file { getattr write ioctl };
 ')
 
 ########################################
@@ -783,15 +851,17 @@ class chr_file { getattr write ioctl };
 # devices_direct_agp_access(domain)
 #
 define(`devices_direct_agp_access',`
-requires_block_template(`$0'_depend)
-allow $1 device_t:dir r_dir_perms;
-allow $1 agp_device_t:chr_file { getattr read write ioctl };
+	requires_block_template(`$0'_depend)
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 agp_device_t:chr_file rw_file_perms;
 ')
 
 define(`devices_direct_agp_access_depend',`
-type device_t, agp_device_t;
-class dir r_dir_perms;
-class chr_file { getattr read write ioctl };
+	type device_t, agp_device_t;
+
+	class dir r_dir_perms;
+	class chr_file rw_file_perms;
 ')
 
 ########################################
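Review bot: `rw_file_perms` replaces `{ getattr read write ioctl }` on `agp_device_t` in `devices_direct_agp_access`, which appears to add `lock` and `append`. The `devices_use_lvm_control_channel` hunk in this same commit swaps `{ ioctl read getattr lock write append }` for the same macro, which suggests that is its expansion. The hunks for `devices_use_direct_rendering_interface`, `devices_load_cpu_microcode`, `devices_use_scanner` and `devices_control_system_powermanagement` make the same substitution. In a commit that otherwise only re-indents, extra permissions on device nodes should either be called out in the commit message or dropped by keeping the explicit sets.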
@@ -799,15 +869,17 @@ class chr_file { getattr read write ioctl };
 # devices_get_direct_rendering_interface_attributes(domain)
 #
 define(`devices_get_direct_rendering_interface_attributes',`
-requires_block_template(`$0'_depend)
-allow $1 device_t:dir r_dir_perms;
-allow $1 dri_device_t:chr_file getattr;
+	requires_block_template(`$0'_depend)
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 dri_device_t:chr_file getattr;
 ')
 
 define(`devices_get_direct_rendering_interface_attributes_depend',`
-type device_t, dri_device_t;
-class dir r_dir_perms;
-class chr_file getattr;
+	type device_t, dri_device_t;
+
+	class dir r_dir_perms;
+	class chr_file getattr;
 ')
 
 ########################################
@@ -815,15 +887,17 @@ class chr_file getattr;
 # devices_use_direct_rendering_interface(domain)
 #
 define(`devices_use_direct_rendering_interface',`
-requires_block_template(`$0'_depend)
-allow $1 device_t:dir r_dir_perms;
-allow $1 dri_device_t:chr_file { getattr read write ioctl };
+	requires_block_template(`$0'_depend)
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 dri_device_t:chr_file rw_file_perms;
 ')
 
 define(`devices_use_direct_rendering_interface_depend',`
-type device_t, dri_device_t;
-class dir r_dir_perms;
-class chr_file { getattr read write ioctl };
+	type device_t, dri_device_t;
+
+	class dir r_dir_perms;
+	class chr_file rw_file_perms;
 ')
 
 ########################################
@@ -831,13 +905,15 @@ class chr_file { getattr read write ioctl };
 # devices_ignore_use_direct_rendering_interface(domain)
 #
 define(`devices_ignore_use_direct_rendering_interface',`
-requires_block_template(`$0'_depend)
-dontaudit $1 dri_device_t:chr_file { getattr read write ioctl };
+	requires_block_template(`$0'_depend)
+
+	dontaudit $1 dri_device_t:chr_file { getattr read write ioctl };
 ')
 
 define(`devices_ignore_use_direct_rendering_interface_depend',`
-type dri_device_t;
-class chr_file { getattr read write ioctl };
+	type dri_device_t;
+
+	class chr_file { getattr read write ioctl };
 ')
 
 ########################################
@@ -845,15 +921,17 @@ class chr_file { getattr read write ioctl };
 # devices_read_mtrr(domain)
 #
 define(`devices_read_mtrr',`
-requires_block_template(`$0'_depend)
-allow $1 device_t:dir r_dir_perms;
-allow $1 mtrr_device_t:chr_file { getattr read ioctl };
+	requires_block_template(`$0'_depend)
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 mtrr_device_t:chr_file r_file_perms;
 ')
 
 define(`devices_read_mtrr_depend',`
-type device_t, mtrr_device_t;
-class dir r_dir_perms;
-class chr_file { getattr read ioctl };
+	type device_t, mtrr_device_t;
+
+	class dir r_dir_perms;
+	class chr_file r_file_perms;
 ')
 
 ########################################
@@ -861,15 +939,17 @@ class chr_file { getattr read ioctl };
 # devices_write_mtrr(domain)
 #
 define(`devices_write_mtrr',`
-requires_block_template(`$0'_depend)
-allow $1 device_t:dir r_dir_perms;
-allow $1 mtrr_device_t:chr_file { getattr write ioctl };
+	requires_block_template(`$0'_depend)
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 mtrr_device_t:chr_file { getattr write ioctl };
 ')
 
 define(`devices_write_mtrr_depend',`
-type device_t, mtrr_device_t;
-class dir r_dir_perms;
-class chr_file { getattr write ioctl };
+	type device_t, mtrr_device_t;
+
+	class dir r_dir_perms;
+	class chr_file { getattr write ioctl };
 ')
 
 ########################################
@@ -877,15 +957,17 @@ class chr_file { getattr write ioctl };
 # devices_read_framebuffer(domain)
 #
 define(`devices_read_framebuffer',`
-requires_block_template(`$0'_depend)
-allow $1 device_t:dir r_dir_perms;
-allow $1 framebuf_device_t:chr_file { getattr read ioctl };
+	requires_block_template(`$0'_depend)
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 framebuf_device_t:chr_file r_file_perms;
 ')
 
 define(`devices_read_framebuffer_depend',`
-type framebuf_device_t;
-class dir r_dir_perms;
-class chr_file { getattr read ioctl };
+	type framebuf_device_t;
+
+	class dir r_dir_perms;
+	class chr_file r_file_perms;
 ')
 
 ########################################
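Review bot: `devices_read_framebuffer_depend` still declares only `type framebuf_device_t;`, although the interface allows `$1 device_t:dir r_dir_perms`. This commit adds the missing `device_t` to the three `lvm_control_t` dependency blocks, and the same correction applies here: `type device_t, framebuf_device_t;`. `devices_write_framebuffer_depend` in the next hunk already has both types.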
@@ -893,15 +975,17 @@ class chr_file { getattr read ioctl };
 # devices_write_framebuffer(domain)
 #
 define(`devices_write_framebuffer',`
-requires_block_template(`$0'_depend)
-allow $1 device_t:dir r_dir_perms;
-allow $1 framebuf_device_t:chr_file { getattr write ioctl };
+	requires_block_template(`$0'_depend)
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 framebuf_device_t:chr_file { getattr write ioctl };
 ')
 
 define(`devices_write_framebuffer_depend',`
-type device_t, framebuf_device_t;
-class dir r_dir_perms;
-class chr_file { getattr write ioctl };
+	type device_t, framebuf_device_t;
+
+	class dir r_dir_perms;
+	class chr_file { getattr write ioctl };
 ')
 
 ########################################
@@ -909,15 +993,17 @@ class chr_file { getattr write ioctl };
 # devices_read_lvm_control_channel(domain)
 #
 define(`devices_read_lvm_control_channel',`
-requires_block_template(`$0'_depend)
-allow $1 device_t:dir r_dir_perms;
-allow $1 lvm_control_t:chr_file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 lvm_control_t:chr_file r_file_perms;
 ')
 
 define(`devices_read_lvm_control_channel_depend',`
-type lvm_control_t;
-class dir r_dir_perms;
-class chr_file { ioctl read getattr lock write append };
+	type device_t, lvm_control_t;
+
+	class dir r_dir_perms;
+	class chr_file r_file_perms;
 ')
 
 ########################################
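Review bot: `devices_read_lvm_control_channel` goes from `{ getattr read }` to `r_file_perms`, which widens a read-only interface. Judging by the other substitutions in this commit the macro includes `ioctl`, so callers would gain `ioctl` on `lvm_control_t`. On a control node `ioctl` is presumably how requests are issued, so the grant is broader than the interface name suggests. Unless the callers are known to need it, keep `allow $1 lvm_control_t:chr_file { getattr read };` and declare the same set in the `_depend` block, which previously listed the read-write set and so did not match either.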
@@ -925,15 +1011,17 @@ class chr_file { ioctl read getattr lock write append };
 # devices_use_lvm_control_channel(domain)
 #
 define(`devices_use_lvm_control_channel',`
-requires_block_template(`$0'_depend)
-allow $1 device_t:dir r_dir_perms;
-allow $1 lvm_control_t:chr_file { ioctl read getattr lock write append };
+	requires_block_template(`$0'_depend)
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 lvm_control_t:chr_file rw_file_perms;
 ')
 
 define(`devices_use_lvm_control_channel_depend',`
-type lvm_control_t;
-class dir r_dir_perms;
-class chr_file { ioctl read getattr lock write append };
+	type device_t, lvm_control_t;
+
+	class dir r_dir_perms;
+	class chr_file rw_file_perms;
 ')
 
 ########################################
@@ -941,15 +1029,17 @@ class chr_file { ioctl read getattr lock write append };
 # devices_remove_lvm_control_channel(domain)
 #
 define(`devices_remove_lvm_control_channel',`
-requires_block_template(`$0'_depend)
-allow $1 device_t:dir { getattr search read write remove_name };
-allow $1 lvm_control_t:chr_file unlink;
+	requires_block_template(`$0'_depend)
+
+	allow $1 device_t:dir { getattr search read write remove_name };
+	allow $1 lvm_control_t:chr_file unlink;
 ')
 
 define(`devices_remove_lvm_control_channel_depend',`
-type lvm_control_t;
-class dir { getattr search read write remove_name };
-class chr_file unlink;
+	type device_t, lvm_control_t;
+
+	class dir { getattr search read write remove_name };
+	class chr_file unlink;
 ')
 
 ########################################
@@ -957,15 +1047,17 @@ class chr_file unlink;
 # devices_read_misc(domain)
 #
 define(`devices_read_misc',`
-requires_block_template(`$0'_depend)
-allow $1 device_t:dir r_dir_perms;
-allow $1 misc_device_t:chr_file { getattr read ioctl };
+	requires_block_template(`$0'_depend)
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 misc_device_t:chr_file r_file_perms;
 ')
 
 define(`devices_read_misc_depend',`
-type device_t, misc_device_t;
-class dir r_dir_perms;
-class chr_file { getattr read ioctl };
+	type device_t, misc_device_t;
+
+	class dir r_dir_perms;
+	class chr_file r_file_perms;
 ')
 
 ########################################
@@ -973,15 +1065,17 @@ class chr_file { getattr read ioctl };
 # devices_write_misc(domain)
 #
 define(`devices_write_misc',`
-requires_block_template(`$0'_depend)
-allow $1 device_t:dir r_dir_perms;
-allow $1 misc_device_t:chr_file { getattr write ioctl };
+	requires_block_template(`$0'_depend)
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 misc_device_t:chr_file { getattr write ioctl };
 ')
 
 define(`devices_write_misc_depend',`
-type device_t, misc_device_t;
-class dir r_dir_perms;
-class chr_file { getattr write ioctl };
+	type device_t, misc_device_t;
+
+	class dir r_dir_perms;
+	class chr_file { getattr write ioctl };
 ')
 
 ########################################
@@ -989,15 +1083,17 @@ class chr_file { getattr write ioctl };
 # devices_get_mouse_input(domain)
 #
 define(`devices_get_mouse_input',`
-requires_block_template(`$0'_depend)
-allow $1 device_t:dir r_dir_perms;
-allow $1 mouse_device_t:chr_file { getattr read ioctl };
+	requires_block_template(`$0'_depend)
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 mouse_device_t:chr_file r_file_perms;
 ')
 
 define(`devices_get_mouse_input_depend',`
-type device_t, mouse_device_t;
-allow $1 device_t:dir r_dir_perms;
-class chr_file { getattr read ioctl };
+	type device_t, mouse_device_t;
+
+	allow $1 device_t:dir r_dir_perms;
+	class chr_file r_file_perms;
 ')
 
 ########################################
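Review bot: `devices_get_mouse_input_depend` contains `allow $1 device_t:dir r_dir_perms;`, an access rule, where every sibling `_depend` block has a class declaration. The re-indent keeps it as is, so the block still does not declare the `dir` class the interface relies on. It should be `class dir r_dir_perms;`.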
@@ -1005,15 +1101,17 @@ class chr_file { getattr read ioctl };
 # devices_get_input_event(domain)
 #
 define(`devices_get_input_event',`
-requires_block_template(`$0'_depend)
-allow $1 device_t:dir r_dir_perms;
-allow $1 event_device_t:chr_file { getattr read ioctl };
+	requires_block_template(`$0'_depend)
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 event_device_t:chr_file r_file_perms;
 ')
 
 define(`devices_get_input_event_depend',`
-type device_t, event_device_t;
-class dir r_dir_perms;
-class chr_file { getattr read ioctl };
+	type device_t, event_device_t;
+
+	class dir r_dir_perms;
+	class chr_file r_file_perms;
 ')
 
 ########################################
@@ -1021,15 +1119,17 @@ class chr_file { getattr read ioctl };
 # devices_get_cpuid(domain)
 #
 define(`devices_get_cpuid',`
-requires_block_template(`$0'_depend)
-allow $1 device_t:dir r_dir_perms;
-allow $1 cpu_device_t:chr_file { getattr read ioctl };
+	requires_block_template(`$0'_depend)
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 cpu_device_t:chr_file r_file_perms;
 ')
 
 define(`devices_get_cpuid_depend',`
-type device_t, cpu_device_t;
-class dir r_dir_perms;
-class chr_file { getattr read ioctl };
+	type device_t, cpu_device_t;
+
+	class dir r_dir_perms;
+	class chr_file r_file_perms;
 ')
 
 ########################################
@@ -1037,15 +1137,17 @@ class chr_file { getattr read ioctl };
 # devices_load_cpu_microcode(domain)
 #
 define(`devices_load_cpu_microcode',`
-requires_block_template(`$0'_depend)
-allow $1 device_t:dir r_dir_perms;
-allow $1 cpu_device_t:chr_file { getattr read write ioctl };
+	requires_block_template(`$0'_depend)
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 cpu_device_t:chr_file rw_file_perms;
 ')
 
 define(`devices_load_cpu_microcode_depend',`
-type device_t, cpu_device_t;
-class dir r_dir_perms;
-class chr_file { getattr read write ioctl };
+	type device_t, cpu_device_t;
+
+	class dir r_dir_perms;
+	class chr_file rw_file_perms;
 ')
 
 ########################################
@@ -1053,15 +1155,17 @@ class chr_file { getattr read write ioctl };
 # devices_use_scanner(domain)
 #
 define(`devices_use_scanner',`
-requires_block_template(`$0'_depend)
-allow $1 device_t:dir r_dir_perms;
-allow $1 scanner_device_t:chr_file { getattr read write ioctl };
+	requires_block_template(`$0'_depend)
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 scanner_device_t:chr_file rw_file_perms;
 ')
 
 define(`devices_use_scanner_depend',`
-type device_t, scanner_device_t;
-class dir r_dir_perms;
-class chr_file { getattr read write ioctl };
+	type device_t, scanner_device_t;
+
+	class dir r_dir_perms;
+	class chr_file rw_file_perms;
 ')
 
 ########################################
@@ -1069,15 +1173,17 @@ class chr_file { getattr read write ioctl };
 # devices_control_system_powermanagement(domain)
 #
 define(`devices_control_system_powermanagement',`
-requires_block_template(`$0'_depend)
-allow $1 device_t:dir r_dir_perms;
-allow $1 power_device_t:chr_file { getattr read write ioctl };
+	requires_block_template(`$0'_depend)
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 power_device_t:chr_file rw_file_perms;
 ')
 
 define(`devices_control_system_powermanagement_depend',`
-type device_t, power_device_t;
-class dir r_dir_perms;
-class chr_file { getattr read write ioctl };
+	type device_t, power_device_t;
+
+	class dir r_dir_perms;
+	class chr_file rw_file_perms;
 ')
 
 ## </module>
diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if
index 069fd55f7..bf7e3201f 100644
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@@ -6,12 +6,13 @@
 # filesystem_make_filesystem(type)
 #
 define(`filesystem_make_filesystem',`
-requires_block_template(`$0'_depend)
-typeattribute $1 fs_type;
+	requires_block_template(`$0'_depend)
+
+	typeattribute $1 fs_type;
 ')
 
 define(`filesystem_make_filesystem_depend',`
-attribute fs_type;
+	attribute fs_type;
 ')
 
 ########################################
@@ -19,13 +20,15 @@ attribute fs_type;
 # filesystem_associate(type)
 #
 define(`filesystem_associate',`
-requires_block_template(`$0'_depend)
-allow $1 fs_t:filesystem associate;
+	requires_block_template(`$0'_depend)
+
+	allow $1 fs_t:filesystem associate;
 ')
 
 define(`filesystem_associate_depend',`
-type fs_t;
-class filesystem associate;
+	type fs_t;
+
+	class filesystem associate;
 ')
 
 ########################################
@@ -33,19 +36,21 @@ class filesystem associate;
 # filesystem_noxattr_associate(type)
 #
 define(`filesystem_noxattr_associate',`
-requires_block_template(`$0'_depend)
-allow $1 autofs_t:filesystem associate;
-allow $1 cifs_t:filesystem associate;
-allow $1 dosfs_t:filesystem associate;
-allow $1 iso9660_t:filesystem associate;
-allow $1 nfs_t:filesystem associate;
-allow $1 removable_t:filesystem associate;
-allow $1 usbfs_t:filesystem associate;
+	requires_block_template(`$0'_depend)
+
+	allow $1 autofs_t:filesystem associate;
+	allow $1 cifs_t:filesystem associate;
+	allow $1 dosfs_t:filesystem associate;
+	allow $1 iso9660_t:filesystem associate;
+	allow $1 nfs_t:filesystem associate;
+	allow $1 removable_t:filesystem associate;
+	allow $1 usbfs_t:filesystem associate;
 ')
 
 define(`filesystem_noxattr_associate_depend',`
-type fs_t, nfs_t, cifs_t, dosfs_t, iso9660_t, autofs_t, usbfs_t, removable_t;
-class filesystem associate;
+	type fs_t, nfs_t, cifs_t, dosfs_t, iso9660_t, autofs_t, usbfs_t, removable_t;
+
+	class filesystem associate;
 ')
 
 ########################################
@@ -53,13 +58,15 @@ class filesystem associate;
 # filesystem_mount_persistent_filesystem(domain)
 #
 define(`filesystem_mount_persistent_filesystem',`
-requires_block_template(`$0'_depend)
-allow $1 fs_t:filesystem mount;
+	requires_block_template(`$0'_depend)
+
+	allow $1 fs_t:filesystem mount;
 ')
 
 define(`filesystem_mount_persistent_filesystem_depend',`
-type fs_t;
-class filesystem mount;
+	type fs_t;
+
+	class filesystem mount;
 ')
 
 ########################################
@@ -67,13 +74,15 @@ class filesystem mount;
 # filesystem_remount_persistent_filesystem(domain)
 #
 define(`filesystem_remount_persistent_filesystem',`
-requires_block_template(`$0'_depend)
-allow $1 fs_t:filesystem remount;
+	requires_block_template(`$0'_depend)
+
+	allow $1 fs_t:filesystem remount;
 ')
 
 define(`filesystem_remount_persistent_filesystem_depend',`
-type fs_t;
-class filesystem remount;
+	type fs_t;
+
+	class filesystem remount;
 ')
 
 ########################################
@@ -81,13 +90,15 @@ class filesystem remount;
 # filesystem_unmount_persistent_filesystem(domain)
 #
 define(`filesystem_unmount_persistent_filesystem',`
-requires_block_template(`$0'_depend)
-allow $1 fs_t:filesystem mount;
+	requires_block_template(`$0'_depend)
+
+	allow $1 fs_t:filesystem mount;
 ')
 
 define(`filesystem_unmount_persistent_filesystem_depend',`
-type fs_t;
-class filesystem unmount;
+	type fs_t;
+
+	class filesystem unmount;
 ')
 
 ########################################
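Review bot: `filesystem_unmount_persistent_filesystem` grants `fs_t:filesystem mount`, while its `_depend` block declares `class filesystem unmount;`. The interface therefore hands out a permission its name does not imply, and callers never receive `unmount`. The rule should be `allow $1 fs_t:filesystem unmount;`. The same copy-paste survives the re-indent in `filesystem_unmount_automount_filesystem` (`autofs_t`) and `filesystem_unmount_windows_network_filesystem` (`cifs_t`) further down.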
@@ -95,13 +106,15 @@ class filesystem unmount;
 # filesystem_get_persistent_filesystem_attributes(domain)
 #
 define(`filesystem_get_persistent_filesystem_attributes',`
-requires_block_template(`$0'_depend)
-allow $1 fs_t:filesystem getattr;
+	requires_block_template(`$0'_depend)
+
+	allow $1 fs_t:filesystem getattr;
 ')
 
 define(`filesystem_get_persistent_filesystem_attributes_depend',`
-type fs_t;
-class filesystem getattr;
+	type fs_t;
+
+	class filesystem getattr;
 ')
 
 ########################################
@@ -109,13 +122,15 @@ class filesystem getattr;
 # filesystem_ignore_get_persistent_filesystem_attributes(domain)
 #
 define(`filesystem_ignore_get_persistent_filesystem_attributes',`
-requires_block_template(`$0'_depend)
-dontaudit $1 fs_t:filesystem getattr;
+	requires_block_template(`$0'_depend)
+
+	dontaudit $1 fs_t:filesystem getattr;
 ')
 
 define(`filesystem_ignore_get_persistent_filesystem_attributes_depend',`
-type fs_t;
-class filesystem getattr;
+	type fs_t;
+
+	class filesystem getattr;
 ')
 
 ########################################
@@ -123,13 +138,15 @@ class filesystem getattr;
 # filesystem_relabelfrom_persistent_filesystem(domain)
 #
 define(`filesystem_relabelfrom_persistent_filesystem',`
-requires_block_template(`$0'_depend)
-allow $1 fs_t:filesystem relabelfrom;
+	requires_block_template(`$0'_depend)
+
+	allow $1 fs_t:filesystem relabelfrom;
 ')
 
 define(`filesystem_relabelfrom_persistent_filesystem_depend',`
-type fs_t;
-class filesystem relabelfrom;
+	type fs_t;
+
+	class filesystem relabelfrom;
 ')
 
 ########################################
@@ -137,13 +154,14 @@ class filesystem relabelfrom;
 # filesystem_mount_automount_filesystem(domain)
 #
 define(`filesystem_mount_automount_filesystem',`
-requires_block_template(`$0'_depend)
-allow $1 autofs_t:filesystem mount;
+	requires_block_template(`$0'_depend)
+
+	allow $1 autofs_t:filesystem mount;
 ')
 
 define(`filesystem_mount_automount_filesystem_depend',`
-type autofs_t;
-class filesystem mount;
+	type autofs_t;
+	class filesystem mount;
 ')
 
 ########################################
@@ -151,13 +169,15 @@ class filesystem mount;
 # filesystem_remount_automount_filesystem(domain)
 #
 define(`filesystem_remount_automount_filesystem',`
-requires_block_template(`$0'_depend)
-allow $1 autofs_t:filesystem remount;
+	requires_block_template(`$0'_depend)
+
+	allow $1 autofs_t:filesystem remount;
 ')
 
 define(`filesystem_remount_automount_filesystem_depend',`
-type autofs_t;
-class filesystem remount;
+	type autofs_t;
+
+	class filesystem remount;
 ')
 
 ########################################
@@ -165,13 +185,15 @@ class filesystem remount;
 # filesystem_unmount_automount_filesystem(domain)
 #
 define(`filesystem_unmount_automount_filesystem',`
-requires_block_template(`$0'_depend)
-allow $1 autofs_t:filesystem mount;
+	requires_block_template(`$0'_depend)
+
+	allow $1 autofs_t:filesystem mount;
 ')
 
 define(`filesystem_unmount_automount_filesystem_depend',`
-type autofs_t;
-class filesystem unmount;
+	type autofs_t;
+
+	class filesystem unmount;
 ')
 
 ########################################
@@ -179,13 +201,15 @@ class filesystem unmount;
 # filesystem_get_automount_filesystem_attributes(domain)
 #
 define(`filesystem_get_automount_filesystem_attributes',`
-requires_block_template(`$0'_depend)
-allow $1 autofs_t:filesystem getattr;
+	requires_block_template(`$0'_depend)
+
+	allow $1 autofs_t:filesystem getattr;
 ')
 
 define(`filesystem_get_automount_filesystem_attributes_depend',`
-type autofs_t;
-class filesystem getattr;
+	type autofs_t;
+
+	class filesystem getattr;
 ')
 
 ########################################
@@ -193,15 +217,17 @@ class filesystem getattr;
 # filesystem_register_binary_executable_type(domain)
 #
 define(`filesystem_register_binary_executable_type',`
-requires_block_template(`$0'_depend)
-allow $1 binfmt_misc_fs_t:dir { getattr search };
-allow $1 binfmt_misc_fs_t:file { getattr ioctl write };
+	requires_block_template(`$0'_depend)
+
+	allow $1 binfmt_misc_fs_t:dir { getattr search };
+	allow $1 binfmt_misc_fs_t:file { getattr ioctl write };
 ')
 
 define(`filesystem_register_binary_executable_type_depend',`
-type binfmt_misc_fs_t;
-class dir { getattr search };
-class file { getattr ioctl write };
+	type binfmt_misc_fs_t;
+
+	class dir { getattr search };
+	class file { getattr ioctl write };
 ')
 
 ########################################
@@ -209,13 +235,15 @@ class file { getattr ioctl write };
 # filesystem_mount_windows_network_filesystem(domain)
 #
 define(`filesystem_mount_windows_network_filesystem',`
-requires_block_template(`$0'_depend)
-allow $1 cifs_t:filesystem mount;
+	requires_block_template(`$0'_depend)
+
+	allow $1 cifs_t:filesystem mount;
 ')
 
 define(`filesystem_mount_windows_network_filesystem_depend',`
-type cifs_t;
-class filesystem mount;
+	type cifs_t;
+
+	class filesystem mount;
 ')
 
 ########################################
@@ -223,13 +251,15 @@ class filesystem mount;
 # filesystem_remount_windows_network_filesystem(domain)
 #
 define(`filesystem_remount_windows_network_filesystem',`
-requires_block_template(`$0'_depend)
-allow $1 cifs_t:filesystem remount;
+	requires_block_template(`$0'_depend)
+
+	allow $1 cifs_t:filesystem remount;
 ')
 
 define(`filesystem_remount_windows_network_filesystem_depend',`
-type cifs_t;
-class filesystem remount;
+	type cifs_t;
+
+	class filesystem remount;
 ')
 
 ########################################
@@ -237,13 +267,15 @@ class filesystem remount;
 # filesystem_unmount_windows_network_filesystem(domain)
 #
 define(`filesystem_unmount_windows_network_filesystem',`
-requires_block_template(`$0'_depend)
-allow $1 cifs_t:filesystem mount;
+	requires_block_template(`$0'_depend)
+
+	allow $1 cifs_t:filesystem mount;
 ')
 
 define(`filesystem_unmount_windows_network_filesystem_depend',`
-type cifs_t;
-class filesystem unmount;
+	type cifs_t;
+
+	class filesystem unmount;
 ')
 
 ########################################
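Review bot: `filesystem_unmount_windows_network_filesystem` still grants `cifs_t:filesystem mount`, while its `_depend` block requires `class filesystem unmount`, so the interface gives callers the mount permission and never the unmount it is named for. The re-indented rule should read `allow $1 cifs_t:filesystem unmount;`. The same carried-over mismatch appears in the unmount interfaces for dosfs_t, iso9660_t, nfs_t, nfsd_fs_t, ramfs_t, romfs_t, rpc_pipefs_t and tmpfs_t in the later hunks of this file. Each of them over-grants mount to a domain that only asked to unmount.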
@@ -251,13 +283,15 @@ class filesystem unmount;
 # filesystem_get_windows_network_filesystem_attributes(domain)
 #
 define(`filesystem_get_windows_network_filesystem_attributes',`
-requires_block_template(`$0'_depend)
-allow $1 cifs_t:filesystem getattr;
+	requires_block_template(`$0'_depend)
+
+	allow $1 cifs_t:filesystem getattr;
 ')
 
 define(`filesystem_get_windows_network_filesystem_attributes_depend',`
-type cifs_t;
-class filesystem getattr;
+	type cifs_t;
+
+	class filesystem getattr;
 ')
 
 ########################################
@@ -265,15 +299,17 @@ class filesystem getattr;
 # filesystem_execute_windows_network_files(domain)
 #
 define(`filesystem_execute_windows_network_files',`
-requires_block_template(`$0'_depend)
-allow $1 cifs_t:dir { getattr search read };
-allow $1 cifs_t:file { getattr read execute execute_no_trans };
+	requires_block_template(`$0'_depend)
+
+	allow $1 cifs_t:dir r_dir_perms;
+	allow $1 cifs_t:file { getattr read execute execute_no_trans };
 ')
 
 define(`filesystem_execute_windows_network_files_depend',`
-type cifs_t;
-class dir { getattr search read };
-class file { getattr read execute execute_no_trans };
+	type cifs_t;
+
+	class dir r_dir_perms;
+	class file { getattr read execute execute_no_trans };
 ')
 
 ########################################
@@ -281,13 +317,15 @@ class file { getattr read execute execute_no_trans };
 # filesystem_manage_windows_network_directories(domain)
 #
 define(`filesystem_manage_windows_network_directories',`
-requires_block_template(`$0'_depend)
-allow $1 cifs_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
+	requires_block_template(`$0'_depend)
+
+	allow $1 cifs_t:dir create_file_perms;
 ')
 
 define(`filesystem_manage_windows_network_directories_depend',`
-type cifs_t;
-class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
+	type cifs_t;
+
+	class dir create_file_perms;
 ')
 
 ########################################
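Review bot: `allow $1 cifs_t:dir create_file_perms;` applies a file permission set to the dir class, where the NFS counterpart later in this file uses `create_dir_perms`. The removed rule granted search, add_name, remove_name, reparent and rmdir. If `create_file_perms` expands to the file set it replaces elsewhere in this commit, none of those survive, and directory management on cifs_t silently loses them. Both the allow rule and the `class dir` line in the `_depend` block should use `create_dir_perms`.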
@@ -295,15 +333,17 @@ class dir { create read getattr lock setattr ioctl link unlink rename search add
 # filesystem_manage_windows_network_files(domain)
 #
 define(`filesystem_manage_windows_network_files',`
-requires_block_template(`$0'_depend)
-allow $1 cifs_t:dir { getattr search read write add_name remove_name };
-allow $1 cifs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+	requires_block_template(`$0'_depend)
+
+	allow $1 cifs_t:dir rw_dir_perms;
+	allow $1 cifs_t:file create_file_perms;
 ')
 
 define(`filesystem_manage_windows_network_files_depend',`
-type cifs_t;
-class dir { getattr search read write add_name remove_name };
-class file { create ioctl read getattr lock write setattr append link unlink rename };
+	type cifs_t;
+
+	class dir rw_dir_perms;
+	class file create_file_perms;
 ')
 
 ########################################
@@ -311,15 +351,17 @@ class file { create ioctl read getattr lock write setattr append link unlink ren
 # filesystem_manage_windows_network_symbolic_links(domain)
 #
 define(`filesystem_manage_windows_network_symbolic_links',`
-requires_block_template(`$0'_depend)
-allow $1 cifs_t:dir { getattr search read write add_name remove_name };
-allow $1 cifs_t:lnk_file { create ioctl read getattr lock write setattr append link unlink rename };
+	requires_block_template(`$0'_depend)
+
+	allow $1 cifs_t:dir rw_dir_perms;
+	allow $1 cifs_t:lnk_file create_lnk_perms;
 ')
 
 define(`filesystem_manage_windows_network_symbolic_links_depend',`
-type cifs_t;
-class dir { getattr search read write add_name remove_name };
-class lnk_file { create ioctl read getattr lock write setattr append link unlink rename };
+	type cifs_t;
+
+	class dir rw_dir_perms;
+	class lnk_file create_lnk_perms;
 ')
 
 ########################################
@@ -327,15 +369,17 @@ class lnk_file { create ioctl read getattr lock write setattr append link unlink
 # filesystem_manage_windows_network_named_pipes(domain)
 #
 define(`filesystem_manage_windows_network_named_pipes',`
-requires_block_template(`$0'_depend)
-allow $1 cifs_t:dir { getattr search read write add_name remove_name };
-allow $1 cifs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
+	requires_block_template(`$0'_depend)
+
+	allow $1 cifs_t:dir rw_dir_perms;
+	allow $1 cifs_t:fifo_file create_file_perms;
 ')
 
 define(`filesystem_manage_windows_network_named_pipes_depend',`
-type cifs_t;
-class dir { getattr search read write add_name remove_name };
-class fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
+	type cifs_t;
+
+	class dir rw_dir_perms;
+	class fifo_file create_file_perms;
 ')
 
 ########################################
@@ -343,15 +387,17 @@ class fifo_file { create ioctl read getattr lock write setattr append link unlin
 # filesystem_manage_windows_network_named_sockets(domain)
 #
 define(`filesystem_manage_windows_network_named_sockets',`
-requires_block_template(`$0'_depend)
-allow $1 cifs_t:dir { getattr search read write add_name remove_name };
-allow $1 cifs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
+	requires_block_template(`$0'_depend)
+
+	allow $1 cifs_t:dir rw_file_perms;
+	allow $1 cifs_t:sock_file create_file_perms;
 ')
 
 define(`filesystem_manage_windows_network_named_sockets_depend',`
-type cifs_t;
-class dir { getattr search read write add_name remove_name };
-class sock_file { create ioctl read getattr lock write setattr append link unlink rename };
+	type cifs_t;
+
+	class dir rw_dir_perms;
+	class sock_file create_file_perms;
 ')
 
 ########################################
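Review bot: In `filesystem_manage_windows_network_named_sockets` the directory rule became `allow $1 cifs_t:dir rw_file_perms;`, a file permission set on the dir class. The `_depend` block in the same hunk and the sibling symlink and named-pipe interfaces all use `rw_dir_perms`. The removed rule carried search, add_name and remove_name, which a file-oriented set is unlikely to include, so socket creation under cifs_t directories would presumably be denied. The line should be `allow $1 cifs_t:dir rw_dir_perms;`.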
@@ -359,13 +405,15 @@ class sock_file { create ioctl read getattr lock write setattr append link unlin
 # filesystem_mount_dos_filesystem(domain)
 #
 define(`filesystem_mount_dos_filesystem',`
-requires_block_template(`$0'_depend)
-allow $1 dosfs_t:filesystem mount;
+	requires_block_template(`$0'_depend)
+
+	allow $1 dosfs_t:filesystem mount;
 ')
 
 define(`filesystem_mount_dos_filesystem_depend',`
-type dosfs_t;
-class filesystem mount;
+	type dosfs_t;
+
+	class filesystem mount;
 ')
 
 ########################################
@@ -373,13 +421,15 @@ class filesystem mount;
 # filesystem_remount_dos_filesystem(domain)
 #
 define(`filesystem_remount_dos_filesystem',`
-requires_block_template(`$0'_depend)
-allow $1 dosfs_t:filesystem remount;
+	requires_block_template(`$0'_depend)
+
+	allow $1 dosfs_t:filesystem remount;
 ')
 
 define(`filesystem_remount_dos_filesystem_depend',`
-type dosfs_t;
-class filesystem remount;
+	type dosfs_t;
+
+	class filesystem remount;
 ')
 
 ########################################
@@ -387,13 +437,15 @@ class filesystem remount;
 # filesystem_unmount_dos_filesystem(domain)
 #
 define(`filesystem_unmount_dos_filesystem',`
-requires_block_template(`$0'_depend)
-allow $1 dosfs_t:filesystem mount;
+	requires_block_template(`$0'_depend)
+
+	allow $1 dosfs_t:filesystem mount;
 ')
 
 define(`filesystem_unmount_dos_filesystem_depend',`
-type dosfs_t;
-class filesystem unmount;
+	type dosfs_t;
+
+	class filesystem unmount;
 ')
 
 ########################################
@@ -401,13 +453,15 @@ class filesystem unmount;
 # filesystem_get_dos_filesystem_attributes(domain)
 #
 define(`filesystem_get_dos_filesystem_attributes',`
-requires_block_template(`$0'_depend)
-allow $1 dosfs_t:filesystem getattr;
+	requires_block_template(`$0'_depend)
+
+	allow $1 dosfs_t:filesystem getattr;
 ')
 
 define(`filesystem_get_dos_filesystem_attributes_depend',`
-type dosfs_t;
-class filesystem getattr;
+	type dosfs_t;
+
+	class filesystem getattr;
 ')
 
 ########################################
@@ -415,13 +469,15 @@ class filesystem getattr;
 # filesystem_relabelfrom_dos_filesystem(domain)
 #
 define(`filesystem_relabelfrom_dos_filesystem',`
-requires_block_template(`$0'_depend)
-allow $1 dosfs_t:filesystem relabelfrom;
+	requires_block_template(`$0'_depend)
+
+	allow $1 dosfs_t:filesystem relabelfrom;
 ')
 
 define(`filesystem_relabelfrom_dos_filesystem_depend',`
-type dosfs_t;
-class filesystem relabelfrom;
+	type dosfs_t;
+
+	class filesystem relabelfrom;
 ')
 
 ########################################
@@ -429,13 +485,15 @@ class filesystem relabelfrom;
 # filesystem_mount_cd_filesystem(domain)
 #
 define(`filesystem_mount_cd_filesystem',`
-requires_block_template(`$0'_depend)
-allow $1 iso9660_t:filesystem mount;
+	requires_block_template(`$0'_depend)
+
+	allow $1 iso9660_t:filesystem mount;
 ')
 
 define(`filesystem_mount_cd_filesystem_depend',`
-type iso9660_t;
-class filesystem mount;
+	type iso9660_t;
+
+	class filesystem mount;
 ')
 
 ########################################
@@ -443,13 +501,15 @@ class filesystem mount;
 # filesystem_remount_cd_filesystem(domain)
 #
 define(`filesystem_remount_cd_filesystem',`
-requires_block_template(`$0'_depend)
-allow $1 iso9660_t:filesystem remount;
+	requires_block_template(`$0'_depend)
+
+	allow $1 iso9660_t:filesystem remount;
 ')
 
 define(`filesystem_remount_cd_filesystem_depend',`
-type iso9660_t;
-class filesystem remount;
+	type iso9660_t;
+
+	class filesystem remount;
 ')
 
 ########################################
@@ -457,13 +517,15 @@ class filesystem remount;
 # filesystem_unmount_cd_filesystem(domain)
 #
 define(`filesystem_unmount_cd_filesystem',`
-requires_block_template(`$0'_depend)
-allow $1 iso9660_t:filesystem mount;
+	requires_block_template(`$0'_depend)
+
+	allow $1 iso9660_t:filesystem mount;
 ')
 
 define(`filesystem_unmount_cd_filesystem_depend',`
-type iso9660_t;
-class filesystem unmount;
+	type iso9660_t;
+
+	class filesystem unmount;
 ')
 
 ########################################
@@ -471,13 +533,15 @@ class filesystem unmount;
 # filesystem_get_cd_filesystem_attributes(domain)
 #
 define(`filesystem_get_cd_filesystem_attributes',`
-requires_block_template(`$0'_depend)
-allow $1 iso9660_t:filesystem getattr;
+	requires_block_template(`$0'_depend)
+
+	allow $1 iso9660_t:filesystem getattr;
 ')
 
 define(`filesystem_get_cd_filesystem_attributes_depend',`
-type iso9660_t;
-class filesystem getattr;
+	type iso9660_t;
+
+	class filesystem getattr;
 ')
 
 ########################################
@@ -485,13 +549,15 @@ class filesystem getattr;
 # filesystem_mount_nfs_filesystem(domain)
 #
 define(`filesystem_mount_nfs_filesystem',`
-requires_block_template(`$0'_depend)
-allow $1 nfs_t:filesystem mount;
+	requires_block_template(`$0'_depend)
+
+	allow $1 nfs_t:filesystem mount;
 ')
 
 define(`filesystem_mount_nfs_filesystem_depend',`
-type nfs_t;
-class filesystem mount;
+	type nfs_t;
+
+	class filesystem mount;
 ')
 
 ########################################
@@ -499,13 +565,15 @@ class filesystem mount;
 # filesystem_remount_nfs_filesystem(domain)
 #
 define(`filesystem_remount_nfs_filesystem',`
-requires_block_template(`$0'_depend)
-allow $1 nfs_t:filesystem remount;
+	requires_block_template(`$0'_depend)
+
+	allow $1 nfs_t:filesystem remount;
 ')
 
 define(`filesystem_remount_nfs_filesystem_depend',`
-type nfs_t;
-class filesystem remount;
+	type nfs_t;
+
+	class filesystem remount;
 ')
 
 ########################################
@@ -513,13 +581,15 @@ class filesystem remount;
 # filesystem_unmount_nfs_filesystem(domain)
 #
 define(`filesystem_unmount_nfs_filesystem',`
-requires_block_template(`$0'_depend)
-allow $1 nfs_t:filesystem mount;
+	requires_block_template(`$0'_depend)
+
+	allow $1 nfs_t:filesystem mount;
 ')
 
 define(`filesystem_unmount_nfs_filesystem_depend',`
-type nfs_t;
-class filesystem unmount;
+	type nfs_t;
+
+	class filesystem unmount;
 ')
 
 ########################################
@@ -527,13 +597,15 @@ class filesystem unmount;
 # filesystem_get_nfs_filesystem_attributes(domain)
 #
 define(`filesystem_get_nfs_filesystem_attributes',`
-requires_block_template(`$0'_depend)
-allow $1 nfs_t:filesystem getattr;
+	requires_block_template(`$0'_depend)
+
+	allow $1 nfs_t:filesystem getattr;
 ')
 
 define(`filesystem_get_nfs_filesystem_attributes_depend',`
-type nfs_t;
-class filesystem getattr;
+	type nfs_t;
+
+	class filesystem getattr;
 ')
 
 ########################################
@@ -541,15 +613,17 @@ class filesystem getattr;
 # filesystem_execute_nfs_files(domain)
 #
 define(`filesystem_execute_nfs_files',`
-requires_block_template(`$0'_depend)
-allow $1 nfs_t:dir { getattr search read };
-allow $1 nfs_t:file { getattr read execute execute_no_trans };
+	requires_block_template(`$0'_depend)
+
+	allow $1 nfs_t:dir r_dir_perms;
+	allow $1 nfs_t:file { getattr read execute execute_no_trans };
 ')
 
 define(`filesystem_execute_nfs_files_depend',`
-type nfs_t;
-class dir { getattr search read };
-class file { getattr read execute execute_no_trans };
+	type nfs_t;
+
+	class dir r_dir_perms;
+	class file { getattr read execute execute_no_trans };
 ')
 
 ########################################
@@ -557,13 +631,15 @@ class file { getattr read execute execute_no_trans };
 # filesystem_manage_nfs_directories(domain)
 #
 define(`filesystem_manage_nfs_directories',`
-requires_block_template(`$0'_depend)
-allow $1 nfs_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
+	requires_block_template(`$0'_depend)
+
+	allow $1 nfs_t:dir create_dir_perms;
 ')
 
 define(`filesystem_manage_nfs_directories_depend',`
-type nfs_t;
-class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
+	type nfs_t;
+
+	class dir create_dir_perms;
 ')
 
 ########################################
@@ -571,15 +647,17 @@ class dir { create read getattr lock setattr ioctl link unlink rename search add
 # filesystem_manage_nfs_files(domain)
 #
 define(`filesystem_manage_nfs_files',`
-requires_block_template(`$0'_depend)
-allow $1 nfs_t:dir { getattr search read write add_name remove_name };
-allow $1 nfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+	requires_block_template(`$0'_depend)
+
+	allow $1 nfs_t:dir rw_dir_perms;
+	allow $1 nfs_t:file create_file_perms;
 ')
 
 define(`filesystem_manage_nfs_files_depend',`
-type nfs_t;
-class dir { getattr search read write add_name remove_name };
-class file { create ioctl read getattr lock write setattr append link unlink rename };
+	type nfs_t;
+
+	class dir rw_dir_perms;
+	class file create_file_perms;
 ')
 
 ########################################
@@ -587,15 +665,17 @@ class file { create ioctl read getattr lock write setattr append link unlink ren
 # filesystem_manage_nfs_symbolic_links(domain)
 #
 define(`filesystem_manage_nfs_symbolic_links',`
-requires_block_template(`$0'_depend)
-allow $1 nfs_t:dir { getattr search read write add_name remove_name };
-allow $1 nfs_t:lnk_file { create ioctl read getattr lock write setattr append link unlink rename };
+	requires_block_template(`$0'_depend)
+
+	allow $1 nfs_t:dir rw_dir_perms;
+	allow $1 nfs_t:lnk_file create_lnk_perms;
 ')
 
 define(`filesystem_manage_nfs_symbolic_links_depend',`
-type nfs_t;
-class dir { getattr search read write add_name remove_name };
-class lnk_file { create ioctl read getattr lock write setattr append link unlink rename };
+	type nfs_t;
+
+	class dir r_dir_perms;
+	class lnk_file create_lnk_perms;
 ')
 
 ########################################
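Review bot: The `_depend` block for `filesystem_manage_nfs_symbolic_links` declares `class dir r_dir_perms;` while the interface itself allows `nfs_t:dir rw_dir_perms`, so the requires block no longer matches the permissions the rule uses. The removed depend line listed write, add_name and remove_name, which the allow rule still needs. It should read `class dir rw_dir_perms;`, as the CIFS symlink interface does.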
@@ -603,15 +683,17 @@ class lnk_file { create ioctl read getattr lock write setattr append link unlink
 # filesystem_manage_nfs_named_pipes(domain)
 #
 define(`filesystem_manage_nfs_named_pipes',`
-requires_block_template(`$0'_depend)
-allow $1 nfs_t:dir { getattr search read write add_name remove_name };
-allow $1 nfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
+	requires_block_template(`$0'_depend)
+
+	allow $1 nfs_t:dir rw_dir_perms;
+	allow $1 nfs_t:fifo_file create_file_perms;
 ')
 
 define(`filesystem_manage_nfs_named_pipes_depend',`
-type nfs_t;
-class dir { getattr search read write add_name remove_name };
-class fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
+	type nfs_t;
+
+	class dir { getattr search read write add_name remove_name };
+	class fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
 ')
 
 ########################################
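Review bot: The `_depend` block of `filesystem_manage_nfs_named_pipes` was only re-indented and still spells out the literal permission sets, although the interface above it now uses `rw_dir_perms` and `create_file_perms`. Every sibling depend block in this commit was converted, so this one reads as an oversight. If the macros expand to anything beyond the literal lists, the requires block under-declares what the rules use. Suggest `class dir rw_dir_perms;` and `class fifo_file create_file_perms;` for consistency.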
@@ -619,15 +701,17 @@ class fifo_file { create ioctl read getattr lock write setattr append link unlin
 # filesystem_manage_nfs_named_sockets(domain)
 #
 define(`filesystem_manage_nfs_named_sockets',`
-requires_block_template(`$0'_depend)
-allow $1 nfs_t:dir { getattr search read write add_name remove_name };
-allow $1 nfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
+	requires_block_template(`$0'_depend)
+
+	allow $1 nfs_t:dir rw_dir_perms;
+	allow $1 nfs_t:sock_file create_file_perms;
 ')
 
 define(`filesystem_manage_nfs_named_sockets_depend',`
-type nfs_t;
-class dir { getattr search read write add_name remove_name };
-class sock_file { create ioctl read getattr lock write setattr append link unlink rename };
+	type nfs_t;
+
+	class dir rw_dir_perms;
+	class sock_file create_file_perms;
 ')
 
 ########################################
@@ -635,13 +719,15 @@ class sock_file { create ioctl read getattr lock write setattr append link unlin
 # filesystem_mount_nfsd_filesystem(domain)
 #
 define(`filesystem_mount_nfsd_filesystem',`
-requires_block_template(`$0'_depend)
-allow $1 nfsd_fs_t:filesystem mount;
+	requires_block_template(`$0'_depend)
+
+	allow $1 nfsd_fs_t:filesystem mount;
 ')
 
 define(`filesystem_mount_nfsd_filesystem_depend',`
-type nfsd_fs_t;
-class filesystem mount;
+	type nfsd_fs_t;
+
+	class filesystem mount;
 ')
 
 ########################################
@@ -649,13 +735,15 @@ class filesystem mount;
 # filesystem_remount_nfsd_filesystem(domain)
 #
 define(`filesystem_remount_nfsd_filesystem',`
-requires_block_template(`$0'_depend)
-allow $1 nfsd_fs_t:filesystem remount;
+	requires_block_template(`$0'_depend)
+
+	allow $1 nfsd_fs_t:filesystem remount;
 ')
 
 define(`filesystem_remount_nfsd_filesystem_depend',`
-type nfsd_fs_t;
-class filesystem remount;
+	type nfsd_fs_t;
+
+	class filesystem remount;
 ')
 
 ########################################
@@ -663,13 +751,15 @@ class filesystem remount;
 # filesystem_unmount_nfsd_filesystem(domain)
 #
 define(`filesystem_unmount_nfsd_filesystem',`
-requires_block_template(`$0'_depend)
-allow $1 nfsd_fs_t:filesystem mount;
+	requires_block_template(`$0'_depend)
+
+	allow $1 nfsd_fs_t:filesystem mount;
 ')
 
 define(`filesystem_unmount_nfsd_filesystem_depend',`
-type nfsd_fs_t;
-class filesystem unmount;
+	type nfsd_fs_t;
+
+	class filesystem unmount;
 ')
 
 ########################################
@@ -677,13 +767,15 @@ class filesystem unmount;
 # filesystem_get_nfsd_filesystem_attributes(domain)
 #
 define(`filesystem_get_nfsd_filesystem_attributes',`
-requires_block_template(`$0'_depend)
-allow $1 nfsd_fs_t:filesystem getattr;
+	requires_block_template(`$0'_depend)
+
+	allow $1 nfsd_fs_t:filesystem getattr;
 ')
 
 define(`filesystem_get_nfsd_filesystem_attributes_depend',`
-type nfsd_fs_t;
-class filesystem getattr;
+	type nfsd_fs_t;
+
+	class filesystem getattr;
 ')
 
 ########################################
@@ -691,13 +783,15 @@ class filesystem getattr;
 # filesystem_mount_ram_filesystem(domain)
 #
 define(`filesystem_mount_ram_filesystem',`
-requires_block_template(`$0'_depend)
-allow $1 ramfs_t:filesystem mount;
+	requires_block_template(`$0'_depend)
+
+	allow $1 ramfs_t:filesystem mount;
 ')
 
 define(`filesystem_mount_ram_filesystem_depend',`
-type ramfs_t;
-class filesystem mount;
+	type ramfs_t;
+
+	class filesystem mount;
 ')
 
 ########################################
@@ -705,13 +799,15 @@ class filesystem mount;
 # filesystem_remount_ram_filesystem(domain)
 #
 define(`filesystem_remount_ram_filesystem',`
-requires_block_template(`$0'_depend)
-allow $1 ramfs_t:filesystem remount;
+	requires_block_template(`$0'_depend)
+
+	allow $1 ramfs_t:filesystem remount;
 ')
 
 define(`filesystem_remount_ram_filesystem_depend',`
-type ramfs_t;
-class filesystem remount;
+	type ramfs_t;
+
+	class filesystem remount;
 ')
 
 ########################################
@@ -719,13 +815,15 @@ class filesystem remount;
 # filesystem_unmount_ram_filesystem(domain)
 #
 define(`filesystem_unmount_ram_filesystem',`
-requires_block_template(`$0'_depend)
-allow $1 ramfs_t:filesystem mount;
+	requires_block_template(`$0'_depend)
+
+	allow $1 ramfs_t:filesystem mount;
 ')
 
 define(`filesystem_unmount_ram_filesystem_depend',`
-type ramfs_t;
-class filesystem unmount;
+	type ramfs_t;
+
+	class filesystem unmount;
 ')
 
 ########################################
@@ -733,13 +831,15 @@ class filesystem unmount;
 # filesystem_get_ram_filesystem_attributes(domain)
 #
 define(`filesystem_get_ram_filesystem_attributes',`
-requires_block_template(`$0'_depend)
-allow $1 ramfs_t:filesystem getattr;
+	requires_block_template(`$0'_depend)
+
+	allow $1 ramfs_t:filesystem getattr;
 ')
 
 define(`filesystem_get_ram_filesystem_attributes_depend',`
-type ramfs_t;
-class filesystem getattr;
+	type ramfs_t;
+
+	class filesystem getattr;
 ')
 
 ########################################
@@ -747,13 +847,15 @@ class filesystem getattr;
 # filesystem_mount_rom_filesystem(domain)
 #
 define(`filesystem_mount_rom_filesystem',`
-requires_block_template(`$0'_depend)
-allow $1 romfs_t:filesystem mount;
+	requires_block_template(`$0'_depend)
+
+	allow $1 romfs_t:filesystem mount;
 ')
 
 define(`filesystem_mount_rom_filesystem_depend',`
-type romfs_t;
-class filesystem mount;
+	type romfs_t;
+
+	class filesystem mount;
 ')
 
 ########################################
@@ -761,13 +863,15 @@ class filesystem mount;
 # filesystem_remount_rom_filesystem(domain)
 #
 define(`filesystem_remount_rom_filesystem',`
-requires_block_template(`$0'_depend)
-allow $1 romfs_t:filesystem remount;
+	requires_block_template(`$0'_depend)
+
+	allow $1 romfs_t:filesystem remount;
 ')
 
 define(`filesystem_remount_rom_filesystem_depend',`
-type romfs_t;
-class filesystem remount;
+	type romfs_t;
+
+	class filesystem remount;
 ')
 
 ########################################
@@ -775,13 +879,15 @@ class filesystem remount;
 # filesystem_unmount_rom_filesystem(domain)
 #
 define(`filesystem_unmount_rom_filesystem',`
-requires_block_template(`$0'_depend)
-allow $1 romfs_t:filesystem mount;
+	requires_block_template(`$0'_depend)
+
+	allow $1 romfs_t:filesystem mount;
 ')
 
 define(`filesystem_unmount_rom_filesystem_depend',`
-type romfs_t;
-class filesystem unmount;
+	type romfs_t;
+
+	class filesystem unmount;
 ')
 
 ########################################
@@ -789,13 +895,15 @@ class filesystem unmount;
 # filesystem_get_rom_filesystem_attributes(domain)
 #
 define(`filesystem_get_rom_filesystem_attributes',`
-requires_block_template(`$0'_depend)
-allow $1 romfs_t:filesystem getattr;
+	requires_block_template(`$0'_depend)
+
+	allow $1 romfs_t:filesystem getattr;
 ')
 
 define(`filesystem_get_rom_filesystem_attributes_depend',`
-type romfs_t;
-class filesystem getattr;
+	type romfs_t;
+
+	class filesystem getattr;
 ')
 
 ########################################
@@ -803,13 +911,15 @@ class filesystem getattr;
 # filesystem_mount_rpc_pipefs_filesystem(domain)
 #
 define(`filesystem_mount_rpc_pipefs_filesystem',`
-requires_block_template(`$0'_depend)
-allow $1 rpc_pipefs_t:filesystem mount;
+	requires_block_template(`$0'_depend)
+
+	allow $1 rpc_pipefs_t:filesystem mount;
 ')
 
 define(`filesystem_mount_rpc_pipefs_filesystem_depend',`
-type rpc_pipefs_t;
-class filesystem mount;
+	type rpc_pipefs_t;
+
+	class filesystem mount;
 ')
 
 ########################################
@@ -817,13 +927,15 @@ class filesystem mount;
 # filesystem_remount_rpc_pipefs_filesystem(domain)
 #
 define(`filesystem_remount_rpc_pipefs_filesystem',`
-requires_block_template(`$0'_depend)
-allow $1 rpc_pipefs_t:filesystem remount;
+	requires_block_template(`$0'_depend)
+
+	allow $1 rpc_pipefs_t:filesystem remount;
 ')
 
 define(`filesystem_remount_rpc_pipefs_filesystem_depend',`
-type rpc_pipefs_t;
-class filesystem remount;
+	type rpc_pipefs_t;
+
+	class filesystem remount;
 ')
 
 ########################################
@@ -831,13 +943,15 @@ class filesystem remount;
 # filesystem_unmount_rpc_pipefs_filesystem(domain)
 #
 define(`filesystem_unmount_rpc_pipefs_filesystem',`
-requires_block_template(`$0'_depend)
-allow $1 rpc_pipefs_t:filesystem mount;
+	requires_block_template(`$0'_depend)
+
+	allow $1 rpc_pipefs_t:filesystem mount;
 ')
 
 define(`filesystem_unmount_rpc_pipefs_filesystem_depend',`
-type rpc_pipefs_t;
-class filesystem unmount;
+	type rpc_pipefs_t;
+
+	class filesystem unmount;
 ')
 
 ########################################
@@ -845,13 +959,15 @@ class filesystem unmount;
 # filesystem_get_rpc_pipefs_filesystem_attributes(domain)
 #
 define(`filesystem_get_rpc_pipefs_filesystem_attributes',`
-requires_block_template(`$0'_depend)
-allow $1 rpc_pipefs_t:filesystem getattr;
+	requires_block_template(`$0'_depend)
+
+	allow $1 rpc_pipefs_t:filesystem getattr;
 ')
 
 define(`filesystem_get_rpc_pipefs_filesystem_attributes_depend',`
-type rpc_pipefs_t;
-class filesystem getattr;
+	type rpc_pipefs_t;
+
+	class filesystem getattr;
 ')
 
 ########################################
@@ -859,13 +975,15 @@ class filesystem getattr;
 # filesystem_mount_tmpfs_filesystem(domain)
 #
 define(`filesystem_mount_tmpfs_filesystem',`
-requires_block_template(`$0'_depend)
-allow $1 tmpfs_t:filesystem mount;
+	requires_block_template(`$0'_depend)
+
+	allow $1 tmpfs_t:filesystem mount;
 ')
 
 define(`filesystem_mount_tmpfs_filesystem_depend',`
-type tmpfs_t;
-class filesystem mount;
+	type tmpfs_t;
+
+	class filesystem mount;
 ')
 
 ########################################
@@ -873,13 +991,15 @@ class filesystem mount;
 # filesystem_remount_tmpfs_filesystem(domain)
 #
 define(`filesystem_remount_tmpfs_filesystem',`
-requires_block_template(`$0'_depend)
-allow $1 tmpfs_t:filesystem remount;
+	requires_block_template(`$0'_depend)
+
+	allow $1 tmpfs_t:filesystem remount;
 ')
 
 define(`filesystem_remount_tmpfs_filesystem_depend',`
-type tmpfs_t;
-class filesystem remount;
+	type tmpfs_t;
+
+	class filesystem remount;
 ')
 
 ########################################
@@ -887,13 +1007,15 @@ class filesystem remount;
 # filesystem_unmount_tmpfs_filesystem(domain)
 #
 define(`filesystem_unmount_tmpfs_filesystem',`
-requires_block_template(`$0'_depend)
-allow $1 tmpfs_t:filesystem mount;
+	requires_block_template(`$0'_depend)
+
+	allow $1 tmpfs_t:filesystem mount;
 ')
 
 define(`filesystem_unmount_tmpfs_filesystem_depend',`
-type tmpfs_t;
-class filesystem unmount;
+	type tmpfs_t;
+
+	class filesystem unmount;
 ')
 
 ########################################
@@ -901,13 +1023,15 @@ class filesystem unmount;
 # filesystem_get_tmpfs_filesystem_attributes(domain)
 #
 define(`filesystem_get_tmpfs_filesystem_attributes',`
-requires_block_template(`$0'_depend)
-allow $1 tmpfs_t:filesystem getattr;
+	requires_block_template(`$0'_depend)
+
+	allow $1 tmpfs_t:filesystem getattr;
 ')
 
 define(`filesystem_get_tmpfs_filesystem_attributes_depend',`
-type tmpfs_t;
-class filesystem getattr;
+	type tmpfs_t;
+
+	class filesystem getattr;
 ')
 
 ########################################
@@ -922,13 +1046,15 @@ class filesystem getattr;
 ## </interface>
 #
 define(`filesystem_tmpfs_associate',`
-requires_block_template(`$0'_depend)
-allow $1 tmpfs_t:filesystem associate;
+	requires_block_template(`$0'_depend)
+
+	allow $1 tmpfs_t:filesystem associate;
 ')
 
 define(`filesystem_tmpfs_associate_depend',`
-type tmpfs_t;
-class filesystem associate;
+	type tmpfs_t;
+
+	class filesystem associate;
 ')
 
 ########################################
@@ -936,20 +1062,23 @@ class filesystem associate;
 # filesystem_create_private_tmpfs_data(domain,derivedtype,[class])
 #
 define(`filesystem_create_private_tmpfs_data',`
-requires_block_template(`$0'_depend)
-allow $1 tmpfs_t:dir { getattr search read write add_name };
-ifelse(`$3',`',`
-type_transition $1 tmpfs_t:file $2;
-',`
-type_transition $1 tmpfs_t:$3 $2;
-')
-allow $2 tmpfs_t:filesystem associate;
+	requires_block_template(`$0'_depend)
+
+	allow $2 tmpfs_t:filesystem associate;
+	allow $1 tmpfs_t:dir rw_dir_perms;
+
+	ifelse(`$3',`',`
+		type_transition $1 tmpfs_t:file $2;
+	',`
+		type_transition $1 tmpfs_t:$3 $2;
+	')
 ')
 
 define(`filesystem_create_private_tmpfs_data_depend',`
-type tmpfs_t;
-class dir { getattr search read write add_name }; 
-class filesystem associate;
+	type tmpfs_t;
+
+	class filesystem associate;
+	class dir rw_dir_perms; 
 ')
 
 ########################################
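Review bot: Replacing `{ getattr search read write add_name }` with `rw_dir_perms` in `filesystem_create_private_tmpfs_data` appears to widen the grant. Elsewhere in this commit `rw_dir_perms` stands in for a set that also contains remove_name, so a create-only interface would now let the caller remove entries from tmpfs_t directories. If that is not intended, keep the explicit set, `allow $1 tmpfs_t:dir { getattr search read write add_name };`, with the matching `class dir` line. If it is intended, say so in the interface comment, since a formatting commit is an easy place for a permission change to go unreviewed. The new `class dir rw_dir_perms; ` line also keeps a trailing space.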
@@ -964,15 +1093,17 @@ class filesystem associate;
 ## </interface>
 #
 define(`filesystem_use_tmpfs_character_devices',`
-requires_block_template(`$0'_depend)
-allow $1 tmpfs_t:dir { getattr search read };
-allow $1 tmpfs_t:chr_file { getattr read write ioctl };
+	requires_block_template(`$0'_depend)
+
+	allow $1 tmpfs_t:dir r_dir_perms;
+	allow $1 tmpfs_t:chr_file rw_file_perms;
 ')
 
 define(`filesystem_use_tmpfs_character_devices_depend',`
-type tmpfs_t;
-class dir { getattr search read }; 
-class chr_file { getattr read write ioctl };
+	type tmpfs_t;
+
+	class dir r_dir_perms; 
+	class chr_file rw_file_perms;
 ')
 
 ########################################
@@ -987,15 +1118,17 @@ class chr_file { getattr read write ioctl };
 ## </interface>
 #
 define(`filesystem_relabel_tmpfs_character_devices',`
-requires_block_template(`$0'_depend)
-allow $1 tmpfs_t:dir { getattr search read };
-allow $1 tmpfs_t:chr_file { getattr relabelfrom relabelto };
+	requires_block_template(`$0'_depend)
+
+	allow $1 tmpfs_t:dir r_dir_perms;
+	allow $1 tmpfs_t:chr_file { getattr relabelfrom relabelto };
 ')
 
 define(`filesystem_relabel_tmpfs_character_devices_depend',`
-type tmpfs_t;
-class dir { getattr search read }; 
-class chr_file { getattr relabelfrom relabelto };
+	type tmpfs_t;
+
+	class dir r_dir_perms;
+	class chr_file { getattr relabelfrom relabelto };
 ')
 
 ########################################
@@ -1010,15 +1143,17 @@ class chr_file { getattr relabelfrom relabelto };
 ## </interface>
 #
 define(`filesystem_use_tmpfs_block_devices',`
-requires_block_template(`$0'_depend)
-allow $1 tmpfs_t:dir { getattr search read };
-allow $1 tmpfs_t:blk_file { getattr read write ioctl };
+	requires_block_template(`$0'_depend)
+
+	allow $1 tmpfs_t:dir r_dir_perms;
+	allow $1 tmpfs_t:blk_file rw_file_perms;
 ')
 
 define(`filesystem_use_tmpfs_block_devices_depend',`
-type tmpfs_t;
-class dir { getattr search read }; 
-class blk_file { getattr read write ioctl };
+	type tmpfs_t;
+
+	class dir r_dir_perms; 
+	class blk_file rw_file_perms;
 ')
 
 ########################################
@@ -1033,15 +1168,17 @@ class blk_file { getattr read write ioctl };
 ## </interface>
 #
 define(`filesystem_relabel_tmpfs_block_devices',`
-requires_block_template(`$0'_depend)
-allow $1 tmpfs_t:dir { getattr search read };
-allow $1 tmpfs_t:blk_file { getattr relabelfrom relabelto };
+	requires_block_template(`$0'_depend)
+
+	allow $1 tmpfs_t:dir r_dir_perms;
+	allow $1 tmpfs_t:blk_file { getattr relabelfrom relabelto };
 ')
 
 define(`filesystem_use_tmpfs_block_devices_depend',`
-type tmpfs_t;
-class dir { getattr search read }; 
-class blk_file { getattr relabelfrom relabelto };
+	type tmpfs_t;
+
+	class dir r_dir_perms;
+	class blk_file { getattr relabelfrom relabelto };
 ')
 
 ########################################
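Review bot: The dependency block that follows `filesystem_relabel_tmpfs_block_devices` is still defined under the name `filesystem_use_tmpfs_block_devices_depend` (an unchanged context line in this hunk). The interface's requires_block_template call builds its argument from `$0` plus `_depend`, so it presumably looks for `filesystem_relabel_tmpfs_block_devices_depend`, which is never defined here. This definition instead redefines the depend block of the use interface with the relabel permissions. The define should name `filesystem_relabel_tmpfs_block_devices_depend`, the same kind of fix this commit already makes for the `filesystem_mange_...` typo. The `filesystem_unmount_all_filesystems` hunk has the same slip: its depend block is defined as `filesystem_mount_all_filesystems_depend` and should be `filesystem_unmount_all_filesystems_depend`.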
@@ -1057,15 +1194,17 @@ class blk_file { getattr relabelfrom relabelto };
 ## </interface>
 #
 define(`filesystem_manage_tmpfs_character_devices',`
-requires_block_template(`$0'_depend)
-allow $1 tmpfs_t:dir { getattr search read write add_name remove_name };
-allow $1 tmpfs_t:chr_file { getattr read write ioctl create unlink setattr };
+	requires_block_template(`$0'_depend)
+
+	allow $1 tmpfs_t:dir rw_dir_perms;
+	allow $1 tmpfs_t:chr_file create_file_perms;
 ')
 
-define(`filesystem_mange_tmpfs_character_devices_depend',`
-type tmpfs_t;
-class dir { getattr search read write add_name remove_name }; 
-class chr_file { getattr read write ioctl create unlink setattr };
+define(`filesystem_manage_tmpfs_character_devices_depend',`
+	type tmpfs_t;
+
+	class dir rw_dir_perms;
+	class chr_file create_file_perms;
 ')
 
 ########################################
@@ -1081,15 +1220,17 @@ class chr_file { getattr read write ioctl create unlink setattr };
 ## </interface>
 #
 define(`filesystem_manage_tmpfs_block_devices',`
-requires_block_template(`$0'_depend)
-allow $1 tmpfs_t:dir { getattr search read write add_name remove_name };
-allow $1 tmpfs_t:blk_file { getattr read write ioctl create unlink setattr };
+	requires_block_template(`$0'_depend)
+
+	allow $1 tmpfs_t:dir rw_dir_perms;
+	allow $1 tmpfs_t:blk_file create_file_perms;
 ')
 
 define(`filesystem_manage_tmpfs_block_devices_depend',`
-type tmpfs_t;
-class dir { getattr search read write add_name remove_name }; 
-class blk_file { getattr read write ioctl create unlink setattr };
+	type tmpfs_t;
+
+	class dir rw_dir_perms;
+	class blk_file create_file_perms;
 ')
 
 ########################################
@@ -1097,13 +1238,15 @@ class blk_file { getattr read write ioctl create unlink setattr };
 # filesystem_mount_all_filesystems(type)
 #
 define(`filesystem_mount_all_filesystems',`
-requires_block_template(`$0'_depend)
-allow $1 fs_type:filesystem mount;
+	requires_block_template(`$0'_depend)
+
+	allow $1 fs_type:filesystem mount;
 ')
 
 define(`filesystem_mount_all_filesystems_depend',`
-attribute fs_type;
-class filesystem mount;
+	attribute fs_type;
+
+	class filesystem mount;
 ')
 
 ########################################
@@ -1111,13 +1254,15 @@ class filesystem mount;
 # filesystem_remount_all_filesystems(type)
 #
 define(`filesystem_remount_all_filesystems',`
-requires_block_template(`$0'_depend)
-allow $1 fs_type:filesystem remount;
+	requires_block_template(`$0'_depend)
+
+	allow $1 fs_type:filesystem remount;
 ')
 
 define(`filesystem_remount_all_filesystems_depend',`
-attribute fs_type;
-class filesystem remount;
+	attribute fs_type;
+
+	class filesystem remount;
 ')
 
 ########################################
@@ -1125,13 +1270,15 @@ class filesystem remount;
 # filesystem_unmount_all_filesystems(type)
 #
 define(`filesystem_unmount_all_filesystems',`
-requires_block_template(`$0'_depend)
-allow $1 fs_type:filesystem unmount;
+	requires_block_template(`$0'_depend)
+
+	allow $1 fs_type:filesystem unmount;
 ')
 
 define(`filesystem_mount_all_filesystems_depend',`
-attribute fs_type;
-class filesystem unmount;
+	attribute fs_type;
+
+	class filesystem unmount;
 ')
 
 ########################################
@@ -1139,13 +1286,15 @@ class filesystem unmount;
 # filesystem_get_all_filesystems_attributes(type)
 #
 define(`filesystem_get_all_filesystems_attributes',`
-requires_block_template(`$0'_depend)
-allow $1 fs_type:filesystem getattr;
+	requires_block_template(`$0'_depend)
+
+	allow $1 fs_type:filesystem getattr;
 ')
 
 define(`filesystem_get_all_filesystems_attributes_depend',`
-attribute fs_type;
-class filesystem getattr;
+	attribute fs_type;
+
+	class filesystem getattr;
 ')
 
 ########################################
@@ -1153,13 +1302,15 @@ class filesystem getattr;
 # filesystem_get_all_filesystems_quotas(type)
 #
 define(`filesystem_get_all_filesystems_quotas',`
-requires_block_template(`$0'_depend)
-allow $1 fs_type:filesystem quotaget;
+	requires_block_template(`$0'_depend)
+
+	allow $1 fs_type:filesystem quotaget;
 ')
 
 define(`filesystem_get_all_filesystems_quotas_depend',`
-attribute fs_type;
-class filesystem quotaget;
+	attribute fs_type;
+
+	class filesystem quotaget;
 ')
 
 ########################################
@@ -1167,13 +1318,15 @@ class filesystem quotaget;
 # filesystem_set_all_filesystems_quotas(type)
 #
 define(`filesystem_set_all_filesystems_quotas',`
-requires_block_template(`$0'_depend)
-allow $1 fs_type:filesystem quotamod;
+	requires_block_template(`$0'_depend)
+
+	allow $1 fs_type:filesystem quotamod;
 ')
 
 define(`filesystem_set_all_filesystems_quotas_depend',`
-attribute fs_type;
-class filesystem quotamod;
+	attribute fs_type;
+
+	class filesystem quotamod;
 ')
 
 ########################################
@@ -1181,21 +1334,23 @@ class filesystem quotamod;
 # filesystem_get_all_file_attributes(type)
 #
 define(`filesystem_get_all_file_attributes',`
-requires_block_template(`$0'_depend)
-allow $1 fs_type:dir { search getattr };
-allow $1 fs_type:file getattr;
-allow $1 fs_type:lnk_file getattr;
-allow $1 fs_type:fifo_file getattr;
-allow $1 fs_type:sock_file getattr;
+	requires_block_template(`$0'_depend)
+
+	allow $1 fs_type:dir { search getattr };
+	allow $1 fs_type:file getattr;
+	allow $1 fs_type:lnk_file getattr;
+	allow $1 fs_type:fifo_file getattr;
+	allow $1 fs_type:sock_file getattr;
 ')
 
 define(`filesystem_get_all_file_attributes_depend',`
-attribute fs_type;
-class dir { search getattr };
-class file getattr;
-class lnk_file getattr;
-class fifo_file getattr;
-class sock_file getattr;
+	attribute fs_type;
+
+	class dir { search getattr };
+	class file getattr;
+	class lnk_file getattr;
+	class fifo_file getattr;
+	class sock_file getattr;
 ')
 
 ## </module>
diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if
index 476ed6eb5..a9050a2e9 100644
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@@ -9,24 +9,27 @@
 # kernel_make_userland_entrypoint(domain,entrypoint)
 #
 define(`kernel_make_userland_entrypoint',`
-requires_block_template(`$0'_depend)
-allow kernel_t $2:file { getattr read execute };
-allow kernel_t $1:process transition;
-allow $1 kernel_t:fd use;
-type_transition kernel_t $2:process $1;
-dontaudit kernel_t $1:process { noatsecure siginh rlimitinh };
-allow $1 kernel_t:fd use;
-allow kernel_t $1:fd use;
-allow kernel_t $1:fifo_file rw_file_perms;
-allow $1 kernel_t:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow kernel_t $2:file { getattr read execute };
+	allow kernel_t $1:process transition;
+	allow $1 kernel_t:fd use;
+	type_transition kernel_t $2:process $1;
+	dontaudit kernel_t $1:process { noatsecure siginh rlimitinh };
+
+	allow $1 kernel_t:fd use;
+	allow kernel_t $1:fd use;
+	allow kernel_t $1:fifo_file rw_file_perms;
+	allow $1 kernel_t:process sigchld;
 ')
 
 define(`kernel_make_userland_entrypoint_depend',`
-type kernel_t;
-class process { transition noatsecure siginh rlimitinh sigchld };
-class file { getattr read execute };
-class fifo_file rw_file_perms;
-class fd use;
+	type kernel_t;
+
+	class process { transition noatsecure siginh rlimitinh sigchld };
+	class file { getattr read execute };
+	class fifo_file rw_file_perms;
+	class fd use;
 ')
 
 ########################################
@@ -34,13 +37,15 @@ class fd use;
 # kernel_share_state(domain)
 #
 define(`kernel_share_state',`
-requires_block_template(`$0'_depend)
-allow kernel_t $1:process share;
+	requires_block_template(`$0'_depend)
+
+	allow kernel_t $1:process share;
 ')
 
 define(`kernel_share_state_depend',`
-type kernel_t;
-class process share;
+	type kernel_t;
+
+	class process share;
 ')
 
 ########################################
@@ -48,13 +53,15 @@ class process share;
 # kernel_use_file_descriptors(domain)
 #
 define(`kernel_use_file_descriptors',`
-requires_block_template(`$0'_depend)
-allow $1 kernel_t:fd use;
+	requires_block_template(`$0'_depend)
+
+	allow $1 kernel_t:fd use;
 ')
 
 define(`kernel_use_file_descriptors_depend',`
-type kernel_t;
-class fd use;
+	type kernel_t;
+
+	class fd use;
 ')
 
 ########################################
@@ -62,13 +69,15 @@ class fd use;
 # kernel_ignore_use_file_descriptors(domain)
 #
 define(`kernel_ignore_use_file_descriptors',`
-requires_block_template(`$0'_depend)
-dontaudit $1 kernel_t:fd use;
+	requires_block_template(`$0'_depend)
+
+	dontaudit $1 kernel_t:fd use;
 ')
 
 define(`kernel_ignore_use_file_descriptors_depend',`
-type kernel_t;
-class fd use;
+	type kernel_t;
+
+	class fd use;
 ')
 
 ########################################
@@ -76,13 +85,15 @@ class fd use;
 # kernel_make_root_filesystem_mountpoint(domain)
 #
 define(`kernel_make_root_filesystem_mountpoint',`
-requires_block_template(`$0'_depend)
-allow kernel_t $1:dir mounton;
+	requires_block_template(`$0'_depend)
+
+	allow kernel_t $1:dir mounton;
 ')
 
 define(`kernel_make_root_filesystem_mountpoint_depend',`
-type kernel_t;
-class dir mounton;
+	type kernel_t;
+
+	class dir mounton;
 ')
 
 ########################################
@@ -90,12 +101,13 @@ class dir mounton;
 # kernel_make_process_identity_change_constraint_exception(domain)
 #
 define(`kernel_make_process_identity_change_constraint_exception',`
-requires_block_template(`$0'_depend)
-typeattribute $1 can_change_process_identity;
+	requires_block_template(`$0'_depend)
+
+	typeattribute $1 can_change_process_identity;
 ')
 
 define(`kernel_make_process_identity_change_constraint_exception_depend',`
-attribute can_change_process_identity;
+	attribute can_change_process_identity;
 ')
 
 ########################################
@@ -103,12 +115,13 @@ attribute can_change_process_identity;
 # kernel_make_role_change_constraint_exception(domain)
 #
 define(`kernel_make_role_change_constraint_exception',`
-requires_block_template(`$0'_depend)
-typeattribute $1 can_change_process_role;
+	requires_block_template(`$0'_depend)
+
+	typeattribute $1 can_change_process_role;
 ')
 
 define(`kernel_make_role_change_constraint_exception_depend',`
-attribute can_change_process_role;
+	attribute can_change_process_role;
 ')
 
 ########################################
@@ -116,12 +129,13 @@ attribute can_change_process_role;
 # kernel_make_object_identity_change_constraint_exception(domain)
 #
 define(`kernel_make_object_identity_change_constraint_exception',`
-requires_block_template(`$0'_depend)
-typeattribute $1 can_change_object_identity;
+	requires_block_template(`$0'_depend)
+
+	typeattribute $1 can_change_object_identity;
 ')
 
 define(`kernel_make_object_identity_change_constraint_exception_depend',`
-attribute can_change_object_identity;
+	attribute can_change_object_identity;
 ')
 
 ########################################
@@ -129,14 +143,16 @@ attribute can_change_object_identity;
 # kernel_load_module(domain)
 #
 define(`kernel_load_module',`
-requires_block_template(`$0'_depend)
-allow $1 self:capability sys_module;
-typeattribute $1 can_load_kernmodule;
+	requires_block_template(`$0'_depend)
+
+	allow $1 self:capability sys_module;
+	typeattribute $1 can_load_kernmodule;
 ')
 
 define(`kernel_load_module_depend',`
-attribute can_load_kernmodule;
-class capability sys_module;
+	attribute can_load_kernmodule;
+
+	class capability sys_module;
 ')
 
 ########################################
@@ -144,15 +160,17 @@ class capability sys_module;
 # kernel_get_selinux_enforcement_mode(domain)
 #
 define(`kernel_get_selinux_enforcement_mode',`
-requires_block_template(`$0'_depend)
-allow $1 security_t:dir { read search getattr };
-allow $1 security_t:file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	allow $1 security_t:dir { read search getattr };
+	allow $1 security_t:file { getattr read };
 ')
 
 define(`kernel_get_selinux_enforcement_mode_depend',`
-type security_t;
-class dir { read search getattr };
-class file { getattr read };
+	type security_t;
+
+	class dir { read search getattr };
+	class file { getattr read };
 ')
 
 ########################################
@@ -160,20 +178,23 @@ class file { getattr read };
 # kernel_set_selinux_enforcement_mode(domain)
 #
 define(`kernel_set_selinux_enforcement_mode',`
-requires_block_template(`$0'_depend)
-allow $1 security_t:dir { read search getattr };
-allow $1 security_t:file { getattr read write };
-allow $1 security_t:security setenforce;
-auditallow $1 security_t:security setenforce;
-typeattribute $1 can_setenforce;
+	requires_block_template(`$0'_depend)
+
+	allow $1 security_t:dir { read search getattr };
+	allow $1 security_t:file { getattr read write };
+	allow $1 security_t:security setenforce;
+	auditallow $1 security_t:security setenforce;
+	typeattribute $1 can_setenforce;
 ')
 
 define(`kernel_set_selinux_enforcement_mode_depend',`
-type security_t;
-attribute can_setenforce;
-class dir { read search getattr };
-class file { getattr read write };
-class security setenforce;
+	type security_t;
+
+	attribute can_setenforce;
+
+	class dir { read search getattr };
+	class file { getattr read write };
+	class security setenforce;
 ')
 
 ########################################
@@ -181,20 +202,23 @@ class security setenforce;
 # kernel_load_selinux_policy(domain)
 #
 define(`kernel_load_selinux_policy',`
-requires_block_template(`$0'_depend)
-allow $1 security_t:dir { read search getattr };
-allow $1 security_t:file { getattr read write };
-allow $1 security_t:security load_policy;
-auditallow $1 security_t:security load_policy;
-typeattribute $1 can_load_policy;
+	requires_block_template(`$0'_depend)
+
+	allow $1 security_t:dir { read search getattr };
+	allow $1 security_t:file { getattr read write };
+	allow $1 security_t:security load_policy;
+	auditallow $1 security_t:security load_policy;
+	typeattribute $1 can_load_policy;
 ')
 
 define(`kernel_load_selinux_policy_depend',`
-type security_t;
-attribute can_load_policy;
-class dir { read search getattr };
-class file { getattr read write };
-class security load_policy;
+	type security_t;
+
+	attribute can_load_policy;
+
+	class dir { read search getattr };
+	class file { getattr read write };
+	class security load_policy;
 ')
 
 ########################################
@@ -202,24 +226,27 @@ class security load_policy;
 # kernel_set_selinux_boolean(domain,[booltype])
 #
 define(`kernel_set_selinux_boolean',`
-requires_block_template(`$0'_depend)
-ifelse(`$2',`',`
-allow $1 security_t:dir { getattr search read };
-allow $1 security_t:file { getattr read write };
-',`
-allow $1 $2:dir { getattr search read };
-allow $1 $2:file { getattr read write };
-')
-allow $1 security_t:dir search;
-allow $1 security_t:security setbool;
-auditallow $1 security_t:security setbool;
+	requires_block_template(`$0'_depend)
+
+	ifelse(`$2',`',`
+		allow $1 security_t:dir { getattr search read };
+		allow $1 security_t:file { getattr read write };
+	',`
+		allow $1 $2:dir { getattr search read };
+		allow $1 $2:file { getattr read write };
+	')
+
+	allow $1 security_t:dir search;
+	allow $1 security_t:security setbool;
+	auditallow $1 security_t:security setbool;
 ')
 
 define(`kernel_set_selinux_boolean_depend',`
-type security_t;
-class dir { read search getattr };
-class file { getattr read write };
-class security setbool;
+	type security_t;
+
+	class dir { read search getattr };
+	class file { getattr read write };
+	class security setbool;
 ')
 
 ########################################
@@ -227,20 +254,23 @@ class security setbool;
 # kernel_set_selinux_security_parameters(domain)
 #
 define(`kernel_set_selinux_security_parameters',`
-requires_block_template(`$0'_depend)
-allow $1 security_t:dir { read search getattr };
-allow $1 security_t:file { getattr read write };
-allow $1 security_t:security setsecparam;
-auditallow $1 security_t:security setsecparam;
-typeattribute $1 can_setsecparam;
+	requires_block_template(`$0'_depend)
+
+	allow $1 security_t:dir { read search getattr };
+	allow $1 security_t:file { getattr read write };
+	allow $1 security_t:security setsecparam;
+	auditallow $1 security_t:security setsecparam;
+	typeattribute $1 can_setsecparam;
 ')
 
 define(`kernel_set_selinux_security_parameters_depend',`
-type security_t;
-attribute can_setsecparam;
-class dir { read search getattr };
-class file { getattr read write };
-class security setsecparam;
+	type security_t;
+
+	attribute can_setsecparam;
+
+	class dir { read search getattr };
+	class file { getattr read write };
+	class security setsecparam;
 ')
 
 ########################################
@@ -248,17 +278,19 @@ class security setsecparam;
 # kernel_validate_selinux_context(domain)
 #
 define(`kernel_validate_selinux_context',`
-requires_block_template(`$0'_depend)
-allow $1 security_t:dir { read search getattr };
-allow $1 security_t:file { getattr read write };
-allow $1 security_t:security check_context;
+	requires_block_template(`$0'_depend)
+
+	allow $1 security_t:dir { read search getattr };
+	allow $1 security_t:file { getattr read write };
+	allow $1 security_t:security check_context;
 ')
 
 define(`kernel_validate_selinux_context_depend',`
-type security_t;
-class dir { read search getattr };
-class file { getattr read write };
-class security check_context;
+	type security_t;
+
+	class dir { read search getattr };
+	class file { getattr read write };
+	class security check_context;
 ')
 
 ########################################
@@ -266,17 +298,19 @@ class security check_context;
 # kernel_compute_selinux_access_vector(domain)
 #
 define(`kernel_compute_selinux_access_vector',`
-requires_block_template(`$0'_depend)
-allow $1 security_t:dir { read search getattr };
-allow $1 security_t:file { getattr read write };
-allow $1 security_t:security compute_av;
+	requires_block_template(`$0'_depend)
+
+	allow $1 security_t:dir { read search getattr };
+	allow $1 security_t:file { getattr read write };
+	allow $1 security_t:security compute_av;
 ')
 
 define(`kernel_compute_selinux_access_vector_depend',`
-type security_t;
-class dir { read search getattr };
-class file { getattr read write };
-class security compute_av;
+	type security_t;
+
+	class dir { read search getattr };
+	class file { getattr read write };
+	class security compute_av;
 ')
 
 ########################################
@@ -284,17 +318,19 @@ class security compute_av;
 # kernel_compute_selinux_create_context(domain)
 #
 define(`kernel_compute_selinux_create_context',`
-requires_block_template(`$0'_depend)
-allow $1 security_t:dir { read search getattr };
-allow $1 security_t:file { getattr read write };
-allow $1 security_t:security compute_create;
+	requires_block_template(`$0'_depend)
+
+	allow $1 security_t:dir { read search getattr };
+	allow $1 security_t:file { getattr read write };
+	allow $1 security_t:security compute_create;
 ')
 
 define(`kernel_compute_selinux_create_context_depend',`
-type security_t;
-class dir { read search getattr };
-class file { getattr read write };
-class security compute_create;
+	type security_t;
+
+	class dir { read search getattr };
+	class file { getattr read write };
+	class security compute_create;
 ')
 
 ########################################
@@ -302,17 +338,19 @@ class security compute_create;
 # kernel_compute_selinux_relabel_context(domain)
 #
 define(`kernel_compute_selinux_relabel_context',`
-requires_block_template(`$0'_depend)
-allow $1 security_t:dir { read search getattr };
-allow $1 security_t:file { getattr read write };
-allow $1 security_t:security compute_relabel;
+	requires_block_template(`$0'_depend)
+
+	allow $1 security_t:dir { read search getattr };
+	allow $1 security_t:file { getattr read write };
+	allow $1 security_t:security compute_relabel;
 ')
 
 define(`kernel_compute_selinux_relabel_context_depend',`
-type security_t;
-class dir { read search getattr };
-class file { getattr read write };
-class security compute_relabel;
+	type security_t;
+
+	class dir { read search getattr };
+	class file { getattr read write };
+	class security compute_relabel;
 ')
 
 ########################################
@@ -320,17 +358,19 @@ class security compute_relabel;
 # kernel_compute_selinux_reachable_user_contexts(domain)
 #
 define(`kernel_compute_selinux_reachable_user_contexts',`
-requires_block_template(`$0'_depend)
-allow $1 security_t:dir { read search getattr };
-allow $1 security_t:file { getattr read write };
-allow $1 security_t:security compute_user;
+	requires_block_template(`$0'_depend)
+
+	allow $1 security_t:dir { read search getattr };
+	allow $1 security_t:file { getattr read write };
+	allow $1 security_t:security compute_user;
 ')
 
 define(`kernel_compute_selinux_reachable_user_contexts_depend',`
-type security_t;
-class dir { read search getattr };
-class file { getattr read write };
-class security compute_user;
+	type security_t;
+
+	class dir { read search getattr };
+	class file { getattr read write };
+	class security compute_user;
 ')
 
 ########################################
@@ -338,13 +378,15 @@ class security compute_user;
 # kernel_read_ring_buffer(domain)
 #
 define(`kernel_read_ring_buffer',`
-requires_block_template(`$0'_depend)
-allow $1 kernel_t:system syslog_read;
+	requires_block_template(`$0'_depend)
+
+	allow $1 kernel_t:system syslog_read;
 ')
 
 define(`kernel_read_ring_buffer_depend',`
-type kernel_t;
-class system syslog_read;
+	type kernel_t;
+
+	class system syslog_read;
 ')
 
 ########################################
@@ -352,13 +394,15 @@ class system syslog_read;
 # kernel_ignore_read_ring_buffer(domain)
 #
 define(`kernel_ignore_read_ring_buffer',`
-requires_block_template(`$0'_depend)
-dontaudit $1 kernel_t:system syslog_read;
+	requires_block_template(`$0'_depend)
+
+	dontaudit $1 kernel_t:system syslog_read;
 ')
 
 define(`kernel_ignore_read_ring_buffer_depend',`
-type kernel_t;
-class system syslog_read;
+	type kernel_t;
+
+	class system syslog_read;
 ')
 
 ########################################
@@ -366,13 +410,15 @@ class system syslog_read;
 # kernel_change_ring_buffer_level(domain)
 #
 define(`kernel_change_ring_buffer_level',`
-requires_block_template(`$0'_depend)
-allow $1 kernel_t:system syslog_console;
+	requires_block_template(`$0'_depend)
+
+	allow $1 kernel_t:system syslog_console;
 ')
 
 define(`kernel_change_ring_buffer_level_depend',`
-type kernel_t;
-class system syslog_console;
+	type kernel_t;
+
+	class system syslog_console;
 ')
 
 ########################################
@@ -380,13 +426,15 @@ class system syslog_console;
 # kernel_clear_ring_buffer(domain)
 #
 define(`kernel_clear_ring_buffer',`
-requires_block_template(`$0'_depend)
-allow $1 kernel_t:system syslog_mod;
+	requires_block_template(`$0'_depend)
+
+	allow $1 kernel_t:system syslog_mod;
 ')
 
 define(`kernel_clear_ring_buffer_depend',`
-type kernel_t;
-class system syslog_mod;
+	type kernel_t;
+
+	class system syslog_mod;
 ')
 
 ########################################
@@ -394,13 +442,15 @@ class system syslog_mod;
 # kernel_get_sysvipc_info(domain)
 #
 define(`kernel_get_sysvipc_info',`
-requires_block_template(`$0'_depend)
-allow $1 kernel_t:system ipc_info;
+	requires_block_template(`$0'_depend)
+
+	allow $1 kernel_t:system ipc_info;
 ')
 
 define(`kernel_get_sysvipc_info_depend',`
-type kernel_t;
-class system ipc_info;
+	type kernel_t;
+
+	class system ipc_info;
 ')
 
 ########################################
@@ -408,18 +458,20 @@ class system ipc_info;
 # kernel_get_selinuxfs_mount_point(domain)
 #
 define(`kernel_get_selinuxfs_mount_point',`
-requires_block_template(`$0'_depend)
-allow $1 proc_t:dir search;
-allow $1 proc_t:{ file lnk_file } read;
-allow $1 self:dir search;
-allow $1 self:file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	allow $1 proc_t:dir search;
+	allow $1 proc_t:{ file lnk_file } read;
+	allow $1 self:dir search;
+	allow $1 self:file { getattr read };
 ')
 
 define(`kernel_get_selinuxfs_mount_point_depend',`
-type proc_t;
-class dir search;
-class lnk_file read;
-class file { getattr read };
+	type proc_t;
+
+	class dir search;
+	class lnk_file read;
+	class file { getattr read };
 ')
 
 ########################################
@@ -427,17 +479,19 @@ class file { getattr read };
 # kernel_read_system_state(domain)
 #
 define(`kernel_read_system_state',`
-requires_block_template(`$0'_depend)
-allow $1 proc_t:dir r_dir_perms;
-allow $1 proc_t:lnk_file { getattr read };
-allow $1 proc_t:file r_file_perms;
+	requires_block_template(`$0'_depend)
+
+	allow $1 proc_t:dir r_dir_perms;
+	allow $1 proc_t:lnk_file { getattr read };
+	allow $1 proc_t:file r_file_perms;
 ')
 
 define(`kernel_read_system_state_depend',`
-type proc_t;
-class dir r_dir_perms;
-class lnk_file { getattr read };
-class file r_file_perms;
+	type proc_t;
+
+	class dir r_dir_perms;
+	class lnk_file { getattr read };
+	class file r_file_perms;
 ')
 
 ########################################
@@ -445,13 +499,15 @@ class file r_file_perms;
 # kernel_ignore_read_system_state(domain)
 #
 define(`kernel_ignore_read_system_state',`
-requires_block_template(`$0'_depend)
-allow $1 proc_t:file read;
+	requires_block_template(`$0'_depend)
+
+	allow $1 proc_t:file read;
 ')
 
 define(`kernel_ignore_read_system_state_depend',`
-type proc_t;
-class file read;
+	type proc_t;
+
+	class file read;
 ')
 
 #######################################
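Review bot: `kernel_ignore_read_system_state` contains `allow $1 proc_t:file read;`, which grants read access to proc_t files instead of silencing the denial. Every other `kernel_ignore_*` interface in this file uses `dontaudit`. The hunk only re-indents the line, so the grant is carried over unchanged. A domain that calls this interface to suppress audit noise ends up with access it did not ask for. The rule should read `dontaudit $1 proc_t:file read;`.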
@@ -459,15 +515,17 @@ class file read;
 # kernel_read_software_raid_state(domain)
 #
 define(`kernel_read_software_raid_state',`
-requires_block_template(`$0'_depend)
-allow $1 proc_t:dir { getattr search read };
-allow $1 proc_mdstat_t:file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	allow $1 proc_t:dir { getattr search read };
+	allow $1 proc_mdstat_t:file { getattr read };
 ')
 
 define(`kernel_read_software_raid_state_depend',`
-type proc_t, proc_mdstat_t;
-class dir { search getattr read };
-class file { getattr read };
+	type proc_t, proc_mdstat_t;
+
+	class dir { search getattr read };
+	class file { getattr read };
 ')
 
 ########################################
@@ -475,15 +533,17 @@ class file { getattr read };
 # kernel_get_core_interface_attributes(domain)
 #
 define(`kernel_get_core_interface_attributes',`
-requires_block_template(`$0'_depend)
-allow $1 proc_t:dir { getattr search read };
-allow $1 proc_kcore_t:file getattr;
+	requires_block_template(`$0'_depend)
+
+	allow $1 proc_t:dir { getattr search read };
+	allow $1 proc_kcore_t:file getattr;
 ')
 
 define(`kernel_get_core_interface_attributes_depend',`
-type proc_t, proc_kcore_t;
-class dir { search getattr read };
-class file getattr;
+	type proc_t, proc_kcore_t;
+
+	class dir { search getattr read };
+	class file getattr;
 ')
 
 ########################################
@@ -491,13 +551,15 @@ class file getattr;
 # kernel_ignore_get_core_interface_attributes(domain)
 #
 define(`kernel_ignore_get_core_interface_attributes',`
-requires_block_template(`$0'_depend)
-dontaudit $1 proc_kcore_t:file getattr;
+	requires_block_template(`$0'_depend)
+
+	dontaudit $1 proc_kcore_t:file getattr;
 ')
 
 define(`kernel_ignore_get_core_interface_attributes_depend',`
-type proc_kcore_t;
-class file getattr;
+	type proc_kcore_t;
+
+	class file getattr;
 ')
 
 ########################################
@@ -505,17 +567,20 @@ class file getattr;
 # kernel_read_messages(domain)
 #
 define(`kernel_read_messages',`
-requires_block_template(`$0'_depend)
-allow $1 proc_t:dir search;
-allow $1 proc_kmsg_t:file { getattr read };
-typeattribute $1 can_receive_kernel_messages;
+	requires_block_template(`$0'_depend)
+
+	allow $1 proc_t:dir search;
+	allow $1 proc_kmsg_t:file { getattr read };
+	typeattribute $1 can_receive_kernel_messages;
 ')
 
 define(`kernel_read_messages_depend',`
-attribute can_receive_kernel_messages;
-type proc_kmsg_t, proc_t;
-class dir search;
-class file { getattr read };
+	attribute can_receive_kernel_messages;
+
+	type proc_kmsg_t, proc_t;
+
+	class dir search;
+	class file { getattr read };
 ')
 
 ########################################
@@ -523,15 +588,17 @@ class file { getattr read };
 # kernel_get_message_interface_attributes(domain)
 #
 define(`kernel_get_message_interface_attributes',`
-requires_block_template(`$0'_depend)
-allow $1 proc_t:dir search;
-allow $1 proc_kmsg_t:file getattr;
+	requires_block_template(`$0'_depend)
+
+	allow $1 proc_t:dir search;
+	allow $1 proc_kmsg_t:file getattr;
 ')
 
 define(`kernel_get_message_interface_attributes_depend',`
-type proc_kmsg_t, proc_t;
-class dir search;
-class file getattr;
+	type proc_kmsg_t, proc_t;
+
+	class dir search;
+	class file getattr;
 ')
 
 ########################################
@@ -539,13 +606,15 @@ class file getattr;
 # kernel_ignore_get_message_interface_attributes(domain)
 #
 define(`kernel_ignore_get_message_interface_attributes',`
-requires_block_template(`$0'_depend)
-dontaudit $1 proc_kmsg_t:file getattr;
+	requires_block_template(`$0'_depend)
+
+	dontaudit $1 proc_kmsg_t:file getattr;
 ')
 
 define(`kernel_ignore_get_message_interface_attributes_depend',`
-type proc_kmsg_t, proc_t;
-class file getattr;
+	type proc_kmsg_t, proc_t;
+
+	class file getattr;
 ')
 
 ########################################
@@ -553,16 +622,18 @@ class file getattr;
 # kernel_read_network_state(domain)
 #
 define(`kernel_read_network_state',`
-requires_block_template(`$0'_depend)
-allow $1 proc_t:dir search;
-allow $1 proc_net_t:dir { getattr search read };
-allow $1 proc_net_t:file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	allow $1 proc_t:dir search;
+	allow $1 proc_net_t:dir { getattr search read };
+	allow $1 proc_net_t:file { getattr read };
 ')
 
 define(`kernel_read_network_state_depend',`
-type proc_t, proc_net_t;
-class dir { search getattr read };
-class file { getattr read };
+	type proc_t, proc_net_t;
+
+	class dir { search getattr read };
+	class file { getattr read };
 ')
 
 ########################################
@@ -570,13 +641,15 @@ class file { getattr read };
 # kernel_ignore_search_sysctl_dir(domain)
 #
 define(`kernel_ignore_search_sysctl_dir',`
-requires_block_template(`$0'_depend)
-dontaudit $1 sysctl_t:dir search;
+	requires_block_template(`$0'_depend)
+
+	dontaudit $1 sysctl_t:dir search;
 ')
 
 define(`kernel_ignore_search_sysctl_dir_depend',`
-type sysctl_t;
-class dir search;
+	type sysctl_t;
+
+	class dir search;
 ')
 
 ########################################
@@ -584,17 +657,19 @@ class dir search;
 # kernel_read_device_sysctl(domain)
 #
 define(`kernel_read_device_sysctl',`
-requires_block_template(`$0'_depend)
-allow $1 proc_t:dir search;
-allow $1 sysctl_t:dir { getattr search read };
-allow $1 sysctl_dev_t:dir { getattr search read };
-allow $1 sysctl_dev_t:file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	allow $1 proc_t:dir search;
+	allow $1 sysctl_t:dir { getattr search read };
+	allow $1 sysctl_dev_t:dir { getattr search read };
+	allow $1 sysctl_dev_t:file { getattr read };
 ')
 
 define(`kernel_read_device_sysctl_depend',`
-type proc_t, sysctl_t, sysctl_dev_t;
-class dir { search getattr read };
-class file { getattr read };
+	type proc_t, sysctl_t, sysctl_dev_t;
+
+	class dir { search getattr read };
+	class file { getattr read };
 ')
 
 ########################################
@@ -602,16 +677,18 @@ class file { getattr read };
 # kernel_modify_device_sysctl(domain)
 #
 define(`kernel_modify_device_sysctl',`
-requires_block_template(`$0'_depend)
-allow $1 proc_t:dir search;
-allow $1 sysctl_t:dir { getattr search read };
-allow $1 sysctl_dev_t:file { getattr read write };
+	requires_block_template(`$0'_depend)
+
+	allow $1 proc_t:dir search;
+	allow $1 sysctl_t:dir { getattr search read };
+	allow $1 sysctl_dev_t:file { getattr read write };
 ')
 
 define(`kernel_modify_device_sysctl_depend',`
-type proc_t, sysctl_t, sysctl_dev_t;
-class dir { search getattr read };
-class file { getattr read write };
+	type proc_t, sysctl_t, sysctl_dev_t;
+
+	class dir { search getattr read };
+	class file { getattr read write };
 ')
 
 ########################################
@@ -619,16 +696,18 @@ class file { getattr read write };
 # kernel_read_virtual_memory_sysctl(domain)
 #
 define(`kernel_read_virtual_memory_sysctl',`
-requires_block_template(`$0'_depend)
-allow $1 proc_t:dir search;
-allow $1 sysctl_t:dir { getattr search read };
-allow $1 sysctl_vm_t:file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	allow $1 proc_t:dir search;
+	allow $1 sysctl_t:dir { getattr search read };
+	allow $1 sysctl_vm_t:file { getattr read };
 ')
 
 define(`kernel_read_virtual_memory_sysctl_depend',`
-type proc_t, sysctl_t, sysctl_vm_t;
-class dir { search getattr read };
-class file { getattr read };
+	type proc_t, sysctl_t, sysctl_vm_t;
+
+	class dir { search getattr read };
+	class file { getattr read };
 ')
 
 ########################################
@@ -636,16 +715,18 @@ class file { getattr read };
 # kernel_modify_virtual_memory_sysctl(domain)
 #
 define(`kernel_modify_virtual_memory_sysctl',`
-requires_block_template(`$0'_depend)
-allow $1 proc_t:dir search;
-allow $1 sysctl_t:dir { getattr search read };
-allow $1 sysctl_vm_t:file { getattr read write };
+	requires_block_template(`$0'_depend)
+
+	allow $1 proc_t:dir search;
+	allow $1 sysctl_t:dir { getattr search read };
+	allow $1 sysctl_vm_t:file { getattr read write };
 ')
 
 define(`kernel_modify_virtual_memory_sysctl_depend',`
-type proc_t, sysctl_t, sysctl_vm_t;
-class dir { search getattr read };
-class file { getattr read write };
+	type proc_t, sysctl_t, sysctl_vm_t;
+
+	class dir { search getattr read };
+	class file { getattr read write };
 ')
 
 ########################################
@@ -653,13 +734,15 @@ class file { getattr read write };
 # kernel_ignore_search_network_sysctl_dir(domain)
 #
 define(`kernel_ignore_search_network_sysctl_dir',`
-requires_block_template(`$0'_depend)
-dontaudit $1 sysctl_net_t:dir search;
+	requires_block_template(`$0'_depend)
+
+	dontaudit $1 sysctl_net_t:dir search;
 ')
 
 define(`kernel_ignore_search_network_sysctl_dir_depend',`
-type sysctl_net_t;
-class dir search;
+	type sysctl_net_t;
+
+	class dir search;
 ')
 
 ########################################
@@ -667,17 +750,19 @@ class dir search;
 # kernel_read_network_sysctl(domain)
 #
 define(`kernel_read_network_sysctl',`
-requires_block_template(`$0'_depend)
-allow $1 proc_t:dir search;
-allow $1 sysctl_t:dir { getattr search read };
-allow $1 sysctl_net_t:dir { getattr search read };
-allow $1 sysctl_net_t:file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	allow $1 proc_t:dir search;
+	allow $1 sysctl_t:dir { getattr search read };
+	allow $1 sysctl_net_t:dir { getattr search read };
+	allow $1 sysctl_net_t:file { getattr read };
 ')
 
 define(`kernel_read_network_sysctl_depend',`
-type proc_t, sysctl_t, sysctl_net_t;
-class dir { search getattr read };
-class file { getattr read };
+	type proc_t, sysctl_t, sysctl_net_t;
+
+	class dir { search getattr read };
+	class file { getattr read };
 ')
 
 ########################################
@@ -685,17 +770,19 @@ class file { getattr read };
 # kernel_modify_network_sysctl(domain)
 #
 define(`kernel_modify_network_sysctl',`
-requires_block_template(`$0'_depend)
-allow $1 proc_t:dir search;
-allow $1 sysctl_t:dir { getattr search read };
-allow $1 sysctl_net_t:dir { getattr search read };
-allow $1 sysctl_net_t:file { getattr read write };
+	requires_block_template(`$0'_depend)
+
+	allow $1 proc_t:dir search;
+	allow $1 sysctl_t:dir { getattr search read };
+	allow $1 sysctl_net_t:dir { getattr search read };
+	allow $1 sysctl_net_t:file { getattr read write };
 ')
 
 define(`kernel_modify_network_sysctl_depend',`
-type proc_t, sysctl_t, sysctl_net_t;
-class dir { search getattr read };
-class file { getattr read write };
+	type proc_t, sysctl_t, sysctl_net_t;
+
+	class dir { search getattr read };
+	class file { getattr read write };
 ')
 
 ########################################
@@ -703,17 +790,19 @@ class file { getattr read write };
 # kernel_read_unix_sysctl(domain)
 #
 define(`kernel_read_unix_sysctl',`
-requires_block_template(`$0'_depend)
-allow $1 proc_t:dir search;
-allow $1 sysctl_t:dir { getattr search read };
-allow $1 sysctl_net_t:dir { getattr search read };
-allow $1 sysctl_net_unix_t:file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	allow $1 proc_t:dir search;
+	allow $1 sysctl_t:dir { getattr search read };
+	allow $1 sysctl_net_t:dir { getattr search read };
+	allow $1 sysctl_net_unix_t:file { getattr read };
 ')
 
 define(`kernel_read_net_sysctl_depend',`
-type proc_t, sysctl_t, sysctl_net_t, sysctl_net_unix_t;
-class dir { search getattr read };
-class file { getattr read };
+	type proc_t, sysctl_t, sysctl_net_t, sysctl_net_unix_t;
+
+	class dir { search getattr read };
+	class file { getattr read };
 ')
 
 ########################################
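Review bot: The dependency macro that follows `kernel_read_unix_sysctl` is still defined under the name `kernel_read_net_sysctl_depend`, while the interface passes its own name plus `_depend` to `requires_block_template`, i.e. `kernel_read_unix_sysctl_depend`. Since this hunk already rewrites the body of that define, rename it to `kernel_read_unix_sysctl_depend` so the type and class declarations are actually picked up. The next hunk has the same mismatch: `kernel_modify_unix_sysctl` is paired with `kernel_modify_net_sysctl_depend`. How an undefined `_depend` name is treated depends on `requires_block_template`, which is not visible here, so confirm whether the result is a build error or silently missing declarations.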
@@ -721,17 +810,19 @@ class file { getattr read };
 # kernel_modify_unix_sysctl(domain)
 #
 define(`kernel_modify_unix_sysctl',`
-requires_block_template(`$0'_depend)
-allow $1 proc_t:dir search;
-allow $1 sysctl_t:dir { getattr search read };
-allow $1 sysctl_net_t:dir { getattr search read };
-allow $1 sysctl_net_unix_t:file { getattr read write };
+	requires_block_template(`$0'_depend)
+
+	allow $1 proc_t:dir search;
+	allow $1 sysctl_t:dir { getattr search read };
+	allow $1 sysctl_net_t:dir { getattr search read };
+	allow $1 sysctl_net_unix_t:file { getattr read write };
 ')
 
 define(`kernel_modify_net_sysctl_depend',`
-type proc_t, sysctl_t, sysctl_net_t, sysctl_net_unix_t;
-class dir { search getattr read };
-class file { getattr read write };
+	type proc_t, sysctl_t, sysctl_net_t, sysctl_net_unix_t;
+
+	class dir { search getattr read };
+	class file { getattr read write };
 ')
 
 ########################################
@@ -739,17 +830,19 @@ class file { getattr read write };
 # kernel_read_hotplug_sysctl(domain)
 #
 define(`kernel_read_hotplug_sysctl',`
-requires_block_template(`$0'_depend)
-allow $1 proc_t:dir search;
-allow $1 sysctl_t:dir { getattr search read };
-allow $1 sysctl_kernel_t:dir { getattr search read };
-allow $1 sysctl_hotplug_t:file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	allow $1 proc_t:dir search;
+	allow $1 sysctl_t:dir { getattr search read };
+	allow $1 sysctl_kernel_t:dir { getattr search read };
+	allow $1 sysctl_hotplug_t:file { getattr read };
 ')
 
 define(`kernel_read_hotplug_sysctl_depend',`
-type proc_t, sysctl_t, sysctl_kernel_t, sysctl_hotplug_t;
-class dir { search getattr read };
-class file { getattr read };
+	type proc_t, sysctl_t, sysctl_kernel_t, sysctl_hotplug_t;
+
+	class dir { search getattr read };
+	class file { getattr read };
 ')
 
 ########################################
@@ -757,17 +850,19 @@ class file { getattr read };
 # kernel_modify_hotplug_sysctl(domain)
 #
 define(`kernel_modify_hotplug_sysctl',`
-requires_block_template(`$0'_depend)
-allow $1 proc_t:dir search;
-allow $1 sysctl_t:dir { getattr search read };
-allow $1 sysctl_kernel_t:dir { getattr search read };
-allow $1 sysctl_hotplug_t:file { getattr read write };
+	requires_block_template(`$0'_depend)
+
+	allow $1 proc_t:dir search;
+	allow $1 sysctl_t:dir { getattr search read };
+	allow $1 sysctl_kernel_t:dir { getattr search read };
+	allow $1 sysctl_hotplug_t:file { getattr read write };
 ')
 
 define(`kernel_modify_hotplug_sysctl_depend',`
-type proc_t, sysctl_t, sysctl_kernel_t, sysctl_hotplug_t;
-class dir { search getattr read };
-class file { getattr read write };
+	type proc_t, sysctl_t, sysctl_kernel_t, sysctl_hotplug_t;
+
+	class dir { search getattr read };
+	class file { getattr read write };
 ')
 
 ########################################
@@ -775,17 +870,19 @@ class file { getattr read write };
 # kernel_read_modprobe_sysctl(domain)
 #
 define(`kernel_read_modprobe_sysctl',`
-requires_block_template(`$0'_depend)
-allow $1 proc_t:dir search;
-allow $1 sysctl_t:dir { getattr search read };
-allow $1 sysctl_kernel_t:dir { getattr search read };
-allow $1 sysctl_modprobe_t:file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	allow $1 proc_t:dir search;
+	allow $1 sysctl_t:dir { getattr search read };
+	allow $1 sysctl_kernel_t:dir { getattr search read };
+	allow $1 sysctl_modprobe_t:file { getattr read };
 ')
 
 define(`kernel_read_modprobe_sysctl_depend',`
-type proc_t, sysctl_t, sysctl_kernel_t, sysctl_modprobe_t;
-class dir { search getattr read };
-class file { getattr read };
+	type proc_t, sysctl_t, sysctl_kernel_t, sysctl_modprobe_t;
+
+	class dir { search getattr read };
+	class file { getattr read };
 ')
 
 ########################################
@@ -793,17 +890,19 @@ class file { getattr read };
 # kernel_modify_modprobe_sysctl(domain)
 #
 define(`kernel_modify_modprobe_sysctl',`
-requires_block_template(`$0'_depend)
-allow $1 proc_t:dir search;
-allow $1 sysctl_t:dir { getattr search read };
-allow $1 sysctl_kernel_t:dir { getattr search read };
-allow $1 sysctl_modprobe_t:file { getattr read  write };
+	requires_block_template(`$0'_depend)
+
+	allow $1 proc_t:dir search;
+	allow $1 sysctl_t:dir { getattr search read };
+	allow $1 sysctl_kernel_t:dir { getattr search read };
+	allow $1 sysctl_modprobe_t:file { getattr read  write };
 ')
 
 define(`kernel_modify_modprobe_sysctl_depend',`
-type proc_t, sysctl_t, sysctl_kernel_t, sysctl_modprobe_t;
-class dir { search getattr read };
-class file { getattr read write };
+	type proc_t, sysctl_t, sysctl_kernel_t, sysctl_modprobe_t;
+
+	class dir { search getattr read };
+	class file { getattr read write };
 ')
 
 ########################################
@@ -811,17 +910,19 @@ class file { getattr read write };
 # kernel_read_kernel_sysctl(domain)
 #
 define(`kernel_read_kernel_sysctl',`
-requires_block_template(`$0'_depend)
-allow $1 proc_t:dir search;
-allow $1 sysctl_t:dir { getattr search read };
-allow $1 sysctl_kernel_t:dir { getattr search read };
-allow $1 sysctl_kernel_t:file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	allow $1 proc_t:dir search;
+	allow $1 sysctl_t:dir { getattr search read };
+	allow $1 sysctl_kernel_t:dir { getattr search read };
+	allow $1 sysctl_kernel_t:file { getattr read };
 ')
 
 define(`kernel_read_kernel_sysctl_depend',`
-type proc_t, sysctl_t, sysctl_kernel_t;
-class dir { search getattr read };
-class file { getattr read };
+	type proc_t, sysctl_t, sysctl_kernel_t;
+
+	class dir { search getattr read };
+	class file { getattr read };
 ')
 
 ########################################
@@ -829,17 +930,19 @@ class file { getattr read };
 # kernel_modify_kernel_sysctl(domain)
 #
 define(`kernel_modify_kernel_sysctl',`
-requires_block_template(`$0'_depend)
-allow $1 proc_t:dir search;
-allow $1 sysctl_t:dir { getattr search read };
-allow $1 sysctl_kernel_t:dir { getattr search read };
-allow $1 sysctl_kernel_t:file { getattr read write };
+	requires_block_template(`$0'_depend)
+
+	allow $1 proc_t:dir search;
+	allow $1 sysctl_t:dir { getattr search read };
+	allow $1 sysctl_kernel_t:dir { getattr search read };
+	allow $1 sysctl_kernel_t:file { getattr read write };
 ')
 
 define(`kernel_modify_kernel_sysctl_depend',`
-type proc_t, sysctl_t, sysctl_kernel_t;
-class dir { search getattr read };
-class file { getattr read write };
+	type proc_t, sysctl_t, sysctl_kernel_t;
+
+	class dir { search getattr read };
+	class file { getattr read write };
 ')
 
 ########################################
@@ -847,17 +950,19 @@ class file { getattr read write };
 # kernel_read_filesystem_sysctl(domain)
 #
 define(`kernel_read_filesystem_sysctl',`
-requires_block_template(`$0'_depend)
-allow $1 proc_t:dir search;
-allow $1 sysctl_t:dir { getattr search read };
-allow $1 sysctl_fs_t:dir { getattr search read };
-allow $1 sysctl_fs_t:file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	allow $1 proc_t:dir search;
+	allow $1 sysctl_t:dir { getattr search read };
+	allow $1 sysctl_fs_t:dir { getattr search read };
+	allow $1 sysctl_fs_t:file { getattr read };
 ')
 
 define(`kernel_read_filesystem_sysctl_depend',`
-type proc_t, sysctl_t, sysctl_fs_t;
-class dir { search getattr read };
-class file { getattr read };
+	type proc_t, sysctl_t, sysctl_fs_t;
+
+	class dir { search getattr read };
+	class file { getattr read };
 ')
 
 ########################################
@@ -865,17 +970,19 @@ class file { getattr read };
 # kernel_modify_filesystem_sysctl(domain)
 #
 define(`kernel_modify_filesystem_sysctl',`
-requires_block_template(`$0'_depend)
-allow $1 proc_t:dir search;
-allow $1 sysctl_t:dir { getattr search read };
-allow $1 sysctl_fs_t:dir { getattr search read };
-allow $1 sysctl_fs_t:file { getattr read write };
+	requires_block_template(`$0'_depend)
+
+	allow $1 proc_t:dir search;
+	allow $1 sysctl_t:dir { getattr search read };
+	allow $1 sysctl_fs_t:dir { getattr search read };
+	allow $1 sysctl_fs_t:file { getattr read write };
 ')
 
 define(`kernel_modify_filesystem_sysctl_depend',`
-type proc_t, sysctl_t, sysctl_fs_t;
-class dir { search getattr read };
-class file { getattr read write };
+	type proc_t, sysctl_t, sysctl_fs_t;
+
+	class dir { search getattr read };
+	class file { getattr read write };
 ')
 
 ########################################
@@ -883,16 +990,18 @@ class file { getattr read write };
 # kernel_read_irq_sysctl(domain)
 #
 define(`kernel_read_irq_sysctl',`
-requires_block_template(`$0'_depend)
-allow $1 proc_t:dir search;
-allow $1 sysctl_irq_t:dir { getattr search read };
-allow $1 sysctl_irq_t:file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	allow $1 proc_t:dir search;
+	allow $1 sysctl_irq_t:dir { getattr search read };
+	allow $1 sysctl_irq_t:file { getattr read };
 ')
 
 define(`kernel_read_irq_sysctl_depend',`
-type proc_t, sysctl_irq_t;
-class dir { search getattr read };
-class file { getattr read };
+	type proc_t, sysctl_irq_t;
+
+	class dir { search getattr read };
+	class file { getattr read };
 ')
 
 ########################################
@@ -900,16 +1009,18 @@ class file { getattr read };
 # kernel_modify_irq_sysctl(domain)
 #
 define(`kernel_modify_irq_sysctl',`
-requires_block_template(`$0'_depend)
-allow $1 proc_t:dir search;
-allow $1 sysctl_irq_t:dir { getattr search read };
-allow $1 sysctl_irq_t:file { getattr read write };
+	requires_block_template(`$0'_depend)
+
+	allow $1 proc_t:dir search;
+	allow $1 sysctl_irq_t:dir { getattr search read };
+	allow $1 sysctl_irq_t:file { getattr read write };
 ')
 
 define(`kernel_modify_irq_sysctl_depend',`
-type proc_t, sysctl_irq_t;
-class dir { search getattr read };
-class file { getattr read write };
+	type proc_t, sysctl_irq_t;
+
+	class dir { search getattr read };
+	class file { getattr read write };
 ')
 
 ########################################
@@ -917,17 +1028,19 @@ class file { getattr read write };
 # kernel_read_rpc_sysctl(domain)
 #
 define(`kernel_read_rpc_sysctl',`
-requires_block_template(`$0'_depend)
-allow $1 proc_t:dir search;
-allow $1 proc_net_t:dir search;
-allow $1 sysctl_rpc_t:dir { getattr search read };
-allow $1 sysctl_rpc_t:file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	allow $1 proc_t:dir search;
+	allow $1 proc_net_t:dir search;
+	allow $1 sysctl_rpc_t:dir { getattr search read };
+	allow $1 sysctl_rpc_t:file { getattr read };
 ')
 
 define(`kernel_read_rpc_sysctl_depend',`
-type proc_t, proc_net_t, sysctl_rpc_t;
-class dir { search getattr read };
-class file { getattr read };
+	type proc_t, proc_net_t, sysctl_rpc_t;
+
+	class dir { search getattr read };
+	class file { getattr read };
 ')
 
 ########################################
@@ -935,17 +1048,19 @@ class file { getattr read };
 # kernel_modify_rpc_sysctl(domain)
 #
 define(`kernel_modify_rpc_sysctl',`
-requires_block_template(`$0'_depend)
-allow $1 proc_t:dir search;
-allow $1 proc_net_t:dir search;
-allow $1 sysctl_rpc_t:dir { getattr search read };
-allow $1 sysctl_rpc_t:file { getattr read write };
+	requires_block_template(`$0'_depend)
+
+	allow $1 proc_t:dir search;
+	allow $1 proc_net_t:dir search;
+	allow $1 sysctl_rpc_t:dir { getattr search read };
+	allow $1 sysctl_rpc_t:file { getattr read write };
 ')
 
 define(`kernel_modify_rpc_sysctl_depend',`
-type proc_t, proc_net_t, sysctl_rpc_t;
-class dir { search getattr read };
-class file { getattr read write };
+	type proc_t, proc_net_t, sysctl_rpc_t;
+
+	class dir { search getattr read };
+	class file { getattr read write };
 ')
 
 ########################################
@@ -953,30 +1068,16 @@ class file { getattr read write };
 # kernel_read_all_sysctl(domain)
 #
 define(`kernel_read_all_sysctl',`
-requires_block_template(`$0'_depend)
-kernel_read_device_sysctl($1,optional)
-kernel_read_virtual_memory_sysctl($1,optional)
-kernel_read_network_sysctl($1,optional)
-kernel_read_unix_sysctl($1,optional)
-kernel_read_hotplug_sysctl($1,optional)
-kernel_read_modprobe_sysctl($1,optional)
-kernel_read_kernel_sysctl($1,optional)
-kernel_read_filesystem_sysctl($1,optional)
-kernel_read_irq_sysctl($1,optional)
-kernel_read_rpc_sysctl($1,optional)
-')
-
-define(`kernel_read_all_sysctl_depend',`
-kernel_read_device_sysctl_depend
-kernel_read_virtual_memory_sysctl_depend
-kernel_read_network_sysctl_depend
-kernel_read_unix_sysctl_depend
-kernel_read_hotplug_sysctl_depend
-kernel_read_modprobe_sysctl_depend
-kernel_read_kernel_sysctl_depend
-kernel_read_filesystem_sysctl_depend
-kernel_read_irq_sysctl_depend
-kernel_read_rpc_sysctl_depend
+	kernel_read_device_sysctl($1)
+	kernel_read_virtual_memory_sysctl($1)
+	kernel_read_network_sysctl($1)
+	kernel_read_unix_sysctl($1)
+	kernel_read_hotplug_sysctl($1)
+	kernel_read_modprobe_sysctl($1)
+	kernel_read_kernel_sysctl($1)
+	kernel_read_filesystem_sysctl($1)
+	kernel_read_irq_sysctl($1)
+	kernel_read_rpc_sysctl($1)
 ')
 
 ########################################
@@ -984,16 +1085,16 @@ kernel_read_rpc_sysctl_depend
 # kernel_modify_all_sysctl(domain)
 #
 define(`kernel_modify_all_sysctl',`
-kernel_modify_device_sysctl($1)
-kernel_modify_virtual_memory_sysctl($1)
-kernel_modify_network_sysctl($1)
-kernel_modify_unix_sysctl($1)
-kernel_modify_hotplug_sysctl($1)
-kernel_modify_modprobe_sysctl($1)
-kernel_modify_kernel_sysctl($1)
-kernel_modify_filesystem_sysctl($1)
-kernel_modify_irq_sysctl($1)
-kernel_modify_rpc_sysctl($1)
+	kernel_modify_device_sysctl($1)
+	kernel_modify_virtual_memory_sysctl($1)
+	kernel_modify_network_sysctl($1)
+	kernel_modify_unix_sysctl($1)
+	kernel_modify_hotplug_sysctl($1)
+	kernel_modify_modprobe_sysctl($1)
+	kernel_modify_kernel_sysctl($1)
+	kernel_modify_filesystem_sysctl($1)
+	kernel_modify_irq_sysctl($1)
+	kernel_modify_rpc_sysctl($1)
 ')
 
 ########################################
@@ -1008,13 +1109,15 @@ kernel_modify_rpc_sysctl($1)
 ## </interface>
 #
 define(`kernel_search_hardware_state_dir',`
-requires_block_template(`$0'_depend)
-allow $1 sysfs_t:dir search;
+	requires_block_template(`$0'_depend)
+
+	allow $1 sysfs_t:dir search;
 ')
 
 define(`kernel_search_hardware_state_dir_depend',`
-type sysfs_t;
-class dir search;
+	type sysfs_t;
+
+	class dir search;
 ')
 
 ########################################
@@ -1022,16 +1125,18 @@ class dir search;
 # kernel_read_hardware_state(domain)
 #
 define(`kernel_read_hardware_state',`
-requires_block_template(`$0'_depend)
-allow $1 sysfs_t:dir { getattr search read };
-allow $1 sysfs_t:{ file lnk_file } { getattr read };
+	requires_block_template(`$0'_depend)
+
+	allow $1 sysfs_t:dir { getattr search read };
+	allow $1 sysfs_t:{ file lnk_file } { getattr read };
 ')
 
 define(`kernel_read_hardware_state_depend',`
-type sysfs_t;
-class dir { getattr search read };
-class file { getattr read };
-class lnk_file { getattr read };
+	type sysfs_t;
+
+	class dir { getattr search read };
+	class file { getattr read };
+	class lnk_file { getattr read };
 ')
 
 ########################################
@@ -1039,17 +1144,19 @@ class lnk_file { getattr read };
 # kernel_modify_hardware_config_option(domain)
 #
 define(`kernel_modify_hardware_config_option',`
-requires_block_template(`$0'_depend)
-allow $1 sysfs_t:dir { getattr search read };
-allow $1 sysfs_t:lnk_file { getattr read };
-allow $1 sysfs_t:file { getattr read write };
+	requires_block_template(`$0'_depend)
+
+	allow $1 sysfs_t:dir { getattr search read };
+	allow $1 sysfs_t:lnk_file { getattr read };
+	allow $1 sysfs_t:file { getattr read write };
 ')
 
 define(`kernel_modify_hardware_config_option_depend',`
-type sysfs_t;
-class dir { getattr search read };
-class file { getattr read write };
-class lnk_file { getattr read };
+	type sysfs_t;
+
+	class dir { getattr search read };
+	class file { getattr read write };
+	class lnk_file { getattr read };
 ')
 
 ########################################
@@ -1064,13 +1171,15 @@ class lnk_file { getattr read };
 ## </interface>
 #
 define(`kernel_kill_unlabeled_process',`
-requires_block_template(`$0'_depend)
-allow $1 unlabeled_t:process sigkill;
+	requires_block_template(`$0'_depend)
+
+	allow $1 unlabeled_t:process sigkill;
 ')
 
 define(`kernel_kill_unlabeled_process_depend',`
-type unlabeled_t;
-class process sigkill;
+	type unlabeled_t;
+
+	class process sigkill;
 ')
 
 ########################################
@@ -1085,13 +1194,15 @@ class process sigkill;
 ## </interface>
 #
 define(`kernel_signal_unlabeled_process',`
-requires_block_template(`$0'_depend)
-allow $1 unlabeled_t:process signal;
+	requires_block_template(`$0'_depend)
+
+	allow $1 unlabeled_t:process signal;
 ')
 
 define(`kernel_signal_unlabeled_process_depend',`
-type unlabeled_t;
-class process signal;
+	type unlabeled_t;
+
+	class process signal;
 ')
 
 ########################################
@@ -1106,13 +1217,15 @@ class process signal;
 ## </interface>
 #
 define(`kernel_signull_unlabeled_process',`
-requires_block_template(`$0'_depend)
-allow $1 unlabeled_t:process signull;
+	requires_block_template(`$0'_depend)
+
+	allow $1 unlabeled_t:process signull;
 ')
 
 define(`kernel_signull_unlabeled_process_depend',`
-type unlabeled_t;
-class process signull;
+	type unlabeled_t;
+
+	class process signull;
 ')
 
 ########################################
@@ -1127,13 +1240,15 @@ class process signull;
 ## </interface>
 #
 define(`kernel_sigstop_unlabeled_process',`
-requires_block_template(`$0'_depend)
-allow $1 unlabeled_t:process sigstop;
+	requires_block_template(`$0'_depend)
+
+	allow $1 unlabeled_t:process sigstop;
 ')
 
 define(`kernel_sigstop_unlabeled_process_depend',`
-type unlabeled_t;
-class process sigstop;
+	type unlabeled_t;
+
+	class process sigstop;
 ')
 
 ########################################
@@ -1148,13 +1263,15 @@ class process sigstop;
 ## </interface>
 #
 define(`kernel_sigchld_unlabeled_process',`
-requires_block_template(`$0'_depend)
-allow $1 unlabeled_t:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 unlabeled_t:process sigchld;
 ')
 
 define(`kernel_sigchld_unlabeled_process_depend',`
-type unlabeled_t;
-class process sigchld;
+	type unlabeled_t;
+
+	class process sigchld;
 ')
 
 ########################################
@@ -1162,13 +1279,15 @@ class process sigchld;
 # kernel_ignore_get_unlabeled_block_device_attributes(domain)
 #
 define(`kernel_ignore_get_unlabeled_block_device_attributes',`
-requires_block_template(`$0'_depend)
-allow $1 unlabeled_t:blk_file getattr;
+	requires_block_template(`$0'_depend)
+
+	allow $1 unlabeled_t:blk_file getattr;
 ')
 
 define(`kernel_ignore_get_unlabeled_block_device_attributes_depend',`
-type unlabeled_t;
-class process getattr;
+	type unlabeled_t;
+
+	class process getattr;
 ')
 
 ########################################
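Review bot: `kernel_ignore_get_unlabeled_block_device_attributes` is named like a dontaudit interface, yet the re-indented rule is still `allow $1 unlabeled_t:blk_file getattr;`, which grants the access instead of suppressing the audit message. The other `kernel_ignore_*` interfaces in this file (for example `kernel_ignore_search_sysctl_dir`) use `dontaudit`, so if the name reflects the intent the line should be `dontaudit $1 unlabeled_t:blk_file getattr;`. The depend macro also declares `class process getattr;` although the rule is on `blk_file`; it should read `class blk_file getattr;`. Both lines are carried over with only their indentation changed, so this formatting pass is a natural place to correct them.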
@@ -1176,19 +1295,21 @@ class process getattr;
 # kernel_relabel_unlabeled_object(domain)
 #
 define(`kernel_relabel_unlabeled_object',`
-requires_block_template(`$0'_depend)
-allow $1 unlabeled_t:{ dir file lnk_file fifo_file sock_file chr_file blk_file } { getattr relabelfrom };
+	requires_block_template(`$0'_depend)
+
+	allow $1 unlabeled_t:{ dir file lnk_file fifo_file sock_file chr_file blk_file } { getattr relabelfrom };
 ')
 
 define(`kernel_relabel_unlabeled_object_depend',`
-type unlabeled_t;
-class dir { getattr relabelfrom };
-class file { getattr relabelfrom };
-class lnk_file { getattr relabelfrom };
-class fifo_file { getattr relabelfrom };
-class sock_file { getattr relabelfrom };
-class chr_file { getattr relabelfrom };
-class blk_file { getattr relabelfrom };
+	type unlabeled_t;
+
+	class dir { getattr relabelfrom };
+	class file { getattr relabelfrom };
+	class lnk_file { getattr relabelfrom };
+	class fifo_file { getattr relabelfrom };
+	class sock_file { getattr relabelfrom };
+	class chr_file { getattr relabelfrom };
+	class blk_file { getattr relabelfrom };
 ')
 
 ########################################
@@ -1203,13 +1324,15 @@ class blk_file { getattr relabelfrom };
 ## </interface>
 #
 define(`kernel_search_usb_hardware_state_dir',`
-requires_block_template(`$0'_depend)
-allow $1 usbfs_t:dir search;
+	requires_block_template(`$0'_depend)
+
+	allow $1 usbfs_t:dir search;
 ')
 
 define(`kernel_search_usb_hardware_state_dir_depend',`
-type usbfs_t;
-class dir search;
+	type usbfs_t;
+
+	class dir search;
 ')
 
 ########################################
@@ -1217,17 +1340,19 @@ class dir search;
 # kernel_list_usb_hardware(domain)
 #
 define(`kernel_list_usb_hardware',`
-requires_block_template(`$0'_depend)
-allow $1 usbfs_t:dir { getattr search read };
-allow $1 usbfs_t:lnk_file { getattr read };
-allow $1 usbfs_t:file getattr;
+	requires_block_template(`$0'_depend)
+
+	allow $1 usbfs_t:dir { getattr search read };
+	allow $1 usbfs_t:lnk_file { getattr read };
+	allow $1 usbfs_t:file getattr;
 ')
 
 define(`kernel_list_usb_hardware_depend',`
-type usbfs_t;
-class dir { getattr search read };
-class file getattr;
-class lnk_file { getattr read };
+	type usbfs_t;
+
+	class dir { getattr search read };
+	class file getattr;
+	class lnk_file { getattr read };
 ')
 
 ########################################
@@ -1243,16 +1368,18 @@ class lnk_file { getattr read };
 ## </interface>
 #
 define(`kernel_read_usb_hardware_state',`
-requires_block_template(`$0'_depend)
-allow $1 usbfs_t:dir { getattr search read };
-allow $1 usbfs_t:{ file lnk_file } { getattr read };
+	requires_block_template(`$0'_depend)
+
+	allow $1 usbfs_t:dir { getattr search read };
+	allow $1 usbfs_t:{ file lnk_file } { getattr read };
 ')
 
 define(`kernel_read_usb_hardware_state_depend',`
-type usbfs_t;
-class dir { getattr search read };
-class file { getattr read };
-class lnk_file { getattr read };
+	type usbfs_t;
+
+	class dir { getattr search read };
+	class file { getattr read };
+	class lnk_file { getattr read };
 ')
 
 ########################################
@@ -1260,17 +1387,19 @@ class lnk_file { getattr read };
 # kernel_modify_usb_hardware_config_option(domain)
 #
 define(`kernel_modify_usb_hardware_config_option',`
-requires_block_template(`$0'_depend)
-allow $1 usbfs_t:dir { getattr search read };
-allow $1 usbfs_t:lnk_file { getattr read };
-allow $1 usbfs_t:file { getattr read write };
+	requires_block_template(`$0'_depend)
+
+	allow $1 usbfs_t:dir { getattr search read };
+	allow $1 usbfs_t:lnk_file { getattr read };
+	allow $1 usbfs_t:file { getattr read write };
 ')
 
 define(`kernel_modify_usb_hardware_config_option_depend',`
-type usbfs_t;
-class dir { getattr search read };
-class file { getattr read write };
-class lnk_file { getattr read };
+	type usbfs_t;
+
+	class dir { getattr search read };
+	class file { getattr read write };
+	class lnk_file { getattr read };
 ')
 
 ###################################################################
@@ -1287,13 +1416,15 @@ class lnk_file { getattr read };
 # kernel_sigchld_from(domain)
 #
 define(`kernel_sigchld_from',`
-requires_block_template(`$0'_depend)
-allow kernel_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow kernel_t $1:process sigchld;
 ')
 
 define(`kernel_sigchld_from_depend',`
-type kernel_t;
-class process sigchld;
+	type kernel_t;
+
+	class process sigchld;
 ')
 
 ########################################
@@ -1301,13 +1432,15 @@ class process sigchld;
 # kernel_unlabeled_sigchld_from(domain)
 #
 define(`kernel_unlabeled_sigchld_from',`
-requires_block_template(`$0'_depend)
-allow unlabeled_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow unlabeled_t $1:process sigchld;
 ')
 
 define(`kernel_unlabeled_sigchld_from_depend',`
-type unlabeled_t;
-class process sigchld;
+	type unlabeled_t;
+
+	class process sigchld;
 ')
 
 ########################################
@@ -1315,13 +1448,15 @@ class process sigchld;
 # kernel_read_directory_from(domain)
 #
 define(`kernel_read_directory_from',`
-requires_block_template(`$0'_depend)
-allow kernel_t $1:dir { getattr search read };
+	requires_block_template(`$0'_depend)
+
+	allow kernel_t $1:dir { getattr search read };
 ')
 
 define(`kernel_read_directory_from_depend',`
-type kernel_t;
-class dir { getattr search read };
+	type kernel_t;
+
+	class dir { getattr search read };
 ')
 
 ## </module>
diff --git a/refpolicy/policy/modules/kernel/storage.if b/refpolicy/policy/modules/kernel/storage.if
index 808229859..6b057d334 100644
--- a/refpolicy/policy/modules/kernel/storage.if
+++ b/refpolicy/policy/modules/kernel/storage.if
@@ -14,14 +14,16 @@
 ## </interface>
 #
 define(`storage_get_fixed_disk_attributes',`
-requires_block_template(`$0'_depend)
-devices_list_device_nodes($1)
-allow $1 fixed_disk_device_t:blk_file getattr;
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 fixed_disk_device_t:blk_file getattr;
 ')
 
 define(`storage_get_fixed_disk_attributes_depend',`
-type fixed_disk_device_t;
-class blk_file getattr;
+	type fixed_disk_device_t;
+
+	class blk_file getattr;
 ')
 
 ########################################
@@ -37,13 +39,15 @@ class blk_file getattr;
 ## </interface>
 #
 define(`storage_ignore_get_fixed_disk_attributes',`
-requires_block_template(`$0'_depend)
-dontaudit $1 fixed_disk_device_t:blk_file getattr;
+	requires_block_template(`$0'_depend)
+
+	dontaudit $1 fixed_disk_device_t:blk_file getattr;
 ')
 
 define(`storage_ignore_get_fixed_disk_attributes_depend',`
-type fixed_disk_device_t;
-class blk_file getattr;
+	type fixed_disk_device_t;
+
+	class blk_file getattr;
 ')
 
 ########################################
@@ -59,14 +63,16 @@ class blk_file getattr;
 ## </interface>
 #
 define(`storage_set_fixed_disk_attributes',`
-requires_block_template(`$0'_depend)
-devices_list_device_nodes($1)
-allow $1 fixed_disk_device_t:blk_file setattr;
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 fixed_disk_device_t:blk_file setattr;
 ')
 
 define(`storage_set_fixed_disk_attributes_depend',`
-type fixed_disk_device_t;
-class blk_file setattr;
+	type fixed_disk_device_t;
+
+	class blk_file setattr;
 ')
 
 ########################################
@@ -84,16 +90,19 @@ class blk_file setattr;
 ## </interface>
 #
 define(`storage_raw_read_fixed_disk',`
-requires_block_template(`$0'_depend)
-typeattribute $1 fixed_disk_raw_read;
-devices_list_device_nodes($1)
-allow $1 fixed_disk_device_t:blk_file { getattr read ioctl };
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 fixed_disk_device_t:blk_file r_file_perms;
+	typeattribute $1 fixed_disk_raw_read;
 ')
 
 define(`storage_raw_read_fixed_disk_depend',`
-type fixed_disk_device_t;
-attribute fixed_disk_raw_read;
-class blk_file { getattr read ioctl };
+	attribute fixed_disk_raw_read;
+
+	type fixed_disk_device_t;
+
+	class blk_file r_file_perms;
 ')
 
 ########################################
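Review bot: Replacing `{ getattr read ioctl }` with `r_file_perms` in `storage_raw_read_fixed_disk` is only a pure reformat if the macro expands to exactly those three permissions; its definition is not part of this diff, and in the usual policy support macros it also carries `lock`. Raw read of fixed disks is a sensitive grant, so either keep the explicit set, `allow $1 fixed_disk_device_t:blk_file { getattr read ioctl };`, or say in the interface comment that the wider set is intended. The same substitution appears in storage_raw_read_lvm_volume, storage_read_scsi_generic, storage_raw_read_removable_device and storage_read_tape_device.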
@@ -111,16 +120,19 @@ class blk_file { getattr read ioctl };
 ## </interface>
 #
 define(`storage_raw_write_fixed_disk',`
-requires_block_template(`$0'_depend)
-typeattribute $1 fixed_disk_raw_write;
-devices_list_device_nodes($1)
-allow $1 fixed_disk_device_t:blk_file { getattr write ioctl };
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 fixed_disk_device_t:blk_file { getattr write ioctl };
+	typeattribute $1 fixed_disk_raw_write;
 ')
 
 define(`storage_raw_write_fixed_disk_depend',`
-type fixed_disk_device_t;
-attribute fixed_disk_raw_write;
-class blk_file { getattr write ioctl };
+	attribute fixed_disk_raw_write;
+
+	type fixed_disk_device_t;
+
+	class blk_file { getattr write ioctl };
 ')
 
 ########################################
@@ -135,12 +147,17 @@ class blk_file { getattr write ioctl };
 ## </interface>
 #
 define(`storage_create_fixed_disk_dev_entry',`
-requires_block_template(`$0'_depend)
-devices_create_dev_entry($1,fixed_disk_device_t,blk_file)
+	requires_block_template(`$0'_depend)
+
+	allow $1 fixed_disk_device_t:blk_file create_file_perms;
+	devices_create_dev_entry($1,fixed_disk_device_t,blk_file)
+	typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
 ')
 
 define(`storage_create_fixed_disk_dev_entry_depend',`
-type fixed_disk_device_t;
+	type fixed_disk_device_t;
+
+	class blk_file create_file_perms;
 ')
 
 ########################################
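Review bot: `storage_create_fixed_disk_dev_entry` now assigns `fixed_disk_raw_read` and `fixed_disk_raw_write`, but `storage_create_fixed_disk_dev_entry_depend` declares neither attribute; `storage_manage_fixed_disk_depend` in the same file does, so add `attribute fixed_disk_raw_read, fixed_disk_raw_write;` here as well. The added `allow $1 fixed_disk_device_t:blk_file create_file_perms;` also gives callers of an interface named for creating a device entry the same blk_file permissions as `storage_manage_fixed_disk`. If that is intended, the interface comment (which starts outside this hunk) should state it; otherwise domains that only need to create the node gain raw read and write on fixed disks.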
@@ -155,17 +172,19 @@ type fixed_disk_device_t;
 ## </interface>
 #
 define(`storage_manage_fixed_disk',`
-requires_block_template(`$0'_depend)
-devices_list_device_nodes($1)
-allow $1 fixed_disk_device_t:blk_file { create ioctl read getattr lock write setattr append link unlink rename };
-typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 fixed_disk_device_t:blk_file create_file_perms;
+	typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
 ')
 
 define(`storage_manage_fixed_disk_depend',`
-attribute fixed_disk_raw_read;
-attribute fixed_disk_raw_write;
-type fixed_disk_device_t;
-class blk_file { create ioctl read getattr lock write setattr append link unlink rename };
+	attribute fixed_disk_raw_read, fixed_disk_raw_write;
+
+	type fixed_disk_device_t;
+
+	class blk_file create_file_perms;
 ')
 
 ########################################
@@ -183,16 +202,19 @@ class blk_file { create ioctl read getattr lock write setattr append link unlink
 ## </interface>
 #
 define(`storage_raw_read_lvm_volume',`
-requires_block_template(`$0'_depend)
-typeattribute $1 fixed_disk_raw_read;
-devices_list_device_nodes($1)
-allow $1 lvm_vg_t:blk_file { getattr read ioctl };
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 lvm_vg_t:blk_file r_file_perms;
+	typeattribute $1 fixed_disk_raw_read;
 ')
 
 define(`storage_raw_read_lvm_volume_depend',`
-type lvm_vg_t;
-attribute fixed_disk_raw_read;
-class blk_file { getattr read ioctl };
+	attribute fixed_disk_raw_read;
+
+	type lvm_vg_t;
+
+	class blk_file r_file_perms;
 ')
 
 ########################################
@@ -210,16 +232,19 @@ class blk_file { getattr read ioctl };
 ## </interface>
 #
 define(`storage_raw_write_lvm_volume',`
-requires_block_template(`$0'_depend)
-typeattribute $1 fixed_disk_raw_write;
-devices_list_device_nodes($1)
-allow $1 lvm_vg_t:blk_file { getattr write ioctl };
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 lvm_vg_t:blk_file { getattr write ioctl };
+	typeattribute $1 fixed_disk_raw_write;
 ')
 
 define(`storage_raw_write_lvm_volume_depend',`
-type lvm_vg_t;
-attribute fixed_disk_raw_write;
-class blk_file { getattr write ioctl };
+	attribute fixed_disk_raw_write;
+
+	type lvm_vg_t;
+
+	class blk_file { getattr write ioctl };
 ')
 
 ########################################
@@ -238,16 +263,19 @@ class blk_file { getattr write ioctl };
 ## </interface>
 #
 define(`storage_read_scsi_generic',`
-requires_block_template(`$0'_depend)
-typeattribute $1 scsi_generic_read;
-devices_list_device_nodes($1)
-allow $1 scsi_generic_device_t:blk_file { getattr read ioctl };
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 scsi_generic_device_t:blk_file r_file_perms;
+	typeattribute $1 scsi_generic_read;
 ')
 
 define(`storage_read_scsi_generic_depend',`
-type scsi_generic_device_t;
-attribute scsi_generic_read;
-class blk_file { getattr read ioctl };
+	attribute scsi_generic_read;
+
+	type scsi_generic_device_t;
+
+	class blk_file r_file_perms;
 ')
 
 ########################################
@@ -266,16 +294,19 @@ class blk_file { getattr read ioctl };
 ## </interface>
 #
 define(`storage_write_scsi_generic',`
-requires_block_template(`$0'_depend)
-typeattribute $1 scsi_generic_write;
-devices_list_device_nodes($1)
-allow $1 scsi_generic_device_t:blk_file { getattr write ioctl };
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 scsi_generic_device_t:blk_file { getattr write ioctl };
+	typeattribute $1 scsi_generic_write;
 ')
 
 define(`storage_write_scsi_generic_depend',`
-type scsi_generic_device_t;
-attribute scsi_generic_write;
-class blk_file { getattr write ioctl };
+	attribute scsi_generic_write;
+
+	type scsi_generic_device_t;
+
+	class blk_file { getattr write ioctl };
 ')
 
 ########################################
@@ -283,14 +314,16 @@ class blk_file { getattr write ioctl };
 # storage_get_scsi_generic_attributes(domain)
 #
 define(`storage_get_scsi_generic_attributes',`
-requires_block_template(`$0'_depend)
-devices_list_device_nodes($1)
-allow $1 scsi_generic_device_t:blk_file getattr;
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 scsi_generic_device_t:blk_file getattr;
 ')
 
 define(`storage_get_scsi_generic_attributes_depend',`
-type scsi_generic_device_t;
-class blk_file getattr;
+	type scsi_generic_device_t;
+
+	class blk_file getattr;
 ')
 
 ########################################
@@ -298,14 +331,16 @@ class blk_file getattr;
 # storage_set_scsi_generic_attributes(domain)
 #
 define(`storage_set_scsi_generic_attributes',`
-requires_block_template(`$0'_depend)
-devices_list_device_nodes($1)
-allow $1 scsi_generic_device_t:blk_file setattr;
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 scsi_generic_device_t:blk_file setattr;
 ')
 
 define(`storage_set_scsi_generic_attributes_depend',`
-type scsi_generic_device_t;
-class blk_file setattr;
+	type scsi_generic_device_t;
+
+	class blk_file setattr;
 ')
 
 ########################################
@@ -321,14 +356,16 @@ class blk_file setattr;
 ## </interface>
 #
 define(`storage_get_removable_device_attributes',`
-requires_block_template(`$0'_depend)
-devices_list_device_nodes($1)
-allow $1 removable_device_t:blk_file getattr;
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 removable_device_t:blk_file getattr;
 ')
 
 define(`storage_get_removable_device_attributes_depend',`
-type removable_device_t;
-class blk_file getattr;
+	type removable_device_t;
+
+	class blk_file getattr;
 ')
 
 ########################################
@@ -344,13 +381,15 @@ class blk_file getattr;
 ## </interface>
 #
 define(`storage_ignore_get_removable_device_attributes',`
-requires_block_template(`$0'_depend)
-dontaudit $1 removable_device_t:blk_file getattr;
+	requires_block_template(`$0'_depend)
+
+	dontaudit $1 removable_device_t:blk_file getattr;
 ')
 
 define(`storage_ignore_get_removable_device_attributes_depend',`
-type removable_device_t;
-class blk_file getattr;
+	type removable_device_t;
+
+	class blk_file getattr;
 ')
 
 ########################################
@@ -358,14 +397,16 @@ class blk_file getattr;
 # storage_set_removable_device_attributes(domain)
 #
 define(`storage_set_removable_device_attributes',`
-requires_block_template(`$0'_depend)
-devices_list_device_nodes($1)
-allow $1 removable_device_t:blk_file setattr;
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 removable_device_t:blk_file setattr;
 ')
 
 define(`storage_set_removable_device_attributes_depend',`
-type removable_device_t;
-class blk_file setattr;
+	type removable_device_t;
+
+	class blk_file setattr;
 ')
 
 ########################################
@@ -373,14 +414,16 @@ class blk_file setattr;
 # storage_raw_read_removable_device(domain)
 #
 define(`storage_raw_read_removable_device',`
-requires_block_template(`$0'_depend)
-devices_list_device_nodes($1)
-allow $1 removable_device_t:blk_file { getattr read ioctl };
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 removable_device_t:blk_file r_file_perms;
 ')
 
 define(`storage_raw_read_removable_device_depend',`
-type removable_device_t;
-class blk_file { getattr read ioctl };
+	type removable_device_t;
+
+	class blk_file r_file_perms;
 ')
 
 ########################################
@@ -388,14 +431,16 @@ class blk_file { getattr read ioctl };
 # storage_raw_write_removable_device(domain)
 #
 define(`storage_raw_write_removable_device',`
-requires_block_template(`$0'_depend)
-devices_list_device_nodes($1)
-allow $1 removable_device_t:blk_file { getattr write ioctl };
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 removable_device_t:blk_file { getattr write ioctl };
 ')
 
 define(`storage_raw_write_removable_device_depend',`
-type removable_device_t;
-class blk_file { getattr write ioctl };
+	type removable_device_t;
+
+	class blk_file { getattr write ioctl };
 ')
 
 ########################################
@@ -403,14 +448,16 @@ class blk_file { getattr write ioctl };
 # storage_read_tape_device(domain)
 #
 define(`storage_read_tape_device',`
-requires_block_template(`$0'_depend)
-devices_list_device_nodes($1)
-allow $1 tape_device_t:blk_file { getattr read ioctl };
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 tape_device_t:blk_file r_file_perms;
 ')
 
 define(`storage_read_tape_device_depend',`
-type tape_device_t;
-class blk_file { getattr read ioctl };
+	type tape_device_t;
+
+	class blk_file r_file_perms;
 ')
 
 ########################################
@@ -418,14 +465,16 @@ class blk_file { getattr read ioctl };
 # storage_write_tape_device(domain)
 #
 define(`storage_write_tape_device',`
-requires_block_template(`$0'_depend)
-devices_list_device_nodes($1)
-allow $1 tape_device_t:blk_file { getattr write ioctl };
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 tape_device_t:blk_file { getattr write ioctl };
 ')
 
 define(`storage_write_tape_device_depend',`
-type tape_device_t;
-class blk_file { getattr write ioctl };
+	type tape_device_t;
+
+	class blk_file { getattr write ioctl };
 ')
 
 ########################################
@@ -433,14 +482,16 @@ class blk_file { getattr write ioctl };
 # storage_get_tape_device_attributes(domain)
 #
 define(`storage_get_tape_device_attributes',`
-requires_block_template(`$0'_depend)
-devices_list_device_nodes($1)
-allow $1 tape_device_t:blk_file getattr;
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 tape_device_t:blk_file getattr;
 ')
 
 define(`storage_get_tape_device_attributes_depend',`
-type tape_device_t;
-class blk_file getattr;
+	type tape_device_t;
+
+	class blk_file getattr;
 ')
 
 ########################################
@@ -448,14 +499,15 @@ class blk_file getattr;
 # storage_set_tape_device_attributes(domain)
 #
 define(`storage_set_tape_device_attributes',`
-requires_block_template(`$0'_depend)
-devices_list_device_nodes($1)
-allow $1 tape_device_t:blk_file setattr;
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 tape_device_t:blk_file setattr;
 ')
 
 define(`storage_set_tape_device_attributes_depend',`
-type tape_device_t;
-class blk_file setattr;
+	type tape_device_t;
+	class blk_file setattr;
 ')
 
 ## </module>
diff --git a/refpolicy/policy/modules/kernel/terminal.if b/refpolicy/policy/modules/kernel/terminal.if
index 4f59fa783..535416b94 100644
--- a/refpolicy/policy/modules/kernel/terminal.if
+++ b/refpolicy/policy/modules/kernel/terminal.if
@@ -6,15 +6,18 @@
 # terminal_make_pseudoterminal(type)
 #
 define(`terminal_make_pseudoterminal',`
-requires_block_template(`$0'_depend)
-allow $1 devpts_t:filesystem associate;
-typeattribute $1 ptynode;
+	requires_block_template(`$0'_depend)
+
+	allow $1 devpts_t:filesystem associate;
+	typeattribute $1 ptynode;
 ')
 
 define(`terminal_make_pseudoterminal_depend',`
-attribute ptynode;
-type devpts_t;
-class filesystem associate;
+	attribute ptynode;
+
+	type devpts_t;
+
+	class filesystem associate;
 ')
 
 ########################################
@@ -22,13 +25,14 @@ class filesystem associate;
 # terminal_make_user_pseudoterminal(domain,type)
 #
 define(`terminal_make_user_pseudoterminal',`
-requires_block_template(`$0'_depend)
-terminal_make_pseudoterminal($1)
-type_change $1 server_ptynode:chr_file $2;
+	requires_block_template(`$0'_depend)
+
+	terminal_make_pseudoterminal($1)
+	type_change $1 server_ptynode:chr_file $2;
 ')
 
 define(`terminal_make_user_pseudoterminal_depend',`
-attribute server_ptynode;
+	attribute server_ptynode;
 ')
 
 ########################################
@@ -36,13 +40,14 @@ attribute server_ptynode;
 # terminal_make_service_pseudoterminal(type)
 #
 define(`terminal_make_service_pseudoterminal',`
-requires_block_template(`$0'_depend)
-terminal_make_pseudoterminal($1)
-typeattribute $1 server_ptynode;
+	requires_block_template(`$0'_depend)
+
+	terminal_make_pseudoterminal($1)
+	typeattribute $1 server_ptynode;
 ')
 
 define(`terminal_make_service_pseudoterminal_depend',`
-attribute server_ptynode;
+	attribute server_ptynode;
 ')
 
 ########################################
@@ -50,22 +55,26 @@ attribute server_ptynode;
 # terminal_make_physical_terminal(domain,type)
 #
 define(`terminal_make_physical_terminal',`
-requires_block_template(`$0'_depend)
-typeattribute $2 ttynode;
-type_change $1 tty_device_t:chr_file $2;
-# Debian login is from shadow utils and does not allow resetting the perms.
-# have to fix this!
-tunable_policy(`distro_debian',`
-type_change $1 ttyfile:chr_file $2;
-')
-tunable_policy(`distro_redhat',`
-filesystem_tmpfs_associate($2)
-')
+	requires_block_template(`$0'_depend)
+
+	typeattribute $2 ttynode;
+	type_change $1 tty_device_t:chr_file $2;
+
+	# Debian login is from shadow utils and does not allow resetting the perms.
+	# have to fix this!
+	tunable_policy(`distro_debian',`
+		type_change $1 ttyfile:chr_file $2;
+	')
+
+	tunable_policy(`distro_redhat',`
+		filesystem_tmpfs_associate($2)
+	')
 ')
 
 define(`terminal_make_physical_terminal_depend',`
-attribute ttynode;
-type tty_device_t;
+	attribute ttynode;
+
+	type tty_device_t;
 ')
 
 ########################################
@@ -73,20 +82,22 @@ type tty_device_t;
 # terminal_create_private_pseudoterminal(domain,ptytype)
 #
 define(`terminal_create_private_pseudoterminal',`
-requires_block_template(`$0'_depend)
-devices_list_device_nodes($1)
-allow $1 ptmx_t:chr_file { getattr read write };
-allow $1 devpts_t:dir { getattr search read };
-allow $1 devpts_t:filesystem getattr;
-dontaudit $1 bsdpty_device_t:chr_file { getattr read write };
-type_transition $1 devpts_t:chr_file $2;
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 ptmx_t:chr_file { getattr read write };
+	allow $1 devpts_t:dir r_dir_perms;
+	allow $1 devpts_t:filesystem getattr;
+	dontaudit $1 bsdpty_device_t:chr_file { getattr read write };
+	type_transition $1 devpts_t:chr_file $2;
 ')
 
 define(`terminal_create_pseudoterminal_depend',`
-type ptmx_t, devpts_t;
-class filesystem getattr;
-class dir { getattr search read };
-class chr_file { getattr read write };
+	type ptmx_t, devpts_t;
+
+	class filesystem getattr;
+	class dir r_dir_perms;
+	class chr_file { getattr read write };
 ')
 
 ########################################
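Review bot: The dependency block in this hunk is defined as `terminal_create_pseudoterminal_depend`, while the interface is `terminal_create_private_pseudoterminal` and requests `$0'_depend`, which presumably expands to `terminal_create_private_pseudoterminal_depend`; the re-indent leaves that mismatch in place, so the define should be renamed to match. The block also omits `bsdpty_device_t`, which the `dontaudit` rule references, so `type ptmx_t, devpts_t, bsdpty_device_t;` would match the rules. Separately, `r_dir_perms` replaces `{ getattr search read }` on `devpts_t:dir` here and in terminal_list_pseudoterminals, terminal_get_all_private_pseudoterminal_attributes and terminal_use_all_private_pseudoterminals; if the macro carries additional permissions, that is a widening rather than a reformat and should be called out in the commit message.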
@@ -94,17 +105,20 @@ class chr_file { getattr read write };
 # terminal_use_all_terminals(domain)
 #
 define(`terminal_use_all_terminals',`
-requires_block_template(`$0'_depend)
-devices_list_device_nodes($1)
-allow $1 devpts_t:dir r_dir_perms;
-allow $1 { console_device_t tty_device_t ttynode ptynode }:chr_file rw_file_perms;
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 devpts_t:dir r_dir_perms;
+	allow $1 { console_device_t tty_device_t ttynode ptynode }:chr_file rw_file_perms;
 ')
 
 define(`terminal_use_all_terminals_depend',`
-attribute ttynode, ptynode;
-type console_device_t, devpts_t, tty_device_t;
-class dir r_dir_perms;
-class chr_file rw_file_perms;
+	attribute ttynode, ptynode;
+
+	type console_device_t, devpts_t, tty_device_t;
+
+	class dir r_dir_perms;
+	class chr_file rw_file_perms;
 ')
 
 ########################################
@@ -142,14 +156,16 @@ define(`terminal_use_console_depend',`
 ## </interface>
 #
 define(`terminal_use_console',`
-requires_block_template(`$0'_depend)
-devices_list_device_nodes($1)
-allow $1 console_device_t:chr_file rw_file_perms;
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 console_device_t:chr_file rw_file_perms;
 ')
 
 define(`terminal_use_console_depend',`
-type console_device_t;
-class chr_file rw_file_perms;
+	type console_device_t;
+
+	class chr_file rw_file_perms;
 ')
 
 ########################################
@@ -164,13 +180,15 @@ class chr_file rw_file_perms;
 ## </interface>
 #
 define(`terminal_ignore_use_console',`
-requires_block_template(`$0'_depend)
-dontaudit $1 console_device_t:chr_file { read write };
+	requires_block_template(`$0'_depend)
+
+	dontaudit $1 console_device_t:chr_file { read write };
 ')
 
 define(`terminal_ignore_use_console_depend',`
-type console_device_t;
-class chr_file { read write };
+	type console_device_t;
+
+	class chr_file { read write };
 ')
 
 ########################################
@@ -178,15 +196,16 @@ class chr_file { read write };
 # terminal_set_console_attributes(domain)
 #
 define(`terminal_set_console_attributes',`
-requires_block_template(`$0'_depend)
-devices_list_device_nodes($1,optional)
-allow $1 console_device_t:chr_file setattr;
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 console_device_t:chr_file setattr;
 ')
 
 define(`terminal_set_console_attributes_depend',`
-type console_device_t;
-class chr_file setattr;
-devices_list_device_nodes_depend
+	type console_device_t;
+
+	class chr_file setattr;
 ')
 
 ########################################
@@ -194,15 +213,16 @@ devices_list_device_nodes_depend
 # terminal_list_pseudoterminals(domain)
 #
 define(`terminal_list_pseudoterminals',`
-requires_block_template(`$0'_depend)
-devices_list_device_nodes($1)
-allow $1 devpts_t:dir { getattr search read };
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 devpts_t:dir r_dir_perms;
 ')
 
 define(`terminal_list_pseudoterminals_depend',`
-type devpts_t;
-class dir { getattr search read };
-devices_list_device_nodes_depend
+	type devpts_t;
+
+	class dir r_dir_perms;
 ')
 
 ########################################
@@ -210,13 +230,15 @@ devices_list_device_nodes_depend
 # terminal_ignore_list_pseudoterminals(domain)
 #
 define(`terminal_ignore_list_pseudoterminals',`
-requires_block_template(`$0'_depend)
-dontaudit $1 devpts_t:dir { getattr search read };
+	requires_block_template(`$0'_depend)
+
+	dontaudit $1 devpts_t:dir { getattr search read };
 ')
 
 define(`terminal_ignore_list_pseudoterminals_depend',`
-type devpts_t;
-class dir { getattr search read };
+	type devpts_t;
+
+	class dir { getattr search read };
 ')
 
 ########################################
@@ -224,14 +246,16 @@ class dir { getattr search read };
 # terminal_use_general_pseudoterminal(domain)
 #
 define(`terminal_use_general_pseudoterminal',`
-requires_block_template(`$0'_depend)
-devices_list_device_nodes($1)
-allow $1 devpts_t:chr_file { read write };
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 devpts_t:chr_file { read write };
 ')
 
 define(`terminal_use_general_pseudoterminal_depend',`
-type devpts_t;
-class chr_file { read write };
+	type devpts_t;
+
+	class chr_file { read write };
 ')
 
 ########################################
@@ -239,13 +263,15 @@ class chr_file { read write };
 # terminal_ignore_use_general_pseudoterminal(domain)
 #
 define(`terminal_ignore_use_general_pseudoterminal',`
-requires_block_template(`$0'_depend)
-dontaudit $1 devpts_t:chr_file { read write };
+	requires_block_template(`$0'_depend)
+
+	dontaudit $1 devpts_t:chr_file { read write };
 ')
 
 define(`terminal_ignore_use_general_pseudoterminal_depend',`
-type devpts_t;
-class chr_file { read write };
+	type devpts_t;
+
+	class chr_file { read write };
 ')
 
 ########################################
@@ -253,14 +279,16 @@ class chr_file { read write };
 # terminal_use_controlling_terminal(domain)
 #
 define(`terminal_use_controlling_terminal',`
-requires_block_template(`$0'_depend)
-devices_list_device_nodes($1)
-allow $1 devtty_t:chr_file { getattr read write ioctl };
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 devtty_t:chr_file { getattr read write ioctl };
 ')
 
 define(`terminal_use_controlling_terminal_depend',`
-type devtty_t;
-class chr_file { getattr read write ioctl };
+	type devtty_t;
+
+	class chr_file { getattr read write ioctl };
 ')
 
 ########################################
@@ -268,13 +296,15 @@ class chr_file { getattr read write ioctl };
 # terminal_ignore_use_pseudoterminal_multiplexer(domain)
 #
 define(`terminal_ignore_use_pseudoterminal_multiplexer',`
-requires_block_template(`$0'_depend)
-dontaudit $1 ptmx_t:chr_file { getattr read write };
+	requires_block_template(`$0'_depend)
+
+	dontaudit $1 ptmx_t:chr_file { getattr read write };
 ')
 
 define(`terminal_ignore_use_pseudoterminal_multiplexer_depend',`
-type ptmx_t;
-class chr_file { getattr read write };
+	type ptmx_t;
+
+	class chr_file { getattr read write };
 ')
 
 ########################################
@@ -282,16 +312,18 @@ class chr_file { getattr read write };
 # terminal_get_all_private_pseudoterminal_attributes(domain)
 #
 define(`terminal_get_all_private_pseudoterminal_attributes',`
-requires_block_template(`$0'_depend)
-devices_list_device_nodes($1)
-allow $1 devpts_t:dir { getattr search read };
-allow $1 ptynode:chr_file getattr;
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 devpts_t:dir r_dir_perms;
+	allow $1 ptynode:chr_file getattr;
 ')
 
 define(`terminal_get_all_private_pseudoterminal_attributes_depend',`
-attribute ptynode;
-class dir { getattr search read };
-class chr_file getattr;
+	attribute ptynode;
+
+	class dir r_dir_perms;
+	class chr_file getattr;
 ')
 
 ########################################
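Review bot: `terminal_get_all_private_pseudoterminal_attributes_depend` declares only `attribute ptynode`, yet the interface grants access to `devpts_t:dir`; add `type devpts_t;` to the block, as `terminal_list_pseudoterminals_depend` does. `terminal_use_all_private_pseudoterminals_depend` in the next hunk has the same gap. Keeping the dependency blocks in step with the rules makes a missing type surface as a requirement on these interfaces rather than somewhere else in the policy.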
@@ -299,16 +331,18 @@ class chr_file getattr;
 # terminal_use_all_private_pseudoterminals(domain)
 #
 define(`terminal_use_all_private_pseudoterminals',`
-requires_block_template(`$0'_depend)
-devices_list_device_nodes($1)
-allow $1 devpts_t:dir { getattr read search };
-allow $1 ptynode:chr_file { getattr read write ioctl };
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 devpts_t:dir r_dir_perms;
+	allow $1 ptynode:chr_file { getattr read write ioctl };
 ')
 
 define(`terminal_use_all_private_pseudoterminals_depend',`
-attribute ptynode;
-class dir { getattr search read };
-class chr_file { getattr read write ioctl };
+	attribute ptynode;
+
+	class dir r_dir_perms;
+	class chr_file { getattr read write ioctl };
 ')
 
 ########################################
@@ -316,13 +350,15 @@ class chr_file { getattr read write ioctl };
 # terminal_ignore_use_all_private_pseudoterminals(domain)
 #
 define(`terminal_ignore_use_all_private_pseudoterminals',`
-requires_block_template(`$0'_depend)
-dontaudit $1 ptynode:chr_file { read write };
+	requires_block_template(`$0'_depend)
+
+	dontaudit $1 ptynode:chr_file { read write };
 ')
 
 define(`terminal_ignore_use_all_private_pseudoterminals_depend',`
-attribute ptynode;
-class chr_file { read write };
+	attribute ptynode;
+
+	class chr_file { read write };
 ')
 
 ########################################
@@ -330,14 +366,16 @@ class chr_file { read write };
 # terminal_get_general_physical_terminal_attributes(domain)
 #
 define(`terminal_get_general_physical_terminal_attributes',`
-requires_block_template(`$0'_depend)
-devices_list_device_nodes($1)
-allow $1 tty_device_t:chr_file getattr;
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 tty_device_t:chr_file getattr;
 ')
 
 define(`terminal_get_general_physical_terminal_attributes_depend',`
-type tty_device_t;
-class chr_file getattr;
+	type tty_device_t;
+
+	class chr_file getattr;
 ')
 
 ########################################
@@ -345,14 +383,16 @@ class chr_file getattr;
 # terminal_set_general_physical_terminal_attributes(domain)
 #
 define(`terminal_set_general_physical_terminal_attributes',`
-requires_block_template(`$0'_depend)
-devices_list_device_nodes($1)
-allow $1 tty_device_t:chr_file setattr;
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 tty_device_t:chr_file setattr;
 ')
 
 define(`terminal_set_general_physical_terminal_attributes_depend',`
-type tty_device_t;
-class chr_file setattr;
+	type tty_device_t;
+
+	class chr_file setattr;
 ')
 
 ########################################
@@ -360,14 +400,16 @@ class chr_file setattr;
 # terminal_relabel_general_physical_terminal(domain)
 #
 define(`terminal_relabel_general_physical_terminal',`
-requires_block_template(`$0'_depend)
-devices_list_device_nodes($1)
-allow $1 tty_device_t:chr_file { relabelfrom relabelto };
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 tty_device_t:chr_file { relabelfrom relabelto };
 ')
 
 define(`terminal_relabel_general_physical_terminal_depend',`
-type tty_device_t;
-class chr_file { relabelfrom relabelto };
+	type tty_device_t;
+
+	class chr_file { relabelfrom relabelto };
 ')
 
 ########################################
@@ -375,16 +417,18 @@ class chr_file { relabelfrom relabelto };
 # terminal_reset_physical_terminal_labels(domain)
 #
 define(`terminal_reset_physical_terminal_labels',`
-requires_block_template(`$0'_depend)
-devices_list_device_nodes($1)
-allow $1 ttynode:chr_file relabelfrom;
-allow $1 tty_device_t:chr_file relabelto;
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 ttynode:chr_file relabelfrom;
+	allow $1 tty_device_t:chr_file relabelto;
 ')
 
 define(`terminal_reset_physical_terminal_labels_depend',`
-attribute ttynode;
-type tty_device_t;
-class chr_file { relabelfrom relabelto };
+	attribute ttynode;
+
+	type tty_device_t;
+	class chr_file { relabelfrom relabelto };
 ')
 
 ########################################
@@ -400,14 +444,16 @@ class chr_file { relabelfrom relabelto };
 ## </interface>
 #
 define(`terminal_write_general_physical_terminal',`
-requires_block_template(`$0'_depend)
-devices_list_device_nodes($1)
-allow $1 tty_device_t:chr_file { getattr write };
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 tty_device_t:chr_file { getattr write };
 ')
 
 define(`terminal_write_general_physical_terminal_depend',`
-type tty_device_t;
-class chr_file { read write };
+	type tty_device_t;
+
+	class chr_file { getattr write };
 ')
 
 ########################################
@@ -415,14 +461,16 @@ class chr_file { read write };
 # terminal_use_general_physical_terminal(domain)
 #
 define(`terminal_use_general_physical_terminal',`
-requires_block_template(`$0'_depend)
-devices_list_device_nodes($1)
-allow $1 tty_device_t:chr_file { getattr read write ioctl };
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 tty_device_t:chr_file { getattr read write ioctl };
 ')
 
 define(`terminal_use_general_physical_terminal_depend',`
-type tty_device_t;
-class chr_file { getattr read write ioctl };
+	type tty_device_t;
+
+	class chr_file { getattr read write ioctl };
 ')
 
 ########################################
@@ -430,13 +478,15 @@ class chr_file { getattr read write ioctl };
 # terminal_ignore_use_general_physical_terminal(domain)
 #
 define(`terminal_ignore_use_general_physical_terminal',`
-requires_block_template(`$0'_depend)
-dontaudit $1 tty_device_t:chr_file { read write };
+	requires_block_template(`$0'_depend)
+
+	dontaudit $1 tty_device_t:chr_file { read write };
 ')
 
 define(`terminal_ignore_use_general_physical_terminal_depend',`
-type tty_device_t;
-class chr_file { read write };
+	type tty_device_t;
+
+	class chr_file { read write };
 ')
 
 ########################################
@@ -444,14 +494,16 @@ class chr_file { read write };
 # terminal_get_all_private_physical_terminal_attributes(domain)
 #
 define(`terminal_get_all_private_physical_terminal_attributes',`
-requires_block_template(`$0'_depend)
-devices_list_device_nodes($1)
-allow $1 ttynode:chr_file getattr;
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 ttynode:chr_file getattr;
 ')
 
 define(`terminal_get_all_private_physical_terminal_attributes_depend',`
-attribute ttynode;
-class chr_file getattr;
+	attribute ttynode;
+
+	class chr_file getattr;
 ')
 
 ########################################
@@ -459,14 +511,16 @@ class chr_file getattr;
 # terminal_set_all_private_physical_terminal_attributes(domain)
 #
 define(`terminal_set_all_private_physical_terminal_attributes',`
-requires_block_template(`$0'_depend)
-devices_list_device_nodes($1)
-allow $1 ttynode:chr_file setattr;
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 ttynode:chr_file setattr;
 ')
 
 define(`terminal_set_all_private_physical_terminal_attributes_depend',`
-attribute ttynode;
-class chr_file setattr;
+	attribute ttynode;
+
+	class chr_file setattr;
 ')
 
 ########################################
@@ -474,13 +528,15 @@ class chr_file setattr;
 # terminal_ignore_get_all_private_physical_terminal_attributes(domain)
 #
 define(`terminal_ignore_get_all_private_physical_terminal_attributes',`
-requires_block_template(`$0'_depend)
-dontaudit $1 ttynode:chr_file getattr;
+	requires_block_template(`$0'_depend)
+
+	dontaudit $1 ttynode:chr_file getattr;
 ')
 
 define(`terminal_ignore_get_all_private_physical_terminal_attributes_depend',`
-attribute ttynode;
-class chr_file getattr;
+	attribute ttynode;
+
+	class chr_file getattr;
 ')
 
 ########################################
@@ -488,14 +544,16 @@ class chr_file getattr;
 # terminal_relabel_all_private_physical_terminals(domain)
 #
 define(`terminal_relabel_all_private_physical_terminals',`
-requires_block_template(`$0'_depend)
-devices_list_device_nodes($1)
-allow $1 ttynode:chr_file { relabelfrom relabelto };
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 ttynode:chr_file { relabelfrom relabelto };
 ')
 
 define(`terminal_relabel_all_private_physical_terminals_depend',`
-attribute ttynode;
-class chr_file { relabelfrom relabelto };
+	attribute ttynode;
+
+	class chr_file { relabelfrom relabelto };
 ')
 
 ########################################
@@ -511,14 +569,16 @@ class chr_file { relabelfrom relabelto };
 ## </interface>
 #
 define(`terminal_write_all_private_physical_terminals',`
-requires_block_template(`$0'_depend)
-devices_list_device_nodes($1)
-allow $1 ttynode:chr_file { getattr write };
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 ttynode:chr_file { getattr write };
 ')
 
 define(`terminal_write_all_private_physical_terminals_depend',`
-attribute ttynode;
-class chr_file { getattr write };
+	attribute ttynode;
+
+	class chr_file { getattr write };
 ')
 
 ########################################
@@ -526,14 +586,16 @@ class chr_file { getattr write };
 # terminal_use_all_private_physical_terminals(domain)
 #
 define(`terminal_use_all_private_physical_terminals',`
-requires_block_template(`$0'_depend)
-devices_list_device_nodes($1)
-allow $1 ttynode:chr_file { getattr read write ioctl };
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 ttynode:chr_file { getattr read write ioctl };
 ')
 
 define(`terminal_use_all_private_physical_terminals_depend',`
-attribute ttynode;
-class chr_file { getattr read write ioctl };
+	attribute ttynode;
+
+	class chr_file { getattr read write ioctl };
 ')
 
 ########################################
@@ -541,13 +603,15 @@ class chr_file { getattr read write ioctl };
 # terminal_ignore_use_all_private_physical_terminals(domain)
 #
 define(`terminal_ignore_use_all_private_physical_terminals',`
-requires_block_template(`$0'_depend)
-dontaudit $1 ttynode:chr_file { read write };
+	requires_block_template(`$0'_depend)
+
+	dontaudit $1 ttynode:chr_file { read write };
 ')
 
 define(`terminal_ignore_use_all_private_physical_terminals_depend',`
-attribute ttynode;
-class chr_file { read write };
+	attribute ttynode;
+
+	class chr_file { read write };
 ')
 
 ## </module>
diff --git a/refpolicy/policy/modules/services/cron.if b/refpolicy/policy/modules/services/cron.if
index 37e17e564..157d94db5 100644
--- a/refpolicy/policy/modules/services/cron.if
+++ b/refpolicy/policy/modules/services/cron.if
@@ -6,215 +6,210 @@
 
 define(`cron_per_userdomain_template',`
 
-# Type of user crontabs once moved to cron spool.
-type $1_cron_spool_t;
-files_make_file($1_cron_spool_t)
+	# Type of user crontabs once moved to cron spool.
+	type $1_cron_spool_t;
+	files_make_file($1_cron_spool_t)
 
-type $1_crond_t; # user_crond_domain;
-domain_make_domain($1_crond_t);
-corecommands_make_shell_entrypoint($1_crond_t)
-role $1_r types $1_crond_t;
+	type $1_crond_t; # user_crond_domain;
+	domain_make_domain($1_crond_t);
+	corecommands_make_shell_entrypoint($1_crond_t)
+	role $1_r types $1_crond_t;
 
-type $1_crontab_t;
-domain_make_domain($1_crontab_t)
-domain_make_entrypoint_file($1_crontab_t,crontab_exec_t)
-role $1_r types $1_crontab_t;
+	type $1_crontab_t;
+	domain_make_domain($1_crontab_t)
+	domain_make_entrypoint_file($1_crontab_t,crontab_exec_t)
+	role $1_r types $1_crontab_t;
 
-##############################
-#
-# $1_crond_t local policy
-#
+	##############################
+	#
+	# $1_crond_t local policy
+	#
 
-allow $1_crond_t self:capability dac_override;
-allow $1_crond_t self:process { sigkill sigstop signull signal setsched };
-allow $1_crond_t self:fifo_file { read getattr write append };
-allow $1_crond_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
-allow $1_crond_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
+	allow $1_crond_t self:capability dac_override;
+	allow $1_crond_t self:process { sigkill sigstop signull signal setsched };
+	allow $1_crond_t self:fifo_file { read getattr write append };
+	allow $1_crond_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
+	allow $1_crond_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
 
-# The entrypoint interface is not used as this is not
-# a regular entrypoint.  Since crontab files are
-# not directly executed, crond must ensure that
-# the crontab file has a type that is appropriate
-# for the domain of the user cron job.  It
-# performs an entrypoint permission check
-# for this purpose.
-allow $1_crond_t $1_cron_spool_t:file entrypoint;
+	# The entrypoint interface is not used as this is not
+	# a regular entrypoint.  Since crontab files are
+	# not directly executed, crond must ensure that
+	# the crontab file has a type that is appropriate
+	# for the domain of the user cron job.  It
+	# performs an entrypoint permission check
+	# for this purpose.
+	allow $1_crond_t $1_cron_spool_t:file entrypoint;
 
-# Permit a transition from the crond_t domain to this domain.
-# The transition is requested explicitly by the modified crond 
-# via setexeccon.  There is no way to set up an automatic
-# transition, since crontabs are configuration files, not executables.
-allow crond_t $1_crond_t:process transition;
-dontaudit crond_t $1_crond_t:process { noatsecure siginh rlimitinh };
-allow crond_t $1_crond_t:fd use;
-allow $1_crond_t crond_t:fd use;
-allow $1_crond_t crond_t:fifo_file rw_file_perms;
-allow $1_crond_t crond_t:process sigchld;
+	# Permit a transition from the crond_t domain to this domain.
+	# The transition is requested explicitly by the modified crond 
+	# via setexeccon.  There is no way to set up an automatic
+	# transition, since crontabs are configuration files, not executables.
+	allow crond_t $1_crond_t:process transition;
+	dontaudit crond_t $1_crond_t:process { noatsecure siginh rlimitinh };
+	allow crond_t $1_crond_t:fd use;
+	allow $1_crond_t crond_t:fd use;
+	allow $1_crond_t crond_t:fifo_file rw_file_perms;
+	allow $1_crond_t crond_t:process sigchld;
 
-kernel_read_system_state($1_crond_t)
-kernel_read_kernel_sysctl($1_crond_t)
+	kernel_read_system_state($1_crond_t)
+	kernel_read_kernel_sysctl($1_crond_t)
 
-# ps does not need to access /boot when run from cron
-bootloader_ignore_search_bootloader_data_directory($1_crond_t)
+	# ps does not need to access /boot when run from cron
+	bootloader_ignore_search_bootloader_data_directory($1_crond_t)
 
-corenetwork_sendrecv_tcp_on_all_interfaces($1_crond_t)
-corenetwork_sendrecv_raw_on_all_interfaces($1_crond_t)
-corenetwork_sendrecv_udp_on_all_interfaces($1_crond_t)
-corenetwork_sendrecv_tcp_on_all_nodes($1_crond_t)
-corenetwork_sendrecv_raw_on_all_nodes($1_crond_t)
-corenetwork_sendrecv_udp_on_all_nodes($1_crond_t)
-corenetwork_sendrecv_tcp_on_all_ports($1_crond_t)
-corenetwork_sendrecv_udp_on_all_ports($1_crond_t)
-corenetwork_bind_tcp_on_all_nodes($1_crond_t)
-corenetwork_bind_udp_on_all_nodes($1_crond_t)
+	corenetwork_sendrecv_tcp_on_all_interfaces($1_crond_t)
+	corenetwork_sendrecv_raw_on_all_interfaces($1_crond_t)
+	corenetwork_sendrecv_udp_on_all_interfaces($1_crond_t)
+	corenetwork_sendrecv_tcp_on_all_nodes($1_crond_t)
+	corenetwork_sendrecv_raw_on_all_nodes($1_crond_t)
+	corenetwork_sendrecv_udp_on_all_nodes($1_crond_t)
+	corenetwork_sendrecv_tcp_on_all_ports($1_crond_t)
+	corenetwork_sendrecv_udp_on_all_ports($1_crond_t)
+	corenetwork_bind_tcp_on_all_nodes($1_crond_t)
+	corenetwork_bind_udp_on_all_nodes($1_crond_t)
 
-devices_get_pseudorandom_data($1_crond_t)
+	devices_get_pseudorandom_data($1_crond_t)
 
-filesystem_get_all_filesystems_attributes($1_crond_t)
+	filesystem_get_all_filesystems_attributes($1_crond_t)
 
-domain_execute_all_entrypoint_programs($1_crond_t)
+	domain_execute_all_entrypoint_programs($1_crond_t)
 
-files_read_general_application_resources($1_crond_t)
-files_execute_system_config_script($1_crond_t)
-# for nscd:
-files_ignore_search_runtime_data_directory($1_crond_t)
+	files_read_general_application_resources($1_crond_t)
+	files_execute_system_config_script($1_crond_t)
+	# for nscd:
+	files_ignore_search_runtime_data_directory($1_crond_t)
 
-corecommands_execute_general_programs($1_crond_t)
-corecommands_execute_system_programs($1_crond_t)
+	corecommands_execute_general_programs($1_crond_t)
+	corecommands_execute_system_programs($1_crond_t)
 
-libraries_use_dynamic_loader($1_crond_t)
-libraries_use_shared_libraries($1_crond_t)
-libraries_execute_library_scripts($1_crond_t)
-libraries_execute_dynamic_loader($1_crond_t)
+	libraries_use_dynamic_loader($1_crond_t)
+	libraries_use_shared_libraries($1_crond_t)
+	libraries_execute_library_scripts($1_crond_t)
+	libraries_execute_dynamic_loader($1_crond_t)
 
-files_read_runtime_system_config($1_crond_t)
+	files_read_runtime_system_config($1_crond_t)
 
-logging_search_system_log_directory($1_crond_t)
+	logging_search_system_log_directory($1_crond_t)
 
-selinux_read_config($1_crond_t)
+	selinux_read_config($1_crond_t)
 
-miscfiles_read_localization($1_crond_t)
+	miscfiles_read_localization($1_crond_t)
 
-tunable_policy(`fcron_crond', `
-allow crond_t $1_cron_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
-')
+	tunable_policy(`fcron_crond', `
+		allow crond_t $1_cron_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+	')
 
-ifdef(`TODO',`
-# Access user files and dirs.
-allow $1_crond_t home_root_t:dir search;
-file_type_auto_trans($1_crond_t, $1_home_dir_t, $1_home_t)
+	ifdef(`TODO',`
+	# Access user files and dirs.
+	allow $1_crond_t home_root_t:dir search;
+	file_type_auto_trans($1_crond_t, $1_home_dir_t, $1_home_t)
 
-# Run scripts in user home directory and access shared libs.
-can_exec($1_crond_t, $1_home_t)
+	# Run scripts in user home directory and access shared libs.
+	can_exec($1_crond_t, $1_home_t)
 
-file_type_auto_trans($1_crond_t, tmp_t, $1_tmp_t)
+	file_type_auto_trans($1_crond_t, tmp_t, $1_tmp_t)
 
-ifdef(`mta.te', `
-domain_auto_trans($1_crond_t, sendmail_exec_t, $1_mail_t)
-allow $1_crond_t sendmail_exec_t:lnk_file { getattr read };
+	ifdef(`mta.te', `
+		domain_auto_trans($1_crond_t, sendmail_exec_t, $1_mail_t)
+		allow $1_crond_t sendmail_exec_t:lnk_file { getattr read };
 
-# $1_mail_t should only be reading from the cron fifo not needing to write
-dontaudit $1_mail_t crond_t:fifo_file write;
-allow mta_user_agent $1_crond_t:fd use;
-')
+		# $1_mail_t should only be reading from the cron fifo not needing to write
+		dontaudit $1_mail_t crond_t:fifo_file write;
+		allow mta_user_agent $1_crond_t:fd use;
+	')
 
-# This domain is granted permissions common to most domains.
-can_ypbind($1_crond_t)
-allow $1_crond_t var_spool_t:dir search;
-allow $1_crond_t var_t:dir r_dir_perms;
-allow $1_crond_t var_t:file { getattr read ioctl };
+	# This domain is granted permissions common to most domains.
+	can_ypbind($1_crond_t)
+	allow $1_crond_t var_spool_t:dir search;
+	allow $1_crond_t var_t:dir r_dir_perms;
+	allow $1_crond_t var_t:file { getattr read ioctl };
 
-# quiet other ps operations
-dontaudit $1_crond_t domain:dir { getattr search };
-') dnl endif TODO
+	# quiet other ps operations
+	dontaudit $1_crond_t domain:dir { getattr search };
+	') dnl endif TODO
 
-##############################
-#
-# $1_crontab_t local policy
-#
+	##############################
+	#
+	# $1_crontab_t local policy
+	#
 
-# for ^Z
-allow $1_t $1_crontab_t:process signal;
+	# for ^Z
+	allow $1_t $1_crontab_t:process signal;
 
-# Allow crond to read those crontabs in cron spool.
-allow crond_t $1_cron_spool_t:file { getattr read };
+	# Allow crond to read those crontabs in cron spool.
+	allow crond_t $1_cron_spool_t:file { getattr read };
 
-# dac_override is to create the file in the directory under /tmp
-allow $1_crontab_t self:capability { setuid setgid chown dac_override };
-allow $1_crontab_t self:process { sigkill sigstop signull signal };
+	# dac_override is to create the file in the directory under /tmp
+	allow $1_crontab_t self:capability { setuid setgid chown dac_override };
+	allow $1_crontab_t self:process { sigkill sigstop signull signal };
 
-# create files in /var/spool/cron
-allow $1_crontab_t $1_cron_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
-allow $1_crontab_t cron_spool_t:dir { getattr search read write add_name remove_name };
-type_transition $1_crontab_t $1_cron_spool_t:file system_crond_tmp_t;
+	# create files in /var/spool/cron
+	allow $1_crontab_t $1_cron_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+	allow $1_crontab_t cron_spool_t:dir { getattr search read write add_name remove_name };
+	type_transition $1_crontab_t $1_cron_spool_t:file system_crond_tmp_t;
 
-# crontab signals crond by updating the mtime on the spooldir
-allow $1_crontab_t cron_spool_t:dir setattr;
+	# crontab signals crond by updating the mtime on the spooldir
+	allow $1_crontab_t cron_spool_t:dir setattr;
 
-allow $1_crontab_t crond_log_t:file { getattr read append };
+	allow $1_crontab_t crond_log_t:file { getattr read append };
 
-filesystem_get_persistent_filesystem_attributes($1_crontab_t)
+	filesystem_get_persistent_filesystem_attributes($1_crontab_t)
 
-domain_use_widely_inheritable_file_descriptors($1_crontab_t)
+	domain_use_widely_inheritable_file_descriptors($1_crontab_t)
 
-files_read_general_system_config($1_crontab_t)
+	files_read_general_system_config($1_crontab_t)
 
-libraries_use_dynamic_loader($1_crontab_t)
-libraries_use_shared_libraries($1_crontab_t)
+	libraries_use_dynamic_loader($1_crontab_t)
+	libraries_use_shared_libraries($1_crontab_t)
 
-logging_send_system_log_message($1_crontab_t)
+	logging_send_system_log_message($1_crontab_t)
 
-miscfiles_read_localization($1_crontab_t)
+	miscfiles_read_localization($1_crontab_t)
 
-ifdef(`TODO',`
+	tunable_policy(`fcron_crond', `
+		# fcron wants an instant update of a crontab change for the administrator
+		# also crontab does a security check for crontab -u
+		dontaudit $1_crontab_t crond_t:process signal;
+	')
 
-# Transition from the user domain to the derived domain.
-domain_auto_trans($1_t, crontab_exec_t, $1_crontab_t)
+	ifdef(`TODO',`
 
-can_ps($1_t, $1_crontab_t)
+	# Transition from the user domain to the derived domain.
+	domain_auto_trans($1_t, crontab_exec_t, $1_crontab_t)
 
-dontaudit $1_crontab_t proc_t:dir search;
-dontaudit $1_crontab_t selinux_config_t:dir search;
-# for the checks used by crontab -u
-dontaudit $1_crontab_t security_t:dir search;
+	can_ps($1_t, $1_crontab_t)
 
-# Type for temporary files.
-file_type_auto_trans($1_crontab_t, tmp_t, $1_tmp_t, { dir file })
+	dontaudit $1_crontab_t proc_t:dir search;
+	dontaudit $1_crontab_t selinux_config_t:dir search;
+	# for the checks used by crontab -u
+	dontaudit $1_crontab_t security_t:dir search;
 
-# Use the type when creating files in /var/spool/cron.
-allow sysadm_crontab_t $1_cron_spool_t:file { getattr read };
+	# Type for temporary files.
+	file_type_auto_trans($1_crontab_t, tmp_t, $1_tmp_t, { dir file })
 
-tunable_policy(`fcron_crond', `
-# fcron wants an instant update of a crontab change for the administrator
-# also crontab does a security check for crontab -u
-ifelse(`$1', `sysadm', `
-allow $1_crontab_t self:process setfscreate;
-kernel_get_selinuxfs_mount_point($1_crontab_t)
-', `
-dontaudit $1_crontab_t crond_t:process signal;
-')dnl end ifelse
-')dnl end ifdef fcron
+	# Use the type when creating files in /var/spool/cron.
+	allow sysadm_crontab_t $1_cron_spool_t:file { getattr read };
 
-# Run helper programs as $1_t
-allow $1_crontab_t { bin_t sbin_t }:dir search;
-allow $1_crontab_t bin_t:lnk_file read;
-domain_auto_trans($1_crontab_t, { bin_t sbin_t shell_exec_t }, $1_t)
+	# Run helper programs as $1_t
+	allow $1_crontab_t { bin_t sbin_t }:dir search;
+	allow $1_crontab_t bin_t:lnk_file read;
+	domain_auto_trans($1_crontab_t, { bin_t sbin_t shell_exec_t }, $1_t)
 
-# Read user crontabs 
-allow $1_crontab_t { $1_home_t $1_home_dir_t }:dir r_dir_perms;  
-allow $1_crontab_t $1_home_t:file r_file_perms;  
-dontaudit $1_crontab_t $1_home_dir_t:dir write;
+	# Read user crontabs 
+	allow $1_crontab_t { $1_home_t $1_home_dir_t }:dir r_dir_perms;  
+	allow $1_crontab_t $1_home_t:file r_file_perms;  
+	dontaudit $1_crontab_t $1_home_dir_t:dir write;
 
-# Access terminals.
-allow $1_crontab_t devpts_t:dir { read search getattr };
-allow $1_crontab_t $1_tty_device_t:chr_file { read write getattr ioctl };
-allow $1_crontab_t $1_devpts_t:chr_file { read write getattr ioctl };
+	# Access terminals.
+	allow $1_crontab_t devpts_t:dir { read search getattr };
+	allow $1_crontab_t $1_tty_device_t:chr_file { read write getattr ioctl };
+	allow $1_crontab_t $1_devpts_t:chr_file { read write getattr ioctl };
 
-# Inherit and use descriptors from gnome-pty-helper.
-ifdef(`gnome-pty-helper.te', `allow $1_crontab_t $1_gph_t:fd use;')
+	# Inherit and use descriptors from gnome-pty-helper.
+	ifdef(`gnome-pty-helper.te', `allow $1_crontab_t $1_gph_t:fd use;')
 
-dontaudit $1_crontab_t var_run_t:dir search;
-') dnl endif TODO
+	dontaudit $1_crontab_t var_run_t:dir search;
+	') dnl endif TODO
 ')
 
 ########################################
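Review bot: The `dontaudit $1_crontab_t crond_t:process signal;` rule in the new fcron_crond tunable block of `cron_per_userdomain_template` now applies to every prefix. The removed `ifelse` kept it off the sysadm prefix, and the whole block used to sit inside the disabled TODO section. If the administrator's crontab domain is also built from this template (likely, since `cron_admin_template` refers to `$1_crontab_t`, but not visible here), a denied signal from it to crond is no longer logged when the tunable is on. That makes a failed fcron reload hard to trace from the audit log. The two comment lines carried into the block describe the administrator case rather than this rule; I would replace them with `# crontab tries to signal crond under fcron; denied on purpose, do not log`, or restore the sysadm exclusion.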
@@ -223,19 +218,25 @@ dontaudit $1_crontab_t var_run_t:dir search;
 #
 
 define(`cron_admin_template',`
+	logging_read_system_logs($1_crond_t)
 
-logging_read_system_logs($1_crond_t)
+	# Allow our crontab domain to unlink a user cron spool file.
+	#allow $1_crontab_t user_cron_spool_t:file unlink;
 
-# Allow our crontab domain to unlink a user cron spool file.
-#allow $1_crontab_t user_cron_spool_t:file unlink;
+	# Manipulate other users crontab.
+	kernel_get_selinuxfs_mount_point($1_crontab_t)
+	kernel_validate_selinux_context($1_crontab_t)
+	kernel_compute_selinux_access_vector($1_crontab_t)
+	kernel_compute_selinux_create_context($1_crontab_t)
+	kernel_compute_selinux_relabel_context($1_crontab_t)
+	kernel_compute_selinux_reachable_user_contexts($1_crontab_t)
 
-# Manipulate other users crontab.
-kernel_get_selinuxfs_mount_point($1_crontab_t)
-kernel_validate_selinux_context($1_crontab_t)
-kernel_compute_selinux_access_vector($1_crontab_t)
-kernel_compute_selinux_create_context($1_crontab_t)
-kernel_compute_selinux_relabel_context($1_crontab_t)
-kernel_compute_selinux_reachable_user_contexts($1_crontab_t)
+	tunable_policy(`fcron_crond', `
+		# fcron wants an instant update of a crontab change for the administrator
+		# also crontab does a security check for crontab -u
+		allow $1_crontab_t self:process setfscreate;
+		kernel_get_selinuxfs_mount_point($1_crontab_t)
+	')
 ')
 
 ########################################
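Review bot: The `kernel_get_selinuxfs_mount_point($1_crontab_t)` call inside the new fcron_crond tunable block of `cron_admin_template` repeats the unconditional call a few lines above it, under "Manipulate other users crontab". The conditional copy grants nothing extra and suggests that selinuxfs access depends on the tunable, so the block can be reduced to `allow $1_crontab_t self:process setfscreate;`. That permission lets the domain choose the label of files it creates, and it moves here from the disabled TODO section into live policy. A comment saying what gets labelled would help, for example `# crontab -u sets the context of the target user's spool file` (to be confirmed against crontab's behaviour).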
@@ -243,11 +244,13 @@ kernel_compute_selinux_reachable_user_contexts($1_crontab_t)
 # cron_modify_log(domain)
 #
 define(`cron_modify_log',`
-requires_block_template(`$0'_depend)
-allow $1 crond_log_t:file { getattr read write ioctl lock append };
+	requires_block_template(`$0'_depend)
+
+	allow $1 crond_log_t:file { getattr read write ioctl lock append };
 ')
 
 define(`cron_modify_log_depend',`
-type crond_log_t;
-class file rw_file_perms;
+	type crond_log_t;
+
+	class file rw_file_perms;
 ')
diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
index 206e35ba0..3c7fe1b3d 100644
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@@ -121,17 +121,17 @@ miscfiles_read_localization(crond_t)
 userdomain_use_all_unprivileged_users_file_descriptors(crond_t)
 
 tunable_policy(`fcron_crond', `
-allow crond_t system_cron_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+	allow crond_t system_cron_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
 ')
 
 tunable_policy(`targeted_policy', `
-terminal_ignore_use_general_physical_terminal(crond_t)
-terminal_ignore_use_general_pseudoterminal(crond_t)
-files_ignore_read_rootfs_file(crond_t)
+	terminal_ignore_use_general_physical_terminal(crond_t)
+	terminal_ignore_use_general_pseudoterminal(crond_t)
+	files_ignore_read_rootfs_file(crond_t)
 ')
 
 optional_policy(`udev.te', `
-udev_read_database(crond_t)
+	udev_read_database(crond_t)
 ')
 
 ifdef(`TODO',`
@@ -293,15 +293,15 @@ miscfiles_manage_man_page_cache(system_crond_t)
 selinux_read_config(system_crond_t)
 
 if (cron_can_relabel) {
-selinux_setfiles_transition(system_crond_t)
+	selinux_setfiles_transition(system_crond_t)
 } else {
-kernel_get_selinuxfs_mount_point(system_crond_t)
-kernel_validate_selinux_context(system_crond_t)
-kernel_compute_selinux_access_vector(system_crond_t)
-kernel_compute_selinux_create_context(system_crond_t)
-kernel_compute_selinux_relabel_context(system_crond_t)
-kernel_compute_selinux_reachable_user_contexts(system_crond_t)
-selinux_read_file_contexts(system_crond_t)
+	kernel_get_selinuxfs_mount_point(system_crond_t)
+	kernel_validate_selinux_context(system_crond_t)
+	kernel_compute_selinux_access_vector(system_crond_t)
+	kernel_compute_selinux_create_context(system_crond_t)
+	kernel_compute_selinux_relabel_context(system_crond_t)
+	kernel_compute_selinux_reachable_user_contexts(system_crond_t)
+	selinux_read_file_contexts(system_crond_t)
 }
 
 ifdef(`TODO',`
diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if
index 2e20c0804..220ae94f2 100644
--- a/refpolicy/policy/modules/services/mta.if
+++ b/refpolicy/policy/modules/services/mta.if
@@ -8,133 +8,135 @@
 # mta_per_userdomain_template(userdomain_prefix)
 #
 define(`mta_per_userdomain_template',`
-requires_block_template(`$0'_depend)
+	requires_block_template(`$0'_depend)
 
-type $1_mail_t; # , user_mail_domain, nscd_client_domain;
-domain_make_domain($1_mail_t)
-role $1_r types $1_mail_t;
+	type $1_mail_t; # , user_mail_domain, nscd_client_domain;
+	domain_make_domain($1_mail_t)
+	role $1_r types $1_mail_t;
 
-type $1_mail_tmp_t;
-files_make_temporary_file($1_mail_tmp_t)
+	type $1_mail_tmp_t;
+	files_make_temporary_file($1_mail_tmp_t)
 
-##############################
-#
-# $1_mail_t local policy
-#
+	##############################
+	#
+	# $1_mail_t local policy
+	#
 
-allow $1_mail_t self:capability { setuid setgid chown };
-allow $1_mail_t self:process { sigkill sigstop signull signal setrlimit };
+	allow $1_mail_t self:capability { setuid setgid chown };
+	allow $1_mail_t self:process { sigkill sigstop signull signal setrlimit };
 
-# tcp networking
-allow $1_mail_t self:tcp_socket { create connect ioctl read getattr write setattr append bind getopt setopt shutdown };
+	# tcp networking
+	allow $1_mail_t self:tcp_socket { create connect ioctl read getattr write setattr append bind getopt setopt shutdown };
 
-# re-exec itself
-allow $1_mail_t sendmail_exec_t:file { getattr read execute execute_no_trans };
-allow $1_mail_t sendmail_exec_t:lnk_file { getattr read };
+	# re-exec itself
+	allow $1_mail_t sendmail_exec_t:file { getattr read execute execute_no_trans };
+	allow $1_mail_t sendmail_exec_t:lnk_file { getattr read };
 
-# Transition from the user domain to the derived domain.
-allow $1_t sendmail_exec_t:file { getattr read execute execute_no_trans };
-allow $1_t sendmail_exec_t:lnk_file { getattr read };
-allow $1_t $1_mail_t:process transition;
-type_transition $1_t sendmail_exec_t:process $1_mail_t;
-allow $1_t $1_mail_t:fd use;
-allow $1_mail_t $1_t:fd use;
-allow $1_mail_t $1_t:fifo_file rw_file_perms;
-allow $1_mail_t $1_t:process sigchld;
+	# Transition from the user domain to the derived domain.
+	allow $1_t sendmail_exec_t:file { getattr read execute execute_no_trans };
+	allow $1_t sendmail_exec_t:lnk_file { getattr read };
+	allow $1_t $1_mail_t:process transition;
+	type_transition $1_t sendmail_exec_t:process $1_mail_t;
+	dontaudit $1_t $1_mail_t:process { noatsecure siginh rlimitinh };
 
-kernel_read_kernel_sysctl($1_mail_t)
+	allow $1_t $1_mail_t:fd use;
+	allow $1_mail_t $1_t:fd use;
+	allow $1_mail_t $1_t:fifo_file rw_file_perms;
+	allow $1_mail_t $1_t:process sigchld;
 
-corenetwork_sendrecv_tcp_on_all_interfaces($1_mail_t)
-corenetwork_sendrecv_raw_on_all_interfaces($1_mail_t)
-corenetwork_sendrecv_tcp_on_all_nodes($1_mail_t)
-corenetwork_sendrecv_raw_on_all_nodes($1_mail_t)
-corenetwork_sendrecv_tcp_on_all_ports($1_mail_t)
-corenetwork_bind_tcp_on_all_nodes($1_mail_t)
+	kernel_read_kernel_sysctl($1_mail_t)
 
-domain_use_widely_inheritable_file_descriptors($1_mail_t)
+	corenetwork_sendrecv_tcp_on_all_interfaces($1_mail_t)
+	corenetwork_sendrecv_raw_on_all_interfaces($1_mail_t)
+	corenetwork_sendrecv_tcp_on_all_nodes($1_mail_t)
+	corenetwork_sendrecv_raw_on_all_nodes($1_mail_t)
+	corenetwork_sendrecv_tcp_on_all_ports($1_mail_t)
+	corenetwork_bind_tcp_on_all_nodes($1_mail_t)
 
-libraries_use_dynamic_loader($1_mail_t)
-libraries_use_shared_libraries($1_mail_t)
+	domain_use_widely_inheritable_file_descriptors($1_mail_t)
 
-corecommands_execute_general_programs($1_mail_t)
+	libraries_use_dynamic_loader($1_mail_t)
+	libraries_use_shared_libraries($1_mail_t)
 
-files_read_general_system_config($1_mail_t)
+	corecommands_execute_general_programs($1_mail_t)
 
-logging_send_system_log_message($1_mail_t)
+	files_read_general_system_config($1_mail_t)
 
-miscfiles_read_localization($1_mail_t)
+	logging_send_system_log_message($1_mail_t)
 
-sysnetwork_read_network_config($1_mail_t)
+	miscfiles_read_localization($1_mail_t)
 
-tunable_policy(`use_dns',`
-allow $1_mail_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
-corenetwork_sendrecv_udp_on_all_interfaces($1_mail_t)
-corenetwork_sendrecv_udp_on_all_nodes($1_mail_t)
-corenetwork_bind_udp_on_all_nodes($1_mail_t)
-corenetwork_sendrecv_udp_on_dns_port($1_mail_t)
-')
+	sysnetwork_read_network_config($1_mail_t)
 
-optional_policy(`procmail.te',`
-procmail_execute($1_mail_t)
-')
+	tunable_policy(`use_dns',`
+		allow $1_mail_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
+		corenetwork_sendrecv_udp_on_all_interfaces($1_mail_t)
+		corenetwork_sendrecv_udp_on_all_nodes($1_mail_t)
+		corenetwork_bind_udp_on_all_nodes($1_mail_t)
+		corenetwork_sendrecv_udp_on_dns_port($1_mail_t)
+	')
 
-ifdef(`TODO',`
+	optional_policy(`procmail.te',`
+		procmail_execute($1_mail_t)
+	')
 
-can_ypbind($1_mail_t)
+	ifdef(`TODO',`
 
-allow $1_mail_t device_t:dir search;
-allow $1_mail_t { var_t var_spool_t }:dir search;
-allow $1_mail_t sbin_t:dir search;
+	can_ypbind($1_mail_t)
 
-# It wants to check for nscd
-dontaudit $1_mail_t var_run_t:dir search;
+	allow $1_mail_t device_t:dir search;
+	allow $1_mail_t { var_t var_spool_t }:dir search;
+	allow $1_mail_t sbin_t:dir search;
 
-# For when the user wants to send mail via port 25 localhost
-can_tcp_connect($1_t, mail_server_domain)
+	# It wants to check for nscd
+	dontaudit $1_mail_t var_run_t:dir search;
 
-# Read user temporary files.
-allow $1_mail_t $1_tmp_t:file r_file_perms;
-dontaudit $1_mail_t $1_tmp_t:file append;
-ifdef(`postfix.te', `
-# postfix seems to need write access if the file handle is opened read/write
-allow $1_mail_t $1_tmp_t:file write;
-')dnl end if postfix
+	# For when the user wants to send mail via port 25 localhost
+	can_tcp_connect($1_t, mail_server_domain)
 
-allow mta_user_agent $1_tmp_t:file { read getattr };
+	# Read user temporary files.
+	allow $1_mail_t $1_tmp_t:file r_file_perms;
+	dontaudit $1_mail_t $1_tmp_t:file append;
+	ifdef(`postfix.te', `
+		# postfix seems to need write access if the file handle is opened read/write
+		allow $1_mail_t $1_tmp_t:file write;
+	')
 
-# Write to the user domain tty.
-allow mta_user_agent $1_tty_device_t:chr_file { read write getattr ioctl };
-allow mta_user_agent devpts_t:dir { read search getattr };
-allow mta_user_agent $1_devpts_t:chr_file { read write getattr ioctl };
+	allow mta_user_agent $1_tmp_t:file { read getattr };
 
-allow $1_mail_t $1_tty_device_t:chr_file { read write getattr ioctl };
-allow $1_mail_t devpts_t:dir { read search getattr };
-allow $1_mail_t $1_devpts_t:chr_file { read write getattr ioctl };
+	# Write to the user domain tty.
+	allow mta_user_agent $1_tty_device_t:chr_file { read write getattr ioctl };
+	allow mta_user_agent devpts_t:dir { read search getattr };
+	allow mta_user_agent $1_devpts_t:chr_file { read write getattr ioctl };
 
-# Inherit and use descriptors from gnome-pty-helper.
-ifdef(`gnome-pty-helper.te', `allow $1_mail_t $1_gph_t:fd use;')
+	allow $1_mail_t $1_tty_device_t:chr_file { read write getattr ioctl };
+	allow $1_mail_t devpts_t:dir { read search getattr };
+	allow $1_mail_t $1_devpts_t:chr_file { read write getattr ioctl };
 
-# Create dead.letter in user home directories.
-file_type_auto_trans($1_mail_t, $1_home_dir_t, $1_home_t, file)
+	# Inherit and use descriptors from gnome-pty-helper.
+	ifdef(`gnome-pty-helper.te', `allow $1_mail_t $1_gph_t:fd use;')
 
-if (use_samba_home_dirs) {
-rw_dir_create_file($1_mail_t, cifs_t)
-}
+	# Create dead.letter in user home directories.
+	file_type_auto_trans($1_mail_t, $1_home_dir_t, $1_home_t, file)
 
-# if you do not want to allow dead.letter then use the following instead
-#allow $1_mail_t { $1_home_dir_t $1_home_t }:dir r_dir_perms;
-#allow $1_mail_t $1_home_t:file r_file_perms;
+	if (use_samba_home_dirs) {
+		rw_dir_create_file($1_mail_t, cifs_t)
+	}
 
-# for reading .forward - maybe we need a new type for it?
-# also for delivering mail to maildir
-file_type_auto_trans(mta_delivery_agent, $1_home_dir_t, $1_home_t)
+	# if you do not want to allow dead.letter then use the following instead
+	#allow $1_mail_t { $1_home_dir_t $1_home_t }:dir r_dir_perms;
+	#allow $1_mail_t $1_home_t:file r_file_perms;
 
-ifdef(`qmail.te', `
-allow $1_mail_t qmail_etc_t:dir search;
-allow $1_mail_t qmail_etc_t:{ file lnk_file } read;
-')dnl end if qmail
+	# for reading .forward - maybe we need a new type for it?
+	# also for delivering mail to maildir
+	file_type_auto_trans(mta_delivery_agent, $1_home_dir_t, $1_home_t)
 
-') dnl end TODO
+	ifdef(`qmail.te', `
+		allow $1_mail_t qmail_etc_t:dir search;
+		allow $1_mail_t qmail_etc_t:{ file lnk_file } read;
+	')
+
+	') dnl end TODO
 ')
 
 define(`mta_per_userdomain_template_depend',`
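Review bot: The added `dontaudit $1_t $1_mail_t:process { noatsecure siginh rlimitinh };` uses three process permissions, and this hunk does not show whether `mta_per_userdomain_template_depend` declares them. That block opens on the hunk's last line and its body lies outside it. `mta_send_mail_depend` further down lists `class process { transition noatsecure siginh rlimitinh sigchld };` for the same transition pattern, so the per-userdomain depend block should carry an equivalent line if it does not already. Because a dontaudit removes these denials from audit review, I would also add a comment above the rule such as `# AT_SECURE, signal-state and rlimit resets on transition are intended; do not log the denials`.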
@@ -146,13 +148,14 @@ define(`mta_per_userdomain_template_depend',`
 # mta_make_mailserver_domain(domain,entrypointtype)
 #
 define(`mta_make_mailserver_domain',`
-requires_block_template(`$0'_depend)
-init_make_daemon_domain($1,$2)
-typeattribute $1 mailserver_domain;
+	requires_block_template(`$0'_depend)
+
+	init_make_daemon_domain($1,$2)
+	typeattribute $1 mailserver_domain;
 ')
 
 define(`mta_make_mailserver_domain_depend',`
-attribute mailserver_domain;
+	attribute mailserver_domain;
 ')
 
 #######################################
@@ -160,12 +163,13 @@ attribute mailserver_domain;
 # mta_make_sendmail_mailserver_domain(domain,entrypointtype)
 #
 define(`mta_make_sendmail_mailserver_domain',`
-requires_block_template(`$0'_depend)
-mta_make_mailserver_domain($1,sendmail_exec_t)
+	requires_block_template(`$0'_depend)
+
+	mta_make_mailserver_domain($1,sendmail_exec_t)
 ')
 
 define(`mta_make_sendmail_mailserver_domain_depend',`
-type sendmail_exec_t;
+	type sendmail_exec_t;
 ')
 
 #######################################
@@ -173,25 +177,28 @@ type sendmail_exec_t;
 # mta_send_mail(domain)
 #
 define(`mta_send_mail',`
-requires_block_template(`$0'_depend)
-allow $1 sendmail_exec_t:lnk_file { getattr read };
-allow $1 sendmail_exec_t:file { getattr read execute };
-allow $1 system_mail_t:process transition;
-type_transition $1 sendmail_exec_t:process system_mail_t;
-dontaudit $1 system_mail_t:process { noatsecure siginh rlimitinh };
-allow $1 system_mail_t:fd use;
-allow system_mail_t $1:fd use;
-allow system_mail_t $1:fifo_file rw_file_perms;
-allow system_mail_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 sendmail_exec_t:lnk_file { getattr read };
+	allow $1 sendmail_exec_t:file { getattr read execute };
+	allow $1 system_mail_t:process transition;
+	type_transition $1 sendmail_exec_t:process system_mail_t;
+	dontaudit $1 system_mail_t:process { noatsecure siginh rlimitinh };
+
+	allow $1 system_mail_t:fd use;
+	allow system_mail_t $1:fd use;
+	allow system_mail_t $1:fifo_file rw_file_perms;
+	allow system_mail_t $1:process sigchld;
 ')
 
 define(`mta_send_mail_depend',`
-type system_mail_t, sendmail_exec_t;
-class file { getattr read execute };
-class lnk_file { getattr read };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file { ioctl read getattr lock write append };
+	type system_mail_t, sendmail_exec_t;
+
+	class file { getattr read execute };
+	class lnk_file { getattr read };
+	class process { transition noatsecure siginh rlimitinh sigchld };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')
 
 #######################################
@@ -199,13 +206,15 @@ class fifo_file { ioctl read getattr lock write append };
 # mta_execute(domain)
 #
 define(`mta_execute',`
-requires_block_template(`$0'_depend)
-allow $1 sendmail_exec_t:file { getattr read execute execute_no_trans };
+	requires_block_template(`$0'_depend)
+
+	allow $1 sendmail_exec_t:file { getattr read execute execute_no_trans };
 ')
 
 define(`mta_execute_depend',`
-type sendmail_exec_t;
-class file { getattr read execute execute_no_trans };
+	type sendmail_exec_t;
+
+	class file { getattr read execute execute_no_trans };
 ')
 
 ########################################
@@ -220,13 +229,15 @@ class file { getattr read execute execute_no_trans };
 ## </interface>
 #
 define(`mta_read_mail_aliases',`
-requires_block_template(`$0'_depend)
-allow $1 etc_aliases_t:file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	allow $1 etc_aliases_t:file { getattr read };
 ')
 
 define(`mta_read_mail_aliases_depend',`
-type etc_aliases_t;
-class file { getattr read };
+	type etc_aliases_t;
+
+	class file { getattr read };
 ')
 
 #######################################
@@ -234,13 +245,15 @@ class file { getattr read };
 # mta_modify_mail_aliases(domain)
 #
 define(`mta_modify_mail_aliases',`
-requires_block_template(`$0'_depend)
-allow sendmail_t etc_aliases_t:file { getattr read write append setattr };
+	requires_block_template(`$0'_depend)
+
+	allow sendmail_t etc_aliases_t:file { getattr read write append setattr };
 ')
 
 define(`mta_modify_mail_aliases_depend',`
-type etc_aliases_t;
-class file { getattr read write append setattr };
+	type etc_aliases_t;
+
+	class file { getattr read write append setattr };
 ')
 
 #######################################
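Review bot: The allow rule in `mta_modify_mail_aliases` still names `sendmail_t` as its source instead of `$1`, so the domain passed by the caller is granted nothing while the rule for `sendmail_t` is emitted on every invocation. The header comment documents the argument as `domain`, so the rule should read `allow $1 etc_aliases_t:file { getattr read write append setattr };`. If granting to `sendmail_t` is really intended, `mta_modify_mail_aliases_depend` would need `type sendmail_t, etc_aliases_t;`, since it currently declares only `etc_aliases_t`.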
@@ -248,18 +261,20 @@ class file { getattr read write append setattr };
 # mta_get_mail_spool_attributes(domain)
 #
 define(`mta_get_mail_spool_attributes',`
-requires_block_template(`$0'_depend)
-files_search_system_spool_directory($1)
-allow $1 mail_spool_t:dir r_dir_perms;
-allow $1 mail_spool_t:lnk_file read;
-allow $1 mail_spool_t:file getattr;
+	requires_block_template(`$0'_depend)
+
+	files_search_system_spool_directory($1)
+	allow $1 mail_spool_t:dir r_dir_perms;
+	allow $1 mail_spool_t:lnk_file read;
+	allow $1 mail_spool_t:file getattr;
 ')
 
 define(`mta_get_mail_spool_attributes_depend',`
-type mail_spool_t;
-class dir r_dir_perms;
-class file getattr;
-class lnk_file read;
+	type mail_spool_t;
+
+	class dir r_dir_perms;
+	class file getattr;
+	class lnk_file read;
 ')
 
 #######################################
@@ -267,16 +282,18 @@ class lnk_file read;
 # mta_modify_mail_spool(domain)
 #
 define(`mta_modify_mail_spool',`
-requires_block_template(`$0'_depend)
-files_search_system_spool_directory($1)
-allow $1 mail_spool_t:dir { read getattr lock search ioctl add_name remove_name write };
-allow $1 mail_spool_t:file { getattr read write append setattr };
+	requires_block_template(`$0'_depend)
+
+	files_search_system_spool_directory($1)
+	allow $1 mail_spool_t:dir { read getattr lock search ioctl add_name remove_name write };
+	allow $1 mail_spool_t:file { getattr read write append setattr };
 ')
 
 define(`mta_modify_mail_spool_depend',`
-type mail_spool_t;
-class dir { read getattr lock search ioctl add_name remove_name write };
-class file { create ioctl read getattr lock write setattr append link unlink rename };
+	type mail_spool_t;
+
+	class dir { read getattr lock search ioctl add_name remove_name write };
+	class file { create ioctl read getattr lock write setattr append link unlink rename };
 ')
 
 #######################################
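Review bot: `mta_modify_mail_spool_depend` requires `class file { create ioctl read getattr lock write setattr append link unlink rename }`, which is the set used by `mta_manage_mail_spool`, not the `{ getattr read write append setattr }` that this interface's allow rule grants. The re-indent carries the mismatch over unchanged. The depend line should mirror the rule, `class file { getattr read write append setattr };`, so the declared requirement does not overstate what the interface grants on `mail_spool_t`.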
@@ -284,16 +301,18 @@ class file { create ioctl read getattr lock write setattr append link unlink ren
 # mta_manage_mail_spool(domain)
 #
 define(`mta_manage_mail_spool',`
-requires_block_template(`$0'_depend)
-files_search_system_spool_directory($1)
-allow $1 mail_spool_t:dir { read getattr lock search ioctl add_name remove_name write };
-allow $1 mail_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+	requires_block_template(`$0'_depend)
+
+	files_search_system_spool_directory($1)
+	allow $1 mail_spool_t:dir { read getattr lock search ioctl add_name remove_name write };
+	allow $1 mail_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
 ')
 
 define(`mta_manage_mail_spool_depend',`
-type mail_spool_t;
-class dir { read getattr lock search ioctl add_name remove_name write };
-class file { create ioctl read getattr lock write setattr append link unlink rename };
+	type mail_spool_t;
+
+	class dir { read getattr lock search ioctl add_name remove_name write };
+	class file { create ioctl read getattr lock write setattr append link unlink rename };
 ')
 
 #######################################
@@ -301,15 +320,17 @@ class file { create ioctl read getattr lock write setattr append link unlink ren
 # mta_manage_mail_queue(domain)
 #
 define(`mta_manage_mail_queue',`
-requires_block_template(`$0'_depend)
-allow $1 mqueue_spool_t:dir { read getattr lock search ioctl add_name remove_name write };
-allow $1 mqueue_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+	requires_block_template(`$0'_depend)
+
+	allow $1 mqueue_spool_t:dir { read getattr lock search ioctl add_name remove_name write };
+	allow $1 mqueue_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
 ')
 
 define(`mta_manage_mail_queue_depend',`
-type mqueue_spool_t;
-class dir { read getattr lock search ioctl add_name remove_name write };
-class file { create ioctl read getattr lock write setattr append link unlink rename }
+	type mqueue_spool_t;
+
+	class dir { read getattr lock search ioctl add_name remove_name write };
+	class file { create ioctl read getattr lock write setattr append link unlink rename }
 ')
 
 ## </module>
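Review bot: The last line of `mta_manage_mail_queue_depend`, the `class file { create ioctl ... rename }` declaration, is still missing its terminating `;` after the re-indent, while every other `class` line in the neighbouring depend blocks ends with one. It should read `class file { create ioctl read getattr lock write setattr append link unlink rename };`. Whether the omission breaks the build depends on how `requires_block_template` expands the block, which is not visible here, but it is cheap to fix in the same pass.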
diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te
index 2ed8b05c8..db452c51c 100644
--- a/refpolicy/policy/modules/services/mta.te
+++ b/refpolicy/policy/modules/services/mta.te
@@ -83,15 +83,15 @@ miscfiles_read_localization(system_mail_t)
 sysnetwork_read_network_config(system_mail_t)
 
 tunable_policy(`use_dns',`
-allow system_mail_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
-corenetwork_sendrecv_udp_on_all_interfaces(system_mail_t)
-corenetwork_sendrecv_udp_on_all_nodes(system_mail_t)
-corenetwork_bind_udp_on_all_nodes(system_mail_t)
-corenetwork_sendrecv_udp_on_dns_port(system_mail_t)
+	allow system_mail_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
+	corenetwork_sendrecv_udp_on_all_interfaces(system_mail_t)
+	corenetwork_sendrecv_udp_on_all_nodes(system_mail_t)
+	corenetwork_bind_udp_on_all_nodes(system_mail_t)
+	corenetwork_sendrecv_udp_on_dns_port(system_mail_t)
 ')
 
 optional_policy(`procmail.te',`
-procmail_execute(system_mail_t)
+	procmail_execute(system_mail_t)
 ')
 
 ifdef(`TODO',`
diff --git a/refpolicy/policy/modules/services/sendmail.te b/refpolicy/policy/modules/services/sendmail.te
index 4eb4dab66..81746d780 100644
--- a/refpolicy/policy/modules/services/sendmail.te
+++ b/refpolicy/policy/modules/services/sendmail.te
@@ -89,17 +89,17 @@ mta_manage_mail_spool(sendmail_t)
 sysnetwork_read_network_config(sendmail_t)
 
 tunable_policy(`targeted_policy', `
-terminal_ignore_use_general_physical_terminal(sendmail_t)
-terminal_ignore_use_general_pseudoterminal(sendmail_t)
-files_ignore_read_rootfs_file(sendmail_t)
+	terminal_ignore_use_general_physical_terminal(sendmail_t)
+	terminal_ignore_use_general_pseudoterminal(sendmail_t)
+	files_ignore_read_rootfs_file(sendmail_t)
 ')
 
 optional_policy(`selinux.te',`
-selinux_newrole_sigchld(sendmail_t)
+	selinux_newrole_sigchld(sendmail_t)
 ')
 
 optional_policy(`udev.te', `
-udev_read_database(sendmail_t)
+	udev_read_database(sendmail_t)
 ')
 
 ifdef(`TODO',`
diff --git a/refpolicy/policy/modules/system/audit.te b/refpolicy/policy/modules/system/audit.te
index 51e33db53..d72014342 100644
--- a/refpolicy/policy/modules/system/audit.te
+++ b/refpolicy/policy/modules/system/audit.te
@@ -52,17 +52,17 @@ libraries_use_shared_libraries(auditd_t)
 miscfiles_read_localization(auditd_t)
 
 tunable_policy(`targeted_policy', `
-terminal_ignore_use_general_physical_terminal(auditd_t)
-terminal_ignore_use_general_pseudoterminal(auditd_t)
-files_ignore_read_rootfs_file(auditd_t)
-')dnl end targeted_policy tunable
+	terminal_ignore_use_general_physical_terminal(auditd_t)
+	terminal_ignore_use_general_pseudoterminal(auditd_t)
+	files_ignore_read_rootfs_file(auditd_t)
+')
 
 optional_policy(`selinux.te',`
-selinux_newrole_sigchld(auditd_t)
+	selinux_newrole_sigchld(auditd_t)
 ')
 
 optional_policy(`udev.te', `
-udev_read_database(auditd_t)
+	udev_read_database(auditd_t)
 ')
 
 ifdef(`TODO',`
diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if
index e7defa98c..90fc4a7d9 100644
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@@ -8,87 +8,91 @@
 # authlogin_per_userdomain_template(userdomain_prefix)
 #
 define(`authlogin_per_userdomain_template',`
-requires_block_template(`$0'_depend)
+	requires_block_template(`$0'_depend)
 
-type $1_chkpwd_t, can_read_shadow_passwords; # , nscd_client_domain;
-domain_make_domain($1_chkpwd_t)
-domain_make_entrypoint_file($1_chkpwd_t,chkpwd_exec_t)
-role $1_r types $1_chkpwd_t;
-role $1_r types system_chkpwd_t;
+	type $1_chkpwd_t, can_read_shadow_passwords; # , nscd_client_domain;
+	domain_make_domain($1_chkpwd_t)
+	domain_make_entrypoint_file($1_chkpwd_t,chkpwd_exec_t)
+	role $1_r types $1_chkpwd_t;
+	role $1_r types system_chkpwd_t;
 
-allow $1_chkpwd_t self:capability setuid;
-allow $1_chkpwd_t self:process getattr;
+	allow $1_chkpwd_t self:capability setuid;
+	allow $1_chkpwd_t self:process getattr;
 
-files_read_general_system_config_directory($1_chkpwd_t)
-allow $1_chkpwd_t shadow_t:file { getattr read };
+	files_read_general_system_config_directory($1_chkpwd_t)
+	allow $1_chkpwd_t shadow_t:file { getattr read };
 
-# is_selinux_enabled
-kernel_read_system_state($1_chkpwd_t)
+	# is_selinux_enabled
+	kernel_read_system_state($1_chkpwd_t)
 
-filesystem_ignore_get_persistent_filesystem_attributes($1_chkpwd_t)
+	filesystem_ignore_get_persistent_filesystem_attributes($1_chkpwd_t)
 
-domain_use_widely_inheritable_file_descriptors($1_chkpwd_t)
+	domain_use_widely_inheritable_file_descriptors($1_chkpwd_t)
 
-libraries_use_dynamic_loader($1_chkpwd_t)
-libraries_use_shared_libraries($1_chkpwd_t)
+	libraries_use_dynamic_loader($1_chkpwd_t)
+	libraries_use_shared_libraries($1_chkpwd_t)
 
-files_read_general_system_config($1_chkpwd_t)
-# for nscd
-files_ignore_search_system_state_data_directory($1_chkpwd_t)
+	files_read_general_system_config($1_chkpwd_t)
+	# for nscd
+	files_ignore_search_system_state_data_directory($1_chkpwd_t)
 
-logging_send_system_log_message($1_chkpwd_t)
+	logging_send_system_log_message($1_chkpwd_t)
 
-miscfiles_read_localization($1_chkpwd_t)
+	miscfiles_read_localization($1_chkpwd_t)
 
-selinux_read_config($1_chkpwd_t)
+	selinux_read_config($1_chkpwd_t)
 
-#can_ypbind($1_chkpwd_t)
-#can_kerberos($1_chkpwd_t)
-#can_ldap($1_chkpwd_t)
+	#can_ypbind($1_chkpwd_t)
+	#can_kerberos($1_chkpwd_t)
+	#can_ldap($1_chkpwd_t)
 
-# Transition from the user domain to this domain.
-allow $1_t chkpwd_exec_t:file { getattr read execute };
-allow $1_t $1_chkpwd_t:process transition;
-type_transition $1_t chkpwd_exec_t:process $1_chkpwd_t;
-allow $1_chkpwd_t $1_t:fd use;
-allow $1_t $1_chkpwd_t:fd use;
-allow $1_chkpwd_t $1_t:fifo_file rw_file_perms;
-allow $1_chkpwd_t $1_t:process sigchld;
+	# Transition from the user domain to this domain.
+	allow $1_t chkpwd_exec_t:file { getattr read execute };
+	allow $1_t $1_chkpwd_t:process transition;
+	type_transition $1_t chkpwd_exec_t:process $1_chkpwd_t;
+	dontaudit $1_t $1_chkpwd_t:process { noatsecure siginh rlimitinh };
 
-# Write to the user domain tty.
-#userdomain_use_$1_terminal($1_chkpwd_t)
-#userdomain_use_$1_pty($1_chkpwd_t)
+	allow $1_chkpwd_t $1_t:fd use;
+	allow $1_t $1_chkpwd_t:fd use;
+	allow $1_chkpwd_t $1_t:fifo_file rw_file_perms;
+	allow $1_chkpwd_t $1_t:process sigchld;
 
-# Inherit and use descriptors from gnome-pty-helper.
-#ifdef(`gnome-pty-helper.te',`allow $1_chkpwd_t $1_gph_t:fd use;')
+	# Write to the user domain tty.
+	#userdomain_use_$1_terminal($1_chkpwd_t)
+	#userdomain_use_$1_pty($1_chkpwd_t)
 
-tunable_policy(`use_dns',`
-allow $1_chkpwd_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
-corenetwork_sendrecv_udp_on_all_interfaces($1_chkpwd_t)
-corenetwork_sendrecv_raw_on_all_interfaces($1_chkpwd_t)
-corenetwork_sendrecv_udp_on_all_nodes($1_chkpwd_t)
-corenetwork_sendrecv_raw_on_all_nodes($1_chkpwd_t)
-corenetwork_bind_udp_on_all_nodes($1_chkpwd_t)
-corenetwork_sendrecv_udp_on_dns_port($1_chkpwd_t)
-sysnetwork_read_network_config($1_chkpwd_t)
-')
+	# Inherit and use descriptors from gnome-pty-helper.
+	#ifdef(`gnome-pty-helper.te',`allow $1_chkpwd_t $1_gph_t:fd use;')
 
-optional_policy(`selinux.te',`
-selinux_newrole_use_file_descriptors($1_chkpwd_t)
-')
+	tunable_policy(`use_dns',`
+		allow $1_chkpwd_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
+		corenetwork_sendrecv_udp_on_all_interfaces($1_chkpwd_t)
+		corenetwork_sendrecv_raw_on_all_interfaces($1_chkpwd_t)
+		corenetwork_sendrecv_udp_on_all_nodes($1_chkpwd_t)
+		corenetwork_sendrecv_raw_on_all_nodes($1_chkpwd_t)
+		corenetwork_bind_udp_on_all_nodes($1_chkpwd_t)
+		corenetwork_sendrecv_udp_on_dns_port($1_chkpwd_t)
+		sysnetwork_read_network_config($1_chkpwd_t)
+	')
+
+	optional_policy(`selinux.te',`
+		selinux_newrole_use_file_descriptors($1_chkpwd_t)
+	')
 
 ') dnl end authlogin_per_userdomain_template
 
 define(`authlogin_per_userdomain_template_depend',`
-attribute can_read_shadow_passwords;
-type chkpwd_exec_t, system_chkpwd_t, shadow_t;
-class file { getattr read execute };
-class process { getattr transition sigchld };
-class capability setuid;
-class unix_stream_socket { create read getattr write setattr append bind connect getopt setopt shutdown };
-class unix_dgram_socket { create read getattr write setattr append bind connect getopt setopt shutdown };
-class fd use;
-class fifo_file rw_file_perms;
+	attribute can_read_shadow_passwords;
+
+	type chkpwd_exec_t, system_chkpwd_t, shadow_t;
+
+	class file { getattr read execute };
+	class process { getattr transition sigchld };
+	class capability setuid;
+	class unix_stream_socket { create read getattr write setattr append bind connect getopt setopt shutdown };
+	class unix_dgram_socket { create read getattr write setattr append bind connect getopt setopt shutdown };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')
 
 #######################################
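Review bot: The new `dontaudit $1_t $1_chkpwd_t:process { noatsecure siginh rlimitinh };` line in `authlogin_per_userdomain_template` uses three process permissions that `authlogin_per_userdomain_template_depend` does not declare, because its `class process` line is still `{ getattr transition sigchld }`. Extend it to `class process { getattr transition noatsecure siginh rlimitinh sigchld };`, matching the other transition depend blocks in this file. The `use_dns` block also uses `udp_socket` while the depend block lists only `unix_stream_socket` and `unix_dgram_socket`; that predates this commit but is worth correcting in the same change.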
@@ -96,13 +100,13 @@ class fifo_file rw_file_perms;
 # authlogin_make_login_program_entrypoint(domain)
 #
 define(`authlogin_make_login_program_entrypoint',`
-requires_block_template(`$0'_depend)
-domain_make_entrypoint_file($1,login_exec_t)
+	requires_block_template(`$0'_depend)
+
+	domain_make_entrypoint_file($1,login_exec_t)
 ')
 
 define(`authlogin_make_login_program_entrypoint_depend',`
-type login_exec_t;
-domain_make_entrypoint_file_depend
+	type login_exec_t;
 ')
 
 ########################################
@@ -120,24 +124,27 @@ domain_make_entrypoint_file_depend
 ## </interface>
 #
 define(`authlogin_login_program_transition',`
-requires_block_template(`$0'_depend)
-# FIXME: search bin_t
-allow $1 login_exec_t:file { getattr read execute };
-allow $1 $2:process transition;
-type_transition $1 login_exec_t:process $2;
-dontaudit $1 $2:process { noatsecure siginh rlimitinh };
-allow $1 $2:fd use;
-allow $2 $1:fd use;
-allow $2 $1:fifo_file rw_file_perms;
-allow $2 $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	# FIXME: search bin_t
+	allow $1 login_exec_t:file { getattr read execute };
+	allow $1 $2:process transition;
+	type_transition $1 login_exec_t:process $2;
+	dontaudit $1 $2:process { noatsecure siginh rlimitinh };
+
+	allow $1 $2:fd use;
+	allow $2 $1:fd use;
+	allow $2 $1:fifo_file rw_file_perms;
+	allow $2 $1:process sigchld;
 ')
 
 define(`authlogin_login_program_transition_depend',`
-type login_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+	type login_exec_t;
+
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh sigchld };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')
 
 #######################################
@@ -145,41 +152,43 @@ class fifo_file rw_file_perms;
 # authlogin_check_password_transition(domain)
 #
 define(`authlogin_check_password_transition',`
-requires_block_template(`$0'_depend)
-allow $1 chkpwd_exec_t:file { getattr read execute };
-allow $1 system_chkpwd_t:process transition;
-type_transition $1 chkpwd_exec_t:process system_chkpwd_t;
-allow $1 system_chkpwd_t:fd use;
-allow system_chkpwd_t $1:fd use;
-allow system_chkpwd_t $1:fifo_file rw_file_perms;
-allow system_chkpwd_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
 
-dontaudit $1 shadow_t:file { getattr read };
-#allow $1_t sbin_t:dir search;
-#can_ypbind($1_t)
-#can_kerberos($1_t)
-#can_ldap($1_t)
+	allow $1 chkpwd_exec_t:file { getattr read execute };
+	allow $1 system_chkpwd_t:process transition;
+	type_transition $1 chkpwd_exec_t:process system_chkpwd_t;
 
-tunable_policy(`use_dns',`
-allow $1 self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
-corenetwork_sendrecv_udp_on_all_interfaces($1)
-corenetwork_sendrecv_raw_on_all_interfaces($1)
-corenetwork_sendrecv_udp_on_all_nodes($1)
-corenetwork_sendrecv_raw_on_all_nodes($1)
-corenetwork_bind_udp_on_all_nodes($1)
-corenetwork_sendrecv_udp_on_dns_port($1)
-sysnetwork_read_network_config($1)
-') dnl end use_dns
+	allow $1 system_chkpwd_t:fd use;
+	allow system_chkpwd_t $1:fd use;
+	allow system_chkpwd_t $1:fifo_file rw_file_perms;
+	allow system_chkpwd_t $1:process sigchld;
 
-') dnl end check_password_transition
+	dontaudit $1 shadow_t:file { getattr read };
+	#allow $1_t sbin_t:dir search;
+	#can_ypbind($1_t)
+	#can_kerberos($1_t)
+	#can_ldap($1_t)
+
+	tunable_policy(`use_dns',`
+		allow $1 self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
+		corenetwork_sendrecv_udp_on_all_interfaces($1)
+		corenetwork_sendrecv_raw_on_all_interfaces($1)
+		corenetwork_sendrecv_udp_on_all_nodes($1)
+		corenetwork_sendrecv_raw_on_all_nodes($1)
+		corenetwork_bind_udp_on_all_nodes($1)
+		corenetwork_sendrecv_udp_on_dns_port($1)
+		sysnetwork_read_network_config($1)
+	')
+')
 
 define(`authlogin_check_password_transition_depend',`
-type system_chkpwd_t, chkpwd_exec_t, shadow_t;
-class file { getattr read execute };
-class process { transition sigchld };
-class udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
-class fd use;
-class fifo_file rw_file_perms;
+	type system_chkpwd_t, chkpwd_exec_t, shadow_t;
+
+	class file { getattr read execute };
+	class process { transition sigchld };
+	class udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')
 
 #######################################
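Review bot: Among the domain-transition interfaces visible in this diff, `authlogin_check_password_transition` is now the only one without a `dontaudit ... :process { noatsecure siginh rlimitinh };` rule. This commit adds one to the per-user chkpwd template, and the login, PAM and pam_console transitions already carry it. If the omission is deliberate, a one-line comment saying so would help; otherwise add `dontaudit $1 system_chkpwd_t:process { noatsecure siginh rlimitinh };` after the `type_transition` line and the three permissions to `class process` in the depend block. The commented-out rules further down still refer to `$1_t` although this interface takes a full domain as `$1`.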
@@ -187,13 +196,15 @@ class fifo_file rw_file_perms;
 # authlogin_ignore_get_shadow_passwords_attributes(domain)
 #
 define(`authlogin_ignore_get_shadow_passwords_attributes',`
-requires_block_template(`$0'_depend)
-dontaudit $1 shadow_t:file getattr;
+	requires_block_template(`$0'_depend)
+
+	dontaudit $1 shadow_t:file getattr;
 ')
 
 define(`authlogin_ignore_get_shadow_passwords_attributes_depend',`
-type shadow_t;
-class file getattr;
+	type shadow_t;
+
+	class file getattr;
 ')
 
 #######################################
@@ -201,16 +212,19 @@ class file getattr;
 # authlogin_read_shadow_passwords(domain)
 #
 define(`authlogin_read_shadow_passwords',`
-requires_block_template(`$0'_depend)
-files_read_general_system_config_directory($1)
-allow $1 shadow_t:file { getattr read };
-typeattribute $1 can_read_shadow_passwords;
+	requires_block_template(`$0'_depend)
+
+	files_read_general_system_config_directory($1)
+	allow $1 shadow_t:file { getattr read };
+	typeattribute $1 can_read_shadow_passwords;
 ')
 
 define(`authlogin_read_shadow_passwords_depend',`
-attribute can_read_shadow_passwords;
-type shadow_t;
-class file { getattr read };
+	attribute can_read_shadow_passwords;
+
+	type shadow_t;
+
+	class file { getattr read };
 ')
 
 #######################################
@@ -218,13 +232,15 @@ class file { getattr read };
 # authlogin_ignore_read_shadow_passwords(domain)
 #
 define(`authlogin_ignore_read_shadow_passwords',`
-requires_block_template(`$0'_depend)
-dontaudit $1 shadow_t:file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	dontaudit $1 shadow_t:file { getattr read };
 ')
 
 define(`authlogin_ignore_read_shadow_passwords_depend',`
-type shadow_t;
-class file { getattr read };
+	type shadow_t;
+
+	class file { getattr read };
 ')
 
 #######################################
@@ -232,18 +248,18 @@ class file { getattr read };
 # authlogin_modify_shadow_passwords(domain)
 #
 define(`authlogin_modify_shadow_passwords',`
-requires_block_template(`$0'_depend)
-files_read_general_system_config_directory($1)
-allow $1 shadow_t:file { getattr read write };
-typeattribute $1 can_read_shadow_passwords;
-typeattribute $1 can_write_shadow_passwords;
+	requires_block_template(`$0'_depend)
+
+	files_read_general_system_config_directory($1)
+	allow $1 shadow_t:file rw_file_perms;
+	typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
 ')
 
 define(`authlogin_modify_shadow_passwords_depend',`
-attribute can_read_shadow_passwords;
-attribute can_write_shadow_passwords;
-type shadow_t;
-class file { getattr read write };
+	attribute can_read_shadow_passwords, can_write_shadow_passwords;
+
+	type shadow_t;
+	class file rw_file_perms;
 ')
 
 #######################################
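Review bot: Replacing `{ getattr read write }` with `rw_file_perms` on `shadow_t` in `authlogin_modify_shadow_passwords` is not a pure formatting change. Judging by the `mta_send_mail_depend` hunk, where `rw_file_perms` replaces `{ ioctl read getattr lock write append }`, the macro also grants `ioctl`, `lock` and `append`. The same applies to the later `authlogin_modify_login_failure_records` hunk, where `{ read write append }` on `faillog_t` becomes `rw_file_perms` and picks up `getattr`, `ioctl` and `lock`. If the wider set is intended for the shadow file, say so in the commit message or a comment; otherwise keep the explicit list, `allow $1 shadow_t:file { getattr read write };`, so a cleanup commit does not widen access to password data.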
@@ -251,18 +267,20 @@ class file { getattr read write };
 # authlogin_manage_shadow_passwords(domain)
 #
 define(`authlogin_manage_shadow_passwords',`
-requires_block_template(`$0'_depend)
-files_create_private_config($1,shadow_t,file)
-allow $1 shadow_t:file { create ioctl read getattr lock write setattr append link unlink rename };
-typeattribute $1 can_read_shadow_passwords;
-typeattribute $1 can_write_shadow_passwords;
+	requires_block_template(`$0'_depend)
+
+	allow $1 shadow_t:file create_file_perms;
+	files_create_private_config($1,shadow_t,file)
+
+	typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
 ')
 
 define(`authlogin_manage_shadow_passwords_depend',`
-attribute can_read_shadow_passwords;
-attribute can_write_shadow_passwords;
-type shadow_t;
-class file { create ioctl read getattr lock write setattr append link unlink rename };
+	attribute can_read_shadow_passwords, can_write_shadow_passwords;
+
+	type shadow_t;
+
+	class file create_file_perms;
 ')
 
 #######################################
@@ -270,16 +288,19 @@ class file { create ioctl read getattr lock write setattr append link unlink ren
 # authlogin_relabel_to_shadow_passwords(domain)
 #
 define(`authlogin_relabel_to_shadow_passwords',`
-requires_block_template(`$0'_depend)
-files_search_general_system_config_directory($1)
-allow $1 shadow_t:file relabelto;
-typeattribute $1 can_relabelto_shadow_passwords;
+	requires_block_template(`$0'_depend)
+
+	files_search_general_system_config_directory($1)
+	allow $1 shadow_t:file relabelto;
+	typeattribute $1 can_relabelto_shadow_passwords;
 ')
 
 define(`authlogin_relabel_to_shadow_passwords_depend',`
-attribute can_relabelto_shadow_passwords;
-type shadow_t;
-class file relabelto;
+	attribute can_relabelto_shadow_passwords;
+
+	type shadow_t;
+
+	class file relabelto;
 ')
 
 #######################################
@@ -287,14 +308,16 @@ class file relabelto;
 # authlogin_modify_login_failure_records(domain)
 #
 define(`authlogin_modify_login_failure_records',`
-requires_block_template(`$0'_depend)
-logging_search_system_log_directory($1)
-allow $1 faillog_t:file { read write append };
+	requires_block_template(`$0'_depend)
+
+	allow $1 faillog_t:file rw_file_perms;
+	logging_search_system_log_directory($1)
 ')
 
 define(`authlogin_modify_login_failure_records_depend',`
-type faillog_t;
-class file { read write append };
+	type faillog_t;
+
+	class file rw_file_perms;
 ')
 
 #######################################
@@ -302,14 +325,16 @@ class file { read write append };
 # authlogin_modify_last_login_log(domain)
 #
 define(`authlogin_modify_last_login_log',`
-requires_block_template(`$0'_depend)
-logging_search_system_log_directory($1)
-allow $1 lastlog_t:file { getattr read write setattr };
+	requires_block_template(`$0'_depend)
+
+	logging_search_system_log_directory($1)
+	allow $1 lastlog_t:file { getattr read write setattr };
 ')
 
 define(`authlogin_modify_last_login_log_depend',`
-type lastlog_t;
-class file { getattr read write setattr };
+	type lastlog_t;
+
+	class file { getattr read write setattr };
 ')
 
 ########################################
@@ -324,23 +349,26 @@ class file { getattr read write setattr };
 ## </interface>
 #
 define(`authlogin_pam_transition',`
-requires_block_template(`$0'_depend)
-allow $1 pam_exec_t:file { getattr read execute };
-allow $1 pam_t:process transition;
-type_transition $1 pam_exec_t:process pam_t;
-dontaudit $1 pam_t:process { noatsecure siginh rlimitinh };
-allow $1 pam_t:fd use;
-allow pam_t $1:fd use;
-allow pam_t $1:fifo_file rw_file_perms;
-allow pam_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 pam_exec_t:file { getattr read execute };
+	allow $1 pam_t:process transition;
+	type_transition $1 pam_exec_t:process pam_t;
+	dontaudit $1 pam_t:process { noatsecure siginh rlimitinh };
+
+	allow $1 pam_t:fd use;
+	allow pam_t $1:fd use;
+	allow pam_t $1:fifo_file rw_file_perms;
+	allow pam_t $1:process sigchld;
 ')
 
 define(`authlogin_pam_transition_depend',`
-type pam_t, pam_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd
-class fifo_file rw_file_perms;
+	type pam_t, pam_exec_t;
+
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh sigchld };
+	class fd
+	class fifo_file rw_file_perms;
 ')
 
 ########################################
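Review bot: In `authlogin_pam_transition_depend` the line `class fd` has neither a permission nor a terminating `;`, and the re-indent keeps it that way. The interface's rules use `fd use` in both directions, and the parallel depend blocks (`authlogin_login_program_transition_depend`, `authlogin_pam_console_transition_depend`) write `class fd use;`, so this line should match them.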
@@ -361,15 +389,17 @@ class fifo_file rw_file_perms;
 ## </interface>
 #
 define(`authlogin_pam_transition_add_role_use_terminal',`
-requires_block_template(`$0'_depend)
-authlogin_pam_transition($1)
-role $2 types pam_t;
-allow pam_t $3:chr_file { getattr read write ioctl };
+	requires_block_template(`$0'_depend)
+
+	authlogin_pam_transition($1)
+	role $2 types pam_t;
+	allow pam_t $3:chr_file { getattr read write ioctl };
 ')
 
 define(`authlogin_pam_transition_add_role_use_terminal_depend',`
-type pam_t;
-class chr_file { getattr read write ioctl };
+	type pam_t;
+
+	class chr_file { getattr read write ioctl };
 ')
 
 #######################################
@@ -377,13 +407,15 @@ class chr_file { getattr read write ioctl };
 # authlogin_pam_execute(domain)
 #
 define(`authlogin_pam_execute',`
-requires_block_template(`$0'_depend)
-allow $1 pam_exec_t:file { getattr read execute execute_no_trans };
+	requires_block_template(`$0'_depend)
+
+	allow $1 pam_exec_t:file { getattr read execute execute_no_trans };
 ')
 
 define(`authlogin_pam_execute_depend',`
-type pam_exec_t;
-class file { getattr read execute execute_no_trans };
+	type pam_exec_t;
+
+	class file { getattr read execute execute_no_trans };
 ')
 
 #######################################
@@ -391,17 +423,19 @@ class file { getattr read execute execute_no_trans };
 # authlogin_pam_read_runtime_data(domain)
 #
 define(`authlogin_pam_read_runtime_data',`
-requires_block_template(`$0'_depend)
-files_search_system_state_data_directory($1)
-files_search_runtime_data_directory($1)
-allow $1 pam_var_run_t:dir { getattr search read };
-allow $1 pam_var_run_t:file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	files_search_system_state_data_directory($1)
+	files_search_runtime_data_directory($1)
+	allow $1 pam_var_run_t:dir { getattr search read };
+	allow $1 pam_var_run_t:file { getattr read };
 ')
 
 define(`authlogin_pam_read_runtime_data_depend',`
-type pam_var_run_t;
-class dir { getattr search read };
-class file { getattr read };
+	type pam_var_run_t;
+
+	class dir { getattr search read };
+	class file { getattr read };
 ')
 
 #######################################
@@ -409,17 +443,19 @@ class file { getattr read };
 # authlogin_pam_remove_runtime_data(domain)
 #
 define(`authlogin_pam_remove_runtime_data',`
-requires_block_template(`$0'_depend)
-files_search_system_state_data_directory($1)
-files_search_runtime_data_directory($1)
-allow $1 pam_var_run_t:dir { getattr search read write remove_name };
-allow $1 pam_var_run_t:file { getattr unlink };
+	requires_block_template(`$0'_depend)
+
+	files_search_system_state_data_directory($1)
+	files_search_runtime_data_directory($1)
+	allow $1 pam_var_run_t:dir { getattr search read write remove_name };
+	allow $1 pam_var_run_t:file { getattr unlink };
 ')
 
 define(`authlogin_pam_remove_runtime_data_depend',`
-type pam_var_run_t;
-class dir { getattr search read write remove_name };
-class file { getattr unlink };
+	type pam_var_run_t;
+
+	class dir { getattr search read write remove_name };
+	class file { getattr unlink };
 ')
 
 #######################################
@@ -427,23 +463,26 @@ class file { getattr unlink };
 # authlogin_pam_console_transition(domain)
 #
 define(`authlogin_pam_console_transition',`
-requires_block_template(`$0'_depend)
-allow $1 pam_console_exec_t:file { getattr read execute };
-allow $1 pam_console_t:process transition;
-type_transition $1 pam_console_exec_t:process pam_console_t;
-dontaudit $1 pam_console_t:process { noatsecure siginh rlimitinh };
-allow $1 pam_console_t:fd use;
-allow pam_console_t $1:fd use;
-allow pam_console_t $1:fifo_file rw_file_perms;
-allow pam_console_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 pam_console_exec_t:file { getattr read execute };
+	allow $1 pam_console_t:process transition;
+	type_transition $1 pam_console_exec_t:process pam_console_t;
+	dontaudit $1 pam_console_t:process { noatsecure siginh rlimitinh };
+
+	allow $1 pam_console_t:fd use;
+	allow pam_console_t $1:fd use;
+	allow pam_console_t $1:fifo_file rw_file_perms;
+	allow pam_console_t $1:process sigchld;
 ')
 
 define(`authlogin_pam_console_transition_depend',`
-type pam_console_t, pam_console_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+	type pam_console_t, pam_console_exec_t;
+
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh sigchld };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')
 
 #######################################
@@ -451,15 +490,17 @@ class fifo_file rw_file_perms;
 # authlogin_pam_console_read_runtime_data_dir(domain)
 #
 define(`authlogin_pam_console_read_runtime_data_dir',`
-requires_block_template(`$0'_depend)
-files_search_system_state_data_directory($1)
-files_search_runtime_data_directory($1)
-allow $1 pam_var_console_t:dir { getattr search read };
+	requires_block_template(`$0'_depend)
+
+	files_search_system_state_data_directory($1)
+	files_search_runtime_data_directory($1)
+	allow $1 pam_var_console_t:dir r_dir_perms;
 ')
 
 define(`authlogin_pam_console_read_runtime_data_dir_depend',`
-type pam_var_console_t;
-class dir { getattr search read };
+	type pam_var_console_t;
+
+	class dir r_dir_perms;
 ')
 
 #######################################
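Review bot: The rule in `authlogin_pam_console_read_runtime_data_dir` now grants `r_dir_perms` instead of the explicit `{ getattr search read }`, so this hunk changes policy in a commit that otherwise only re-indents. The macro's expansion is not shown here; if it matches the usual permission-set definition it also adds `lock` and `ioctl` on `pam_var_console_t` directories. The next hunk (`authlogin_pam_console_read_runtime_data`) makes the same substitution and also replaces `{ getattr read }` on files with `r_file_perms`. I would keep `allow $1 pam_var_console_t:dir { getattr search read };` in the formatting commit and widen the set in a separate change that says why.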
@@ -467,17 +508,19 @@ class dir { getattr search read };
 # authlogin_pam_console_read_runtime_data(domain)
 #
 define(`authlogin_pam_console_read_runtime_data',`
-requires_block_template(`$0'_depend)
-files_search_system_state_data_directory($1)
-files_search_runtime_data_directory($1)
-allow $1 pam_var_console_t:dir { getattr search read };
-allow $1 pam_var_console_t:file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	files_search_system_state_data_directory($1)
+	files_search_runtime_data_directory($1)
+	allow $1 pam_var_console_t:dir r_dir_perms;
+	allow $1 pam_var_console_t:file r_file_perms;
 ')
 
 define(`authlogin_pam_console_read_runtime_data_depend',`
-type pam_var_console_t;
-class dir { getattr search read };
-class file { getattr read };
+	type pam_var_console_t;
+
+	class dir r_dir_perms;
+	class file r_file_perms;
 ')
 
 #######################################
@@ -485,19 +528,21 @@ class file { getattr read };
 # authlogin_pam_console_manage_runtime_data(domain)
 #
 define(`authlogin_pam_console_manage_runtime_data',`
-requires_block_template(`$0'_depend)
-files_search_system_state_data_directory($1)
-files_search_runtime_data_directory($1)
-allow $1 pam_var_console_t:dir { read getattr lock search ioctl add_name remove_name write };
-allow $1 pam_var_console_t:file { create ioctl read getattr lock write setattr append link unlink rename };
-allow $1 pam_var_console_t:lnk_file { create read getattr setattr link unlink rename };
+	requires_block_template(`$0'_depend)
+
+	files_search_system_state_data_directory($1)
+	files_search_runtime_data_directory($1)
+	allow $1 pam_var_console_t:dir { read getattr lock search ioctl add_name remove_name write };
+	allow $1 pam_var_console_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+	allow $1 pam_var_console_t:lnk_file { create read getattr setattr link unlink rename };
 ')
 
 define(`authlogin_pam_console_manage_runtime_data_depend',`
-type pam_var_console_t;
-class dir { read getattr lock search ioctl add_name remove_name write };
-class file { create ioctl read getattr lock write setattr append link unlink rename };
-class lnk_file { create read getattr setattr link unlink rename };
+	type pam_var_console_t;
+
+	class dir { read getattr lock search ioctl add_name remove_name write };
+	class file { create ioctl read getattr lock write setattr append link unlink rename };
+	class lnk_file { create read getattr setattr link unlink rename };
 ')
 
 ########################################
@@ -518,12 +563,13 @@ class lnk_file { create read getattr setattr link unlink rename };
 #
 
 define(`authlogin_relabel_all_files_except_shadow',`
-requires_block_template(`$0'_depend)
-files_relabel_all_files($1,$2 -shadow_t)
+	requires_block_template(`$0'_depend)
+
+	files_relabel_all_files($1,$2 -shadow_t)
 ')
 
 define(`authlogin_relabel_all_files_except_shadow_depend',`
-type shadow_t;
+	type shadow_t;
 ')
 
 ########################################
@@ -544,12 +590,13 @@ type shadow_t;
 #
 
 define(`authlogin_manage_all_files_except_shadow',`
-requires_block_template(`$0'_depend)
-files_manage_all_files($1,$2 -shadow_t)
+	requires_block_template(`$0'_depend)
+
+	files_manage_all_files($1,$2 -shadow_t)
 ')
 
 define(`authlogin_manage_all_files_except_shadow_depend',`
-type shadow_t;
+	type shadow_t;
 ')
 
 ########################################
@@ -564,23 +611,26 @@ type shadow_t;
 ## </interface>
 #
 define(`authlogin_utempter_transition',`
-requires_block_template(`$0'_depend)
-allow $1 utempter_exec_t:file { getattr read execute };
-allow $1 utempter_t:process transition;
-type_transition $1 utempter_exec_t:process utempter_t;
-dontaudit $1 utempter_t:process { noatsecure siginh rlimitinh };
-allow $1 utempter_t:fd use;
-allow utempter_t $1:fd use;
-allow utempter_t $1:fifo_file rw_file_perms;
-allow utempter_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 utempter_exec_t:file { getattr read execute };
+	allow $1 utempter_t:process transition;
+	type_transition $1 utempter_exec_t:process utempter_t;
+	dontaudit $1 utempter_t:process { noatsecure siginh rlimitinh };
+
+	allow $1 utempter_t:fd use;
+	allow utempter_t $1:fd use;
+	allow utempter_t $1:fifo_file rw_file_perms;
+	allow utempter_t $1:process sigchld;
 ')
 
 define(`authlogin_utempter_transition_depend',`
-type utempter_t, utempter_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+	type utempter_t, utempter_exec_t;
+
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh sigchld };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')
 
 ########################################
@@ -601,15 +651,17 @@ class fifo_file rw_file_perms;
 ## </interface>
 #
 define(`authlogin_utempter_transition_add_role_use_terminal',`
-requires_block_template(`$0'_depend)
-authlogin_utempter_transition($1)
-role $2 types utempter_t;
-allow utempter_t $3:chr_file { getattr read write ioctl };
+	requires_block_template(`$0'_depend)
+
+	authlogin_utempter_transition($1)
+	role $2 types utempter_t;
+	allow utempter_t $3:chr_file { getattr read write ioctl };
 ')
 
 define(`authlogin_utempter_transition_add_role_use_terminal_depend',`
-type utempter_t;
-class chr_file { getattr read write ioctl };
+	type utempter_t;
+
+	class chr_file { getattr read write ioctl };
 ')
 
 #######################################
@@ -617,14 +669,16 @@ class chr_file { getattr read write ioctl };
 # authlogin_read_login_records(domain)
 #
 define(`authlogin_read_login_records',`
-requires_block_template(`$0'_depend)
-logging_search_system_log_directory($1)
-allow $1 wtmp_t:file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	logging_search_system_log_directory($1)
+	allow $1 wtmp_t:file { getattr read };
 ')
 
 define(`authlogin_read_login_records_depend',`
-type wtmp_t;
-class file { getattr read };
+	type wtmp_t;
+
+	class file { getattr read };
 ')
 
 #######################################
@@ -632,13 +686,15 @@ class file { getattr read };
 # authlogin_ignore_write_login_records(domain)
 #
 define(`authlogin_ignore_write_login_records',`
-requires_block_template(`$0'_depend)
-dontaudit $1 wtmp_t:file write;
+	requires_block_template(`$0'_depend)
+
+	dontaudit $1 wtmp_t:file write;
 ')
 
 define(`authlogin_read_login_records_depend',`
-type wtmp_t;
-class file write;
+	type wtmp_t;
+
+	class file write;
 ')
 
 #######################################
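Review bot: The depend macro that follows `authlogin_ignore_write_login_records` is still defined as `authlogin_read_login_records_depend` (an unchanged context line), which looks like a copy-paste leftover. The name that `requires_block_template` builds from `$0` for this interface therefore has no definition in the visible part of the file. The earlier `authlogin_read_login_records_depend` is also redefined, and since m4 keeps the last definition, the read interface would then declare `class file write;` instead of `{ getattr read }`. Renaming the macro to `authlogin_ignore_write_login_records_depend` fixes both.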
@@ -646,14 +702,15 @@ class file write;
 # authlogin_modify_login_records(domain)
 #
 define(`authlogin_modify_login_records',`
-requires_block_template(`$0'_depend)
-logging_search_system_log_directory($1)
-allow $1 wtmp_t:file { getattr read write append setattr lock };
+	requires_block_template(`$0'_depend)
+
+	allow $1 wtmp_t:file rw_file_perms;
+	logging_search_system_log_directory($1)
 ')
 
 define(`authlogin_modify_login_records_depend',`
 type wtmp_t;
-class file { getattr read write append setattr lock };
+class file rw_file_perms;
 ')
 
 ## </module>
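Review bot: `authlogin_modify_login_records` switches from `{ getattr read write append setattr lock }` to `rw_file_perms` on `wtmp_t`, which is a permission change rather than a formatting one. The macro is not defined on this page; if it follows the usual definition it lacks `setattr` and adds `ioctl`, so callers that adjust wtmp attributes could start getting denials. Either keep the explicit set here or state the intended change in the commit message. Separately, `authlogin_modify_login_records_depend` is the one depend block left unindented: `type wtmp_t;` and `class file rw_file_perms;` should get the same leading tab and blank separator line as the others.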
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index a6852ce1e..6c98d2713 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@@ -109,13 +109,13 @@ logging_send_system_log_message(pam_t)
 userdomain_use_all_unprivileged_users_file_descriptors(pam_t)
 
 optional_policy(`locallogin.te',`
-locallogin_use_file_descriptors(pam_t)
+	locallogin_use_file_descriptors(pam_t)
 ')
 
 ifdef(`TODO',`
 can_ypbind(pam_t)
 ifdef(`automount.te', `
-allow pam_t autofs_t:dir { search getattr };
+	allow pam_t autofs_t:dir { search getattr };
 ')
 
 ifdef(`gnome-pty-helper.te', `allow pam_t gphdomain:fd use;')
@@ -171,18 +171,18 @@ selinux_read_file_contexts(pam_console_t)
 userdomain_ignore_use_all_unprivileged_users_file_descriptors(pam_console_t)
 
 tunable_policy(`direct_sysadm_daemon', `
-dontaudit pam_console_t admin_tty_type:chr_file rw_file_perms;
+	dontaudit pam_console_t admin_tty_type:chr_file rw_file_perms;
 ')
 
 tunable_policy(`targeted_policy', `
-terminal_ignore_use_general_physical_terminal(pam_console_t)
-terminal_ignore_use_general_pseudoterminal(pam_console_t)
-files_ignore_read_rootfs_file(pam_console_t)
+	terminal_ignore_use_general_physical_terminal(pam_console_t)
+	terminal_ignore_use_general_pseudoterminal(pam_console_t)
+	files_ignore_read_rootfs_file(pam_console_t)
 ')
 
 optional_policy(`hotplug.te', `
-hotplug_use_file_descriptors(pam_console_t)
-hotplug_ignore_search_config_directory(pam_console_t)
+	hotplug_use_file_descriptors(pam_console_t)
+	hotplug_ignore_search_config_directory(pam_console_t)
 ')
 
 optional_policy(`selinux.te',`
@@ -190,14 +190,14 @@ selinux_newrole_sigchld(pam_console_t)
 ')
 
 optional_policy(`udev.te', `
-udev_read_database(pam_console_t)
+	udev_read_database(pam_console_t)
 ')
 
 ifdef(`TODO',`
 optional_policy(`rhgb.te', `
-allow pam_console_t rhgb_t:process sigchld;
-allow pam_console_t rhgb_t:fd use;
-allow pam_console_t rhgb_t:fifo_file { read write };
+	allow pam_console_t rhgb_t:process sigchld;
+	allow pam_console_t rhgb_t:fd use;
+	allow pam_console_t rhgb_t:fifo_file { read write };
 ')
 allow pam_console_t autofs_t:dir { search getattr };
 
@@ -215,11 +215,11 @@ scsi_generic_device_t
 }:chr_file { getattr setattr };
 
 ifdef(`gpm.te', `
-allow pam_console_t gpmctl_t:sock_file { getattr setattr };
+	allow pam_console_t gpmctl_t:sock_file { getattr setattr };
 ')
 
 ifdef(`xdm.te', `
-allow pam_console_t xdm_var_run_t:file { getattr read };
+	allow pam_console_t xdm_var_run_t:file { getattr read };
 ')
 ') dnl endif TODO
 
@@ -254,14 +254,14 @@ miscfiles_read_localization(system_chkpwd_t)
 selinux_read_config(system_chkpwd_t)
 
 tunable_policy(`use_dns',`
-allow system_chkpwd_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
-corenetwork_sendrecv_udp_on_all_interfaces(system_chkpwd_t)
-corenetwork_sendrecv_raw_on_all_interfaces(system_chkpwd_t)
-corenetwork_sendrecv_udp_on_all_nodes(system_chkpwd_t)
-corenetwork_sendrecv_raw_on_all_nodes(system_chkpwd_t)
-corenetwork_bind_udp_on_all_nodes(system_chkpwd_t)
-corenetwork_sendrecv_udp_on_dns_port(system_chkpwd_t)
-sysnetwork_read_network_config(system_chkpwd_t)
+	allow system_chkpwd_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
+	corenetwork_sendrecv_udp_on_all_interfaces(system_chkpwd_t)
+	corenetwork_sendrecv_raw_on_all_interfaces(system_chkpwd_t)
+	corenetwork_sendrecv_udp_on_all_nodes(system_chkpwd_t)
+	corenetwork_sendrecv_raw_on_all_nodes(system_chkpwd_t)
+	corenetwork_bind_udp_on_all_nodes(system_chkpwd_t)
+	corenetwork_sendrecv_udp_on_dns_port(system_chkpwd_t)
+	sysnetwork_read_network_config(system_chkpwd_t)
 ')
 
 ifdef(`TODO',`
@@ -270,7 +270,7 @@ can_kerberos(system_chkpwd_t)
 can_ldap(system_chkpwd_t)
 
 dontaudit system_chkpwd_t user_tty_type:chr_file rw_file_perms;
-')
+') dnl end TODO
 
 ########################################
 #
diff --git a/refpolicy/policy/modules/system/clock.if b/refpolicy/policy/modules/system/clock.if
index 0cf5619b1..078b1e07d 100644
--- a/refpolicy/policy/modules/system/clock.if
+++ b/refpolicy/policy/modules/system/clock.if
@@ -13,23 +13,26 @@
 ## </interface>
 #
 define(`clock_transition',`
-requires_block_template(`$0'_depend)
-allow $1 hwclock_exec_t:file { getattr read execute };
-allow $1 hwclock_t:process transition;
-type_transition $1 hwclock_exec_t:process hwclock_t;
-dontaudit $1 hwclock_t:process { noatsecure siginh rlimitinh };
-allow $1 hwclock_t:fd use;
-allow hwclock_t $1:fd use;
-allow hwclock_t $1:fifo_file rw_file_perms;
-allow hwclock_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 hwclock_exec_t:file { getattr read execute };
+	allow $1 hwclock_t:process transition;
+	type_transition $1 hwclock_exec_t:process hwclock_t;
+	dontaudit $1 hwclock_t:process { noatsecure siginh rlimitinh };
+
+	allow $1 hwclock_t:fd use;
+	allow hwclock_t $1:fd use;
+	allow hwclock_t $1:fifo_file rw_file_perms;
+	allow hwclock_t $1:process sigchld;
 ')
 
 define(`clock_transition_depend',`
-type hwclock_t, hwclock_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+	type hwclock_t, hwclock_exec_t;
+
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh sigchld };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')
 
 ########################################
@@ -51,15 +54,17 @@ class fifo_file rw_file_perms;
 ## </interface>
 #
 define(`clock_transition_add_role_use_terminal',`
-requires_block_template(`$0'_depend)
-clock_transition($1)
-role $2 types hwclock_t;
-allow hwclock_t $3:chr_file { getattr read write ioctl };
+	requires_block_template(`$0'_depend)
+
+	clock_transition($1)
+	role $2 types hwclock_t;
+	allow hwclock_t $3:chr_file { getattr read write ioctl };
 ')
 
 define(`clock_transition_add_role_use_terminal_depend',`
-type hwclock_t;
-class chr_file { getattr read write ioctl };
+	type hwclock_t;
+
+	class chr_file { getattr read write ioctl };
 ')
 
 #######################################
@@ -67,13 +72,15 @@ class chr_file { getattr read write ioctl };
 # clock_execute(domain)
 #
 define(`clock_execute',`
-requires_block_template(`$0'_depend)
-allow $1 hwclock_exec_t:file { getattr read execute execute_no_trans };
+	requires_block_template(`$0'_depend)
+
+	allow $1 hwclock_exec_t:file { getattr read execute execute_no_trans };
 ')
 
 define(`clock_execute_depend',`
-type hwclock_exec_t;
-class file { getattr read execute execute_no_trans };
+	type hwclock_exec_t;
+
+	class file { getattr read execute execute_no_trans };
 ')
 
 #######################################
@@ -81,14 +88,16 @@ class file { getattr read execute execute_no_trans };
 # clock_modify_drift_records(domain)
 #
 define(`clock_modify_drift_records',`
-requires_block_template(`$0'_depend)
-allow $1 adjtime_t:file { getattr read write ioctl lock append };
-files_read_general_system_config_directory($1)
+	requires_block_template(`$0'_depend)
+
+	allow $1 adjtime_t:file { getattr read write ioctl lock append };
+	files_read_general_system_config_directory($1)
 ')
 
 define(`clock_modify_drift_records_depend',`
-type adjtime_t;
-class file { getattr read write ioctl lock append };
+	type adjtime_t;
+
+	class file { getattr read write ioctl lock append };
 ')
 
 ## </module>
diff --git a/refpolicy/policy/modules/system/clock.te b/refpolicy/policy/modules/system/clock.te
index acd812b37..51a481a2b 100644
--- a/refpolicy/policy/modules/system/clock.te
+++ b/refpolicy/policy/modules/system/clock.te
@@ -58,21 +58,21 @@ logging_send_system_log_message(hwclock_t)
 miscfiles_read_localization(hwclock_t)
 
 tunable_policy(`targeted_policy', `
-terminal_ignore_use_general_physical_terminal(hwclock_t)
-terminal_ignore_use_general_pseudoterminal(hwclock_t)
-files_ignore_read_rootfs_file(hwclock_t)
+	terminal_ignore_use_general_physical_terminal(hwclock_t)
+	terminal_ignore_use_general_pseudoterminal(hwclock_t)
+	files_ignore_read_rootfs_file(hwclock_t)
 ')
 
 optional_policy(`selinux.te',`
-selinux_newrole_sigchld(hwclock_t)
+	selinux_newrole_sigchld(hwclock_t)
 ')
 
 optional_policy(`udev.te', `
-udev_read_database(hwclock_t)
+	udev_read_database(hwclock_t)
 ')
 
 optional_policy(`userdomain.te',`
-userdomain_ignore_use_all_unprivileged_users_file_descriptors(hwclock_t)
+	userdomain_ignore_use_all_unprivileged_users_file_descriptors(hwclock_t)
 ')
 
 ifdef(`TODO',`
diff --git a/refpolicy/policy/modules/system/corecommands.if b/refpolicy/policy/modules/system/corecommands.if
index ae7942e54..0132ca7cb 100644
--- a/refpolicy/policy/modules/system/corecommands.if
+++ b/refpolicy/policy/modules/system/corecommands.if
@@ -9,12 +9,13 @@
 # corecommands_make_shell_entrypoint(domain)
 #
 define(`corecommands_make_shell_entrypoint',`
-requires_block_template(`$0'_depend)
-domain_make_entrypoint_file($1,shell_exec_t)
+	requires_block_template(`$0'_depend)
+
+	domain_make_entrypoint_file($1,shell_exec_t)
 ')
 
 define(`corecommands_make_shell_entrypoint_depend',`
-type shell_exec_t;
+	type shell_exec_t;
 ')
 
 ########################################
@@ -22,13 +23,15 @@ type shell_exec_t;
 # corecommands_search_general_programs_directory(domain)
 #
 define(`corecommands_search_general_programs_directory',`
-requires_block_template(`$0'_depend)
-allow $1 bin_t:dir search;
+	requires_block_template(`$0'_depend)
+
+	allow $1 bin_t:dir search;
 ')
 
 define(`corecommands_search_general_programs_directory_depend',`
-type bin_t;
-class dir search;
+	type bin_t;
+
+	class dir search;
 ')
 
 ########################################
@@ -36,13 +39,15 @@ class dir search;
 # corecommands_read_general_programs_directory(domain)
 #
 define(`corecommands_read_general_programs_directory',`
-requires_block_template(`$0'_depend)
-allow $1 bin_t:dir { getattr search read };
+	requires_block_template(`$0'_depend)
+
+	allow $1 bin_t:dir { getattr search read };
 ')
 
 define(`corecommands_read_general_programs_directory_depend',`
-type bin_t;
-class dir { getattr search read };
+	type bin_t;
+
+	class dir { getattr search read };
 ')
 
 ########################################
@@ -50,17 +55,19 @@ class dir { getattr search read };
 # corecommands_execute_general_programs(domain)
 #
 define(`corecommands_execute_general_programs',`
-requires_block_template(`$0'_depend)
-allow $1 bin_t:dir { getattr search read };
-allow $1 bin_t:lnk_file { getattr read };
-allow $1 bin_t:file { getattr read ioctl lock execute execute_no_trans };
+	requires_block_template(`$0'_depend)
+
+	allow $1 bin_t:dir { getattr search read };
+	allow $1 bin_t:lnk_file { getattr read };
+	allow $1 bin_t:file { getattr read ioctl lock execute execute_no_trans };
 ')
 
 define(`corecommands_execute_general_programs_depend',`
-type bin_t;
-class dir { getattr search read };
-class lnk_file { getattr read };
-class file { getattr read ioctl lock execute execute_no_trans };
+	type bin_t;
+
+	class dir { getattr search read };
+	class lnk_file { getattr read };
+	class file { getattr read ioctl lock execute execute_no_trans };
 ')
 
 ########################################
@@ -68,13 +75,15 @@ class file { getattr read ioctl lock execute execute_no_trans };
 # corecommands_search_system_programs_directory(domain)
 #
 define(`corecommands_search_system_programs_directory',`
-requires_block_template(`$0'_depend)
-allow $1 sbin_t:dir search;
+	requires_block_template(`$0'_depend)
+
+	allow $1 sbin_t:dir search;
 ')
 
 define(`corecommands_search_system_programs_directory_depend',`
-type sbin_t;
-class dir search;
+	type sbin_t;
+
+	class dir search;
 ')
 
 ########################################
@@ -82,13 +91,15 @@ class dir search;
 # corecommands_read_system_programs_directory(domain)
 #
 define(`corecommands_read_system_programs_directory',`
-requires_block_template(`$0'_depend)
-allow $1 sbin_t:dir r_dir_perms;
+	requires_block_template(`$0'_depend)
+
+	allow $1 sbin_t:dir r_dir_perms;
 ')
 
 define(`corecommands_read_system_programs_directory_depend',`
-type sbin_t;
-class dir r_dir_perms;
+	type sbin_t;
+
+	class dir r_dir_perms;
 ')
 
 ########################################
@@ -96,13 +107,15 @@ class dir r_dir_perms;
 # corecommands_ignore_get_system_programs_attributes(domain)
 #
 define(`corecommands_ignore_get_system_programs_attributes',`
-requires_block_template(`$0'_depend)
-allow $1 sbin_t:file getattr;
+	requires_block_template(`$0'_depend)
+
+	allow $1 sbin_t:file getattr;
 ')
 
 define(`corecommands_ignore_get_system_programs_attributes_depend',`
-type sbin_t;
-class file getattr;
+	type sbin_t;
+
+	class file getattr;
 ')
 
 ########################################
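Review bot: `corecommands_ignore_get_system_programs_attributes` is named like the other "ignore" interfaces in this diff, which emit `dontaudit` rules (for example `authlogin_ignore_write_login_records`), but its re-indented body still uses `allow`. As written, a caller that only wants to silence audit noise is actually granted `getattr` on every `sbin_t` file. If the name reflects the intent, the line should read `dontaudit $1 sbin_t:file getattr;`. If the grant is intended, the interface name is misleading and should change.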
@@ -110,17 +123,19 @@ class file getattr;
 # corecommands_execute_system_programs(domain)
 #
 define(`corecommands_execute_system_programs',`
-requires_block_template(`$0'_depend)
-allow $1 sbin_t:dir { getattr search read };
-allow $1 sbin_t:lnk_file { getattr read };
-allow $1 sbin_t:file { getattr read ioctl lock execute execute_no_trans };
+	requires_block_template(`$0'_depend)
+
+	allow $1 sbin_t:dir { getattr search read };
+	allow $1 sbin_t:lnk_file { getattr read };
+	allow $1 sbin_t:file { getattr read ioctl lock execute execute_no_trans };
 ')
 
 define(`corecommands_execute_system_programs_depend',`
-type sbin_t;
-class dir { getattr search read };
-class lnk_file { getattr read };
-class file { getattr read ioctl lock execute execute_no_trans };
+	type sbin_t;
+
+	class dir { getattr search read };
+	class lnk_file { getattr read };
+	class file { getattr read ioctl lock execute execute_no_trans };
 ')
 
 ########################################
@@ -128,17 +143,19 @@ class file { getattr read ioctl lock execute execute_no_trans };
 # corecommands_execute_shell(domain)
 #
 define(`corecommands_execute_shell',`
-requires_block_template(`$0'_depend)
-allow $1 bin_t:dir r_dir_perms;
-allow $1 bin_t:lnk_file { getattr read };
-allow $1 shell_exec_t:file { getattr read lock ioctl execute execute_no_trans };
+	requires_block_template(`$0'_depend)
+
+	allow $1 bin_t:dir r_dir_perms;
+	allow $1 bin_t:lnk_file { getattr read };
+	allow $1 shell_exec_t:file { getattr read lock ioctl execute execute_no_trans };
 ')
 
 define(`corecommands_execute_shell_depend',`
-type bin_t, shell_exec_t;
-class dir r_dir_perms;
-class lnk_file { getattr read };
-class file { getattr read lock ioctl execute execute_no_trans };
+	type bin_t, shell_exec_t;
+
+	class dir r_dir_perms;
+	class lnk_file { getattr read };
+	class file { getattr read lock ioctl execute execute_no_trans };
 ')
 
 ########################################
@@ -146,17 +163,19 @@ class file { getattr read lock ioctl execute execute_no_trans };
 # corecommands_execute_ls(domain)
 #
 define(`corecommands_execute_ls',`
-requires_block_template(`$0'_depend)
-allow $1 bin_t:dir r_dir_perms;
-allow $1 bin_t:lnk_file { getattr read };
-allow $1 ls_exec_t:file { getattr read lock ioctl execute execute_no_trans };
+	requires_block_template(`$0'_depend)
+
+	allow $1 bin_t:dir r_dir_perms;
+	allow $1 bin_t:lnk_file { getattr read };
+	allow $1 ls_exec_t:file { getattr read lock ioctl execute execute_no_trans };
 ')
 
 define(`corecommands_execute_shell_depend',`
-type bin_t, ls_exec_t;
-class dir r_dir_perms;
-class lnk_file { getattr read };
-class file { getattr read lock ioctl execute execute_no_trans };
+	type bin_t, ls_exec_t;
+
+	class dir r_dir_perms;
+	class lnk_file { getattr read };
+	class file { getattr read lock ioctl execute execute_no_trans };
 ')
 
 ########################################
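Review bot: The depend block after `corecommands_execute_ls` is defined as `corecommands_execute_shell_depend`, the same name as the block in the previous hunk, and this commit re-indents it without fixing the name. The later definition replaces the earlier one in m4, so `corecommands_execute_shell` would end up requiring `ls_exec_t` instead of `shell_exec_t`. The name that `requires_block_template` builds from `$0` for `corecommands_execute_ls` has no visible definition either. Renaming this macro to `corecommands_execute_ls_depend` resolves both.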
@@ -176,26 +195,29 @@ class file { getattr read lock ioctl execute execute_no_trans };
 ## </interface>
 #
 define(`corecommands_shell_explicit_transition',`
-requires_block_template(`$0'_depend)
-allow $1 bin_t:dir { getattr search read };
-allow $1 bin_t:lnk_file { getattr read };
-allow $1 shell_exec_t:file { getattr read execute };
-allow $1 $2:process transition;
-dontaudit $1 $2:process { noatsecure siginh rlimitinh };
-allow $1 $2:fd use;
-allow $2 $1:fd use;
-allow $2 $1:fifo_file rw_file_perms;
-allow $2 $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 bin_t:dir { getattr search read };
+	allow $1 bin_t:lnk_file { getattr read };
+	allow $1 shell_exec_t:file { getattr read execute };
+	allow $1 $2:process transition;
+	dontaudit $1 $2:process { noatsecure siginh rlimitinh };
+
+	allow $1 $2:fd use;
+	allow $2 $1:fd use;
+	allow $2 $1:fifo_file rw_file_perms;
+	allow $2 $1:process sigchld;
 ')
 
 define(`corecommands_shell_explicit_transition_depend',`
-type bin_t, shell_exec_t;
-class dir { getattr search read };
-class lnk_file { getattr read };
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+	type bin_t, shell_exec_t;
+
+	class dir { getattr search read };
+	class lnk_file { getattr read };
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh sigchld };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')
 
 ########################################
@@ -213,13 +235,14 @@ class fifo_file rw_file_perms;
 ## </interface>
 #
 define(`corecommands_shell_transition',`
-requires_block_template(`$0'_depend)
-corecommands_shell_explicit_transition($1,$2)
-type_transition $1 shell_exec_t:process $2;
+	requires_block_template(`$0'_depend)
+
+	corecommands_shell_explicit_transition($1,$2)
+	type_transition $1 shell_exec_t:process $2;
 ')
 
 define(`corecommands_shell_transition_depend',`
-type shell_exec_t;
+	type shell_exec_t;
 ')
 
 ########################################
@@ -227,16 +250,17 @@ type shell_exec_t;
 # corecommands_chroot(domain)
 #
 define(`corecommands_chroot',`
-requires_block_template(`$0'_depend)
-allow $1 chroot_exec_t:file { getattr read execute execute_no_trans };
-# could go to a generic chroot priv:
-allow $1 self:capability sys_chroot;
+	requires_block_template(`$0'_depend)
+
+	allow $1 chroot_exec_t:file { getattr read execute execute_no_trans };
+	allow $1 self:capability sys_chroot;
 ')
 
 define(`corecommands_chroot_depend',`
-type chroot_exec_t;
-class file { getattr read execute execute_no_trans };
-class capability sys_chroot;
+	type chroot_exec_t;
+
+	class file { getattr read execute execute_no_trans };
+	class capability sys_chroot;
 ')
 
 ## </module>
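Review bot: The comment `# could go to a generic chroot priv:` above the `sys_chroot` rule in `corecommands_chroot` is dropped by this hunk, although the rest of the change is indentation only. It was the only note explaining why a capability grant is bundled with execute permission on `chroot_exec_t`. I would keep it, indented with the rule, e.g. `# sys_chroot could move to a generic chroot privilege interface`.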
diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if
index 0125416bc..a0368c92f 100644
--- a/refpolicy/policy/modules/system/domain.if
+++ b/refpolicy/policy/modules/system/domain.if
@@ -6,24 +6,25 @@
 # domain_make_base_domain(domain)
 #
 define(`domain_make_base_domain',`
-requires_block_template(`$0'_depend)
+	requires_block_template(`$0'_depend)
 
-# mark as a domain
-typeattribute $1 domain;
+	# mark as a domain
+	typeattribute $1 domain;
 
-# allow the domain to read its /proc/pid entries
-allow $1 self:dir { getattr search read };
-allow $1 self:{ file lnk_file } { getattr read write ioctl };
+	# allow the domain to read its /proc/pid entries
+	allow $1 self:dir { getattr search read };
+	allow $1 self:{ file lnk_file } { getattr read write ioctl };
 
-# allow $1 to create child processes in this domain
-allow $1 self:process { fork sigchld };
+	# allow $1 to create child processes in this domain
+	allow $1 self:process { fork sigchld };
 ')
 
 define(`domain_make_base_domain_depend',`
-attribute domain;
-class dir { getattr search read };
-class file { getattr read write ioctl };
-class lnk_file { getattr read };
+	attribute domain;
+
+	class dir { getattr search read };
+	class file { getattr read write ioctl };
+	class lnk_file { getattr read };
 ')
 
 ########################################
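Review bot: In `domain_make_base_domain` the rule `allow $1 self:{ file lnk_file } { getattr read write ioctl };` does not match its depend block, which declares `class lnk_file { getattr read };`, and the re-indent leaves the mismatch in place. The comment above the rule also says "read its /proc/pid entries" while the rule includes `write`. The narrower fix is to split the rule so symlinks only get `allow $1 self:lnk_file { getattr read };`, and to reword the comment if write on the file class is intended. The depend block also lacks `class process { fork sigchld };` for the last rule.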
@@ -31,26 +32,25 @@ class lnk_file { getattr read };
 # domain_make_domain(domain)
 #
 define(`domain_make_domain',`
+	# start with basic domain
+	domain_make_base_domain($1)
 
-# start with basic domain
-domain_make_base_domain($1)
+	# Use trusted objects in /dev
+	devices_use_dev_null($1)
+	devices_use_dev_zero($1)
+	terminal_use_controlling_terminal($1)
 
-# Use trusted objects in /dev
-devices_use_dev_null($1)
-devices_use_dev_zero($1)
-terminal_use_controlling_terminal($1)
+	# read the root directory
+	files_read_root_dir($1)
 
-# read the root directory
-files_read_root_dir($1)
+	# send init a sigchld
+	init_sigchld($1)
 
-# send init a sigchld
-init_sigchld($1)
-
-# this seems highly questionable:
-optional_policy(`rpm.te',`
-rpm_use_file_descriptors($1)
-rpm_read_pipe($1)
-')
+	# this seems highly questionable:
+	optional_policy(`rpm.te',`
+		rpm_use_file_descriptors($1)
+		rpm_read_pipe($1)
+	')
 ')
 
 ########################################
@@ -58,15 +58,17 @@ rpm_read_pipe($1)
 # domain_make_entrypoint_file(domain,entrypointfile)
 #
 define(`domain_make_entrypoint_file',`
-requires_block_template(`$0'_depend)
-allow $1 $2:file entrypoint;
-files_make_file($2)
-typeattribute $2 entry_type;
+	requires_block_template(`$0'_depend)
+
+	files_make_file($2)
+	allow $1 $2:file entrypoint;
+	typeattribute $2 entry_type;
 ')
 
 define(`domain_make_entrypoint_file_depend',`
-attribute entry_type;
-class file entrypoint;
+	attribute entry_type;
+
+	class file entrypoint;
 ')
 
 ########################################
@@ -74,12 +76,13 @@ class file entrypoint;
 # domain_make_file_descriptors_widely_inheritable(domain)
 #
 define(`domain_make_file_descriptors_widely_inheritable',`
-requires_block_template(`$0'_depend)
-typeattribute $1 privfd;
+	requires_block_template(`$0'_depend)
+
+	typeattribute $1 privfd;
 ')
 
 define(`domain_make_file_descriptors_widely_inheritable_depend',`
-attribute privfd;
+	attribute privfd;
 ')
 
 ########################################
@@ -87,13 +90,15 @@ attribute privfd;
 # domain_use_widely_inheritable_file_descriptors(domain)
 #
 define(`domain_use_widely_inheritable_file_descriptors',`
-requires_block_template(`$0'_depend)
-allow $1 privfd:fd use;
+	requires_block_template(`$0'_depend)
+
+	allow $1 privfd:fd use;
 ')
 
 define(`domain_use_widely_inheritable_file_descriptors_depend',`
-attribute privfd;
-class fd use;
+	attribute privfd;
+
+	class fd use;
 ')
 
 ########################################
@@ -101,13 +106,15 @@ class fd use;
 # domain_ignore_use_widely_inheritable_file_descriptors(domain)
 #
 define(`domain_ignore_use_widely_inheritable_file_descriptors',`
-requires_block_template(`$0'_depend)
-dontaudit $1 privfd:fd use;
+	requires_block_template(`$0'_depend)
+
+	dontaudit $1 privfd:fd use;
 ')
 
 define(`domain_ignore_use_widely_inheritable_file_descriptors_depend',`
-attribute privfd;
-class fd use;
+	attribute privfd;
+
+	class fd use;
 ')
 
 ########################################
@@ -115,13 +122,15 @@ class fd use;
 # domain_set_all_domains_priorities(domain)
 #
 define(`domain_set_all_domains_priorities',`
-requires_block_template(`$0'_depend)
-allow $1 domain:process setsched;
+	requires_block_template(`$0'_depend)
+
+	allow $1 domain:process setsched;
 ')
 
 define(`domain_set_all_domains_priorities_depend',`
-attribute domain;
-class process setsched;
+	attribute domain;
+
+	class process setsched;
 ')
 
 ########################################
@@ -136,13 +145,15 @@ class process setsched;
 ## </interface>
 #
 define(`domain_signal_all_domains',`
-requires_block_template(`$0'_depend)
-allow $1 domain:process signal;
+	requires_block_template(`$0'_depend)
+
+	allow $1 domain:process signal;
 ')
 
 define(`domain_signal_all_domains_depend',`
-attribute domain;
-class process signal;
+	attribute domain;
+
+	class process signal;
 ')
 
 ########################################
@@ -157,13 +168,15 @@ class process signal;
 ## </interface>
 #
 define(`domain_signull_all_domains',`
-requires_block_template(`$0'_depend)
-allow $1 domain:process signull;
+	requires_block_template(`$0'_depend)
+
+	allow $1 domain:process signull;
 ')
 
 define(`domain_signull_all_domains_depend',`
-attribute domain;
-class process signull;
+	attribute domain;
+
+	class process signull;
 ')
 
 ########################################
@@ -178,13 +191,15 @@ class process signull;
 ## </interface>
 #
 define(`domain_sigstop_all_domains',`
-requires_block_template(`$0'_depend)
-allow $1 domain:process sigstop;
+	requires_block_template(`$0'_depend)
+
+	allow $1 domain:process sigstop;
 ')
 
 define(`domain_sigstop_all_domains_depend',`
-attribute domain;
-class process sigstop;
+	attribute domain;
+
+	class process sigstop;
 ')
 
 ########################################
@@ -199,13 +214,15 @@ class process sigstop;
 ## </interface>
 #
 define(`domain_sigchld_all_domains',`
-requires_block_template(`$0'_depend)
-allow $1 domain:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 domain:process sigchld;
 ')
 
 define(`domain_sigchld_all_domains_depend',`
-attribute domain;
-class process sigchld;
+	attribute domain;
+
+	class process sigchld;
 ')
 
 ########################################
@@ -220,15 +237,17 @@ class process sigchld;
 ## </interface>
 #
 define(`domain_kill_all_domains',`
-requires_block_template(`$0'_depend)
-allow $1 domain:process sigkill;
-allow $1 self:capability kill;
+	requires_block_template(`$0'_depend)
+
+	allow $1 domain:process sigkill;
+	allow $1 self:capability kill;
 ')
 
 define(`domain_kill_all_domains_depend',`
-attribute domain;
-class process sigkill;
-class capability kill;
+	attribute domain;
+
+	class process sigkill;
+	class capability kill;
 ')
 
 ########################################
@@ -243,24 +262,27 @@ class capability kill;
 ## </interface>
 #
 define(`domain_read_all_domains_process_state',`
-requires_block_template(`$0'_depend)
-allow $1 domain:dir { getattr search read };
-allow $1 domain:lnk_file { getattr read };
-allow $1 domain:file { getattr read };
-allow $1 domain:process getattr;
-# We need to suppress this denial because procps tries to access
-# /proc/pid/environ and this now triggers a ptrace check in recent kernels
-# (2.4 and 2.6).  Might want to change procps to not do this, or only if
-# running in a privileged domain.
-dontaudit $1 domain:process ptrace;
+	requires_block_template(`$0'_depend)
+
+	allow $1 domain:dir { getattr search read };
+	allow $1 domain:lnk_file { getattr read };
+	allow $1 domain:file { getattr read };
+	allow $1 domain:process getattr;
+
+	# We need to suppress this denial because procps tries to access
+	# /proc/pid/environ and this now triggers a ptrace check in recent kernels
+	# (2.4 and 2.6).  Might want to change procps to not do this, or only if
+	# running in a privileged domain.
+	dontaudit $1 domain:process ptrace;
 ')
 
 define(`domain_read_all_domains_process_state_depend',`
-attribute domain;
-class dir { getattr search read };
-class lnk_file { getattr read };
-class file { getattr read };
-class process { getattr ptrace };
+	attribute domain;
+
+	class dir { getattr search read };
+	class lnk_file { getattr read };
+	class file { getattr read };
+	class process { getattr ptrace };
 ')
 
 ########################################
@@ -276,13 +298,15 @@ class process { getattr ptrace };
 ## </interface>
 #
 define(`domain_ignore_read_all_domains_process_dirs',`
-requires_block_template(`$0'_depend)
-dontaudit $1 domain:dir r_dir_perms;
+	requires_block_template(`$0'_depend)
+
+	dontaudit $1 domain:dir r_dir_perms;
 ')
 
 define(`domain_ignore_read_all_domains_process_dirs_depend',`
-attribute domain;
-class dir r_dir_perms;
+	attribute domain;
+
+	class dir r_dir_perms;
 ')
 
 
@@ -298,13 +322,15 @@ class dir r_dir_perms;
 ## </interface>
 #
 define(`domain_get_all_domains_session_id',`
-requires_block_template(`$0'_depend)
-allow $1 domain:process getsession;
+	requires_block_template(`$0'_depend)
+
+	allow $1 domain:process getsession;
 ')
 
 define(`domain_get_all_domains_session_id_depend',`
-attribute domain;
-class process getsession;
+	attribute domain;
+
+	class process getsession;
 ')
 
 ########################################
@@ -320,13 +346,15 @@ class process getsession;
 ## </interface>
 #
 define(`domain_ignore_get_all_domains_udp_socket_attributes',`
-requires_block_template(`$0'_depend)
-dontaudit $1 domain:udp_socket getattr;
+	requires_block_template(`$0'_depend)
+
+	dontaudit $1 domain:udp_socket getattr;
 ')
 
 define(`domain_ignore_get_all_domains_udp_socket_attributes_depend',`
-attribute domain;
-class udp_socket getattr;
+	attribute domain;
+
+	class udp_socket getattr;
 ')
 
 ########################################
@@ -342,13 +370,15 @@ class udp_socket getattr;
 ## </interface>
 #
 define(`domain_ignore_get_all_domains_tcp_socket_attributes',`
-requires_block_template(`$0'_depend)
-dontaudit $1 domain:tcp_socket getattr;
+	requires_block_template(`$0'_depend)
+
+	dontaudit $1 domain:tcp_socket getattr;
 ')
 
 define(`domain_ignore_get_all_domains_tcp_socket_attributes_depend',`
-attribute domain;
-class tcp_socket getattr;
+	attribute domain;
+
+	class tcp_socket getattr;
 ')
 
 ########################################
@@ -364,13 +394,15 @@ class tcp_socket getattr;
 ## </interface>
 #
 define(`domain_ignore_get_all_domains_unix_dgram_socket_attributes',`
-requires_block_template(`$0'_depend)
-dontaudit $1 domain:unix_dgram_socket getattr;
+	requires_block_template(`$0'_depend)
+
+	dontaudit $1 domain:unix_dgram_socket getattr;
 ')
 
 define(`domain_ignore_get_all_domains_unix_dgram_socket_attributes_depend',`
-attribute domain;
-class unix_dgram_socket getattr;
+	attribute domain;
+
+	class unix_dgram_socket getattr;
 ')
 
 ########################################
@@ -386,13 +418,15 @@ class unix_dgram_socket getattr;
 ## </interface>
 #
 define(`domain_ignore_get_all_domains_pipe_attributes',`
-requires_block_template(`$0'_depend)
-dontaudit $1 domain:fifo_file getattr;
+	requires_block_template(`$0'_depend)
+
+	dontaudit $1 domain:fifo_file getattr;
 ')
 
 define(`domain_ignore_get_all_domains_pipe_attributes_depend',`
-attribute domain;
-class fifo_file getattr;
+	attribute domain;
+
+	class fifo_file getattr;
 ')
 
 ########################################
@@ -400,13 +434,15 @@ class fifo_file getattr;
 # domain_execute_all_entrypoint_programs(domain)
 #
 define(`domain_execute_all_entrypoint_programs',`
-requires_block_template(`$0'_depend)
-allow $1 entry_type:file { getattr read ioctl lock execute execute_no_trans };
+	requires_block_template(`$0'_depend)
+
+	allow $1 entry_type:file { getattr read ioctl lock execute execute_no_trans };
 ')
 
 define(`domain_execute_all_entrypoint_programs_depend',`
-attribute entry_type;
-class file { getattr read ioctl lock execute execute_no_trans };
+	attribute entry_type;
+
+	class file { getattr read ioctl lock execute execute_no_trans };
 ')
 
 ########################################
@@ -414,15 +450,17 @@ class file { getattr read ioctl lock execute execute_no_trans };
 # domain_read_all_entrypoint_programs(domain)
 #
 define(`domain_read_all_entrypoint_programs',`
-requires_block_template(`$0'_depend)
-allow $1 entry_type:lnk_file { getattr read };
-allow $1 entry_type:file r_file_perms;
+	requires_block_template(`$0'_depend)
+
+	allow $1 entry_type:lnk_file { getattr read };
+	allow $1 entry_type:file r_file_perms;
 ')
 
 define(`domain_read_all_entrypoint_programs_depend',`
-attribute entry_type;
-class file r_file_perms;
-class lnk_file { getattr read };
+	attribute entry_type;
+
+	class file r_file_perms;
+	class lnk_file { getattr read };
 ')
 
 ## </module>
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index 49d57d696..116f0c477 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@@ -6,14 +6,15 @@
 # files_make_file(type)
 #
 define(`files_make_file',`
-requires_block_template(`$0'_depend)
-typeattribute $1 file_type;
-filesystem_associate($1)
-filesystem_noxattr_associate($1)
+	requires_block_template(`$0'_depend)
+
+	filesystem_associate($1)
+	filesystem_noxattr_associate($1)
+	typeattribute $1 file_type;
 ')
 
 define(`files_make_file_depend',`
-attribute file_type;
+	attribute file_type;
 ')
 
 ########################################
@@ -21,13 +22,14 @@ attribute file_type;
 # files_make_lock_file(type)
 #
 define(`files_make_lock_file',`
-requires_block_template(`$0'_depend)
-files_make_file($1)
-typeattribute $1 lockfile;
+	requires_block_template(`$0'_depend)
+
+	files_make_file($1)
+	typeattribute $1 lockfile;
 ')
 
 define(`files_make_lock_file_depend',`
-attribute lockfile;
+	attribute lockfile;
 ')
 
 ########################################
@@ -35,13 +37,14 @@ attribute lockfile;
 # files_make_mountpoint(type)
 #
 define(`files_make_mountpoint',`
-requires_block_template(`$0'_depend)
-files_make_file($1)
-typeattribute $1 mountpoint;
+	requires_block_template(`$0'_depend)
+
+	files_make_file($1)
+	typeattribute $1 mountpoint;
 ')
 
 define(`files_make_mountpoint_depend',`
-attribute mountpoint;
+	attribute mountpoint;
 ')
 
 ########################################
@@ -49,13 +52,14 @@ attribute mountpoint;
 # files_make_daemon_runtime_file(type)
 #
 define(`files_make_daemon_runtime_file',`
-requires_block_template(`$0'_depend)
-files_make_file($1)
-typeattribute $1 pidfile;
+	requires_block_template(`$0'_depend)
+
+	files_make_file($1)
+	typeattribute $1 pidfile;
 ')
 
 define(`files_make_daemon_runtime_file_depend',`
-attribute pidfile;
+	attribute pidfile;
 ')
 
 ########################################
@@ -63,13 +67,14 @@ attribute pidfile;
 # files_make_temporary_file(type)
 #
 define(`files_make_temporary_file',`
-requires_block_template(`$0'_depend)
-files_make_file($1)
-typeattribute $1 tmpfile;
+	requires_block_template(`$0'_depend)
+
+	files_make_file($1)
+	typeattribute $1 tmpfile;
 ')
 
 define(`files_make_temporary_file_depend',`
-attribute tmpfile;
+	attribute tmpfile;
 ')
 
 ########################################
@@ -85,14 +90,15 @@ attribute tmpfile;
 ## </interface>
 #
 define(`files_make_tmpfs_file',`
-requires_block_template(`$0'_depend)
-files_make_file($1)
-filesystem_tmpfs_associate($1)
-typeattribute $1 tmpfsfile;
+	requires_block_template(`$0'_depend)
+
+	files_make_file($1)
+	filesystem_tmpfs_associate($1)
+	typeattribute $1 tmpfsfile;
 ')
 
 define(`files_make_tmpfs_file_depend',`
-attribute tmpfsfile;
+	attribute tmpfsfile;
 ')
 
 ########################################
@@ -100,21 +106,23 @@ attribute tmpfsfile;
 # files_get_all_file_attributes(domain)
 
 define(`files_get_all_file_attributes',`
-requires_block_template(`$0'_depend)
-allow $1 file_type:dir { search getattr };
-allow $1 file_type:file getattr;
-allow $1 file_type:lnk_file getattr;
-allow $1 file_type:fifo_file getattr;
-allow $1 file_type:sock_file getattr;
+	requires_block_template(`$0'_depend)
+
+	allow $1 file_type:dir { search getattr };
+	allow $1 file_type:file getattr;
+	allow $1 file_type:lnk_file getattr;
+	allow $1 file_type:fifo_file getattr;
+	allow $1 file_type:sock_file getattr;
 ')
 
 define(`files_get_all_file_attributes_depend',`
-attribute file_type;
-class dir { search getattr };
-class file getattr;
-class lnk_file getattr;
-class fifo_file getattr;
-class sock_file getattr;
+	attribute file_type;
+
+	class dir { search getattr };
+	class file getattr;
+	class lnk_file getattr;
+	class fifo_file getattr;
+	class sock_file getattr;
 ')
 
 ########################################
@@ -134,27 +142,30 @@ class sock_file getattr;
 ## </interface>
 #
 define(`files_relabel_all_files',`
-requires_block_template(`$0'_depend)
-allow $1 { file_type $2 }:dir { r_dir_perms relabelfrom relabelto };
-allow $1 { file_type $2 }:file { getattr relabelfrom relabelto };
-allow $1 { file_type $2 }:lnk_file { getattr relabelfrom relabelto };
-allow $1 { file_type $2 }:fifo_file { getattr relabelfrom relabelto };
-allow $1 { file_type $2 }:sock_file { getattr relabelfrom relabelto };
-allow $1 { file_type $2 }:blk_file { getattr relabelfrom };
-allow $1 { file_type $2 }:chr_file { getattr relabelfrom };
-# satisfy the assertions:
-selinux_relabelto_binary_policy($1)
+	requires_block_template(`$0'_depend)
+
+	allow $1 { file_type $2 }:dir { r_dir_perms relabelfrom relabelto };
+	allow $1 { file_type $2 }:file { getattr relabelfrom relabelto };
+	allow $1 { file_type $2 }:lnk_file { getattr relabelfrom relabelto };
+	allow $1 { file_type $2 }:fifo_file { getattr relabelfrom relabelto };
+	allow $1 { file_type $2 }:sock_file { getattr relabelfrom relabelto };
+	allow $1 { file_type $2 }:blk_file { getattr relabelfrom };
+	allow $1 { file_type $2 }:chr_file { getattr relabelfrom };
+
+	# satisfy the assertions:
+	selinux_relabelto_binary_policy($1)
 ')
 
 define(`files_relabel_all_files_depend',`
-attribute file_type;
-class dir { r_dir_perms relabelfrom relabelto };
-class file { relabelfrom relabelto };
-class lnk_file { relabelfrom relabelto };
-class fifo_file { relabelfrom relabelto };
-class sock_file { relabelfrom relabelto };
-class blk_file relabelfrom;
-class chr_file relabelfrom;
+	attribute file_type;
+
+	class dir { r_dir_perms relabelfrom relabelto };
+	class file { relabelfrom relabelto };
+	class lnk_file { relabelfrom relabelto };
+	class fifo_file { relabelfrom relabelto };
+	class sock_file { relabelfrom relabelto };
+	class blk_file relabelfrom;
+	class chr_file relabelfrom;
 ')
 
 ########################################
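Review bot: The `files_relabel_all_files_depend` block declares fewer permissions than the allow rules in `files_relabel_all_files` use: every rule includes `getattr`, but the depend lines list only `relabelfrom`/`relabelto` (and `class blk_file relabelfrom;`, `class chr_file relabelfrom;`). Since the re-indent touches these lines anyway, I would bring them in line, e.g. `class file { getattr relabelfrom relabelto };` and `class blk_file { getattr relabelfrom };`. The same drift appears in later hunks: `files_read_general_system_config_depend` omits `ioctl` on `file`, `files_create_boot_flag_depend` omits `remove_name` on `dir` and `unlink` on `file`, and `files_manage_runtime_system_config_depend` omits `remove_name` and lists `unlink unlink` where the rule has `link unlink`. If these blocks feed the generated require statements, as `requires_block_template` suggests, an incomplete list hides what the interface really grants from anyone auditing it by its declared dependencies.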
@@ -174,24 +185,27 @@ class chr_file relabelfrom;
 ## </interface>
 #
 define(`files_manage_all_files',`
-requires_block_template(`$0'_depend)
-allow $1 { file_type $2 }:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
-allow $1 { file_type $2 }:file { create ioctl read getattr lock write setattr append link unlink rename };
-allow $1 { file_type $2 }:lnk_file { create read getattr setattr link unlink rename };
-allow $1 { file_type $2 }:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
-allow $1 { file_type $2 }:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
-# satisfy the assertions:
-selinux_write_binary_policy($1)
-bootloader_manage_kernel_modules($1)
+	requires_block_template(`$0'_depend)
+
+	allow $1 { file_type $2 }:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
+	allow $1 { file_type $2 }:file { create ioctl read getattr lock write setattr append link unlink rename };
+	allow $1 { file_type $2 }:lnk_file { create read getattr setattr link unlink rename };
+	allow $1 { file_type $2 }:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
+	allow $1 { file_type $2 }:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
+
+	# satisfy the assertions:
+	selinux_write_binary_policy($1)
+	bootloader_manage_kernel_modules($1)
 ')
 
 define(`files_manage_all_files_depend',`
-attribute file_type;
-class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
-class file { create ioctl read getattr lock write setattr append link unlink rename };
-class lnk_file { create read getattr setattr link unlink rename };
-class fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
-class sock_file { create ioctl read getattr lock write setattr append link unlink rename };
+	attribute file_type;
+
+	class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
+	class file { create ioctl read getattr lock write setattr append link unlink rename };
+	class lnk_file { create read getattr setattr link unlink rename };
+	class fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
+	class sock_file { create ioctl read getattr lock write setattr append link unlink rename };
 ')
 
 ########################################
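Review bot: The `# satisfy the assertions:` comment in `files_manage_all_files` does not tell a caller that `selinux_write_binary_policy($1)` and `bootloader_manage_kernel_modules($1)` are applied unconditionally, whatever is passed as `$2`. Judging by their names, these add write access to the binary policy and management of kernel modules, a much larger grant than the interface name suggests. An explicit comment would help, such as `# also grants binary policy write and kernel module management so that the policy assertions pass; use only for fully trusted domains`. `files_relabel_all_files` in the previous hunk has the same pattern with `selinux_relabelto_binary_policy($1)`.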
@@ -199,13 +213,15 @@ class sock_file { create ioctl read getattr lock write setattr append link unlin
 # files_search_all_directories(domain)
 #
 define(`files_search_all_directories',`
-requires_block_template(`$0'_depend)
-allow $1 file_type:dir search;
+	requires_block_template(`$0'_depend)
+
+	allow $1 file_type:dir search;
 ')
 
 define(`files_search_all_directories_depend',`
-attribute file_type;
-class dir search;
+	attribute file_type;
+
+	class dir search;
 ')
 
 ########################################
@@ -213,13 +229,15 @@ class dir search;
 # files_read_all_directories(domain)
 #
 define(`files_read_all_directories',`
-requires_block_template(`$0'_depend)
-allow $1 file_type:dir r_dir_perms;
+	requires_block_template(`$0'_depend)
+
+	allow $1 file_type:dir r_dir_perms;
 ')
 
 define(`files_read_all_directories_depend',`
-attribute file_type;
-class dir r_dir_perms;
+	attribute file_type;
+
+	class dir r_dir_perms;
 ')
 
 ########################################
@@ -227,13 +245,15 @@ class dir r_dir_perms;
 # files_ignore_search_all_directories(domain)
 #
 define(`files_ignore_search_all_directories',`
-requires_block_template(`$0'_depend)
-dontaudit $1 file_type:dir search;
+	requires_block_template(`$0'_depend)
+
+	dontaudit $1 file_type:dir search;
 ')
 
 define(`files_ignore_search_all_directories_depend',`
-attribute file_type;
-class dir search;
+	attribute file_type;
+
+	class dir search;
 ')
 
 #######################################
@@ -241,13 +261,15 @@ class dir search;
 # files_relabelto_all_file_type_filesystems(domain)
 #
 define(`files_relabelto_all_file_type_filesystems',`
-requires_block_template(`$0'_depend)
-allow $1 file_type:filesystem relabelto;
+	requires_block_template(`$0'_depend)
+
+	allow $1 file_type:filesystem relabelto;
 ')
 
 define(`files_relabelto_all_file_type_filesystems_depend',`
-attribute file_type;
-filesystem relabelto;
+	attribute file_type;
+
+	filesystem relabelto;
 ')
 
 #######################################
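Review bot: In `files_relabelto_all_file_type_filesystems_depend` the line `filesystem relabelto;` is missing the `class` keyword that every other depend entry uses. It should read `class filesystem relabelto;`, as `class filesystem unmount;` does in `files_unmount_root_filesystem_depend`. The re-indent carries the same omission into `files_mount_all_file_type_filesystems_depend` and `files_unmount_all_file_type_filesystems_depend` in the next two hunks (`filesystem mount;`). How the template treats a line without the keyword is not visible here, so this may be a silent no-op or a build error.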
@@ -255,13 +277,15 @@ filesystem relabelto;
 # files_mount_all_file_type_filesystems(domain)
 #
 define(`files_mount_all_file_type_filesystems',`
-requires_block_template(`$0'_depend)
-allow $1 file_type:filesystem mount;
+	requires_block_template(`$0'_depend)
+
+	allow $1 file_type:filesystem mount;
 ')
 
 define(`files_mount_all_file_type_filesystems_depend',`
-attribute file_type;
-filesystem mount;
+	attribute file_type;
+
+	filesystem mount;
 ')
 
 #######################################
@@ -269,13 +293,15 @@ filesystem mount;
 # files_unmount_all_file_type_filesystems(domain)
 #
 define(`files_unmount_all_file_type_filesystems',`
-requires_block_template(`$0'_depend)
-allow $1 file_type:filesystem mount;
+	requires_block_template(`$0'_depend)
+
+	allow $1 file_type:filesystem mount;
 ')
 
 define(`files_unmount_all_file_type_filesystems_depend',`
-attribute file_type;
-filesystem mount;
+	attribute file_type;
+
+	filesystem mount;
 ')
 
 ########################################
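Review bot: `files_unmount_all_file_type_filesystems` grants `mount`, not `unmount`: the rule is `allow $1 file_type:filesystem mount;`, identical to `files_mount_all_file_type_filesystems` in the hunk above. A domain given this interface receives mount permission on every `file_type` filesystem while still lacking the permission it asked for. The rule should be `allow $1 file_type:filesystem unmount;` with the depend line changed to `class filesystem unmount;`, matching `files_unmount_root_filesystem`.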
@@ -283,13 +309,15 @@ filesystem mount;
 # files_mount_on_all_mountpoints(domain)
 #
 define(`files_mount_on_all_mountpoints',`
-requires_block_template(`$0'_depend)
-allow $1 mountpoint:dir { getattr search mounton };
+	requires_block_template(`$0'_depend)
+
+	allow $1 mountpoint:dir { getattr search mounton };
 ')
 
 define(`files_mount_on_all_mountpoints_depend',`
-attribute mountpoint;
-class dir { getattr search mounton };
+	attribute mountpoint;
+
+	class dir { getattr search mounton };
 ')
 
 ########################################
@@ -297,15 +325,17 @@ class dir { getattr search mounton };
 # files_read_root_dir(domain)
 #
 define(`files_read_root_dir',`
-requires_block_template(`$0'_depend)
-allow $1 root_t:dir r_dir_perms;
-allow $1 root_t:lnk_file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	allow $1 root_t:dir r_dir_perms;
+	allow $1 root_t:lnk_file { getattr read };
 ')
 
 define(`files_read_root_dir_depend',`
-type root_t;
-class dir r_dir_perms;
-class lnk_file { getattr read };
+	type root_t;
+
+	class dir r_dir_perms;
+	class lnk_file { getattr read };
 ')
 
 ########################################
@@ -313,13 +343,15 @@ class lnk_file { getattr read };
 # files_create_root_dir_entry(domain)
 #
 define(`files_create_root_dir_entry',`
-requires_block_template(`$0'_depend)
-allow $1 root_t:dir ra_dir_perms;
+	requires_block_template(`$0'_depend)
+
+	allow $1 root_t:dir ra_dir_perms;
 ')
 
 define(`files_create_root_dir_entry_depend',`
-type root_t;
-class dir ra_dir_perms;
+	type root_t;
+
+	class dir ra_dir_perms;
 ')
 
 ########################################
@@ -327,13 +359,15 @@ class dir ra_dir_perms;
 # files_ignore_read_rootfs_file(domain)
 #
 define(`files_ignore_read_rootfs_file',`
-requires_block_template(`$0'_depend)
-dontaudit $1 root_t:file read;
+	requires_block_template(`$0'_depend)
+
+	dontaudit $1 root_t:file read;
 ')
 
 define(`files_ignore_read_rootfs_file_depend',`
-type root_t;
-class file read;
+	type root_t;
+
+	class file read;
 ')
 
 ########################################
@@ -341,13 +375,15 @@ class file read;
 # files_ignore_modify_rootfs_file(domain)
 #
 define(`files_ignore_modify_rootfs_file',`
-requires_block_template(`$0'_depend)
-dontaudit $1 root_t:file { read write };
+	requires_block_template(`$0'_depend)
+
+	dontaudit $1 root_t:file { read write };
 ')
 
 define(`files_ignore_modify_rootfs_file_depend',`
-type root_t;
-class file { read write };
+	type root_t;
+
+	class file { read write };
 ')
 
 ########################################
@@ -355,13 +391,15 @@ class file { read write };
 # files_ignore_modify_rootfs_device(domain)
 #
 define(`files_ignore_modify_rootfs_device',`
-requires_block_template(`$0'_depend)
-dontaudit $1 root_t:chr_file { read write };
+	requires_block_template(`$0'_depend)
+
+	dontaudit $1 root_t:chr_file { read write };
 ')
 
 define(`files_ignore_modify_rootfs_device_depend',`
-type root_t;
-class chr_file { read write };
+	type root_t;
+
+	class chr_file { read write };
 ')
 
 ########################################
@@ -384,18 +422,21 @@ class chr_file { read write };
 ## </interface>
 #
 define(`files_create_private_root_dir_entry',`
-requires_block_template(`$0'_depend)
-allow $1 root_t:dir { getattr search read write add_name remove_name };
-ifelse(`$3',`',`
-type_transition $1 root_t:file $2;
-',`
-type_transition $1 root_t:$3 $2;
-') dnl end ifelse
+	requires_block_template(`$0'_depend)
+
+	allow $1 root_t:dir rw_dir_perms;
+
+	ifelse(`$3',`',`
+		type_transition $1 root_t:file $2;
+	',`
+		type_transition $1 root_t:$3 $2;
+	') dnl end ifelse
 ')
 
 define(`files_create_private_root_dir_entry_depend',`
 type root_t;
-class dir { getattr search read write add_name remove_name };
+
+class dir rw_dir_perms;
 ')
 
 ########################################
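Review bot: The switch from `{ getattr search read write add_name remove_name }` to `rw_dir_perms` in `files_create_private_root_dir_entry` is a permission change inside what is otherwise a re-indentation. The definition of `rw_dir_perms` is not in this diff. If it expands to more than those six permissions (the `etc_t:dir` rule in `files_manage_general_system_config` spells out a set that also has `lock` and `ioctl`), this widens access to `root_t:dir` and should be called out or kept as the explicit set. Separately, the body of `files_create_private_root_dir_entry_depend` is left at column 0 (`type root_t;`, `class dir rw_dir_perms;`) while every other block was tab-indented.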
@@ -403,13 +444,15 @@ class dir { getattr search read write add_name remove_name };
 # files_remove_root_dir_entry(domain)
 #
 define(`files_remove_root_dir_entry',`
-requires_block_template(`$0'_depend)
-allow $1 root_t:dir { getattr search read write remove_name };
+	requires_block_template(`$0'_depend)
+
+	allow $1 root_t:dir { getattr search read write remove_name };
 ')
 
 define(`files_remove_root_dir_entry_depend',`
-type root_t;
-class dir { getattr search read write remove_name };
+	type root_t;
+
+	class dir { getattr search read write remove_name };
 ')
 
 ########################################
@@ -417,13 +460,15 @@ class dir { getattr search read write remove_name };
 # files_unmount_root_filesystem(domain)
 #
 define(`files_unmount_root_filesystem',`
-requires_block_template(`$0'_depend)
-allow $1 root_t:filesystem unmount;
+	requires_block_template(`$0'_depend)
+
+	allow $1 root_t:filesystem unmount;
 ')
 
 define(`files_unmount_root_filesystem_depend',`
-type root_t;
-class filesystem unmount;
+	type root_t;
+
+	class filesystem unmount;
 ')
 
 ########################################
@@ -431,13 +476,15 @@ class filesystem unmount;
 # files_search_general_system_config_directory(domain)
 #
 define(`files_search_general_system_config_directory',`
-requires_block_template(`$0'_depend)
-allow $1 etc_t:dir search;
+	requires_block_template(`$0'_depend)
+
+	allow $1 etc_t:dir search;
 ')
 
 define(`files_search_general_system_config_directory_depend',`
-type etc_t;
-class dir search;
+	type etc_t;
+
+	class dir search;
 ')
 
 ########################################
@@ -445,13 +492,15 @@ class dir search;
 # files_read_general_system_config_directory(domain)
 #
 define(`files_read_general_system_config_directory',`
-requires_block_template(`$0'_depend)
-allow $1 etc_t:dir { getattr search read };
+	requires_block_template(`$0'_depend)
+
+	allow $1 etc_t:dir { getattr search read };
 ')
 
 define(`files_read_general_system_config_directory_depend',`
-type etc_t;
-class dir { getattr search read };
+	type etc_t;
+
+	class dir { getattr search read };
 ')
 
 ########################################
@@ -459,17 +508,19 @@ class dir { getattr search read };
 # files_read_general_system_config(domain)
 #
 define(`files_read_general_system_config',`
-requires_block_template(`$0'_depend)
-allow $1 etc_t:dir { getattr search read };
-allow $1 etc_t:file { getattr read ioctl };
-allow $1 etc_t:lnk_file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	allow $1 etc_t:dir { getattr search read };
+	allow $1 etc_t:file { getattr read ioctl };
+	allow $1 etc_t:lnk_file { getattr read };
 ')
 
 define(`files_read_general_system_config_depend',`
-type etc_t;
-class dir { getattr search read };
-class file { getattr read };
-class lnk_file { getattr read };
+	type etc_t;
+
+	class dir { getattr search read };
+	class file { getattr read };
+	class lnk_file { getattr read };
 ')
 
 ########################################
@@ -477,17 +528,19 @@ class lnk_file { getattr read };
 # files_modify_general_system_config(domain)
 #
 define(`files_modify_general_system_config',`
-requires_block_template(`$0'_depend)
-allow $1 etc_t:dir { getattr search read };
-allow $1 etc_t:file { getattr read write ioctl };
-allow $1 etc_t:lnk_file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	allow $1 etc_t:dir { getattr search read };
+	allow $1 etc_t:file { getattr read write ioctl };
+	allow $1 etc_t:lnk_file { getattr read };
 ')
 
 define(`files_modify_general_system_config_depend',`
-type etc_t;
-class dir { getattr search read };
-class file { getattr read write ioctl };
-class lnk_file { getattr read };
+	type etc_t;
+
+	class dir { getattr search read };
+	class file { getattr read write ioctl };
+	class lnk_file { getattr read };
 ')
 
 ########################################
@@ -495,17 +548,19 @@ class lnk_file { getattr read };
 # files_manage_general_system_config(domain)
 #
 define(`files_manage_general_system_config',`
-requires_block_template(`$0'_depend)
-allow $1 etc_t:dir { read getattr lock search ioctl add_name remove_name write };
-allow $1 etc_t:file { create ioctl read getattr lock write setattr append link unlink rename };
-allow $1 etc_t:lnk_file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	allow $1 etc_t:dir { read getattr lock search ioctl add_name remove_name write };
+	allow $1 etc_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+	allow $1 etc_t:lnk_file { getattr read };
 ')
 
 define(`files_manage_general_system_config_depend',`
-type etc_t;
-class dir { read getattr lock search ioctl add_name remove_name write };
-class file { create ioctl read getattr lock write setattr append link unlink rename };
-class lnk_file { getattr read };
+	type etc_t;
+
+	class dir { read getattr lock search ioctl add_name remove_name write };
+	class file { create ioctl read getattr lock write setattr append link unlink rename };
+	class lnk_file { getattr read };
 ')
 
 ########################################
@@ -520,15 +575,17 @@ class lnk_file { getattr read };
 ## </interface>
 #
 define(`files_remove_general_system_config',`
-requires_block_template(`$0'_depend)
-allow $1 etc_t:dir { getattr search read write remove_name };
-allow $1 etc_t:file unlink;
+	requires_block_template(`$0'_depend)
+
+	allow $1 etc_t:dir { getattr search read write remove_name };
+	allow $1 etc_t:file unlink;
 ')
 
 define(`files_remove_general_system_config_depend',`
-type etc_t;
-class dir { getattr search read write remove_name };
-class file unlink;
+	type etc_t;
+
+	class dir { getattr search read write remove_name };
+	class file unlink;
 ')
 
 ########################################
@@ -536,36 +593,40 @@ class file unlink;
 # files_execute_system_config_script(domain)
 #
 define(`files_execute_system_config_script',`
-requires_block_template(`$0'_depend)
-allow $1 etc_t:dir { getattr search read };
-allow $1 etc_t:lnk_file { getattr read };
-allow $1 etc_t:file { getattr read execute execute_no_trans };
+	requires_block_template(`$0'_depend)
+
+	allow $1 etc_t:dir { getattr search read };
+	allow $1 etc_t:lnk_file { getattr read };
+	allow $1 etc_t:file { getattr read execute execute_no_trans };
 ')
 
 define(`files_execute_system_config_script_depend',`
-type etc_t;
-class dir { getattr search read };
-class lnk_file { getattr read };
-class file { getattr read execute execute_no_trans };
+	type etc_t;
+
+	class dir { getattr search read };
+	class lnk_file { getattr read };
+	class file { getattr read execute execute_no_trans };
 ')
 
 ########################################
 #
-# files_create_boot_flag(type)
+# files_create_boot_flag(domain)
 #
 # /halt, /.autofsck, etc
 #
 define(`files_create_boot_flag',`
-requires_block_template(`$0'_depend)
-allow $1 root_t:dir { getattr search read write add_name remove_name };
-allow $1 etc_runtime_t:file { create read write setattr unlink };
-type_transition $1 root_t:file etc_runtime_t;
+	requires_block_template(`$0'_depend)
+
+	allow $1 root_t:dir { getattr search read write add_name remove_name };
+	allow $1 etc_runtime_t:file { create read write setattr unlink };
+	type_transition $1 root_t:file etc_runtime_t;
 ')
 
 define(`files_create_boot_flag_depend',`
-type root_t, etc_runtime_t;
-class dir { getattr search read write add_name };
-class file { create read write setattr };
+	type root_t, etc_runtime_t;
+
+	class dir { getattr search read write add_name };
+	class file { create read write setattr };
 ')
 
 ########################################
@@ -573,16 +634,18 @@ class file { create read write setattr };
 # files_manage_runtime_system_config(type)
 #
 define(`files_manage_runtime_system_config',`
-requires_block_template(`$0'_depend)
-allow $1 etc_t:dir { getattr search read write add_name remove_name };
-allow $1 etc_runtime_t:file { getattr create read write append setattr rename link unlink lock };
-type_transition $1 etc_t:file etc_runtime_t;
+	requires_block_template(`$0'_depend)
+
+	allow $1 etc_t:dir { getattr search read write add_name remove_name };
+	allow $1 etc_runtime_t:file { getattr create read write append setattr rename link unlink lock };
+	type_transition $1 etc_t:file etc_runtime_t;
 ')
 
 define(`files_manage_runtime_system_config_depend',`
-type etc_t, etc_runtime_t;
-class dir { getattr search read write add_name };
-class file { getattr create read write append setattr rename unlink unlink lock };
+	type etc_t, etc_runtime_t;
+
+	class dir { getattr search read write add_name };
+	class file { getattr create read write append setattr rename unlink unlink lock };
 ')
 
 ########################################
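Review bot: The `class file` line in `files_manage_runtime_system_config_depend` lists `unlink` twice and omits `link`, which the interface's allow rule on `etc_runtime_t:file` grants. This looks like a typo that the re-indent carried over unchanged. The line should read `class file { getattr create read write append setattr rename link unlink lock };`. The header comment also still says `(type)`, whereas the previous hunk changed `files_create_boot_flag(type)` to `(domain)`.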
@@ -590,15 +653,17 @@ class file { getattr create read write append setattr rename unlink unlink lock
 # files_read_runtime_system_config(domain)
 #
 define(`files_read_runtime_system_config',`
-requires_block_template(`$0'_depend)
-allow $1 etc_t:dir { getattr search read };
-allow $1 etc_runtime_t:file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	allow $1 etc_t:dir { getattr search read };
+	allow $1 etc_runtime_t:file { getattr read };
 ')
 
 define(`files_read_runtime_system_config_depend',`
-type etc_t, etc_runtime_t;
-class dir { getattr search read };
-class file { getattr read };
+	type etc_t, etc_runtime_t;
+
+	class dir { getattr search read };
+	class file { getattr read };
 ')
 
 ########################################
@@ -606,18 +671,20 @@ class file { getattr read };
 # files_create_private_config(domain,privatetype,[class(es)])
 #
 define(`files_create_private_config',`
-requires_block_template(`$0'_depend)
-allow $1 etc_t:dir { getattr search read write add_name remove_name };
-ifelse(`$3',`',`
-type_transition $1 etc_t:file $2;
-',`
-type_transition $1 etc_t:$3 $2;
-') dnl end ifelse
+	requires_block_template(`$0'_depend)
+
+	allow $1 etc_t:dir rw_dir_perms;
+	ifelse(`$3',`',`
+		type_transition $1 etc_t:file $2;
+	',`
+		type_transition $1 etc_t:$3 $2;
+	')
 ')
 
 define(`files_create_private_config_depend',`
 type etc_t;
-class dir { getattr search read write add_name remove_name };
+
+class dir rw_dir_perms;
 ')
 
 ########################################
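Review bot: Replacing `{ getattr search read write add_name remove_name }` with `rw_dir_perms` in `files_create_private_config` is a policy change inside a commit that is otherwise re-indentation. The macro's definition is not shown here; if it expands to more than those six permissions, every caller of the interface gains access on `etc_t:dir`. It is worth confirming the expansion and mentioning the change in the commit message. The same substitution is made in `files_create_private_lock_file`, `files_create_daemon_runtime_data` and `files_remove_all_daemon_runtime_data`. Separately, the two lines of `files_create_private_config_depend` were left unindented, unlike the other depend blocks in this patch.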
@@ -625,13 +692,15 @@ class dir { getattr search read write add_name remove_name };
 # files_modify_isid_type_dir(domain)
 #
 define(`files_modify_isid_type_dir',`
-requires_block_template(`$0'_depend)
-allow $1 file_t:dir rw_dir_perms;
+	requires_block_template(`$0'_depend)
+
+	allow $1 file_t:dir rw_dir_perms;
 ')
 
 define(`files_modify_isid_type_dir_depend',`
-type file_t;
-class dir rw_dir_perms;
+	type file_t;
+
+	class dir rw_dir_perms;
 ')
 
 ########################################
@@ -639,13 +708,15 @@ class dir rw_dir_perms;
 # files_ignore_get_isid_type_dir_attrib(domain)
 #
 define(`files_ignore_get_isid_type_dir_attrib',`
-requires_block_template(`$0'_depend)
-dontaudit $1 file_t:dir search;
+	requires_block_template(`$0'_depend)
+
+	dontaudit $1 file_t:dir search;
 ')
 
 define(`files_ignore_get_isid_type_dir_attrib_depend',`
-type file_t;
-class dir search;
+	type file_t;
+
+	class dir search;
 ')
 
 ########################################
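Review bot: `files_ignore_get_isid_type_dir_attrib` dontaudits `search` on `file_t:dir`, which is exactly what `files_ignore_search_isid_type_dir` in the next hunk does. Judging by the name, `getattr` was probably intended. If so, the rule should be `dontaudit $1 file_t:dir getattr;` with `class dir getattr;` in the depend block. As written, callers silence search denials they did not ask to hide, while getattr denials on unlabeled directories are still logged.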
@@ -653,13 +724,15 @@ class dir search;
 # files_ignore_search_isid_type_dir(domain)
 #
 define(`files_ignore_search_isid_type_dir',`
-requires_block_template(`$0'_depend)
-dontaudit $1 file_t:dir search;
+	requires_block_template(`$0'_depend)
+
+	dontaudit $1 file_t:dir search;
 ')
 
 define(`files_ignore_search_isid_type_dir_depend',`
-type file_t;
-class dir search;
+	type file_t;
+
+	class dir search;
 ')
 
 ########################################
@@ -674,13 +747,15 @@ class dir search;
 ## </interface>
 #
 define(`files_list_home_directories',`
-requires_block_template(`$0'_depend)
-allow $1 home_root_t:dir { getattr search read };
+	requires_block_template(`$0'_depend)
+
+	allow $1 home_root_t:dir { getattr search read };
 ')
 
 define(`files_list_home_directories_depend',`
-type home_root_t;
-class dir { getattr search read };
+	type home_root_t;
+
+	class dir { getattr search read };
 ')
 
 ########################################
@@ -688,13 +763,15 @@ class dir { getattr search read };
 # files_read_mnt_dir(domain)
 #
 define(`files_read_mnt_dir',`
-requires_block_template(`$0'_depend)
-allow $1 mnt_t:dir { getattr search read };
+	requires_block_template(`$0'_depend)
+
+	allow $1 mnt_t:dir { getattr search read };
 ')
 
 define(`files_read_runtime_system_config_depend',`
-type mnt_t;
-class dir { getattr search read };
+	type mnt_t;
+
+	class dir { getattr search read };
 ')
 
 ########################################
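Review bot: The depend block that follows `files_read_mnt_dir` is defined under the name `files_read_runtime_system_config_depend`, not `files_read_mnt_dir_depend`. The `requires_block_template` call in `files_read_mnt_dir` therefore names a macro that is not defined in this hunk. The later define also presumably replaces the real `files_read_runtime_system_config_depend`, which would then require `mnt_t` instead of `etc_t, etc_runtime_t`. Renaming this block to `files_read_mnt_dir_depend` fixes both. The same copy-paste slip is in a later hunk, where the depend block after `files_execute_system_source_code_scripts` is named `files_read_system_source_code_depend` and should be `files_execute_system_source_code_scripts_depend`.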
@@ -702,18 +779,21 @@ class dir { getattr search read };
 # files_create_private_tmp_data(domain,private_type,[object class(es)])
 #
 define(`files_create_private_tmp_data',`
-requires_block_template(`$0'_depend)
-allow $1 tmp_t:dir { getattr search read write add_name remove_name };
-ifelse(`$3',`',`
-type_transition $1 tmp_t:file $2;
-',`
-type_transition $1 tmp_t:$3 $2;
-')
+	requires_block_template(`$0'_depend)
+
+	allow $1 tmp_t:dir { getattr search read write add_name remove_name };
+
+	ifelse(`$3',`',`
+		type_transition $1 tmp_t:file $2;
+	',`
+		type_transition $1 tmp_t:$3 $2;
+	')
 ')
 
 define(`files_create_private_tmp_data_depend',`
-type tmp_t;
-class dir { getattr search read write add_name };
+	type tmp_t;
+
+	class dir { getattr search read write add_name };
 ')
 
 ########################################
@@ -721,21 +801,23 @@ class dir { getattr search read write add_name };
 # files_remove_all_tmp_data(domain)
 #
 define(`files_remove_all_tmp_data',`
-requires_block_template(`$0'_depend)
-allow $1 tmpfile:dir { getattr search read write add_name remove_name rmdir };
-allow $1 tmpfile:file { getattr unlink };
-allow $1 tmpfile:lnk_file { getattr unlink };
-allow $1 tmpfile:fifo_file { getattr unlink };
-allow $1 tmpfile:sock_file { getattr unlink };
+	requires_block_template(`$0'_depend)
+
+	allow $1 tmpfile:dir { getattr search read write add_name remove_name rmdir };
+	allow $1 tmpfile:file { getattr unlink };
+	allow $1 tmpfile:lnk_file { getattr unlink };
+	allow $1 tmpfile:fifo_file { getattr unlink };
+	allow $1 tmpfile:sock_file { getattr unlink };
 ')
 
 define(`files_remove_all_tmp_data_depend',`
-attribute tmpfile;
-class dir { getattr search read write add_name remove_name rmdir };
-class file { getattr unlink };
-class lnk_file { getattr unlink };
-class fifo_file { getattr unlink };
-class sock_file { getattr unlink };
+	attribute tmpfile;
+
+	class dir { getattr search read write add_name remove_name rmdir };
+	class file { getattr unlink };
+	class lnk_file { getattr unlink };
+	class fifo_file { getattr unlink };
+	class sock_file { getattr unlink };
 ')
 
 ########################################
@@ -743,13 +825,15 @@ class sock_file { getattr unlink };
 # files_search_general_application_resources_dir(domain)
 #
 define(`files_search_general_application_resources_dir',`
-requires_block_template(`$0'_depend)
-allow $1 usr_t:dir search;
+	requires_block_template(`$0'_depend)
+
+	allow $1 usr_t:dir search;
 ')
 
 define(`files_search_general_application_resources_dir_depend',`
-type usr_t;
-class dir search;
+	type usr_t;
+
+	class dir search;
 ')
 
 ########################################
@@ -757,16 +841,18 @@ class dir search;
 # files_read_general_application_resources(domain)
 #
 define(`files_read_general_application_resources',`
-requires_block_template(`$0'_depend)
-allow $1 usr_t:dir { getattr search read };
-allow $1 usr_t:{ file lnk_file } { getattr read };
+	requires_block_template(`$0'_depend)
+
+	allow $1 usr_t:dir { getattr search read };
+	allow $1 usr_t:{ file lnk_file } { getattr read };
 ')
 
 define(`files_read_general_application_resources_depend',`
-type usr_t;
-class dir { getattr search read };
-class file { getattr read };
-class lnk_file { getattr read };
+	type usr_t;
+
+	class dir { getattr search read };
+	class file { getattr read };
+	class lnk_file { getattr read };
 ')
 
 ########################################
@@ -781,18 +867,20 @@ class lnk_file { getattr read };
 ## </interface>
 #
 define(`files_execute_system_source_code_scripts',`
-requires_block_template(`$0'_depend)
-allow $1 usr_t:dir search;
-allow $1 src_t:dir { getattr search read };
-allow $1 src_t:lnk_file { getattr read };
-allow $1 src_t:file { getattr read execute execute_no_trans };
+	requires_block_template(`$0'_depend)
+
+	allow $1 usr_t:dir search;
+	allow $1 src_t:dir { getattr search read };
+	allow $1 src_t:lnk_file { getattr read };
+	allow $1 src_t:file { getattr read execute execute_no_trans };
 ')
 
 define(`files_read_system_source_code_depend',`
-type usr_t, src_t;
-class dir { getattr search read };
-class file { getattr read execute execute_no_trans };
-class lnk_file { getattr read };
+	type usr_t, src_t;
+
+	class dir { getattr search read };
+	class file { getattr read execute execute_no_trans };
+	class lnk_file { getattr read };
 ')
 
 ########################################
@@ -800,17 +888,19 @@ class lnk_file { getattr read };
 # files_read_system_source_code(domain)
 #
 define(`files_read_system_source_code',`
-requires_block_template(`$0'_depend)
-allow $1 usr_t:dir search;
-allow $1 src_t:dir { getattr search read };
-allow $1 src_t:{ file lnk_file } { getattr read };
+	requires_block_template(`$0'_depend)
+
+	allow $1 usr_t:dir search;
+	allow $1 src_t:dir { getattr search read };
+	allow $1 src_t:{ file lnk_file } { getattr read };
 ')
 
 define(`files_read_system_source_code_depend',`
-type usr_t, src_t;
-class dir { getattr search read };
-class file { getattr read };
-class lnk_file { getattr read };
+	type usr_t, src_t;
+
+	class dir { getattr search read };
+	class file { getattr read };
+	class lnk_file { getattr read };
 ')
 
 ########################################
@@ -818,13 +908,15 @@ class lnk_file { getattr read };
 # files_search_system_state_data_directory(domain)
 #
 define(`files_search_system_state_data_directory',`
-requires_block_template(`$0'_depend)
-allow $1 var_t:dir search;
+	requires_block_template(`$0'_depend)
+
+	allow $1 var_t:dir search;
 ')
 
 define(`files_search_system_state_data_directory_depend',`
-type var_t;
-class dir search;
+	type var_t;
+
+	class dir search;
 ')
 
 ########################################
@@ -832,13 +924,15 @@ class dir search;
 # files_ignore_search_system_state_data_directory(domain)
 #
 define(`files_ignore_search_system_state_data_directory',`
-requires_block_template(`$0'_depend)
-dontaudit $1 var_t:dir search;
+	requires_block_template(`$0'_depend)
+
+	dontaudit $1 var_t:dir search;
 ')
 
 define(`files_ignore_search_system_state_data_directory_depend',`
-type var_t;
-class dir search;
+	type var_t;
+
+	class dir search;
 ')
 
 ########################################
@@ -846,16 +940,18 @@ class dir search;
 # files_manage_pseudorandom_saved_seed(domain)
 #
 define(`files_manage_pseudorandom_saved_seed',`
-requires_block_template(`$0'_depend)
-allow $1 var_t:dir search;
-allow $1 var_lib_t:dir { getattr search read write add_name remove_name };
-allow $1 var_lib_t:file { getattr create read write setattr unlink };
+	requires_block_template(`$0'_depend)
+
+	allow $1 var_t:dir search;
+	allow $1 var_lib_t:dir { getattr search read write add_name remove_name };
+	allow $1 var_lib_t:file { getattr create read write setattr unlink };
 ')
 
 define(`files_manage_pseudorandom_saved_seed_depend',`
-type var_t, var_lib_t;
-class dir { getattr search read write add_name remove_name };
-class file { getattr create read write setattr unlink };
+	type var_t, var_lib_t;
+
+	class dir { getattr search read write add_name remove_name };
+	class file { getattr create read write setattr unlink };
 ')
 
 ########################################
@@ -863,15 +959,17 @@ class file { getattr create read write setattr unlink };
 # files_get_system_lock_file_attributes(domain)
 #
 define(`files_get_system_lock_file_attributes',`
-requires_block_template(`$0'_depend)
-allow $1 var_lock_t:dir { getattr search read };
-allow $1 var_lock_t:file getattr;
+	requires_block_template(`$0'_depend)
+
+	allow $1 var_lock_t:dir { getattr search read };
+	allow $1 var_lock_t:file getattr;
 ')
 
 define(`files_get_system_lock_file_attributes_depend',`
-type var_lock_t;
-class dir { getattr search read };
-class file getattr;
+	type var_lock_t;
+
+	class dir { getattr search read };
+	class file getattr;
 ')
 
 ########################################
@@ -879,15 +977,17 @@ class file getattr;
 # files_manage_system_lock_files(domain)
 #
 define(`files_manage_system_lock_files',`
-requires_block_template(`$0'_depend)
-allow $1 var_lock_t:dir { getattr search create read write setattr add_name remove_name rmdir };
-allow $1 var_lock_t:file { getattr create read write setattr unlink };
+	requires_block_template(`$0'_depend)
+
+	allow $1 var_lock_t:dir { getattr search create read write setattr add_name remove_name rmdir };
+	allow $1 var_lock_t:file { getattr create read write setattr unlink };
 ')
 
 define(`files_manage_system_lock_files_depend',`
-type var_lock_t;
-class dir { getattr search create read write setattr add_name remove_name rmdir };
-class file { getattr create read write setattr unlink };
+	type var_lock_t;
+
+	class dir { getattr search create read write setattr add_name remove_name rmdir };
+	class file { getattr create read write setattr unlink };
 ')
 
 ########################################
@@ -895,15 +995,17 @@ class file { getattr create read write setattr unlink };
 # files_remove_all_lock_files(domain)
 #
 define(`files_remove_all_lock_files',`
-requires_block_template(`$0'_depend)
-allow $1 lockfile:dir { getattr search read write add_name remove_name };
-allow $1 lockfile:file { getattr unlink };
+	requires_block_template(`$0'_depend)
+
+	allow $1 lockfile:dir { getattr search read write add_name remove_name };
+	allow $1 lockfile:file { getattr unlink };
 ')
 
 define(`files_remove_all_lock_files_depend',`
-attribute lockfile;
-class dir { getattr search read write add_name remove_name };
-class file { getattr unlink };
+	attribute lockfile;
+
+	class dir { getattr search read write add_name remove_name };
+	class file { getattr unlink };
 ')
 
 ########################################
@@ -911,19 +1013,22 @@ class file { getattr unlink };
 # files_create_private_lock_file(domain,private_type,[object class(es)])
 #
 define(`files_create_private_lock_file',`
-requires_block_template(`$0'_depend)
-allow $1 var_t:dir search;
-allow $1 var_lock_t:dir { getattr search read write add_name remove_name };
-ifelse(`$3',`',`
-type_transition $1 var_lock_t:file $2;
-',`
-type_transition $1 var_lock_t:$3 $2;
-')
+	requires_block_template(`$0'_depend)
+
+	allow $1 var_t:dir search;
+	allow $1 var_lock_t:dir rw_dir_perms;
+
+	ifelse(`$3',`',`
+		type_transition $1 var_lock_t:file $2;
+	',`
+		type_transition $1 var_lock_t:$3 $2;
+	')
 ')
 
 define(`files_create_private_lock_file_depend',`
-type var_t, var_lock_t;
-class dir { getattr search read write add_name };
+	type var_t, var_lock_t;
+
+	class dir rw_dir_perms;
 ')
 
 ########################################
@@ -931,14 +1036,16 @@ class dir { getattr search read write add_name };
 # files_search_runtime_data_directory(domain)
 #
 define(`files_search_runtime_data_directory',`
-requires_block_template(`$0'_depend)
-allow $1 var_t:dir search;
-allow $1 var_run_t:dir search;
+	requires_block_template(`$0'_depend)
+
+	allow $1 var_t:dir search;
+	allow $1 var_run_t:dir search;
 ')
 
 define(`files_search_runtime_data_directory_depend',`
-type var_t, var_run_t;
-class dir search;
+	type var_t, var_run_t;
+
+	class dir search;
 ')
 
 ########################################
@@ -946,13 +1053,15 @@ class dir search;
 # files_ignore_search_runtime_data_directory(domain)
 #
 define(`files_ignore_search_runtime_data_directory',`
-requires_block_template(`$0'_depend)
-allow $1 var_run_t:dir search;
+	requires_block_template(`$0'_depend)
+
+	allow $1 var_run_t:dir search;
 ')
 
 define(`files_ignore_search_runtime_data_directory_depend',`
-type var_run_t;
-class dir search;
+	type var_run_t;
+
+	class dir search;
 ')
 
 ########################################
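Review bot: `files_ignore_search_runtime_data_directory` uses `allow $1 var_run_t:dir search;`, so an interface named "ignore" actually grants search on `var_run_t` directories. The other ignore interfaces in this file, such as `files_ignore_search_system_state_data_directory` and `files_ignore_search_isid_type_dir`, use `dontaudit`. The rule should presumably be `dontaudit $1 var_run_t:dir search;`. Until it is changed, callers that only wanted to quiet the audit log are being given real access.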
@@ -960,14 +1069,16 @@ class dir search;
 # files_read_runtime_data_directory(domain)
 #
 define(`files_read_runtime_data_directory',`
-requires_block_template(`$0'_depend)
-allow $1 var_t:dir search;
-allow $1 var_run_t:dir { getattr search read };
+	requires_block_template(`$0'_depend)
+
+	allow $1 var_t:dir search;
+	allow $1 var_run_t:dir { getattr search read };
 ')
 
 define(`files_read_runtime_data_directory_depend',`
-type var_t, var_run_t;
-class dir { getattr search read };
+	type var_t, var_run_t;
+
+	class dir { getattr search read };
 ')
 
 ########################################
@@ -975,19 +1086,22 @@ class dir { getattr search read };
 # files_create_daemon_runtime_data(domain,pidfile,[object class(es)])
 #
 define(`files_create_daemon_runtime_data',`
-requires_block_template(`$0'_depend)
-allow $1 var_t:dir search;
-allow $1 var_run_t:dir { getattr search read write add_name remove_name };
-ifelse(`$3',`',`
-type_transition $1 var_run_t:file $2;
-',`
-type_transition $1 var_run_t:$3 $2;
-') dnl end ifelse
+	requires_block_template(`$0'_depend)
+
+	allow $1 var_t:dir search;
+	allow $1 var_run_t:dir rw_dir_perms;
+
+	ifelse(`$3',`',`
+		type_transition $1 var_run_t:file $2;
+	',`
+		type_transition $1 var_run_t:$3 $2;
+	')
 ')
 
 define(`files_create_daemon_runtime_data_depend',`
-type var_t, var_run_t;
-class dir { getattr search read write add_name remove_name };
+	type var_t, var_run_t;
+
+	class dir rw_dir_perms;
 ')
 
 ########################################
@@ -995,16 +1109,18 @@ class dir { getattr search read write add_name remove_name };
 # files_modify_system_runtime_data(domain)
 #
 define(`files_modify_system_runtime_data',`
-requires_block_template(`$0'_depend)
-allow $1 var_t:dir search;
-allow $1 var_run_t:dir { getattr search read };
-allow $1 var_run_t:file { getattr read write };
+	requires_block_template(`$0'_depend)
+
+	allow $1 var_t:dir search;
+	allow $1 var_run_t:dir { getattr search read };
+	allow $1 var_run_t:file { getattr read write };
 ')
 
 define(`files_modify_system_runtime_data_depend',`
-type var_t, var_run_t;
-class dir { getattr search read };
-class file { getattr read write };
+	type var_t, var_run_t;
+
+	class dir { getattr search read };
+	class file { getattr read write };
 ')
 
 ########################################
@@ -1020,13 +1136,15 @@ class file { getattr read write };
 #
 
 define(`files_ignore_write_all_daemon_runtime_data',`
-requires_block_template(`$0'_depend)
-dontaudit $1 pidfile:file write;
+	requires_block_template(`$0'_depend)
+
+	dontaudit $1 pidfile:file write;
 ')
 
 define(`files_ignore_write_all_daemon_runtime_data_depend',`
-attribute pidfile;
-class file write;
+	attribute pidfile;
+
+	class file write;
 ')
 
 ########################################
@@ -1042,13 +1160,15 @@ class file write;
 #
 
 define(`files_ignore_ioctl_all_daemon_runtime_data',`
-requires_block_template(`$0'_depend)
-dontaudit $1 pidfile:file ioctl;
+	requires_block_template(`$0'_depend)
+
+	dontaudit $1 pidfile:file ioctl;
 ')
 
 define(`files_ignore_ioctl_all_daemon_runtime_data_depend',`
-attribute pidfile;
-class file ioctl;
+	attribute pidfile;
+
+	class file ioctl;
 ')
 
 ########################################
@@ -1056,17 +1176,19 @@ class file ioctl;
 # files_read_all_daemon_runtime_data(domain)
 #
 define(`files_read_all_daemon_runtime_data',`
-requires_block_template(`$0'_depend)
-allow $1 var_t:dir search;
-allow $1 pidfile:dir r_dir_perms;
-allow $1 pidfile:file r_file_perms;
+	requires_block_template(`$0'_depend)
+
+	allow $1 var_t:dir search;
+	allow $1 pidfile:dir r_dir_perms;
+	allow $1 pidfile:file r_file_perms;
 ')
 
 define(`files_read_all_daemon_runtime_data_depend',`
-attribute pidfile;
-type var_t;
-class dir r_dir_perms;
-class file r_file_perms;
+	attribute pidfile;
+
+	type var_t;
+	class dir r_dir_perms;
+	class file r_file_perms;
 ')
 
 ########################################
@@ -1074,22 +1196,25 @@ class file r_file_perms;
 # files_remove_all_daemon_runtime_data(domain)
 #
 define(`files_remove_all_daemon_runtime_data',`
-requires_block_template(`$0'_depend)
-allow $1 var_t:dir search;
-allow $1 var_run_t:{ sock_file lnk_file } { getattr unlink };
-allow $1 var_run_t:dir rmdir;
-allow $1 pidfile:dir { getattr search read write add_name remove_name };
-allow $1 pidfile:file { getattr unlink };
-allow $1 pidfile:sock_file { getattr unlink };
+	requires_block_template(`$0'_depend)
+
+	allow $1 var_t:dir search;
+	allow $1 var_run_t:{ sock_file lnk_file } { getattr unlink };
+	allow $1 var_run_t:dir rmdir;
+	allow $1 pidfile:dir rw_dir_perms;
+	allow $1 pidfile:file { getattr unlink };
+	allow $1 pidfile:sock_file { getattr unlink };
 ')
 
 define(`files_remove_all_daemon_runtime_data_depend',`
-attribute pidfile;
-type var_t, var_run_t;
-class dir { getattr search read write add_name remove_name rmdir };
-class file { getattr unlink };
-class lnk_file { getattr unlink };
-class sock_file { getattr unlink };
+	attribute pidfile;
+
+	type var_t, var_run_t;
+
+	class dir rw_dir_perms;
+	class file { getattr unlink };
+	class lnk_file { getattr unlink };
+	class sock_file { getattr unlink };
 ')
 
 ########################################
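Review bot: `files_remove_all_daemon_runtime_data_depend` now declares `class dir rw_dir_perms;` where it previously listed `rmdir` explicitly, but the interface still contains `allow $1 var_run_t:dir rmdir;`. The definition of `rw_dir_perms` is not on this page, and a read/write set would not normally include `rmdir`, so the depend block probably no longer covers that permission. Either keep the explicit list in the depend block, or write `class dir { rw_dir_perms rmdir };` if the depend syntax accepts a macro inside a set.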
@@ -1097,14 +1222,16 @@ class sock_file { getattr unlink };
 # files_search_system_spool_directory(domain)
 #
 define(`files_search_system_spool_directory',`
-requires_block_template(`$0'_depend)
-allow $1 var_t:dir search;
-allow $1 var_spool_t:dir search;
+	requires_block_template(`$0'_depend)
+
+	allow $1 var_t:dir search;
+	allow $1 var_spool_t:dir search;
 ')
 
 define(`files_search_system_spool_directory_depend',`
-type var_t, var_spool_t;
-class dir search;
+	type var_t, var_spool_t;
+
+	class dir search;
 ')
 
 ########################################
@@ -1112,14 +1239,16 @@ class dir search;
 # files_read_system_spool_directory(domain)
 #
 define(`files_read_system_spool_directory',`
-requires_block_template(`$0'_depend)
-allow $1 var_t:dir search;
-allow $1 var_spool_t:dir { getattr search read };
+	requires_block_template(`$0'_depend)
+
+	allow $1 var_t:dir search;
+	allow $1 var_spool_t:dir { getattr search read };
 ')
 
 define(`files_read_system_spool_directory_depend',`
-type var_t, var_spool_t;
-class dir { getattr search read };
+	type var_t, var_spool_t;
+
+	class dir { getattr search read };
 ')
 
 ########################################
@@ -1127,16 +1256,18 @@ class dir { getattr search read };
 # files_read_system_spools(domain)
 #
 define(`files_read_system_spools',`
-requires_block_template(`$0'_depend)
-allow $1 var_t:dir search;
-allow $1 var_spool_t:dir { getattr search read };
-allow $1 var_spool_t:file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	allow $1 var_t:dir search;
+	allow $1 var_spool_t:dir { getattr search read };
+	allow $1 var_spool_t:file { getattr read };
 ')
 
 define(`files_read_system_spools_depend',`
-type var_t, var_spool_t;
-class dir { getattr search read };
-class file { getattr read };
+	type var_t, var_spool_t;
+
+	class dir { getattr search read };
+	class file { getattr read };
 ')
 
 ########################################
@@ -1144,16 +1275,18 @@ class file { getattr read };
 # files_manage_system_spools(domain)
 #
 define(`files_manage_system_spools',`
-requires_block_template(`$0'_depend)
-allow $1 var_t:dir search;
-allow $1 var_spool_t:dir { getattr search read write add_name remove_name };
-allow $1 var_spool_t:file { getattr create read write append unlink setattr };
+	requires_block_template(`$0'_depend)
+
+	allow $1 var_t:dir search;
+	allow $1 var_spool_t:dir { getattr search read write add_name remove_name };
+	allow $1 var_spool_t:file { getattr create read write append unlink setattr };
 ')
 
 define(`files_manage_system_spools_depend',`
-type var_t, var_spool_t;
-class dir { getattr search read write add_name remove_name };
-class file { getattr create read write append unlink setattr };
+	type var_t, var_spool_t;
+
+	class dir { getattr search read write add_name remove_name };
+	class file { getattr create read write append unlink setattr };
 ')
 
 ## </module>
diff --git a/refpolicy/policy/modules/system/getty.if b/refpolicy/policy/modules/system/getty.if
index 8f7fa56d1..ce277329e 100644
--- a/refpolicy/policy/modules/system/getty.if
+++ b/refpolicy/policy/modules/system/getty.if
@@ -4,23 +4,26 @@
 # getty_transition(domain)
 #
 define(`getty_transition',`
-requires_block_template(`$0'_depend)
-allow $1 getty_exec_t:file { getattr read execute };
-allow $1 getty_t:process transition;
-type_transition $1 getty_exec_t:process getty_t;
-dontaudit $1 getty_t:process { noatsecure siginh rlimitinh };
-allow $1 getty_t:fd use;
-allow getty_t $1:fd use;
-allow getty_t $1:fifo_file rw_file_perms;
-allow getty_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 getty_exec_t:file { getattr read execute };
+	allow $1 getty_t:process transition;
+	type_transition $1 getty_exec_t:process getty_t;
+	dontaudit $1 getty_t:process { noatsecure siginh rlimitinh };
+
+	allow $1 getty_t:fd use;
+	allow getty_t $1:fd use;
+	allow getty_t $1:fifo_file rw_file_perms;
+	allow getty_t $1:process sigchld;
 ')
 
 define(`getty_transition_depend',`
-type getty_t, getty_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+	type getty_t, getty_exec_t;
+
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh sigchld };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')
 
 #######################################
@@ -28,13 +31,15 @@ class fifo_file rw_file_perms;
 # getty_read_log_file(domain)
 #
 define(`getty_read_log_file',`
-requires_block_template(`$0'_depend)
-allow $1 getty_log_t:file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	allow $1 getty_log_t:file { getattr read };
 ')
 
 define(`getty_read_log_file_depend',`
-type getty_log_t;
-class file { getattr read };
+	type getty_log_t;
+
+	class file { getattr read };
 ')
 
 #######################################
@@ -42,13 +47,15 @@ class file { getattr read };
 # getty_read_config_file(domain)
 #
 define(`getty_read_config_file',`
-requires_block_template(`$0'_depend)
-allow $1 getty_etc_t:file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	allow $1 getty_etc_t:file { getattr read };
 ')
 
 define(`getty_read_config_file_depend',`
-type getty_etc_t;
-class file { getattr read };
+	type getty_etc_t;
+
+	class file { getattr read };
 ')
 
 #######################################
@@ -56,11 +63,13 @@ class file { getattr read };
 # getty_modify_config_file(domain)
 #
 define(`getty_modify_config_file',`
-requires_block_template(`$0'_depend)
-allow $1 getty_etc_t:file { getattr read write };
+	requires_block_template(`$0'_depend)
+
+	allow $1 getty_etc_t:file { getattr read write };
 ')
 
 define(`getty_modify_config_file_depend',`
-type getty_etc_t;
-class file { getattr read write };
+	type getty_etc_t;
+
+	class file { getattr read write };
 ')
diff --git a/refpolicy/policy/modules/system/hostname.if b/refpolicy/policy/modules/system/hostname.if
index e0b38856e..a1144fd23 100644
--- a/refpolicy/policy/modules/system/hostname.if
+++ b/refpolicy/policy/modules/system/hostname.if
@@ -14,23 +14,26 @@
 ## </interface>
 #
 define(`hostname_transition',`
-requires_block_template(`$0'_depend)
-allow $1 hostname_exec_t:file { getattr read execute };
-allow $1 hostname_t:process transition;
-type_transition $1 hostname_exec_t:process hostname_t;
-dontaudit $1 hostname_t:process { noatsecure siginh rlimitinh };
-allow $1 hostname_t:fd use;
-allow hostname_t $1:fd use;
-allow hostname_t $1:fifo_file rw_file_perms;
-allow hostname_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 hostname_exec_t:file { getattr read execute };
+	allow $1 hostname_t:process transition;
+	type_transition $1 hostname_exec_t:process hostname_t;
+	dontaudit $1 hostname_t:process { noatsecure siginh rlimitinh };
+
+	allow $1 hostname_t:fd use;
+	allow hostname_t $1:fd use;
+	allow hostname_t $1:fifo_file rw_file_perms;
+	allow hostname_t $1:process sigchld;
 ')
 
 define(`hostname_transition_depend',`
-type hostname_t, hostname_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+	type hostname_t, hostname_exec_t;
+
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh sigchld };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')
 
 ########################################
@@ -53,15 +56,17 @@ class fifo_file rw_file_perms;
 ## </interface>
 #
 define(`hostname_transition_add_role_use_terminal',`
-requires_block_template(`$0'_depend)
-hostname_transition($1)
-role $2 types hostname_t;
-allow hostname_t $3:chr_file { getattr read write ioctl };
+	requires_block_template(`$0'_depend)
+
+	hostname_transition($1)
+	role $2 types hostname_t;
+	allow hostname_t $3:chr_file { getattr read write ioctl };
 ')
 
 define(`hostname_transition_add_role_use_terminal_depend',`
-type hostname_t;
-class chr_file { getattr read write ioctl };
+	type hostname_t;
+
+	class chr_file { getattr read write ioctl };
 ')
 
 #######################################
@@ -69,13 +74,15 @@ class chr_file { getattr read write ioctl };
 # hostname_execute(domain)
 #
 define(`hostname_execute',`
-requires_block_template(`$0'_depend)
-allow $1 hostname_exec_t:file { getattr read execute execute_no_trans };
+	requires_block_template(`$0'_depend)
+
+	allow $1 hostname_exec_t:file { getattr read execute execute_no_trans };
 ')
 
 define(`hostname_execute_depend',`
-type hostname_exec_t;
-class file { getattr read execute execute_no_trans };
+	type hostname_exec_t;
+
+	class file { getattr read execute execute_no_trans };
 ')
 
 ## </module>
diff --git a/refpolicy/policy/modules/system/hostname.te b/refpolicy/policy/modules/system/hostname.te
index a519b588c..465647472 100644
--- a/refpolicy/policy/modules/system/hostname.te
+++ b/refpolicy/policy/modules/system/hostname.te
@@ -55,36 +55,36 @@ miscfiles_read_localization(hostname_t)
 userdomain_use_all_users_file_descriptors(hostname_t)
 
 tunable_policy(`distro_redhat', `
-filesystem_use_tmpfs_character_devices(hostname_t)
+	filesystem_use_tmpfs_character_devices(hostname_t)
 ')
 
 tunable_policy(`targeted_policy', `
-terminal_ignore_use_general_physical_terminal(hostname_t)
-terminal_ignore_use_general_pseudoterminal(hostname_t)
-files_ignore_read_rootfs_file(hostname_t)
-')dnl end targeted_policy tunable
+	terminal_ignore_use_general_physical_terminal(hostname_t)
+	terminal_ignore_use_general_pseudoterminal(hostname_t)
+	files_ignore_read_rootfs_file(hostname_t)
+')
 
 tunable_policy(`use_dns',`
-allow hostname_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
-corenetwork_sendrecv_udp_on_all_interfaces(hostname_t)
-corenetwork_sendrecv_raw_on_all_interfaces(hostname_t)
-corenetwork_sendrecv_udp_on_all_nodes(hostname_t)
-corenetwork_sendrecv_raw_on_all_nodes(hostname_t)
-corenetwork_bind_udp_on_all_nodes(hostname_t)
-corenetwork_sendrecv_udp_on_dns_port(hostname_t)
-sysnetwork_read_network_config(hostname_t)
+	allow hostname_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
+	corenetwork_sendrecv_udp_on_all_interfaces(hostname_t)
+	corenetwork_sendrecv_raw_on_all_interfaces(hostname_t)
+	corenetwork_sendrecv_udp_on_all_nodes(hostname_t)
+	corenetwork_sendrecv_raw_on_all_nodes(hostname_t)
+	corenetwork_bind_udp_on_all_nodes(hostname_t)
+	corenetwork_sendrecv_udp_on_dns_port(hostname_t)
+	sysnetwork_read_network_config(hostname_t)
 ')
 
 optional_policy(`hotplug.te',`
-hotplug_ignore_use_file_descriptors(hostname_t)
+	hotplug_ignore_use_file_descriptors(hostname_t)
 ')
 
 optional_policy(`selinux.te',`
-selinux_newrole_sigchld(hostname_t)
+	selinux_newrole_sigchld(hostname_t)
 ')
 
 optional_policy(`udev.te', `
-udev_read_database(hostname_t)
+	udev_read_database(hostname_t)
 ')
 
 ifdef(`TODO',`
diff --git a/refpolicy/policy/modules/system/hotplug.if b/refpolicy/policy/modules/system/hotplug.if
index 16244ed4d..dfea44f47 100644
--- a/refpolicy/policy/modules/system/hotplug.if
+++ b/refpolicy/policy/modules/system/hotplug.if
@@ -9,23 +9,26 @@
 # hotplug_transition(domain)
 #
 define(`hotplug_transition',`
-requires_block_template(`$0'_depend)
-allow $1 hotplug_exec_t:file { getattr read execute };
-allow $1 hotplug_t:process transition;
-type_transition $1 hotplug_exec_t:process hotplug_t;
-dontaudit $1 hotplug_t:process { noatsecure siginh rlimitinh };
-allow $1 hotplug_t:fd use;
-allow hotplug_t $1:fd use;
-allow hotplug_t $1:fifo_file rw_file_perms;
-allow hotplug_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 hotplug_exec_t:file { getattr read execute };
+	allow $1 hotplug_t:process transition;
+	type_transition $1 hotplug_exec_t:process hotplug_t;
+	dontaudit $1 hotplug_t:process { noatsecure siginh rlimitinh };
+
+	allow $1 hotplug_t:fd use;
+	allow hotplug_t $1:fd use;
+	allow hotplug_t $1:fifo_file rw_file_perms;
+	allow hotplug_t $1:process sigchld;
 ')
 
 define(`hotplug_transition_depend',`
-type hotplug_t, hotplug_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+	type hotplug_t, hotplug_exec_t;
+
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh sigchld };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')
 
 #######################################
@@ -33,13 +36,15 @@ class fifo_file rw_file_perms;
 # hotplug_execute(domain)
 #
 define(`hotplug_execute',`
-requires_block_template(`$0'_depend)
-allow $1 hotplug_exec_t:file { getattr read execute execute_no_trans };
+	requires_block_template(`$0'_depend)
+
+	allow $1 hotplug_exec_t:file { getattr read execute execute_no_trans };
 ')
 
 define(`hotplug_execute_depend',`
-type hotplug_t;
-class file { getattr read execute execute_no_trans };
+	type hotplug_t;
+
+	class file { getattr read execute execute_no_trans };
 ')
 
 #######################################
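Review bot: `hotplug_execute_depend` requires `type hotplug_t;`, but the only rule in `hotplug_execute` is on `hotplug_exec_t`, so the dependency block never declares the type the interface actually uses. The line should read `type hotplug_exec_t;`, matching `hostname_execute_depend` in hostname.if. The re-indentation carries this mismatch over unchanged, and both definitions lie fully inside the hunk.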
@@ -47,13 +52,15 @@ class file { getattr read execute execute_no_trans };
 # hotplug_use_file_descriptors(domain)
 #
 define(`hotplug_use_file_descriptors',`
-requires_block_template(`$0'_depend)
-allow $1 hotplug_t:fd use;
+	requires_block_template(`$0'_depend)
+
+	allow $1 hotplug_t:fd use;
 ')
 
 define(`hotplug_use_file_descriptors_depend',`
-type hotplug_t;
-class fd use;
+	type hotplug_t;
+
+	class fd use;
 ')
 
 #######################################
@@ -61,13 +68,15 @@ class fd use;
 # hotplug_ignore_use_file_descriptors(domain)
 #
 define(`hotplug_ignore_use_file_descriptors',`
-requires_block_template(`$0'_depend)
-dontaudit $1 hotplug_t:fd use;
+	requires_block_template(`$0'_depend)
+
+	dontaudit $1 hotplug_t:fd use;
 ')
 
 define(`hotplug_ignore_use_file_descriptors_depend',`
-type hotplug_t;
-class fd use;
+	type hotplug_t;
+
+	class fd use;
 ')
 
 ########################################
@@ -75,13 +84,15 @@ class fd use;
 # hotplug_ignore_search_config_directory(domain)
 #
 define(`hotplug_ignore_search_config_directory',`
-requires_block_template(`$0'_depend)
-dontaudit $1 hotplug_etc_t:dir search;
+	requires_block_template(`$0'_depend)
+
+	dontaudit $1 hotplug_etc_t:dir search;
 ')
 
 define(`hotplug_ignore_search_config_directory_depend',`
-type hotplug_etc_t;
-class dir search;
+	type hotplug_etc_t;
+
+	class dir search;
 ')
 
 ########################################
@@ -96,18 +107,20 @@ class dir search;
 ## </interface>
 #
 define(`hotplug_read_config',`
-requires_block_template(`$0'_depend)
-files_search_general_system_config_directory($1)
-allow $1 hotplug_etc_t:file { read getattr lock ioctl };
-allow $1 hotplug_etc_t:dir { read getattr lock search ioctl };
-allow $1 hotplug_etc_t:lnk_file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	files_search_general_system_config_directory($1)
+	allow $1 hotplug_etc_t:file { read getattr lock ioctl };
+	allow $1 hotplug_etc_t:dir { read getattr lock search ioctl };
+	allow $1 hotplug_etc_t:lnk_file { getattr read };
 ')
 
 define(`hotplug_read_config_depend',`
-type hotplug_etc_t;
-class file { read getattr lock ioctl };
-class dir { read getattr lock search ioctl };
-class lnk_file { getattr read };
+	type hotplug_etc_t;
+
+	class file { read getattr lock ioctl };
+	class dir { read getattr lock search ioctl };
+	class lnk_file { getattr read };
 ')
 
 ## </module>
diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te
index 6d15da135..a80fa32a0 100644
--- a/refpolicy/policy/modules/system/hotplug.te
+++ b/refpolicy/policy/modules/system/hotplug.te
@@ -109,60 +109,60 @@ sysnetwork_read_network_config(hotplug_t)
 userdomain_ignore_use_all_unprivileged_users_file_descriptors(hotplug_t)
 
 tunable_policy(`distro_redhat', `
-optional_policy(`netutils.te', `
-# for arping used for static IP addresses on PCMCIA ethernet
-netutils_transition(hotplug_t)
-filesystem_use_tmpfs_character_devices(hotplug_t)
-') dnl endif netutils optional
-files_get_system_lock_file_attributes(hotplug_t)
-')dnl end distro_redhat tunable
+	optional_policy(`netutils.te', `
+		# for arping used for static IP addresses on PCMCIA ethernet
+		netutils_transition(hotplug_t)
+		filesystem_use_tmpfs_character_devices(hotplug_t)
+	')
+	files_get_system_lock_file_attributes(hotplug_t)
+')
 
 tunable_policy(`targeted_policy', `
-terminal_ignore_use_general_physical_terminal(hotplug_t)
-terminal_ignore_use_general_pseudoterminal(hotplug_t)
-files_ignore_read_rootfs_file(hotplug_t)
+	terminal_ignore_use_general_physical_terminal(hotplug_t)
+	terminal_ignore_use_general_pseudoterminal(hotplug_t)
+	files_ignore_read_rootfs_file(hotplug_t)
 ')
 
 optional_policy(`consoletype.te',`
-consoletype_transition(hotplug_t)
+	consoletype_transition(hotplug_t)
 ')
 
 optional_policy(`hostname.te',`
-hostname_execute(hotplug_t)
+	hostname_execute(hotplug_t)
 ')
 
 optional_policy(`iptables.te',`
-iptables_transition(hotplug_t)
+	iptables_transition(hotplug_t)
 ')
 
 optional_policy(`mta.te', `
-mta_send_mail(hotplug_t)
+	mta_send_mail(hotplug_t)
 ')
 
 optional_policy(`selinux.te',`
-selinux_newrole_sigchld(hotplug_t)
+	selinux_newrole_sigchld(hotplug_t)
 ')
 
 optional_policy(`sysnetwork.te',`
-sysnetwork_ifconfig_transition(hotplug_t)
+	sysnetwork_ifconfig_transition(hotplug_t)
 ')
 
 optional_policy(`udev.te', `
-udev_transition(hotplug_t)
-udev_read_database(hotplug_t)
+	udev_transition(hotplug_t)
+	udev_read_database(hotplug_t)
 ')
 
 optional_policy(`updfstab.te', `
-updfstab_transition(hotplug_t)
+	updfstab_transition(hotplug_t)
 ')
 
 ifdef(`TODO',`
 allow hotplug_t autofs_t:dir { search getattr };
 dontaudit hotplug_t sysadm_home_dir_t:dir search;
 optional_policy(`rhgb.te', `
-allow hotplug_t rhgb_t:process sigchld;
-allow hotplug_t rhgb_t:fd use;
-allow hotplug_t rhgb_t:fifo_file { read write };
+	allow hotplug_t rhgb_t:process sigchld;
+	allow hotplug_t rhgb_t:fd use;
+	allow hotplug_t rhgb_t:fifo_file { read write };
 ')
 
 allow kernel_t hotplug_etc_t:dir search;
@@ -180,20 +180,20 @@ dontaudit hotplug_t domain:dir { getattr search };
 dontaudit hotplug_t { init_t kernel_t }:file read;
 
 optional_policy(`hald.te', `
-allow hotplug_t hald_t:unix_dgram_socket sendto;
+	allow hotplug_t hald_t:unix_dgram_socket sendto;
 ')
 
 # this goes to hald:
 optional_policy(`hotplug.te',`
-allow hald_t hotplug_etc_t:dir search;
-allow hald_t hotplug_etc_t:file { getattr read };
+	allow hald_t hotplug_etc_t:dir search;
+	allow hald_t hotplug_etc_t:file { getattr read };
 ')
 
 optional_policy(`fsadm.te', `
-domain_auto_trans(hotplug_t, fsadm_exec_t, fsadm_t)
+	domain_auto_trans(hotplug_t, fsadm_exec_t, fsadm_t)
 ')
 
 optional_policy(`lpd.te', `
-allow hotplug_t printer_device_t:chr_file setattr;
+	allow hotplug_t printer_device_t:chr_file setattr;
 ')
 ') dnl end TODO
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
index e419b3ba9..8181116c4 100644
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@@ -126,23 +126,26 @@ define(`init_make_system_domain_depend',`
 # init_transition(domain)
 #
 define(`init_transition',`
-requires_block_template(`$0'_depend)
-allow $1 init_exec_t:file { getattr read execute };
-allow $1 init_t:process transition;
-type_transition $1 init_exec_t:process init_t;
-dontaudit $1 init_t:process { noatsecure siginh rlimitinh };
-allow $1 init_t:fd use;
-allow init_t $1:fd use;
-allow init_t $1:fifo_file rw_file_perms;
-allow init_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 init_exec_t:file { getattr read execute };
+	allow $1 init_t:process transition;
+	type_transition $1 init_exec_t:process init_t;
+	dontaudit $1 init_t:process { noatsecure siginh rlimitinh };
+
+	allow $1 init_t:fd use;
+	allow init_t $1:fd use;
+	allow init_t $1:fifo_file rw_file_perms;
+	allow init_t $1:process sigchld;
 ')
 
 define(`init_transition_depend',`
-type init_t, init_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+	type init_t, init_exec_t;
+
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh sigchld };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')
 
 ########################################
@@ -150,13 +153,15 @@ class fifo_file rw_file_perms;
 # init_get_process_group(domain)
 #
 define(`init_get_process_group',`
-requires_block_template(`$0'_depend)
-allow $1 init_t:process getpgid;
+	requires_block_template(`$0'_depend)
+
+	allow $1 init_t:process getpgid;
 ')
 
 define(`init_get_process_group_depend',`
-type init_t;
-class process getpgid;
+	type init_t;
+
+	class process getpgid;
 ')
 
 ########################################
@@ -164,13 +169,15 @@ class process getpgid;
 # init_get_control_channel_attributes(domain)
 #
 define(`init_get_control_channel_attributes',`
-requires_block_template(`$0'_depend)
-allow $1 initctl_t:fifo_file getattr;
+	requires_block_template(`$0'_depend)
+
+	allow $1 initctl_t:fifo_file getattr;
 ')
 
 define(`init_get_control_channel_attributes_depend',`
-type initctl_t;
-class fifo_file getattr;
+	type initctl_t;
+
+	class fifo_file getattr;
 ')
 
 ########################################
@@ -178,13 +185,15 @@ class fifo_file getattr;
 # init_ignore_get_control_channel_attributes(domain)
 #
 define(`init_ignore_get_control_channel_attributes',`
-requires_block_template(`$0'_depend)
-dontaudit $1 initctl_t:fifo_file getattr;
+	requires_block_template(`$0'_depend)
+
+	dontaudit $1 initctl_t:fifo_file getattr;
 ')
 
 define(`init_get_control_channel_attributes_depend',`
-type initctl_t;
-class fifo_file getattr;
+	type initctl_t;
+
+	class fifo_file getattr;
 ')
 
 ########################################
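Review bot: The dependency block after `init_ignore_get_control_channel_attributes` is defined under the name `init_get_control_channel_attributes_depend`, the same name as the block in the previous hunk. The interface's `requires_block_template` call expands `$0` to its own name, so it looks for `init_ignore_get_control_channel_attributes_depend`, which is not defined anywhere in the visible part of the file. This define just redefines the earlier macro with identical contents. Renaming it to `init_ignore_get_control_channel_attributes_depend` would give the dontaudit interface its own requirements block.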
@@ -192,14 +201,16 @@ class fifo_file getattr;
 # init_use_control_channel(domain)
 #
 define(`init_use_control_channel',`
-requires_block_template(`$0'_depend)
-allow $1 initctl_t:fifo_file { getattr read write };
-devices_list_device_nodes($1)
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 initctl_t:fifo_file { getattr read write };
 ')
 
 define(`init_use_control_channel_depend',`
-type initctl_t;
-class fifo_file { getattr read write };
+	type initctl_t;
+
+	class fifo_file { getattr read write };
 ')
 
 ########################################
@@ -207,13 +218,15 @@ class fifo_file { getattr read write };
 # init_ignore_use_control_channel(domain)
 #
 define(`init_ignore_use_control_channel',`
-requires_block_template(`$0'_depend)
-dontaudit $1 initctl_t:fifo_file { read write };
+	requires_block_template(`$0'_depend)
+
+	dontaudit $1 initctl_t:fifo_file { read write };
 ')
 
 define(`init_ignore_use_control_channel_depend',`
-type initctl_t;
-class fifo_file { read write };
+	type initctl_t;
+
+	class fifo_file { read write };
 ')
 
 ########################################
@@ -221,13 +234,15 @@ class fifo_file { read write };
 # init_sigchld(domain)
 #
 define(`init_sigchld',`
-requires_block_template(`$0'_depend)
-allow $1 init_t:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 init_t:process sigchld;
 ')
 
 define(`init_sigchld_depend',`
-type init_t;
-class process sigchld;
+	type init_t;
+
+	class process sigchld;
 ')
 
 ########################################
@@ -235,13 +250,15 @@ class process sigchld;
 # init_use_file_descriptors(domain)
 #
 define(`init_use_file_descriptors',`
-requires_block_template(`$0'_depend)
-allow $1 init_t:fd use;
+	requires_block_template(`$0'_depend)
+
+	allow $1 init_t:fd use;
 ')
 
 define(`init_use_file_descriptors_depend',`
-type init_t;
-class fd use;
+	type init_t;
+
+	class fd use;
 ')
 
 ########################################
@@ -249,13 +266,15 @@ class fd use;
 # init_ignore_use_file_descriptors(domain)
 #
 define(`init_ignore_use_file_descriptors',`
-requires_block_template(`$0'_depend)
-dontaudit $1 init_t:fd use;
+	requires_block_template(`$0'_depend)
+
+	dontaudit $1 init_t:fd use;
 ')
 
 define(`init_ignore_use_file_descriptors_depend',`
-type init_t;
-class fd use;
+	type init_t;
+
+	class fd use;
 ')
 
 ########################################
@@ -263,23 +282,26 @@ class fd use;
 # init_script_transition(domain)
 #
 define(`init_script_transition',`
-requires_block_template(`$0'_depend)
-allow $1 initrc_exec_t:file { getattr read execute };
-allow $1 initrc_t:process transition;
-type_transition $1 initrc_exec_t:process init_t;
-dontaudit $1 init_t:process { noatsecure siginh rlimitinh };
-allow $1 initrc_t:fd use;
-allow initrc_t $1:fd use;
-allow initrc_t $1:fifo_file rw_file_perms;
-allow initrc_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 initrc_exec_t:file { getattr read execute };
+	allow $1 initrc_t:process transition;
+	type_transition $1 initrc_exec_t:process init_t;
+	dontaudit $1 init_t:process { noatsecure siginh rlimitinh };
+
+	allow $1 initrc_t:fd use;
+	allow initrc_t $1:fd use;
+	allow initrc_t $1:fifo_file rw_file_perms;
+	allow initrc_t $1:process sigchld;
 ')
 
 define(`init_script_transition_depend',`
-type initrc_t, initrc_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+	type initrc_t, initrc_exec_t;
+
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh sigchld };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')
 
 ########################################
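Review bot: In `init_script_transition` the `type_transition` and `dontaudit` rules name `init_t`, while every `allow` rule and the `_depend` block name `initrc_t`; this looks like a leftover from copying `init_transition`. As written, executing an `initrc_exec_t` file defaults the new process to `init_t`, for which this interface grants no `process transition` permission and requires no type. The caller would most likely get a denied exec, and if it also has `init_transition`, the script would run in `init_t`. The two lines should be `type_transition $1 initrc_exec_t:process initrc_t;` and `dontaudit $1 initrc_t:process { noatsecure siginh rlimitinh };`.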
@@ -287,13 +309,15 @@ class fifo_file rw_file_perms;
 # init_script_execute(domain)
 #
 define(`init_script_execute',`
-requires_block_template(`$0'_depend)
-allow $1 initrc_exec_t:file { getattr read execute execute_no_trans };
+	requires_block_template(`$0'_depend)
+
+	allow $1 initrc_exec_t:file { getattr read execute execute_no_trans };
 ')
 
 define(`init_script_execute_depend',`
-type initrc_exec_t;
-class file { getattr read execute execute_no_trans };
+	type initrc_exec_t;
+
+	class file { getattr read execute execute_no_trans };
 ')
 
 ########################################
@@ -308,23 +332,26 @@ class file { getattr read execute execute_no_trans };
 ## </interface>
 #
 define(`init_script_read_process_state',`
-requires_block_template(`$0'_depend)
-allow $1 initrc_t:dir { search getattr read };
-allow $1 initrc_t:{ file lnk_file } { read getattr };
-allow $1 initrc_t:process getattr;
-# We need to suppress this denial because procps tries to access
-# /proc/pid/environ and this now triggers a ptrace check in recent kernels
-# (2.4 and 2.6).  Might want to change procps to not do this, or only if
-# running in a privileged domain.
-dontaudit $1 initrc_t:process ptrace;
+	requires_block_template(`$0'_depend)
+
+	allow $1 initrc_t:dir { search getattr read };
+	allow $1 initrc_t:{ file lnk_file } { read getattr };
+	allow $1 initrc_t:process getattr;
+
+	# We need to suppress this denial because procps tries to access
+	# /proc/pid/environ and this now triggers a ptrace check in recent kernels
+	# (2.4 and 2.6).  Might want to change procps to not do this, or only if
+	# running in a privileged domain.
+	dontaudit $1 initrc_t:process ptrace;
 ')
 
 define(`init_script_read_process_state_depend',`
-type initrc_t;
-class dir { search getattr read };
-class file { read getattr };
-class lnk_file { read getattr };
-class process { getattr ptrace };
+	type initrc_t;
+
+	class dir { search getattr read };
+	class file { read getattr };
+	class lnk_file { read getattr };
+	class process { getattr ptrace };
 ')
 
 ########################################
@@ -332,13 +359,15 @@ class process { getattr ptrace };
 # init_script_use_file_descriptors(domain)
 #
 define(`init_script_use_file_descriptors',`
-requires_block_template(`$0'_depend)
-allow $1 initrc_t:fd use;
+	requires_block_template(`$0'_depend)
+
+	allow $1 initrc_t:fd use;
 ')
 
 define(`init_script_use_file_descriptors_depend',`
-type initrc_t;
-class fd use;
+	type initrc_t;
+
+	class fd use;
 ')
 
 ########################################
@@ -346,13 +375,15 @@ class fd use;
 # init_script_ignore_use_file_descriptors(domain)
 #
 define(`init_script_ignore_use_file_descriptors',`
-requires_block_template(`$0'_depend)
-dontaudit $1 initrc_t:fd use;
+	requires_block_template(`$0'_depend)
+
+	dontaudit $1 initrc_t:fd use;
 ')
 
 define(`init_script_ignore_use_file_descriptors_depend',`
-type initrc_t;
-class fd use;
+	type initrc_t;
+
+	class fd use;
 ')
 
 ########################################
@@ -360,13 +391,15 @@ class fd use;
 # init_script_get_process_group(domain)
 #
 define(`init_script_get_process_group',`
-requires_block_template(`$0'_depend)
-allow $1 initrc_t:process getpgid;
+	requires_block_template(`$0'_depend)
+
+	allow $1 initrc_t:process getpgid;
 ')
 
 define(`init_script_get_process_group_depend',`
-type initrc_t;
-class process getpgid;
+	type initrc_t;
+
+	class process getpgid;
 ')
 
 ########################################
@@ -374,14 +407,16 @@ class process getpgid;
 # init_script_use_pseudoterminal(domain)
 #
 define(`init_script_use_pseudoterminal',`
-requires_block_template(`$0'_depend)
-terminal_list_pseudoterminals($1)
-allow $1 initrc_devpts_t:chr_file { getattr read write ioctl };
+	requires_block_template(`$0'_depend)
+
+	terminal_list_pseudoterminals($1)
+	allow $1 initrc_devpts_t:chr_file { getattr read write ioctl };
 ')
 
 define(`init_script_use_pseudoterminal_depend',`
-type initrc_devpts_t;
-class chr_file { getattr read write ioctl };
+	type initrc_devpts_t;
+
+	class chr_file { getattr read write ioctl };
 ')
 
 ########################################
@@ -389,13 +424,15 @@ class chr_file { getattr read write ioctl };
 # init_script_ignore_use_pseudoterminal(domain)
 #
 define(`init_script_ignore_use_pseudoterminal',`
-requires_block_template(`$0'_depend)
-allow $1 initrc_devpts_t:chr_file { read write ioctl };
+	requires_block_template(`$0'_depend)
+
+	allow $1 initrc_devpts_t:chr_file { read write ioctl };
 ')
 
 define(`init_script_ignore_use_pseudoterminal_depend',`
-type initrc_devpts_t;
-class chr_file { read write ioctl };
+	type initrc_devpts_t;
+
+	class chr_file { read write ioctl };
 ')
 
 ########################################
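Review bot: `init_script_ignore_use_pseudoterminal` is named as a denial-silencing interface but its rule is an `allow`, so every caller is actually granted read, write and ioctl on `initrc_devpts_t` character devices. The sibling `init_script_ignore_use_file_descriptors` and the other `_ignore_` interfaces in this file use `dontaudit`. The rule should be `dontaudit $1 initrc_devpts_t:chr_file { read write ioctl };`, so callers that only wanted quieter audit logs do not gain access to the init script pseudoterminals.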
@@ -410,14 +447,16 @@ class chr_file { read write ioctl };
 ## </interface>
 #
 define(`init_script_modify_temporary_data',`
-requires_block_template(`$0'_depend)
-# FIXME: read tmp_t
-allow $1 initrc_tmp_t:file { getattr read write };
+	requires_block_template(`$0'_depend)
+
+	# FIXME: read tmp_t
+	allow $1 initrc_tmp_t:file { getattr read write };
 ')
 
 define(`init_script_modify_temporary_data_depend',`
-type initrc_var_run_t;
-class file { getattr read write };
+	type initrc_var_run_t;
+
+	class file { getattr read write };
 ')
 
 ########################################
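Review bot: `init_script_modify_temporary_data` allows access to `initrc_tmp_t`, but `init_script_modify_temporary_data_depend` requires `initrc_var_run_t`, so the type used by the rule is never declared as a dependency. Judging by the interface name, the temporary type is the intended one, and the depend line should read `type initrc_tmp_t;`. If the runtime type was meant instead, the `allow` rule duplicates `init_script_modify_runtime_data` and should be reconciled with it.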
@@ -425,14 +464,16 @@ class file { getattr read write };
 # init_script_read_runtime_data(domain)
 #
 define(`init_script_read_runtime_data',`
-requires_block_template(`$0'_depend)
-files_read_runtime_data_directory($1)
-allow $1 initrc_var_run_t:file { getattr read lock };
+	requires_block_template(`$0'_depend)
+
+	files_read_runtime_data_directory($1)
+	allow $1 initrc_var_run_t:file { getattr read lock };
 ')
 
 define(`init_script_read_runtime_data_depend',`
-type initrc_var_run_t;
-class file { getattr read lock };
+	type initrc_var_run_t;
+
+	class file { getattr read lock };
 ')
 
 ########################################
@@ -440,13 +481,15 @@ class file { getattr read lock };
 # init_script_ignore_write_runtime_data(domain)
 #
 define(`init_script_ignore_write_runtime_data',`
-requires_block_template(`$0'_depend)
-dontaudit $1 initrc_var_run_t:file { write lock };
+	requires_block_template(`$0'_depend)
+
+	dontaudit $1 initrc_var_run_t:file { write lock };
 ')
 
 define(`init_script_ignore_write_runtime_data_depend',`
-type initrc_var_run_t;
-class file { write lock };
+	type initrc_var_run_t;
+
+	class file { write lock };
 ')
 
 ########################################
@@ -454,14 +497,16 @@ class file { write lock };
 # init_script_modify_runtime_data(domain)
 #
 define(`init_script_modify_runtime_data',`
-requires_block_template(`$0'_depend)
-files_read_runtime_data_directory($1)
-allow $1 initrc_var_run_t:file { getattr read write append lock };
+	requires_block_template(`$0'_depend)
+
+	files_read_runtime_data_directory($1)
+	allow $1 initrc_var_run_t:file { getattr read write append lock };
 ')
 
 define(`init_script_modify_runtime_data_depend',`
-type initrc_var_run_t;
-class file { getattr read write append lock };
+	type initrc_var_run_t;
+
+	class file { getattr read write append lock };
 ')
 
 ########################################
@@ -469,13 +514,15 @@ class file { getattr read write append lock };
 # init_script_ignore_modify_runtime_data(domain)
 #
 define(`init_script_ignore_modify_runtime_data',`
-requires_block_template(`$0'_depend)
-dontaudit $1 initrc_var_run_t:file { getattr read write append };
+	requires_block_template(`$0'_depend)
+
+	dontaudit $1 initrc_var_run_t:file { getattr read write append };
 ')
 
 define(`init_script_ignore_modify_runtime_data_depend',`
-type initrc_var_run_t;
-class file { getattr read write append };
+	type initrc_var_run_t;
+
+	class file { getattr read write append };
 ')
 
 ## </module>
diff --git a/refpolicy/policy/modules/system/iptables.if b/refpolicy/policy/modules/system/iptables.if
index 5c06db21f..fd7d663b1 100644
--- a/refpolicy/policy/modules/system/iptables.if
+++ b/refpolicy/policy/modules/system/iptables.if
@@ -13,23 +13,26 @@
 ## </interface>
 #
 define(`iptables_transition',`
-requires_block_template(`$0'_depend)
-allow $1 iptables_exec_t:file { getattr read execute };
-allow $1 iptables_t:process transition;
-type_transition $1 iptables_exec_t:process iptables_t;
-dontaudit $1 iptables_t:process { noatsecure siginh rlimitinh };
-allow $1 iptables_t:fd use;
-allow iptables_t $1:fd use;
-allow iptables_t $1:fifo_file rw_file_perms;
-allow iptables_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 iptables_exec_t:file { getattr read execute };
+	allow $1 iptables_t:process transition;
+	type_transition $1 iptables_exec_t:process iptables_t;
+	dontaudit $1 iptables_t:process { noatsecure siginh rlimitinh };
+
+	allow $1 iptables_t:fd use;
+	allow iptables_t $1:fd use;
+	allow iptables_t $1:fifo_file rw_file_perms;
+	allow iptables_t $1:process sigchld;
 ')
 
 define(`iptables_transition_depend',`
-type iptables_t, iptables_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+	type iptables_t, iptables_exec_t;
+
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh sigchld };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')
 
 ########################################
@@ -51,15 +54,17 @@ class fifo_file rw_file_perms;
 ## </interface>
 #
 define(`iptables_transition_add_role_use_terminal',`
-requires_block_template(`$0'_depend)
-iptables_transition($1)
-role $2 types iptables_t;
-allow iptables_t $3:chr_file { getattr read write ioctl };
+	requires_block_template(`$0'_depend)
+
+	iptables_transition($1)
+	role $2 types iptables_t;
+	allow iptables_t $3:chr_file { getattr read write ioctl };
 ')
 
 define(`iptables_transition_add_role_use_terminal_depend',`
-type iptables_t;
-class chr_file { getattr read write ioctl };
+	type iptables_t;
+
+	class chr_file { getattr read write ioctl };
 ')
 
 ########################################
@@ -74,13 +79,15 @@ class chr_file { getattr read write ioctl };
 ## </interface>
 #
 define(`iptables_execute',`
-requires_block_template(`$0'_depend)
-allow $1 iptables_exec_t:file { getattr read execute execute_no_trans };
+	requires_block_template(`$0'_depend)
+
+	allow $1 iptables_exec_t:file { getattr read execute execute_no_trans };
 ')
 
 define(`iptables_execute_depend',`
-type iptables_t, iptables_exec_t;
-class file { getattr read execute execute_no_trans };
+	type iptables_t, iptables_exec_t;
+
+	class file { getattr read execute execute_no_trans };
 ')
 
 ## </module>
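Review bot: `iptables_execute_depend` requires both `iptables_t` and `iptables_exec_t`, yet the only rule in `iptables_execute` references `iptables_exec_t`. The extra requirement is presumably harmless when the policy is built, but it overstates what the interface depends on. `type iptables_exec_t;` alone would match the rule and would be consistent with `hostname_execute_depend` in hostname.if.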
diff --git a/refpolicy/policy/modules/system/iptables.te b/refpolicy/policy/modules/system/iptables.te
index adfd2b284..89c8fd2d9 100644
--- a/refpolicy/policy/modules/system/iptables.te
+++ b/refpolicy/policy/modules/system/iptables.te
@@ -117,10 +117,10 @@ allow iptables_t autofs_t:dir { search getattr };
 can_ypbind(iptables_t)
 
 optional_policy(`gnome-pty-helper.te',`
-allow iptables_t sysadm_gph_t:fd use;
+	allow iptables_t sysadm_gph_t:fd use;
 ')
 
 optional_policy(`firstboot.te', `
-allow iptables_t firstboot_t:fifo_file write;
+	allow iptables_t firstboot_t:fifo_file write;
 ')
 ') dnl ifdef TODO
diff --git a/refpolicy/policy/modules/system/libraries.if b/refpolicy/policy/modules/system/libraries.if
index b91984886..e88e0656b 100644
--- a/refpolicy/policy/modules/system/libraries.if
+++ b/refpolicy/policy/modules/system/libraries.if
@@ -13,23 +13,26 @@
 ## </interface>
 #
 define(`libraries_ldconfig_transition',`
-requires_block_template(`$0'_depend)
-allow $1 ldconfig_exec_t:file { getattr read execute };
-allow $1 ldconfig_t:process transition;
-type_transition $1 ldconfig_exec_t:process ldconfig_t;
-dontaudit $1 ldconfig_t:process { noatsecure siginh rlimitinh };
-allow $1 ldconfig_t:fd use;
-allow ldconfig_t $1:fd use;
-allow ldconfig_t $1:fifo_file rw_file_perms;
-allow ldconfig_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 ldconfig_exec_t:file { getattr read execute };
+	allow $1 ldconfig_t:process transition;
+	type_transition $1 ldconfig_exec_t:process ldconfig_t;
+	dontaudit $1 ldconfig_t:process { noatsecure siginh rlimitinh };
+
+	allow $1 ldconfig_t:fd use;
+	allow ldconfig_t $1:fd use;
+	allow ldconfig_t $1:fifo_file rw_file_perms;
+	allow ldconfig_t $1:process sigchld;
 ')
 
 define(`libraries_ldconfig_transition_depend',`
-type ldconfig_t, ldconfig_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+	type ldconfig_t, ldconfig_exec_t;
+
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh sigchld };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')
 
 ########################################
@@ -50,15 +53,17 @@ class fifo_file rw_file_perms;
 ## </interface>
 #
 define(`libraries_ldconfig_transition_add_role_use_terminal',`
-requires_block_template(`$0'_depend)
-libraries_ldconfig_transition($1)
-role $2 types ldconfig_t;
-allow ldconfig_t $3:chr_file { getattr read write ioctl };
+	requires_block_template(`$0'_depend)
+
+	libraries_ldconfig_transition($1)
+	role $2 types ldconfig_t;
+	allow ldconfig_t $3:chr_file { getattr read write ioctl };
 ')
 
 define(`libraries_ldconfig_transition_add_role_use_terminal_depend',`
-type ldconfig_t;
-class chr_file { getattr read write ioctl };
+	type ldconfig_t;
+
+	class chr_file { getattr read write ioctl };
 ')
 
 ########################################
@@ -74,20 +79,22 @@ class chr_file { getattr read write ioctl };
 ## </interface>
 #
 define(`libraries_use_dynamic_loader',`
-requires_block_template(`$0'_depend)
-files_read_general_system_config_directory($1)
-allow $1 lib_t:dir r_dir_perms;
-allow $1 lib_t:lnk_file r_file_perms;
-allow $1 ld_so_t:lnk_file r_file_perms;
-allow $1 ld_so_t:file rx_file_perms;
-allow $1 ld_so_cache_t:file r_file_perms;
+	requires_block_template(`$0'_depend)
+
+	files_read_general_system_config_directory($1)
+	allow $1 lib_t:dir r_dir_perms;
+	allow $1 lib_t:lnk_file r_file_perms;
+	allow $1 ld_so_t:lnk_file r_file_perms;
+	allow $1 ld_so_t:file rx_file_perms;
+	allow $1 ld_so_cache_t:file r_file_perms;
 ')
 
 define(`libraries_use_dynamic_loader_depend',`
-type lib_t, ld_so_t, ld_so_cache_t;
-class dir r_dir_perms;
-class lnk_file r_file_perms;
-class file rx_file_perms;
+	type lib_t, ld_so_t, ld_so_cache_t;
+
+	class dir r_dir_perms;
+	class lnk_file r_file_perms;
+	class file rx_file_perms;
 ')
 
 ########################################
@@ -103,15 +110,17 @@ class file rx_file_perms;
 ## </interface>
 #
 define(`libraries_legacy_use_dynamic_loader',`
-requires_block_template(`$0'_depend)
-libraries_use_dynamic_loader($1)
-allow $1 ld_so_t:file execmod;
-allow $1 ld_so_cache_t:file execute;
+	requires_block_template(`$0'_depend)
+
+	libraries_use_dynamic_loader($1)
+	allow $1 ld_so_t:file execmod;
+	allow $1 ld_so_cache_t:file execute;
 ')
 
 define(`libraries_legacy_use_dynamic_loader_depend',`
-type ld_so_t, ld_so_cache_t;
-class file { execute execmod };
+	type ld_so_t, ld_so_cache_t;
+
+	class file { execute execmod };
 ')
 
 ########################################
@@ -131,18 +140,20 @@ class file { execute execmod };
 ## </interface>
 #
 define(`libraries_execute_dynamic_loader',`
-requires_block_template(`$0'_depend)
-allow $1 lib_t:dir r_dir_perms;
-allow $1 lib_t:lnk_file r_file_perms;
-allow $1 ld_so_t:lnk_file r_file_perms;
-allow $1 ld_so_t:file { r_file_perms execute execute_no_trans };
+	requires_block_template(`$0'_depend)
+
+	allow $1 lib_t:dir r_dir_perms;
+	allow $1 lib_t:lnk_file r_file_perms;
+	allow $1 ld_so_t:lnk_file r_file_perms;
+	allow $1 ld_so_t:file { r_file_perms execute execute_no_trans };
 ')
 
 define(`libraries_execute_dynamic_loader_depend',`
-type lib_t, ld_so_t;
-class dir r_dir_perms;
-class lnk_file r_file_perms;
-class file { r_file_perms execute execute_no_trans };
+	type lib_t, ld_so_t;
+
+	class dir r_dir_perms;
+	class lnk_file r_file_perms;
+	class file { r_file_perms execute execute_no_trans };
 ')
 
 ########################################
@@ -158,14 +169,16 @@ class file { r_file_perms execute execute_no_trans };
 ## </interface>
 #
 define(`libraries_modify_dynamic_loader_cache',`
-requires_block_template(`$0'_depend)
-files_read_general_system_config_directory($1)
-allow $1 ld_so_cache_t:file { getattr read write };
+	requires_block_template(`$0'_depend)
+
+	files_read_general_system_config_directory($1)
+	allow $1 ld_so_cache_t:file { getattr read write };
 ')
 
 define(`libraries_modify_dynamic_loader_cache_depend',`
-type ld_so_cache_t;
-class file { getattr read write };
+	type ld_so_cache_t;
+
+	class file { getattr read write };
 ')
 
 ########################################
@@ -181,16 +194,18 @@ class file { getattr read write };
 ## </interface>
 #
 define(`libraries_read_library_resources',`
-requires_block_template(`$0'_depend)
-allow $1 lib_t:dir { getattr read search };
-allow $1 lib_t:{ file lnk_file } { getattr read };
+	requires_block_template(`$0'_depend)
+
+	allow $1 lib_t:dir { getattr read search };
+	allow $1 lib_t:{ file lnk_file } { getattr read };
 ')
 
 define(`libraries_read_library_resources_depend',`
-type lib_t;
-class dir { getattr read search };
-class lnk_file { getattr read };
-class file { getattr read };
+	type lib_t;
+
+	class dir { getattr read search };
+	class lnk_file { getattr read };
+	class file { getattr read };
 ')
 
 ########################################
@@ -205,17 +220,19 @@ class file { getattr read };
 ## </interface>
 #
 define(`libraries_execute_library_scripts',`
-requires_block_template(`$0'_depend)
-allow $1 lib_t:dir { getattr read search };
-allow $1 lib_t:lnk_file { getattr read };
-allow $1 lib_t:file { getattr read execute execute_no_trans };
+	requires_block_template(`$0'_depend)
+
+	allow $1 lib_t:dir { getattr read search };
+	allow $1 lib_t:lnk_file { getattr read };
+	allow $1 lib_t:file { getattr read execute execute_no_trans };
 ')
 
 define(`libraries_execute_library_scripts_depend',`
-type lib_t;
-class dir { getattr read search };
-class lnk_file { getattr read };
-class file { getattr read execute execute_no_trans };
+	type lib_t;
+
+	class dir { getattr read search };
+	class lnk_file { getattr read };
+	class file { getattr read execute execute_no_trans };
 ')
 
 ########################################
@@ -230,19 +247,21 @@ class file { getattr read execute execute_no_trans };
 ## </interface>
 #
 define(`libraries_use_shared_libraries',`
-requires_block_template(`$0'_depend)
-files_search_general_application_resources_dir($1)
-allow $1 lib_t:dir r_dir_perms;
-allow $1 lib_t:lnk_file r_file_perms;
-allow $1 { shlib_t texrel_shlib_t }:lnk_file r_file_perms;
-allow $1 { shlib_t texrel_shlib_t }:file rx_file_perms;
+	requires_block_template(`$0'_depend)
+
+	files_search_general_application_resources_dir($1)
+	allow $1 lib_t:dir r_dir_perms;
+	allow $1 lib_t:lnk_file r_file_perms;
+	allow $1 { shlib_t texrel_shlib_t }:lnk_file r_file_perms;
+	allow $1 { shlib_t texrel_shlib_t }:file rx_file_perms;
 ')
 
 define(`libraries_use_shared_libraries_depend',`
-type lib_t, shlib_t, texrel_shlib_t;
-class dir r_dir_perms;
-class lnk_file r_file_perms;
-class file rx_dir_perms;
+	type lib_t, shlib_t, texrel_shlib_t;
+
+	class dir r_dir_perms;
+	class lnk_file r_file_perms;
+	class file rx_dir_perms;
 ')
 
 ########################################
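Review bot: `libraries_use_shared_libraries_depend` still declares `class file rx_dir_perms;`, a directory permission macro on the `file` class, while the interface above it grants `{ shlib_t texrel_shlib_t }:file rx_file_perms`. The re-indent carries the old line forward unchanged, so the requirement block does not describe the file permissions the interface actually uses. The line should read `class file rx_file_perms;`. How much this matters depends on how `requires_block_template` consumes the block, which is not visible here.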
@@ -258,14 +277,16 @@ class file rx_dir_perms;
 ## </interface>
 #
 define(`libraries_legacy_use_shared_libraries',`
-requires_block_template(`$0'_depend)
-libraries_use_shared_libraries($1)
-allow $1 { shlib_t texrel_shlib_t }:file execmod;
+	requires_block_template(`$0'_depend)
+
+	libraries_use_shared_libraries($1)
+	allow $1 { shlib_t texrel_shlib_t }:file execmod;
 ')
 
 define(`libraries_legacy_use_shared_libraries_depend',`
-type shlib_t, texrel_shlib_t;
-class file execmod;
+	type shlib_t, texrel_shlib_t;
+
+	class file execmod;
 ')
 
 ## </module>
diff --git a/refpolicy/policy/modules/system/libraries.te b/refpolicy/policy/modules/system/libraries.te
index 4345fa85b..bb73e2c2f 100644
--- a/refpolicy/policy/modules/system/libraries.te
+++ b/refpolicy/policy/modules/system/libraries.te
@@ -80,21 +80,21 @@ ifdef(`TODO',`
 allow ldconfig_t tmp_t:dir search;
 
 ifdef(`apache.te', `
-# dontaudit access to /usr/lib/apache, normal programs cannot read these libs anyway
-dontaudit ldconfig_t httpd_modules_t:dir search;
+	# dontaudit access to /usr/lib/apache, normal programs cannot read these libs anyway
+	dontaudit ldconfig_t httpd_modules_t:dir search;
 ')
 
 allow ldconfig_t { var_t var_lib_t }:dir search;
 
 ifdef(`hide_broken_symptoms', `
-ifdef(`unconfined.te',`
-dontaudit ldconfig_t unconfined_t:tcp_socket { read write };
-')
+	ifdef(`unconfined.te',`
+		dontaudit ldconfig_t unconfined_t:tcp_socket { read write };
+	')
 ')
 
 ifdef(`targeted_policy', `
-allow ldconfig_t lib_t:file r_file_perms;
-unconfined_domain(ldconfig_t) 
+	allow ldconfig_t lib_t:file r_file_perms;
+	unconfined_domain(ldconfig_t) 
 ')
 
 ') dnl end TODO
diff --git a/refpolicy/policy/modules/system/locallogin.if b/refpolicy/policy/modules/system/locallogin.if
index 4e4fbd5f7..66ee967b1 100644
--- a/refpolicy/policy/modules/system/locallogin.if
+++ b/refpolicy/policy/modules/system/locallogin.if
@@ -4,12 +4,13 @@
 # locallogin_transition(domain)
 #
 define(`locallogin_transition',`
-requires_block_template(`$0'_depend)
-authlogin_login_program_transition($1,local_login_t)
+	requires_block_template(`$0'_depend)
+
+	authlogin_login_program_transition($1,local_login_t)
 ')
 
 define(`locallogin_transition_depend',`
-type local_login_t;
+	type local_login_t;
 ')
 
 ########################################
@@ -17,11 +18,13 @@ type local_login_t;
 # locallogin_use_file_descriptors(domain)
 #
 define(`locallogin_use_file_descriptors',`
-requires_block_template(`$0'_depend)
-allow $1 local_login_t:fd use;
+	requires_block_template(`$0'_depend)
+
+	allow $1 local_login_t:fd use;
 ')
 
 define(`locallogin_use_file_descriptors_depend',`
-type local_login_t;
-class fd use;
+	type local_login_t;
+
+	class fd use;
 ')
diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te
index 7449aae03..c2967635e 100644
--- a/refpolicy/policy/modules/system/locallogin.te
+++ b/refpolicy/policy/modules/system/locallogin.te
@@ -117,7 +117,7 @@ ifdef(`TODO',`
 
 can_ypbind(local_login_t)
 ifdef(`automount.te', `
-allow local_login_t autofs_t:dir { search getattr };
+	allow local_login_t autofs_t:dir { search getattr };
 ')
 
 allow local_login_t bin_t:dir r_dir_perms;
@@ -125,8 +125,8 @@ allow local_login_t bin_t:notdevfile_class_set r_file_perms;
 allow local_login_t sbin_t:dir r_dir_perms;
 allow local_login_t sbin_t:notdevfile_class_set r_file_perms;
 if (read_default_t) {
-allow local_login_t default_t:dir r_dir_perms;
-allow local_login_t default_t:notdevfile_class_set r_file_perms;
+	allow local_login_t default_t:dir r_dir_perms;
+	allow local_login_t default_t:notdevfile_class_set r_file_perms;
 }
 
 # Read directories and files with the readable_t type.
@@ -144,18 +144,18 @@ allow local_login_t mnt_t:dir r_dir_perms;
 
 # FIXME: what is this for?
 optional_policy(`xdm.te', `
-allow xdm_t local_login_t:process signull;
+	allow xdm_t local_login_t:process signull;
 ')
 
 ifdef(`crack.te', `
-allow local_login_t crack_db_t:file r_file_perms;
+	allow local_login_t crack_db_t:file r_file_perms;
 ')
 
 allow local_login_t mouse_device_t:chr_file { getattr setattr };
 
 tunable_policy(`targeted_policy',`
-unconfined_domain(local_login_t)
-domain_auto_trans(local_login_t, shell_exec_t, unconfined_t)
+	unconfined_domain(local_login_t)
+	domain_auto_trans(local_login_t, shell_exec_t, unconfined_t)
 ')
 
 # Do not audit denied attempts to access devices.
@@ -173,7 +173,7 @@ dontaudit local_login_t scanner_device_t:chr_file { getattr setattr };
 dontaudit local_login_t mnt_t:dir r_dir_perms;
 
 optional_policy(`gpm.te',`
-allow local_login_t gpmctl_t:sock_file { getattr setattr };
+	allow local_login_t gpmctl_t:sock_file { getattr setattr };
 ')
 
 # Allow setting of attributes on sound devices.
@@ -231,21 +231,21 @@ userdomain_use_all_unprivileged_users_file_descriptors(sulogin_t)
 
 # suse and debian do not use pam with sulogin...
 ifdef(`monolithic_policy',`
-ifdef(`distro_suse', `define(`sulogin_no_pam')')
-ifdef(`distro_debian', `define(`sulogin_no_pam')')
+	ifdef(`distro_suse', `define(`sulogin_no_pam')')
+	ifdef(`distro_debian', `define(`sulogin_no_pam')')
 ') dnl end monolithic_policy
 
 tunable_policy(`sulogin_no_pam', `
-allow sulogin_t self:capability sys_tty_config;
-init_get_process_group(sulogin_t)
+	allow sulogin_t self:capability sys_tty_config;
+	init_get_process_group(sulogin_t)
 ', `
-allow sulogin_t self:process setexec;
-kernel_get_selinuxfs_mount_point(sulogin_t)
-kernel_validate_selinux_context(sulogin_t)
-kernel_compute_selinux_access_vector(sulogin_t)
-kernel_compute_selinux_create_context(sulogin_t)
-kernel_compute_selinux_relabel_context(sulogin_t)
-kernel_compute_selinux_reachable_user_contexts(sulogin_t)
+	allow sulogin_t self:process setexec;
+	kernel_get_selinuxfs_mount_point(sulogin_t)
+	kernel_validate_selinux_context(sulogin_t)
+	kernel_compute_selinux_access_vector(sulogin_t)
+	kernel_compute_selinux_create_context(sulogin_t)
+	kernel_compute_selinux_relabel_context(sulogin_t)
+	kernel_compute_selinux_reachable_user_contexts(sulogin_t)
 ')
 
 ifdef(`TODO',`
@@ -254,7 +254,7 @@ allow sulogin_t sysadm_devpts_t:chr_file { getattr ioctl read write };
 
 can_ypbind(sulogin_t)
 ifdef(`automount.te', `
-allow sulogin_t autofs_t:dir { search getattr };
+	allow sulogin_t autofs_t:dir { search getattr };
 ')
 
 allow sulogin_t { staff_home_dir_t sysadm_home_dir_t }:dir search;
diff --git a/refpolicy/policy/modules/system/logging.if b/refpolicy/policy/modules/system/logging.if
index 46d1f8358..d2a5a141f 100644
--- a/refpolicy/policy/modules/system/logging.if
+++ b/refpolicy/policy/modules/system/logging.if
@@ -6,13 +6,14 @@
 # logging_make_log_file(domain)
 #
 define(`logging_make_log_file',`
-requires_block_template(`$0'_depend)
-files_make_file($1)
-typeattribute $1 logfile;
+	requires_block_template(`$0'_depend)
+
+	files_make_file($1)
+	typeattribute $1 logfile;
 ')
 
 define(`logging_make_log_file_depend',`
-attribute logfile;
+	attribute logfile;
 ')
 
 ########################################
@@ -20,18 +21,21 @@ attribute logfile;
 # logging_create_private_log(domain,privatetype,[class(es)])
 #
 define(`logging_create_private_log',`
-requires_block_template(`$0'_depend)
-allow $1 var_log_t:dir { getattr search read write add_name remove_name };
-ifelse(`$3',`',`
-type_transition $1 var_log_t:file $2;
-',`
-type_transition $1 var_log_t:$3 $2;
-') dnl end ifelse
+	requires_block_template(`$0'_depend)
+
+	allow $1 var_log_t:dir rw_dir_perms;
+
+	ifelse(`$3',`',`
+		type_transition $1 var_log_t:file $2;
+	',`
+		type_transition $1 var_log_t:$3 $2;
+	')
 ')
 
 define(`logging_create_private_log_depend',`
-type var_log_t;
-class dir { getattr search read write add_name remove_name };
+	type var_log_t;
+
+	class dir rw_dir_perms;
 ')
 
 #######################################
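Review bot: The `var_log_t:dir` rule in `logging_create_private_log` is not a pure re-indent: the explicit set `{ getattr search read write add_name remove_name }` becomes `rw_dir_perms`, in both the interface and its `_depend` block. If that macro expands to anything beyond those six permissions (its definition is not in this diff, so confirm it), every caller of the interface silently gains access on the log directory. Either keep `allow $1 var_log_t:dir { getattr search read write add_name remove_name };` or make the substitution in a separate commit that states the resulting permission set, so the change can be audited on its own.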
@@ -39,23 +43,27 @@ class dir { getattr search read write add_name remove_name };
 # logging_send_system_log_message(domain)
 #
 define(`logging_send_system_log_message',`
-requires_block_template(`$0'_depend)
-allow $1 devlog_t:lnk_file read;
-allow $1 devlog_t:sock_file { ioctl read getattr lock write append };
-# the type of socket depends on the syslog daemon
-allow $1 syslogd_t:unix_dgram_socket sendto;
-allow $1 syslogd_t:unix_stream_socket connectto;
-allow $1 self:unix_dgram_socket { create read getattr write setattr append bind connect getopt setopt shutdown };
-allow $1 self:unix_stream_socket { create read getattr write setattr append bind connect getopt setopt shutdown };
-# cjp: this should most likely be removed:
-terminal_use_console($1)
+	requires_block_template(`$0'_depend)
+
+	allow $1 devlog_t:lnk_file read;
+	allow $1 devlog_t:sock_file { ioctl read getattr lock write append };
+
+	# the type of socket depends on the syslog daemon
+	allow $1 syslogd_t:unix_dgram_socket sendto;
+	allow $1 syslogd_t:unix_stream_socket connectto;
+	allow $1 self:unix_dgram_socket { create read getattr write setattr append bind connect getopt setopt shutdown };
+	allow $1 self:unix_stream_socket { create read getattr write setattr append bind connect getopt setopt shutdown };
+
+	# cjp: this should most likely be removed:
+	terminal_use_console($1)
 ')
 
 define(`logging_send_system_log_message_depend',`
-type syslogd_t, devlog_t;
-class sock_file { ioctl read getattr lock write append };
-class unix_dgram_socket { create read getattr write setattr append bind connect getopt setopt shutdown sendto };
-class unix_stream_socket { create read getattr write setattr append bind connect getopt setopt shutdown connectto };
+	type syslogd_t, devlog_t;
+
+	class sock_file { ioctl read getattr lock write append };
+	class unix_dgram_socket { create read getattr write setattr append bind connect getopt setopt shutdown sendto };
+	class unix_stream_socket { create read getattr write setattr append bind connect getopt setopt shutdown connectto };
 ')
 
 ########################################
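Review bot: `logging_send_system_log_message_depend` has no entry for the `lnk_file` class, although the interface contains `allow $1 devlog_t:lnk_file read;`. The requirement block lists `sock_file`, `unix_dgram_socket` and `unix_stream_socket` only, so it is incomplete for the rules it accompanies. Adding `class lnk_file read;` after the `type syslogd_t, devlog_t;` line would bring it in line with the interface body.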
@@ -72,14 +80,16 @@ class unix_stream_socket { create read getattr write setattr append bind connect
 ## </interface>
 #
 define(`logging_search_system_log_directory',`
-requires_block_template(`$0'_depend)
-files_search_system_state_data_directory($1)
-allow $1 var_log_t:dir search;
+	requires_block_template(`$0'_depend)
+
+	files_search_system_state_data_directory($1)
+	allow $1 var_log_t:dir search;
 ')
 
 define(`logging_search_system_log_directory_depend',`
-type var_log_t;
-class dir search;
+	type var_log_t;
+
+	class dir search;
 ')
 
 #######################################
@@ -87,13 +97,15 @@ class dir search;
 # logging_ignore_get_all_logs_attributes(domain)
 #
 define(`logging_ignore_get_all_logs_attributes',`
-requires_block_template(`$0'_depend)
-dontaudit $1 logfile:file getattr;
+	requires_block_template(`$0'_depend)
+
+	dontaudit $1 logfile:file getattr;
 ')
 
 define(`logging_ignore_get_all_logs_attributes_depend',`
-attribute logfile;
-class file getattr;
+	attribute logfile;
+
+	class file getattr;
 ')
 
 #######################################
@@ -101,17 +113,20 @@ class file getattr;
 # logging_append_all_logs(domain)
 #
 define(`logging_append_all_logs',`
-requires_block_template(`$0'_depend)
-files_search_system_state_data_directory($1)
-allow $1 var_log_t:dir { getattr search read };
-allow $1 logfile:file { getattr append };
+	requires_block_template(`$0'_depend)
+
+	files_search_system_state_data_directory($1)
+	allow $1 var_log_t:dir { getattr search read };
+	allow $1 logfile:file { getattr append };
 ')
 
 define(`logging_append_all_logs_depend',`
-attribute logfile;
-type var_log_t;
-class dir { getattr search read };
-class file { getattr append };
+	attribute logfile;
+
+	type var_log_t;
+
+	class dir { getattr search read };
+	class file { getattr append };
 ')
 
 #######################################
@@ -119,17 +134,20 @@ class file { getattr append };
 # logging_read_all_logs(domain)
 #
 define(`logging_read_all_logs',`
-requires_block_template(`$0'_depend)
-files_search_system_state_data_directory($1)
-allow $1 var_log_t:dir { getattr search read };
-allow $1 logfile:file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	files_search_system_state_data_directory($1)
+	allow $1 var_log_t:dir { getattr search read };
+	allow $1 logfile:file { getattr read };
 ')
 
 define(`logging_read_all_logs_depend',`
-attribute logfile;
-type var_log_t;
-class dir { getattr search read };
-class file { getattr read };
+	attribute logfile;
+
+	type var_log_t;
+
+	class dir { getattr search read };
+	class file { getattr read };
 ')
 
 #######################################
@@ -137,16 +155,18 @@ class file { getattr read };
 # logging_read_system_logs(domain)
 #
 define(`logging_read_system_logs',`
-requires_block_template(`$0'_depend)
-files_search_system_state_data_directory($1)
-allow $1 var_log_t:dir { getattr search read };
-allow $1 var_log_t:file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	files_search_system_state_data_directory($1)
+	allow $1 var_log_t:dir { getattr search read };
+	allow $1 var_log_t:file { getattr read };
 ')
 
 define(`logging_read_system_logs_depend',`
-type var_log_t;
-class dir { getattr search read };
-class file { getattr read };
+	type var_log_t;
+
+	class dir { getattr search read };
+	class file { getattr read };
 ')
 
 #######################################
@@ -154,16 +174,18 @@ class file { getattr read };
 # logging_write_system_logs(domain)
 #
 define(`logging_write_system_logs',`
-requires_block_template(`$0'_depend)
-files_search_system_state_data_directory($1)
-allow $1 var_log_t:dir { getattr search read };
-allow $1 var_log_t:file { getattr write };
+	requires_block_template(`$0'_depend)
+
+	files_search_system_state_data_directory($1)
+	allow $1 var_log_t:dir { getattr search read };
+	allow $1 var_log_t:file { getattr write };
 ')
 
 define(`logging_write_system_logs_depend',`
-type var_log_t;
-class dir { getattr search read };
-class file { getattr write };
+	type var_log_t;
+
+	class dir { getattr search read };
+	class file { getattr write };
 ')
 
 #######################################
@@ -171,16 +193,18 @@ class file { getattr write };
 # logging_modify_system_logs(domain)
 #
 define(`logging_modify_system_logs',`
-requires_block_template(`$0'_depend)
-files_search_system_state_data_directory($1)
-allow $1 var_log_t:dir { getattr search read };
-allow $1 var_log_t:file { getattr read write append };
+	requires_block_template(`$0'_depend)
+
+	files_search_system_state_data_directory($1)
+	allow $1 var_log_t:dir { getattr search read };
+	allow $1 var_log_t:file { getattr read write append };
 ')
 
 define(`logging_modify_system_logs_depend',`
-type var_log_t;
-class dir { getattr search read };
-class file { getattr read write append };
+	type var_log_t;
+
+	class dir { getattr search read };
+	class file { getattr read write append };
 ')
 
 ## </module>
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index e6caf7560..fdbb76c77 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -157,28 +157,28 @@ allow syslogd_t self:capability net_admin;
 allow syslogd_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read };
 
 ifdef(`klogd.te', `', `
-# Allow access to /proc/kmsg for syslog-ng
-kernel_read_messages(syslogd_t)
-kernel_clear_ring_buffer(syslogd_t)
-kernel_change_ring_buffer_level(syslogd_t)
+	# Allow access to /proc/kmsg for syslog-ng
+	kernel_read_messages(syslogd_t)
+	kernel_clear_ring_buffer(syslogd_t)
+	kernel_change_ring_buffer_level(syslogd_t)
 ')
 
 tunable_policy(`targeted_policy', `
-terminal_ignore_use_general_physical_terminal(syslogd_t)
-terminal_ignore_use_general_pseudoterminal(syslogd_t)
-files_ignore_read_rootfs_file(syslogd_t)
+	terminal_ignore_use_general_physical_terminal(syslogd_t)
+	terminal_ignore_use_general_pseudoterminal(syslogd_t)
+	files_ignore_read_rootfs_file(syslogd_t)
 ')
 
 optional_policy(`selinux.te',`
-selinux_newrole_sigchld(syslogd_t)
+	selinux_newrole_sigchld(syslogd_t)
 ')
 
 optional_policy(`udev.te', `
-udev_read_database(syslogd_t)
+	udev_read_database(syslogd_t)
 ')
 
 optional_policy(`cron.te',`
-cron_modify_log(syslogd_t)
+	cron_modify_log(syslogd_t)
 ')
 
 ifdef(`TODO',`
@@ -186,17 +186,17 @@ allow syslogd_t proc_t:lnk_file read;
 allow syslogd_t autofs_t:dir { search getattr };
 dontaudit syslogd_t sysadm_home_dir_t:dir search;
 optional_policy(`rhgb.te', `
-allow syslogd_t rhgb_t:process sigchld;
-allow syslogd_t rhgb_t:fd use;
-allow syslogd_t rhgb_t:fifo_file { read write };
+	allow syslogd_t rhgb_t:process sigchld;
+	allow syslogd_t rhgb_t:fd use;
+	allow syslogd_t rhgb_t:fifo_file { read write };
 ')
 tunable_policy(`direct_sysadm_daemon',`
-dontaudit syslogd_t admin_tty_type:chr_file rw_file_perms;
+	dontaudit syslogd_t admin_tty_type:chr_file rw_file_perms;
 ')
 
 tunable_policy(`distro_suse', `
-# suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel
-file_type_auto_trans(syslogd_t, var_lib_t, devlog_t, sock_file)
+	# suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel
+	file_type_auto_trans(syslogd_t, var_lib_t, devlog_t, sock_file)
 ')
 
 # can_network is for the UDP socket
@@ -206,12 +206,12 @@ can_ypbind(syslogd_t)
 allow syslogd_t xconsole_device_t:fifo_file { ioctl read write };
 
 ifdef(`crond.te', `
-# for daemon re-start
-allow system_crond_t syslogd_t:lnk_file read;
+	# for daemon re-start
+	allow system_crond_t syslogd_t:lnk_file read;
 ')
 
 ifdef(`logrotate.te', `
-allow logrotate_t syslogd_exec_t:file r_file_perms;
+	allow logrotate_t syslogd_exec_t:file r_file_perms;
 ')
 
 #
diff --git a/refpolicy/policy/modules/system/lvm.if b/refpolicy/policy/modules/system/lvm.if
index 109a167d3..1c7c822e1 100644
--- a/refpolicy/policy/modules/system/lvm.if
+++ b/refpolicy/policy/modules/system/lvm.if
@@ -13,23 +13,26 @@
 ## </interface>
 #
 define(`lvm_transition',`
-requires_block_template(`$0'_depend)
-allow $1 lvm_exec_t:file { getattr read execute };
-allow $1 lvm_t:process transition;
-type_transition $1 lvm_exec_t:process lvm_t;
-dontaudit $1 lvm_t:process { noatsecure siginh rlimitinh };
-allow $1 lvm_t:fd use;
-allow lvm_t $1:fd use;
-allow lvm_t $1:fifo_file rw_file_perms;
-allow lvm_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 lvm_exec_t:file { getattr read execute };
+	allow $1 lvm_t:process transition;
+	type_transition $1 lvm_exec_t:process lvm_t;
+	dontaudit $1 lvm_t:process { noatsecure siginh rlimitinh };
+
+	allow $1 lvm_t:fd use;
+	allow lvm_t $1:fd use;
+	allow lvm_t $1:fifo_file rw_file_perms;
+	allow lvm_t $1:process sigchld;
 ')
 
 define(`lvm_transition_depend',`
-type lvm_t, lvm_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+	type lvm_t, lvm_exec_t;
+
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh sigchld };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')
 
 ########################################
@@ -50,15 +53,17 @@ class fifo_file rw_file_perms;
 ## </interface>
 #
 define(`lvm_transition_add_role_use_terminal',`
-requires_block_template(`$0'_depend)
-lvm_transition($1)
-role $2 types lvm_t;
-allow lvm_t $3:chr_file { getattr read write ioctl };
+	requires_block_template(`$0'_depend)
+
+	lvm_transition($1)
+	role $2 types lvm_t;
+	allow lvm_t $3:chr_file { getattr read write ioctl };
 ')
 
 define(`lvm_transition_add_role_use_terminal_depend',`
-type lvm_t;
-class chr_file { getattr read write ioctl };
+	type lvm_t;
+
+	class chr_file { getattr read write ioctl };
 ')
 
 ########################################
@@ -73,14 +78,16 @@ class chr_file { getattr read write ioctl };
 ## </interface>
 #
 define(`lvm_read_config',`
-requires_block_template(`$0'_depend)
-allow $1 lvm_etc_t:dir { getattr search read };
-allow $1 lvm_etc_t:file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	allow $1 lvm_etc_t:dir { getattr search read };
+	allow $1 lvm_etc_t:file { getattr read };
 ')
 
 define(`lvm_read_config_depend',`
-type lvm_t, lvm_exec_t;
-class file { getattr read };
+	type lvm_t, lvm_exec_t;
+
+	class file { getattr read };
 ')
 
 ## </module>
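Review bot: `lvm_read_config_depend` does not match the rules in `lvm_read_config`: the interface only references `lvm_etc_t` (on `dir` and `file`), but the block declares `type lvm_t, lvm_exec_t;` and has no `dir` class. It looks copied from `lvm_transition_depend`. The block should read `type lvm_etc_t;`, `class dir { getattr search read };` and `class file { getattr read };` so that the declared requirements are the ones the interface needs.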
diff --git a/refpolicy/policy/modules/system/lvm.te b/refpolicy/policy/modules/system/lvm.te
index da45c58c9..00e3ac961 100644
--- a/refpolicy/policy/modules/system/lvm.te
+++ b/refpolicy/policy/modules/system/lvm.te
@@ -169,17 +169,17 @@ allow lvm_t device_t:lnk_file { relabelfrom relabelto };
 dontaudit lvm_t var_run_t:dir getattr;
 
 optional_policy(`gnome-pty-helper.te', `
-allow lvm_t sysadm_gph_t:fd use;
+	allow lvm_t sysadm_gph_t:fd use;
 ')
 
 optional_policy(`gpm.te', `
-dontaudit lvm_t gpmctl_t:sock_file getattr;
+	dontaudit lvm_t gpmctl_t:sock_file getattr;
 ')
 
 optional_policy(`rhgb.te', `
-allow $1_t rhgb_t:process sigchld;
-allow $1_t rhgb_t:fd use;
-allow $1_t rhgb_t:fifo_file { read write };
+	allow $1_t rhgb_t:process sigchld;
+	allow $1_t rhgb_t:fd use;
+	allow $1_t rhgb_t:fifo_file { read write };
 ')
 
 ') dnl end TODO
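Review bot: The three `rhgb_t` rules in the `optional_policy(`rhgb.te', …)` block use `$1_t` as the source type, but this is `lvm.te`, not a macro body, so no `$1` argument is visibly bound here; the neighbouring blocks in the same hunk use `lvm_t`. The rules presumably were pasted from a per-domain macro and should read `allow lvm_t rhgb_t:process sigchld;`, `allow lvm_t rhgb_t:fd use;` and `allow lvm_t rhgb_t:fifo_file { read write };`. The hunk closes an `ifdef(`TODO', …)` that opens outside it, so these lines may not be compiled today, but they will misbehave once that section is enabled.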
diff --git a/refpolicy/policy/modules/system/miscfiles.if b/refpolicy/policy/modules/system/miscfiles.if
index 668c50722..63c6501ff 100644
--- a/refpolicy/policy/modules/system/miscfiles.if
+++ b/refpolicy/policy/modules/system/miscfiles.if
@@ -4,16 +4,18 @@
 # miscfiles_manage_man_page_cache(domain)
 #
 define(`miscfiles_manage_man_page_cache',`
-requires_block_template(`$0'_depend)
-# FIXME: search var_t dir
-allow $1 catman_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
-allow $1 catman_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+	requires_block_template(`$0'_depend)
+
+	# FIXME: search var_t dir
+	allow $1 catman_t:dir create_dir_perms;
+	allow $1 catman_t:file create_file_perms;
 ')
 
 define(`miscfiles_manage_man_page_cache_depend',`
-type catman_t;
-class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
-class file { create ioctl read getattr lock write setattr append link unlink rename };
+	type catman_t;
+
+	class dir create_dir_perms;
+	class file create_file_perms;
 ')
 
 ########################################
@@ -21,18 +23,20 @@ class file { create ioctl read getattr lock write setattr append link unlink ren
 # miscfiles_read_fonts(domain)
 #
 define(`miscfiles_read_fonts',`
-requires_block_template(`$0'_depend)
-# FIXME: search usr_t dir
-# FIXME: search lib_t dir
-# cjp: fonts can be in either of the above dirs
-allow $1 fonts_t:dir { getattr read search };
-allow $1 fonts_t:file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	# FIXME: search usr_t dir
+	# FIXME: search lib_t dir
+	# cjp: fonts can be in either of the above dirs
+	allow $1 fonts_t:dir { getattr read search };
+	allow $1 fonts_t:file { getattr read };
 ')
 
 define(`miscfiles_read_fonts_depend',`
-type fonts_t;
-class dir { getattr read search };
-class file { getattr read };
+	type fonts_t;
+
+	class dir { getattr read search };
+	class file { getattr read };
 ')
 
 ########################################
@@ -40,23 +44,24 @@ class file { getattr read };
 # miscfiles_read_localization(domain)
 #
 define(`miscfiles_read_localization',`
-requires_block_template(`$0'_depend)
-# FIXME: $1 read etc_t:lnk_file here
-# FIXME: $1 search usr_t:dir here
+	requires_block_template(`$0'_depend)
 
-# why?
-libraries_read_library_resources($1)
+	# FIXME: $1 read etc_t:lnk_file here
+	# FIXME: $1 search usr_t:dir here
+	allow $1 locale_t:dir { getattr read search };
+	allow $1 locale_t:lnk_file { getattr read };
+	allow $1 locale_t:file { getattr read };
 
-allow $1 locale_t:dir { getattr read search };
-allow $1 locale_t:lnk_file { getattr read };
-allow $1 locale_t:file { getattr read };
+	# why?
+	libraries_read_library_resources($1)
 ')
 
 define(`miscfiles_read_localization_depend',`
-type locale_t;
-class dir { getattr read search };
-class lnk_file { getattr read };
-class file { getattr read };
+	type locale_t;
+
+	class dir { getattr read search };
+	class lnk_file { getattr read };
+	class file { getattr read };
 ')
 
 ########################################
@@ -64,14 +69,16 @@ class file { getattr read };
 # miscfiles_legacy_read_localization(domain)
 #
 define(`miscfiles_legacy_read_localization',`
-requires_block_template(`$0'_depend)
-miscfiles_read_localization($1)
-allow $1 locale_t:file execute;
+	requires_block_template(`$0'_depend)
+
+	miscfiles_read_localization($1)
+	allow $1 locale_t:file execute;
 ')
 
 define(`miscfiles_read_localization_depend',`
-type locale_t;
-class file execute;
+	type locale_t;
+
+	class file execute;
 ')
 
 ########################################
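Review bot: The requirement block that follows `miscfiles_legacy_read_localization` is defined under the name `miscfiles_read_localization_depend`, which is already the name of the block belonging to `miscfiles_read_localization` earlier in this file. In m4 the second `define` replaces the first, so the non-legacy interface would end up with only `class file execute`, and `` `$0'_depend `` in the legacy interface resolves to `miscfiles_legacy_read_localization_depend`, which nothing defines. The header should be ``define(`miscfiles_legacy_read_localization_depend',` ``.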
@@ -79,16 +86,18 @@ class file execute;
 # miscfiles_read_man_pages(domain)
 #
 define(`miscfiles_read_man_pages',`
-requires_block_template(`$0'_depend)
-# FIXME: search usr_t dir
-allow $1 man_t:dir { getattr read search };
-allow $1 man_t:file { getattr read };
-allow $1 man_t:lnk_file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	# FIXME: search usr_t dir
+	allow $1 man_t:dir { getattr read search };
+	allow $1 man_t:file { getattr read };
+	allow $1 man_t:lnk_file { getattr read };
 ')
 
 define(`miscfiles_read_man_pages_depend',`
-type man_t;
-class dir { getattr read search };
-class file { getattr read };
-class lnk_file { getattr read };
+	type man_t;
+
+	class dir { getattr read search };
+	class file { getattr read };
+	class lnk_file { getattr read };
 ')
diff --git a/refpolicy/policy/modules/system/modutils.if b/refpolicy/policy/modules/system/modutils.if
index f806b880b..d33871f01 100644
--- a/refpolicy/policy/modules/system/modutils.if
+++ b/refpolicy/policy/modules/system/modutils.if
@@ -13,15 +13,17 @@
 ## </interface>
 #
 define(`modutils_read_kernel_module_dependencies',`
-requires_block_template(`$0'_depend)
-bootloader_list_kernel_modules($1)
-allow $1 modules_dep_t:file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	bootloader_list_kernel_modules($1)
+	allow $1 modules_dep_t:file { getattr read };
 ')
 
 define(`modutils_read_kernel_module_dependencies_depend',`
-type modules_dep_t;
-class file { getattr create read write setattr unlink };
-class dir { search read write add_name remove_name };
+	type modules_dep_t;
+
+	class file { getattr create read write setattr unlink };
+	class dir { search read write add_name remove_name };
 ')
 
 ########################################
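Review bot: `modutils_read_kernel_module_dependencies_depend` declares far more than the interface uses: the only rule is `allow $1 modules_dep_t:file { getattr read };`, yet the block lists `class file { getattr create read write setattr unlink }` and a `class dir { search read write add_name remove_name }` that no rule here touches. The same over-broad `class file` line appears in `modutils_read_kernel_module_loading_config_depend` in the next hunk. A requirement block that mirrors the rules, `class file { getattr read };` with the `dir` line dropped, keeps a read-only interface from looking like it needs write and unlink when the policy is audited.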
@@ -37,13 +39,15 @@ class dir { search read write add_name remove_name };
 ## </interface>
 #
 define(`modutils_read_kernel_module_loading_config',`
-requires_block_template(`$0'_depend)
-allow $1 modules_conf_t:file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	allow $1 modules_conf_t:file { getattr read };
 ')
 
 define(`modutils_read_kernel_module_loading_config_depend',`
-type modules_conf_t;
-class file { getattr create read write setattr unlink };
+	type modules_conf_t;
+
+	class file { getattr create read write setattr unlink };
 ')
 
 ########################################
@@ -59,23 +63,26 @@ class file { getattr create read write setattr unlink };
 ## </interface>
 #
 define(`modutils_insmod_transition',`
-requires_block_template(`$0'_depend)
-allow $1 insmod_exec_t:file { getattr read execute };
-allow $1 insmod_t:process transition;
-type_transition $1 insmod_exec_t:process insmod_t;
-dontaudit $1 insmod_t:process { noatsecure siginh rlimitinh };
-allow $1 insmod_t:fd use;
-allow insmod_t $1:fd use;
-allow insmod_t $1:fifo_file rw_file_perms;
-allow insmod_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 insmod_exec_t:file { getattr read execute };
+	allow $1 insmod_t:process transition;
+	type_transition $1 insmod_exec_t:process insmod_t;
+	dontaudit $1 insmod_t:process { noatsecure siginh rlimitinh };
+
+	allow $1 insmod_t:fd use;
+	allow insmod_t $1:fd use;
+	allow insmod_t $1:fifo_file rw_file_perms;
+	allow insmod_t $1:process sigchld;
 ')
 
 define(`modutils_insmod_transition_depend',`
-type insmod_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+	type insmod_t;
+
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh sigchld };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')
 
 ########################################
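Review bot: `modutils_insmod_transition_depend` declares only `type insmod_t;`, although the interface body references `insmod_exec_t` in its `allow` and `type_transition` rules. It should read `type insmod_t, insmod_exec_t;`, the same correction this commit applies to `selinux_restorecon_transition_depend`. The same gap is in `modutils_insmod_execute_depend`, `modutils_depmod_transition_depend`, `modutils_depmod_execute_depend`, `modutils_update_modules_transition_depend` and `modutils_update_modules_execute_depend`: each names only the domain type while its interface uses the matching `*_exec_t`. The three execute variants never reference the domain type, so declaring just the `*_exec_t` type would be enough there.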
@@ -99,15 +106,17 @@ class fifo_file rw_file_perms;
 ## </interface>
 #
 define(`modutils_insmod_transition_add_role_use_terminal',`
-requires_block_template(`$0'_depend)
-modutils_insmod_transition($1)
-role $2 types insmod_t;
-allow insmod_t $3:chr_file { getattr read write ioctl };
+	requires_block_template(`$0'_depend)
+
+	modutils_insmod_transition($1)
+	role $2 types insmod_t;
+	allow insmod_t $3:chr_file { getattr read write ioctl };
 ')
 
 define(`modutils_insmod_transition_add_role_use_terminal_depend',`
-type insmod_t;
-class chr_file { getattr read write ioctl };
+	type insmod_t;
+
+	class chr_file { getattr read write ioctl };
 ')
 
 ########################################
@@ -115,13 +124,15 @@ class chr_file { getattr read write ioctl };
 # modutils_insmod_execute(domain)
 #
 define(`modutils_insmod_execute',`
-requires_block_template(`$0'_depend)
-allow $1 insmod_exec_t:file { getattr read execute execute_no_trans };
+	requires_block_template(`$0'_depend)
+
+	allow $1 insmod_exec_t:file { getattr read execute execute_no_trans };
 ')
 
 define(`modutils_insmod_execute_depend',`
-type insmod_t;
-class file { getattr read execute execute_no_trans };
+	type insmod_t;
+
+	class file { getattr read execute execute_no_trans };
 ')
 
 ########################################
@@ -136,23 +147,26 @@ class file { getattr read execute execute_no_trans };
 ## </interface>
 #
 define(`modutils_depmod_transition',`
-requires_block_template(`$0'_depend)
-allow $1 depmod_exec_t:file { getattr read execute };
-allow $1 depmod_t:process transition;
-type_transition $1 depmod_exec_t:process depmod_t;
-dontaudit $1 depmod_t:process { noatsecure siginh rlimitinh };
-allow $1 depmod_t:fd use;
-allow depmod_t $1:fd use;
-allow depmod_t $1:fifo_file rw_file_perms;
-allow depmod_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 depmod_exec_t:file { getattr read execute };
+	allow $1 depmod_t:process transition;
+	type_transition $1 depmod_exec_t:process depmod_t;
+	dontaudit $1 depmod_t:process { noatsecure siginh rlimitinh };
+
+	allow $1 depmod_t:fd use;
+	allow depmod_t $1:fd use;
+	allow depmod_t $1:fifo_file rw_file_perms;
+	allow depmod_t $1:process sigchld;
 ')
 
 define(`modutils_depmod_transition_depend',`
-type depmod_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+	type depmod_t;
+
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh sigchld };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')
 
 ########################################
@@ -173,15 +187,17 @@ class fifo_file rw_file_perms;
 ## </interface>
 #
 define(`modutils_depmod_transition_add_role_use_terminal',`
-requires_block_template(`$0'_depend)
-modutils_depmod_transition($1)
-role $2 types insmod_t;
-allow insmod_t $3:chr_file { getattr read write ioctl };
+	requires_block_template(`$0'_depend)
+
+	modutils_depmod_transition($1)
+	role $2 types insmod_t;
+	allow insmod_t $3:chr_file { getattr read write ioctl };
 ')
 
 define(`modutils_depmod_transition_add_role_use_terminal_depend',`
-type depmod_t;
-class chr_file { getattr read write ioctl };
+	type depmod_t;
+
+	class chr_file { getattr read write ioctl };
 ')
 
 ########################################
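Review bot: `modutils_depmod_transition_add_role_use_terminal` adds `insmod_t` to the role and grants terminal access to `insmod_t`, although it transitions to `depmod_t` and its depend block declares `depmod_t`. This looks like a copy-paste from the insmod interface that the re-indent carried over unchanged. As written, a caller that only asks for depmod gets `insmod_t` (presumably the module-loading domain) added to its role and given the terminal, while `depmod_t` gets neither. The two lines should be `role $2 types depmod_t;` and `allow depmod_t $3:chr_file { getattr read write ioctl };`.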
@@ -189,13 +205,15 @@ class chr_file { getattr read write ioctl };
 # modutils_depmod_execute(domain)
 #
 define(`modutils_depmod_execute',`
-requires_block_template(`$0'_depend)
-allow $1 depmod_exec_t:file { getattr read execute execute_no_trans };
+	requires_block_template(`$0'_depend)
+
+	allow $1 depmod_exec_t:file { getattr read execute execute_no_trans };
 ')
 
 define(`modutils_depmod_execute_depend',`
-type depmod_t;
-class file { getattr read execute execute_no_trans };
+	type depmod_t;
+
+	class file { getattr read execute execute_no_trans };
 ')
 
 ########################################
@@ -210,23 +228,26 @@ class file { getattr read execute execute_no_trans };
 ## </interface>
 #
 define(`modutils_update_modules_transition',`
-requires_block_template(`$0'_depend)
-allow $1 update_modules_exec_t:file { getattr read execute };
-allow $1 update_modules_t:process transition;
-type_transition $1 update_modules_exec_t:process update_modules_t;
-dontaudit $1 update_modules_t:process { noatsecure siginh rlimitinh };
-allow $1 update_modules_t:fd use;
-allow update_modules_t $1:fd use;
-allow update_modules_t $1:fifo_file rw_file_perms;
-allow update_modules_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 update_modules_exec_t:file { getattr read execute };
+	allow $1 update_modules_t:process transition;
+	type_transition $1 update_modules_exec_t:process update_modules_t;
+	dontaudit $1 update_modules_t:process { noatsecure siginh rlimitinh };
+
+	allow $1 update_modules_t:fd use;
+	allow update_modules_t $1:fd use;
+	allow update_modules_t $1:fifo_file rw_file_perms;
+	allow update_modules_t $1:process sigchld;
 ')
 
 define(`modutils_update_modules_transition_depend',`
-type update_modules_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh signal };
-class fd use;
-class fifo_file rw_file_perms;
+	type update_modules_t;
+
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh signal };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')
 
 ########################################
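Review bot: `modutils_update_modules_transition_depend` lists `signal` in `class process`, but the interface body uses `sigchld` (`allow update_modules_t $1:process sigchld;`) and never uses `signal`. The permission that is actually granted is therefore not declared. The sibling `*_transition_depend` blocks in this diff all list `sigchld` in that position, so the line should be `class process { transition noatsecure siginh rlimitinh sigchld };`.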
@@ -247,15 +268,17 @@ class fifo_file rw_file_perms;
 ## </interface>
 #
 define(`modutils_update_modules_transition_add_role_use_terminal',`
-requires_block_template(`$0'_depend)
-modutils_update_modules_transition($1)
-role $2 types update_modules_t;
-allow update_modules_t $3:chr_file { getattr read write ioctl };
+	requires_block_template(`$0'_depend)
+
+	modutils_update_modules_transition($1)
+	role $2 types update_modules_t;
+	allow update_modules_t $3:chr_file { getattr read write ioctl };
 ')
 
 define(`modutils_update_modules_transition_add_role_use_terminal_depend',`
-type update_modules_t;
-class chr_file { getattr read write ioctl };
+	type update_modules_t;
+
+	class chr_file { getattr read write ioctl };
 ')
 
 ########################################
@@ -263,13 +286,15 @@ class chr_file { getattr read write ioctl };
 # modutils_update_modules_execute(domain)
 #
 define(`modutils_update_modules_execute',`
-requires_block_template(`$0'_depend)
-allow $1 update_modules_exec_t:file { getattr read execute execute_no_trans };
+	requires_block_template(`$0'_depend)
+
+	allow $1 update_modules_exec_t:file { getattr read execute execute_no_trans };
 ')
 
 define(`modutils_update_modules_execute_depend',`
-type update_modules_t;
-class file { getattr read execute execute_no_trans };
+	type update_modules_t;
+
+	class file { getattr read execute execute_no_trans };
 ')
 
 ## </module>
diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te
index 514f9f084..1c63c5bc3 100644
--- a/refpolicy/policy/modules/system/modutils.te
+++ b/refpolicy/policy/modules/system/modutils.te
@@ -98,7 +98,7 @@ logging_search_system_log_directory(insmod_t)
 miscfiles_read_localization(insmod_t)
 
 optional_policy(`mount.te',`
-mount_transition(insmod_t)
+	mount_transition(insmod_t)
 ')
 
 ifdef(`TODO',`
@@ -108,7 +108,7 @@ allow insmod_t apm_bios_t:chr_file { read write };
 allow insmod_t sound_device_t:chr_file { read ioctl write };
 
 ifdef(`xserver.te', `
-allow insmod_t xserver_log_t:file getattr;
+	allow insmod_t xserver_log_t:file getattr;
 ')
 
 # why is this needed?  insmod cannot mounton any dir
diff --git a/refpolicy/policy/modules/system/mount.if b/refpolicy/policy/modules/system/mount.if
index cff5537eb..413bc8b34 100644
--- a/refpolicy/policy/modules/system/mount.if
+++ b/refpolicy/policy/modules/system/mount.if
@@ -13,23 +13,26 @@
 ## </interface>
 #
 define(`mount_transition',`
-requires_block_template(`$0'_depend)
-allow $1 mount_exec_t:file { getattr read execute };
-allow $1 mount_t:process transition;
-type_transition $1 mount_exec_t:process mount_t;
-dontaudit $1 mount_t:process { noatsecure siginh rlimitinh };
-allow $1 mount_t:fd use;
-allow mount_t $1:fd use;
-allow mount_t $1:fifo_file rw_file_perms;
-allow mount_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 mount_exec_t:file { getattr read execute };
+	allow $1 mount_t:process transition;
+	type_transition $1 mount_exec_t:process mount_t;
+	dontaudit $1 mount_t:process { noatsecure siginh rlimitinh };
+
+	allow $1 mount_t:fd use;
+	allow mount_t $1:fd use;
+	allow mount_t $1:fifo_file rw_file_perms;
+	allow mount_t $1:process sigchld;
 ')
 
 define(`mount_transition_depend',`
-type mount_t, mount_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+	type mount_t, mount_exec_t;
+
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh sigchld };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')
 
 ########################################
@@ -52,15 +55,17 @@ class fifo_file rw_file_perms;
 ## </interface>
 #
 define(`mount_transition_add_role_use_terminal',`
-requires_block_template(`$0'_depend)
-mount_transition($1)
-role $2 types mount_t;
-allow mount_t $3:chr_file { getattr read write ioctl };
+	requires_block_template(`$0'_depend)
+
+	mount_transition($1)
+	role $2 types mount_t;
+	allow mount_t $3:chr_file { getattr read write ioctl };
 ')
 
 define(`mount_transition_add_role_use_terminal_depend',`
-type mount_t;
-class chr_file { getattr read write ioctl };
+	type mount_t;
+
+	class chr_file { getattr read write ioctl };
 ')
 
 #######################################
@@ -68,13 +73,15 @@ class chr_file { getattr read write ioctl };
 # mount_use_file_descriptors(domain)
 #
 define(`mount_use_file_descriptors',`
-requires_block_template(`$0'_depend)
-allow $1 mount_t:fd use; 
+	requires_block_template(`$0'_depend)
+
+	allow $1 mount_t:fd use; 
 ')
 
 define(`mount_use_file_descriptors_depend',`
-type mount_t;
-class fd use;
+	type mount_t;
+
+	class fd use;
 ')
 
 #######################################
@@ -82,13 +89,15 @@ class fd use;
 # mount_send_nfs_client_request(domain)
 #
 define(`mount_send_nfs_client_request',`
-requires_block_template(`$0'_depend)
-allow $1 mount_t:udp_socket ioctl read getattr write setattr append bind connect getopt setopt shutdown;
+	requires_block_template(`$0'_depend)
+
+	allow $1 mount_t:udp_socket ioctl read getattr write setattr append bind connect getopt setopt shutdown;
 ')
 
 define(`mount_send_nfs_client_request_depend',`
-type mount_t;
-class udp_socket { ioctl read getattr write setattr append bind connect getopt setopt shutdown };
+	type mount_t;
+
+	class udp_socket { ioctl read getattr write setattr append bind connect getopt setopt shutdown };
 ')
 
 ## </module>
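Review bot: In `mount_send_nfs_client_request` the `allow` rule lists eleven `udp_socket` permissions without braces, which I would expect the policy compiler to reject once the interface is expanded. A permission set with more than one member needs `{ }`, as the depend block directly below already writes it. Suggested line: `allow $1 mount_t:udp_socket { ioctl read getattr write setattr append bind connect getopt setopt shutdown };`. Separately, the set is wide for an interface named for sending a request, so a comment stating why `bind`, `setattr` and `setopt` are required would help a later least-privilege audit.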
diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te
index b9a36f608..7cf53908e 100644
--- a/refpolicy/policy/modules/system/mount.te
+++ b/refpolicy/policy/modules/system/mount.te
@@ -69,37 +69,36 @@ miscfiles_read_localization(mount_t)
 userdomain_use_all_users_file_descriptors(mount_t)
 
 tunable_policy(`distro_redhat',`
-filesystem_use_tmpfs_character_devices(mount_t)
-allow mount_t tmpfs_t:dir mounton;
+	filesystem_use_tmpfs_character_devices(mount_t)
+	allow mount_t tmpfs_t:dir mounton;
 
-optional_policy(`authlogin.te',`
-authlogin_pam_console_read_runtime_data(mount_t)
-# mount config by default sets fscontext=removable_t
-filesystem_relabelfrom_dos_filesystem(mount_t)
-') dnl end authlogin
-
-') dnl end distro_redhat
+	optional_policy(`authlogin.te',`
+		authlogin_pam_console_read_runtime_data(mount_t)
+		# mount config by default sets fscontext=removable_t
+		filesystem_relabelfrom_dos_filesystem(mount_t)
+	')
+')
 
 optional_policy(`portmap.te', `
-# for nfs
-#can_ypbind(mount_t)
-#allow portmap_t mount_t:udp_socket { sendto recvfrom };
-#allow mount_t portmap_t:udp_socket { sendto recvfrom };
-#allow mount_t rpc_pipefs_t:dir search;
-corenetwork_sendrecv_tcp_on_all_interfaces(mount_t)
-corenetwork_sendrecv_raw_on_all_interfaces(mount_t)
-corenetwork_sendrecv_udp_on_all_interfaces(mount_t)
-corenetwork_sendrecv_tcp_on_all_nodes(mount_t)
-corenetwork_sendrecv_raw_on_all_nodes(mount_t)
-corenetwork_sendrecv_udp_on_all_nodes(mount_t)
-corenetwork_sendrecv_tcp_on_all_ports(mount_t)
-corenetwork_sendrecv_udp_on_all_ports(mount_t)
-corenetwork_bind_tcp_on_all_nodes(mount_t)
-corenetwork_bind_udp_on_all_nodes(mount_t)
-corenetwork_bind_tcp_on_general_port(mount_t)
-corenetwork_bind_udp_on_general_port(mount_t)
-corenetwork_bind_tcp_on_reserved_port(mount_t)
-corenetwork_bind_udp_on_reserved_port(mount_t)
+	# for nfs
+	#can_ypbind(mount_t)
+	#allow portmap_t mount_t:udp_socket { sendto recvfrom };
+	#allow mount_t portmap_t:udp_socket { sendto recvfrom };
+	#allow mount_t rpc_pipefs_t:dir search;
+	corenetwork_sendrecv_tcp_on_all_interfaces(mount_t)
+	corenetwork_sendrecv_raw_on_all_interfaces(mount_t)
+	corenetwork_sendrecv_udp_on_all_interfaces(mount_t)
+	corenetwork_sendrecv_tcp_on_all_nodes(mount_t)
+	corenetwork_sendrecv_raw_on_all_nodes(mount_t)
+	corenetwork_sendrecv_udp_on_all_nodes(mount_t)
+	corenetwork_sendrecv_tcp_on_all_ports(mount_t)
+	corenetwork_sendrecv_udp_on_all_ports(mount_t)
+	corenetwork_bind_tcp_on_all_nodes(mount_t)
+	corenetwork_bind_udp_on_all_nodes(mount_t)
+	corenetwork_bind_tcp_on_general_port(mount_t)
+	corenetwork_bind_udp_on_general_port(mount_t)
+	corenetwork_bind_tcp_on_reserved_port(mount_t)
+	corenetwork_bind_udp_on_reserved_port(mount_t)
 ')
 
 ifdef(`TODO',`
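Review bot: The `portmap.te` block is justified only by `# for nfs`, yet it gives `mount_t` TCP, UDP and raw send/receive on all interfaces and nodes, send/receive on all TCP and UDP ports, and bind on both general and reserved ports. That looks broader than an NFS mount should need, raw traffic in particular, though the interface definitions are outside this diff, so this is an inference. While the block is being touched, a comment such as `# FIXME: narrow to the portmap/NFS ports; confirm raw access is needed` would record the open question. The four commented-out rules should either be dropped or annotated with why they are kept.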
diff --git a/refpolicy/policy/modules/system/selinux.if b/refpolicy/policy/modules/system/selinux.if
index 39d93d251..50f71e8a6 100644
--- a/refpolicy/policy/modules/system/selinux.if
+++ b/refpolicy/policy/modules/system/selinux.if
@@ -13,23 +13,26 @@
 ## </interface>
 #
 define(`selinux_checkpolicy_transition',`
-requires_block_template(`$0'_depend)
-allow $1 checkpolicy_exec_t:file { getattr read execute };
-allow $1 checkpolicy_t:process transition;
-type_transition $1 checkpolicy_exec_t:process checkpolicy_t;
-dontaudit $1 checkpolicy_t:process { noatsecure siginh rlimitinh };
-allow $1 checkpolicy_t:fd use;
-allow checkpolicy_t $1:fd use;
-allow checkpolicy_t $1:fifo_file rw_file_perms;
-allow checkpolicy_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 checkpolicy_exec_t:file { getattr read execute };
+	allow $1 checkpolicy_t:process transition;
+	type_transition $1 checkpolicy_exec_t:process checkpolicy_t;
+	dontaudit $1 checkpolicy_t:process { noatsecure siginh rlimitinh };
+
+	allow $1 checkpolicy_t:fd use;
+	allow checkpolicy_t $1:fd use;
+	allow checkpolicy_t $1:fifo_file rw_file_perms;
+	allow checkpolicy_t $1:process sigchld;
 ')
 
 define(`selinux_checkpolicy_transition_depend',`
-type checkpolicy_t, checkpolicy_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+	type checkpolicy_t, checkpolicy_exec_t;
+
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh sigchld sigchld };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')
 
 ########################################
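Review bot: `selinux_checkpolicy_transition_depend` lists `sigchld` twice in `class process`, and the re-indent carried the duplicate over unchanged. It differs from every other `*_transition_depend` block in this file and reads like an editing slip, so the line should be `class process { transition noatsecure siginh rlimitinh sigchld };`.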
@@ -53,15 +56,17 @@ class fifo_file rw_file_perms;
 ## </interface>
 #
 define(`selinux_checkpolicy_transition_add_role_use_terminal',`
-requires_block_template(`$0'_depend)
-selinux_checkpolicy_transition($1)
-role $2 types checkpolicy_t;
-allow checkpolicy_t $3:chr_file { getattr read write ioctl };
+	requires_block_template(`$0'_depend)
+
+	selinux_checkpolicy_transition($1)
+	role $2 types checkpolicy_t;
+	allow checkpolicy_t $3:chr_file { getattr read write ioctl };
 ')
 
 define(`selinux_checkpolicy_transition_add_role_use_terminal_depend',`
-type checkpolicy_t;
-class chr_file { getattr read write ioctl };
+	type checkpolicy_t;
+
+	class chr_file { getattr read write ioctl };
 ')
 
 #######################################
@@ -69,13 +74,15 @@ class chr_file { getattr read write ioctl };
 # selinux_checkpolicy_execute(domain)
 #
 define(`selinux_checkpolicy_execute',`
-requires_block_template(`$0'_depend)
-allow $1 checkpolicy_exec_t:file { getattr read execute execute_no_trans };
+	requires_block_template(`$0'_depend)
+
+	allow $1 checkpolicy_exec_t:file { getattr read execute execute_no_trans };
 ')
 
 define(`selinux_checkpolicy_execute_depend',`
-type checkpolicy_exec_t;
-class file { getattr read execute execute_no_trans };
+	type checkpolicy_exec_t;
+
+	class file { getattr read execute execute_no_trans };
 ')
 
 #######################################
@@ -90,23 +97,26 @@ class file { getattr read execute execute_no_trans };
 ## </interface>
 #
 define(`selinux_load_policy_transition',`
-requires_block_template(`$0'_depend)
-allow $1 load_policy_exec_t:file { getattr read execute };
-allow $1 load_policy_t:process transition;
-type_transition $1 load_policy_exec_t:process load_policy_t;
-dontaudit $1 load_policy_t:process { noatsecure siginh rlimitinh };
-allow $1 load_policy_t:fd use;
-allow load_policy_t $1:fd use;
-allow load_policy_t $1:fifo_file rw_file_perms;
-allow load_policy_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 load_policy_exec_t:file { getattr read execute };
+	allow $1 load_policy_t:process transition;
+	type_transition $1 load_policy_exec_t:process load_policy_t;
+	dontaudit $1 load_policy_t:process { noatsecure siginh rlimitinh };
+
+	allow $1 load_policy_t:fd use;
+	allow load_policy_t $1:fd use;
+	allow load_policy_t $1:fifo_file rw_file_perms;
+	allow load_policy_t $1:process sigchld;
 ')
 
 define(`selinux_load_policy_transition_depend',`
-type load_policy_t, load_policy_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+	type load_policy_t, load_policy_exec_t;
+
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh sigchld };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')
 
 ########################################
@@ -130,15 +140,17 @@ class fifo_file rw_file_perms;
 ## </interface>
 #
 define(`selinux_load_policy_transition_add_role_use_terminal',`
-requires_block_template(`$0'_depend)
-selinux_load_policy_transition($1)
-role $2 types load_policy_t;
-allow load_policy_t $3:chr_file { getattr read write ioctl };
+	requires_block_template(`$0'_depend)
+
+	selinux_load_policy_transition($1)
+	role $2 types load_policy_t;
+	allow load_policy_t $3:chr_file { getattr read write ioctl };
 ')
 
 define(`selinux_load_policy_transition_add_role_use_terminal_depend',`
-type load_policy_t;
-class chr_file { getattr read write ioctl };
+	type load_policy_t;
+
+	class chr_file { getattr read write ioctl };
 ')
 
 #######################################
@@ -146,13 +158,15 @@ class chr_file { getattr read write ioctl };
 # selinux_load_policy_execute(domain)
 #
 define(`selinux_load_policy_execute',`
-requires_block_template(`$0'_depend)
-allow $1 load_policy_exec_t:file { getattr read execute execute_no_trans };
+	requires_block_template(`$0'_depend)
+
+	allow $1 load_policy_exec_t:file { getattr read execute execute_no_trans };
 ')
 
 define(`selinux_load_policy_execute_depend',`
-type load_policy_exec_t;
-class file { getattr read execute execute_no_trans };
+	type load_policy_exec_t;
+
+	class file { getattr read execute execute_no_trans };
 ')
 
 #######################################
@@ -160,13 +174,15 @@ class file { getattr read execute execute_no_trans };
 # selinux_read_load_policy_binary(domain)
 #
 define(`selinux_read_load_policy_binary',`
-requires_block_template(`$0'_depend)
-allow $1 load_policy_exec_t:file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	allow $1 load_policy_exec_t:file { getattr read };
 ')
 
 define(`selinux_read_load_policy_binary_depend',`
-type load_policy_exec_t;
-class file { getattr read };
+	type load_policy_exec_t;
+
+	class file { getattr read };
 ')
 
 #######################################
@@ -181,23 +197,26 @@ class file { getattr read };
 ## </interface>
 #
 define(`selinux_newrole_transition',`
-requires_block_template(`$0'_depend)
-allow $1 newrole_exec_t:file { getattr read execute };
-allow $1 newrole_t:process transition;
-type_transition $1 newrole_exec_t:process newrole_t;
-dontaudit $1 newrole_t:process { noatsecure siginh rlimitinh };
-allow $1 newrole_t:fd use;
-allow newrole_t $1:fd use;
-allow newrole_t $1:fifo_file rw_file_perms;
-allow newrole_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 newrole_exec_t:file { getattr read execute };
+	allow $1 newrole_t:process transition;
+	type_transition $1 newrole_exec_t:process newrole_t;
+	dontaudit $1 newrole_t:process { noatsecure siginh rlimitinh };
+
+	allow $1 newrole_t:fd use;
+	allow newrole_t $1:fd use;
+	allow newrole_t $1:fifo_file rw_file_perms;
+	allow newrole_t $1:process sigchld;
 ')
 
 define(`selinux_newrole_transition_depend',`
-type newrole_t, newrole_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+	type newrole_t, newrole_exec_t;
+
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh sigchld };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')
 
 ########################################
@@ -220,15 +239,17 @@ class fifo_file rw_file_perms;
 ## </interface>
 #
 define(`selinux_newrole_transition_add_role_use_terminal',`
-requires_block_template(`$0'_depend)
-selinux_newrole_transition($1)
-role $2 types newrole_t;
-allow newrole_t $3:chr_file { getattr read write ioctl };
+	requires_block_template(`$0'_depend)
+
+	selinux_newrole_transition($1)
+	role $2 types newrole_t;
+	allow newrole_t $3:chr_file { getattr read write ioctl };
 ')
 
 define(`selinux_newrole_transition_add_role_use_terminal_depend',`
-type newrole_t;
-class chr_file { getattr read write ioctl };
+	type newrole_t;
+
+	class chr_file { getattr read write ioctl };
 ')
 
 #######################################
@@ -236,13 +257,15 @@ class chr_file { getattr read write ioctl };
 # selinux_newrole_execute(domain)
 #
 define(`selinux_newrole_execute',`
-requires_block_template(`$0'_depend)
-allow $1 newrole_exec_t:file { getattr read execute execute_no_trans };
+	requires_block_template(`$0'_depend)
+
+	allow $1 newrole_exec_t:file { getattr read execute execute_no_trans };
 ')
 
 define(`selinux_newrole_execute_depend',`
-type newrole_t, newrole_exec_t;
-class file { getattr read execute execute_no_trans };
+	type newrole_t, newrole_exec_t;
+
+	class file { getattr read execute execute_no_trans };
 ')
 
 ########################################
@@ -258,13 +281,15 @@ class file { getattr read execute execute_no_trans };
 ## </interface>
 #
 define(`selinux_newrole_ignore_signal',`
-requires_block_template(`$0'_depend)
-dontaudit $1 newrole_t:process signal;
+	requires_block_template(`$0'_depend)
+
+	dontaudit $1 newrole_t:process signal;
 ')
 
 define(`selinux_newrole_ignore_signal_depend',`
-type newrole_t;
-class process signal;
+	type newrole_t;
+
+	class process signal;
 ')
 
 #######################################
@@ -272,13 +297,15 @@ class process signal;
 # selinux_newrole_sigchld(domain)
 #
 define(`selinux_newrole_sigchld',`
-requires_block_template(`$0'_depend)
-allow $1 newrole_t:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 newrole_t:process sigchld;
 ')
 
 define(`selinux_newrole_sigchld_depend',`
-type newrole_t;
-class process sigchld;
+	type newrole_t;
+
+	class process sigchld;
 ')
 
 #######################################
@@ -286,13 +313,15 @@ class process sigchld;
 # selinux_newrole_use_file_descriptors(domain)
 #
 define(`selinux_newrole_use_file_descriptors',`
-requires_block_template(`$0'_depend)
-allow $1 newrole_t:fd use;
+	requires_block_template(`$0'_depend)
+
+	allow $1 newrole_t:fd use;
 ')
 
 define(`selinux_newrole_use_file_descriptors_depend',`
-type newrole_t;
-class fd use;
+	type newrole_t;
+
+	class fd use;
 ')
 
 #######################################
@@ -307,23 +336,26 @@ class fd use;
 ## </interface>
 #
 define(`selinux_restorecon_transition',`
-requires_block_template(`$0'_depend)
-allow $1 restorecon_exec_t:file { getattr read execute };
-allow $1 restorecon_t:process transition;
-type_transition $1 restorecon_exec_t:process restorecon_t;
-dontaudit $1 restorecon_t:process { noatsecure siginh rlimitinh };
-allow $1 restorecon_t:fd use;
-allow restorecon_t $1:fd use;
-allow restorecon_t $1:fifo_file rw_file_perms;
-allow restorecon_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 restorecon_exec_t:file { getattr read execute };
+	allow $1 restorecon_t:process transition;
+	type_transition $1 restorecon_exec_t:process restorecon_t;
+	dontaudit $1 restorecon_t:process { noatsecure siginh rlimitinh };
+
+	allow $1 restorecon_t:fd use;
+	allow restorecon_t $1:fd use;
+	allow restorecon_t $1:fifo_file rw_file_perms;
+	allow restorecon_t $1:process sigchld;
 ')
 
 define(`selinux_restorecon_transition_depend',`
-type restorecon_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+	type restorecon_t, restorecon_exec_t;
+
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh sigchld };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')
 
 ########################################
@@ -346,15 +378,17 @@ class fifo_file rw_file_perms;
 ## </interface>
 #
 define(`selinux_restorecon_transition_add_role_use_terminal',`
-requires_block_template(`$0'_depend)
-selinux_restorecon_transition($1)
-role $2 types restorecon_t;
-allow restorecon_t $3:chr_file { getattr read write ioctl };
+	requires_block_template(`$0'_depend)
+
+	selinux_restorecon_transition($1)
+	role $2 types restorecon_t;
+	allow restorecon_t $3:chr_file { getattr read write ioctl };
 ')
 
 define(`selinux_restorecon_transition_add_role_use_terminal_depend',`
-type restorecon_t;
-class chr_file { getattr read write ioctl };
+	type restorecon_t;
+
+	class chr_file { getattr read write ioctl };
 ')
 
 #######################################
@@ -367,8 +401,9 @@ allow $1 restorecon_exec_t:file { getattr read execute execute_no_trans };
 ')
 
 define(`selinux_restorecon_execute_depend',`
-type restorecon_t, restorecon_exec_t;
-class file { getattr read execute execute_no_trans };
+	type restorecon_t, restorecon_exec_t;
+
+	class file { getattr read execute execute_no_trans };
 ')
 
 ########################################
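Review bot: The body of `selinux_restorecon_execute` appears to have been missed by the re-indent. The hunk header still shows `allow $1 restorecon_exec_t:file { getattr read execute execute_no_trans };` at column 0 and the hunk begins at the closing `')`, so only the depend block was converted. The interface starts outside this hunk, so this is inferred from the header context. For consistency with the other `*_execute` interfaces in this file, its body lines should be tab-indented with a blank line after the `requires_block_template` call.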
@@ -383,23 +418,26 @@ class file { getattr read execute execute_no_trans };
 ## </interface>
 #
 define(`selinux_run_init_transition',`
-requires_block_template(`$0'_depend)
-allow $1 run_init_exec_t:file { getattr read execute };
-allow $1 run_init_t:process transition;
-type_transition $1 run_init_exec_t:process run_init_t;
-dontaudit $1 run_init_t:process { noatsecure siginh rlimitinh };
-allow $1 run_init_t:fd use;
-allow run_init_t $1:fd use;
-allow run_init_t $1:fifo_file rw_file_perms;
-allow run_init_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 run_init_exec_t:file { getattr read execute };
+	allow $1 run_init_t:process transition;
+	type_transition $1 run_init_exec_t:process run_init_t;
+	dontaudit $1 run_init_t:process { noatsecure siginh rlimitinh };
+
+	allow $1 run_init_t:fd use;
+	allow run_init_t $1:fd use;
+	allow run_init_t $1:fifo_file rw_file_perms;
+	allow run_init_t $1:process sigchld;
 ')
 
 define(`selinux_run_init_transition_depend',`
-type run_init_t, run_init_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+	type run_init_t, run_init_exec_t;
+
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh sigchld };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')
 
 ########################################
@@ -422,15 +460,17 @@ class fifo_file rw_file_perms;
 ## </interface>
 #
 define(`selinux_run_init_transition_add_role_use_terminal',`
-requires_block_template(`$0'_depend)
-selinux_run_init_transition($1)
-role $2 types run_init_t;
-allow run_init_t $3:chr_file { getattr read write ioctl };
+	requires_block_template(`$0'_depend)
+
+	selinux_run_init_transition($1)
+	role $2 types run_init_t;
+	allow run_init_t $3:chr_file { getattr read write ioctl };
 ')
 
 define(`selinux_run_init_transition_add_role_use_terminal_depend',`
-type run_init_t;
-class chr_file { getattr read write ioctl };
+	type run_init_t;
+
+	class chr_file { getattr read write ioctl };
 ')
 
 ########################################
@@ -438,13 +478,15 @@ class chr_file { getattr read write ioctl };
 # selinux_run_init_use_file_descriptors(domain)
 #
 define(`selinux_run_init_use_file_descriptors',`
-requires_block_template(`$0'_depend)
-allow $1 run_init_t:fd use;
+	requires_block_template(`$0'_depend)
+
+	allow $1 run_init_t:fd use;
 ')
 
 define(`selinux_run_init_use_file_descriptors_depend',`
-type run_init_t;
-class fd use;
+	type run_init_t;
+
+	class fd use;
 ')
 
 ########################################
@@ -459,23 +501,26 @@ class fd use;
 ## </interface>
 #
 define(`selinux_setfiles_transition',`
-requires_block_template(`$0'_depend)
-allow $1 setfiles_exec_t:file { getattr read execute };
-allow $1 setfiles_t:process transition;
-type_transition $1 setfiles_exec_t:process setfiles_t;
-dontaudit $1 setfiles_t:process { noatsecure siginh rlimitinh };
-allow $1 setfiles_t:fd use;
-allow setfiles_t $1:fd use;
-allow setfiles_t $1:fifo_file rw_file_perms;
-allow setfiles_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 setfiles_exec_t:file { getattr read execute };
+	allow $1 setfiles_t:process transition;
+	type_transition $1 setfiles_exec_t:process setfiles_t;
+	dontaudit $1 setfiles_t:process { noatsecure siginh rlimitinh };
+
+	allow $1 setfiles_t:fd use;
+	allow setfiles_t $1:fd use;
+	allow setfiles_t $1:fifo_file rw_file_perms;
+	allow setfiles_t $1:process sigchld;
 ')
 
 define(`selinux_setfiles_transition_depend',`
-type setfiles_t, setfiles_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+	type setfiles_t, setfiles_exec_t;
+
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh sigchld };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')
 
 ########################################
@@ -498,15 +543,17 @@ class fifo_file rw_file_perms;
 ## </interface>
 #
 define(`selinux_setfiles_transition_add_role_use_terminal',`
-requires_block_template(`$0'_depend)
-selinux_setfiles_transition($1)
-role $2 types setfiles_t;
-allow setfiles_t $3:chr_file { getattr read write ioctl };
+	requires_block_template(`$0'_depend)
+
+	selinux_setfiles_transition($1)
+	role $2 types setfiles_t;
+	allow setfiles_t $3:chr_file { getattr read write ioctl };
 ')
 
 define(`selinux_setfiles_transition_add_role_use_terminal_depend',`
-type setfiles_t;
-class chr_file { getattr read write ioctl };
+	type setfiles_t;
+
+	class chr_file { getattr read write ioctl };
 ')
 
 #######################################
@@ -514,13 +561,15 @@ class chr_file { getattr read write ioctl };
 # selinux_setfiles_execute(domain)
 #
 define(`selinux_setfiles_execute',`
-requires_block_template(`$0'_depend)
-allow $1 setfiles_exec_t:file { getattr read execute execute_no_trans };
+	requires_block_template(`$0'_depend)
+
+	allow $1 setfiles_exec_t:file { getattr read execute execute_no_trans };
 ')
 
 define(`selinux_setfiles_execute_depend',`
-type setfiles_exec_t;
-class file { getattr read execute execute_no_trans };
+	type setfiles_exec_t;
+
+	class file { getattr read execute execute_no_trans };
 ')
 
 ########################################
@@ -528,15 +577,17 @@ class file { getattr read execute execute_no_trans };
 # selinux_read_config(domain)
 #
 define(`selinux_read_config',`
-requires_block_template(`$0'_depend)
-allow $1 selinux_config_t:dir { getattr search read };
-allow $1 selinux_config_t:file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	allow $1 selinux_config_t:dir { getattr search read };
+	allow $1 selinux_config_t:file { getattr read };
 ')
 
 define(`selinux_read_config_depend',`
-type selinux_config_t;
-class dir { getattr search read };
-class file { getattr read };
+	type selinux_config_t;
+
+	class dir { getattr search read };
+	class file { getattr read };
 ')
 
 ########################################
@@ -544,16 +595,18 @@ class file { getattr read };
 # selinux_read_default_contexts(domain)
 #
 define(`selinux_read_default_contexts',`
-requires_block_template(`$0'_depend)
-allow $1 selinux_config_t:dir search;
-allow $1 default_context_t:dir { getattr search read };
-allow $1 default_context_t:file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	allow $1 selinux_config_t:dir search;
+	allow $1 default_context_t:dir { getattr search read };
+	allow $1 default_context_t:file { getattr read };
 ')
 
 define(`selinux_read_default_contexts_depend',`
-type selinux_config_t, default_context_t;
-class dir { getattr search read };
-class file { getattr read };
+	type selinux_config_t, default_context_t;
+
+	class dir { getattr search read };
+	class file { getattr read };
 ')
 
 ########################################
@@ -561,16 +614,18 @@ class file { getattr read };
 # selinux_read_file_contexts(domain)
 #
 define(`selinux_read_file_contexts',`
-requires_block_template(`$0'_depend)
-allow $1 selinux_config_t:dir search;
-allow $1 file_context_t:dir { getattr search read };
-allow $1 file_context_t:file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	allow $1 selinux_config_t:dir search;
+	allow $1 file_context_t:dir { getattr search read };
+	allow $1 file_context_t:file { getattr read };
 ')
 
 define(`selinux_read_file_contexts_depend',`
-type selinux_config_t, file_context_t;
-class dir { getattr search read };
-class file { getattr read };
+	type selinux_config_t, file_context_t;
+
+	class dir { getattr search read };
+	class file { getattr read };
 ')
 
 ########################################
@@ -578,15 +633,17 @@ class file { getattr read };
 # selinux_read_binary_policy(domain)
 #
 define(`selinux_read_binary_policy',`
-requires_block_template(`$0'_depend)
-allow $1 policy_config_t:dir { getattr search read };
-allow $1 policy_config_t:file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	allow $1 policy_config_t:dir { getattr search read };
+	allow $1 policy_config_t:file { getattr read };
 ')
 
 define(`selinux_read_binary_policy_depend',`
-type policy_config_t;
-class dir { getattr search read };
-class file { getattr read };
+	type policy_config_t;
+
+	class dir { getattr search read };
+	class file { getattr read };
 ')
 
 ########################################
@@ -594,17 +651,20 @@ class file { getattr read };
 # selinux_write_binary_policy(domain)
 #
 define(`selinux_write_binary_policy',`
-requires_block_template(`$0'_depend)
-allow $1 policy_config_t:dir { getattr search read write add_name remove_name };
-allow $1 policy_config_t:file { getattr create write unlink };
-typeattribute $1 can_write_binary_policy;
+	requires_block_template(`$0'_depend)
+
+	allow $1 policy_config_t:dir { getattr search read write add_name remove_name };
+	allow $1 policy_config_t:file { getattr create write unlink };
+	typeattribute $1 can_write_binary_policy;
 ')
 
 define(`selinux_write_binary_policy_depend',`
-attribute can_write_binary_policy;
-type policy_config_t;
-class dir { getattr search read write add_name remove_name };
-class file { getattr create write unlink };
+	attribute can_write_binary_policy;
+
+	type policy_config_t;
+
+	class dir { getattr search read write add_name remove_name };
+	class file { getattr create write unlink };
 ')
 
 ########################################
@@ -619,15 +679,18 @@ class file { getattr create write unlink };
 ## </interface>
 #
 define(`selinux_relabelto_binary_policy',`
-requires_block_template(`$0'_depend)
-allow $1 policy_config_t:file relabelto;
-typeattribute $1 can_relabelto_binary_policy;
+	requires_block_template(`$0'_depend)
+
+	allow $1 policy_config_t:file relabelto;
+	typeattribute $1 can_relabelto_binary_policy;
 ')
 
 define(`selinux_relabelto_binary_policy_depend',`
-attribute can_relabelto_binary_policy;
-type policy_config_t;
-class file relabelto;
+	attribute can_relabelto_binary_policy;
+
+	type policy_config_t;
+
+	class file relabelto;
 ')
 
 ########################################
@@ -635,19 +698,21 @@ class file relabelto;
 # selinux_manage_binary_policy(domain)
 #
 define(`selinux_manage_binary_policy',`
-requires_block_template(`$0'_depend)
-# FIXME: search etc_t:dir
-allow $1 selinux_config_t:dir search;
-allow $1 policy_config_t:dir { getattr search read };
-allow $1 policy_config_t:file { create ioctl read getattr lock write setattr append link unlink rename };
-typeattribute $1 can_write_binary_policy;
+	requires_block_template(`$0'_depend)
+
+	# FIXME: search etc_t:dir
+	allow $1 selinux_config_t:dir search;
+	allow $1 policy_config_t:dir { getattr search read };
+	allow $1 policy_config_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+	typeattribute $1 can_write_binary_policy;
 ')
 
 define(`selinux_manage_binary_policy_depend',`
-attribute can_write_binary_policy;
-type selinux_config_t, policy_config_t;
-class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
-class file { create ioctl read getattr lock write setattr append link unlink rename };
+	attribute can_write_binary_policy;
+
+	type selinux_config_t, policy_config_t;
+	class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
+	class file { create ioctl read getattr lock write setattr append link unlink rename };
 ')
 
 ########################################
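Review bot: In `selinux_manage_binary_policy` the directory rule grants only `{ getattr search read }` on `policy_config_t`, while the file rule allows `create`, `unlink`, `link` and `rename` and the `_depend` block declares the full directory management set, so the two halves disagree. Creating or removing entries normally also needs `write add_name remove_name` on the containing directory, as `selinux_write_binary_policy` grants in the earlier hunk. If that is the intent, the rule would read `allow $1 policy_config_t:dir { getattr search read write add_name remove_name };`; otherwise the `class dir` line in the depend block should be narrowed to what the rule uses. Because this interface also assigns `can_write_binary_policy`, the permission set is worth deciding explicitly. The new depend block also omits the blank line between `type` and `class` that the other blocks in this commit use.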
@@ -655,17 +720,19 @@ class file { create ioctl read getattr lock write setattr append link unlink ren
 # selinux_read_source_policy(domain)
 #
 define(`selinux_read_source_policy',`
-requires_block_template(`$0'_depend)
-# FIXME: search etc_t:dir
-allow $1 selinux_config_t:dir search;
-allow $1 policy_src_t:dir { getattr search read };
-allow $1 policy_src_t:file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	# FIXME: search etc_t:dir
+	allow $1 selinux_config_t:dir search;
+	allow $1 policy_src_t:dir { getattr search read };
+	allow $1 policy_src_t:file { getattr read };
 ')
 
 define(`selinux_read_source_policy_depend',`
-type selinux_config_t, policy_src_t;
-class dir { getattr search read };
-class file { getattr read };
+	type selinux_config_t, policy_src_t;
+
+	class dir { getattr search read };
+	class file { getattr read };
 ')
 
 ########################################
@@ -673,17 +740,19 @@ class file { getattr read };
 # selinux_manage_source_policy(domain)
 #
 define(`selinux_manage_source_policy',`
-requires_block_template(`$0'_depend)
-# FIXME: search etc_t:dir
-allow $1 selinux_config_t:dir search;
-allow $1 policy_src_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
-allow $1 policy_src_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+	requires_block_template(`$0'_depend)
+
+	# FIXME: search etc_t:dir
+	allow $1 selinux_config_t:dir search;
+	allow $1 policy_src_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
+	allow $1 policy_src_t:file { create ioctl read getattr lock write setattr append link unlink rename };
 ')
 
 define(`selinux_manage_source_policy_depend',`
-type selinux_config_t, policy_src_t;
-class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
-class file { create ioctl read getattr lock write setattr append link unlink rename };
+	type selinux_config_t, policy_src_t;
+
+	class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
+	class file { create ioctl read getattr lock write setattr append link unlink rename };
 ')
 
 ## </module>
diff --git a/refpolicy/policy/modules/system/selinux.te b/refpolicy/policy/modules/system/selinux.te
index f97e7c183..4c84ad7c1 100644
--- a/refpolicy/policy/modules/system/selinux.te
+++ b/refpolicy/policy/modules/system/selinux.te
@@ -307,7 +307,7 @@ logging_send_system_log_message(restorecon_t)
 userdomain_use_all_users_file_descriptors(restorecon_t)
 
 optional_policy(`hotplug.te',`
-hotplug_use_file_descriptors(restorecon_t)
+	hotplug_use_file_descriptors(restorecon_t)
 ')
 
 # relabeling rules
@@ -350,54 +350,54 @@ kernel_compute_selinux_relabel_context(run_init_t)
 kernel_compute_selinux_reachable_user_contexts(run_init_t)
 
 tunable_policy(`targeted_policy',`',`
-allow run_init_t self:process setexec;
-allow run_init_t self:capability setuid;
+	allow run_init_t self:process setexec;
+	allow run_init_t self:capability setuid;
 
-allow run_init_t self:fifo_file { getattr read write };
+	allow run_init_t self:fifo_file { getattr read write };
 
-# often the administrator runs such programs from a directory that is owned
-# by a different user or has restrictive SE permissions, do not want to audit
-# the failed access to the current directory
-dontaudit run_init_t self:capability { dac_override dac_read_search };
+	# often the administrator runs such programs from a directory that is owned
+	# by a different user or has restrictive SE permissions, do not want to audit
+	# the failed access to the current directory
+	dontaudit run_init_t self:capability { dac_override dac_read_search };
 
-filesystem_get_persistent_filesystem_attributes(run_init_t)
+	filesystem_get_persistent_filesystem_attributes(run_init_t)
 
-devices_ignore_list_device_nodes(run_init_t)
+	devices_ignore_list_device_nodes(run_init_t)
 
-terminal_ignore_list_pseudoterminals(run_init_t)
+	terminal_ignore_list_pseudoterminals(run_init_t)
 
-authlogin_check_password_transition(run_init_t)
-authlogin_ignore_read_shadow_passwords(run_init_t)
+	authlogin_check_password_transition(run_init_t)
+	authlogin_ignore_read_shadow_passwords(run_init_t)
 
-corecommands_execute_general_programs(run_init_t)
-corecommands_execute_shell(run_init_t)
+	corecommands_execute_general_programs(run_init_t)
+	corecommands_execute_shell(run_init_t)
 
-domain_use_widely_inheritable_file_descriptors(run_init_t)
+	domain_use_widely_inheritable_file_descriptors(run_init_t)
 
-files_read_general_system_config(run_init_t)
-files_ignore_search_all_directories(run_init_t)
+	files_read_general_system_config(run_init_t)
+	files_ignore_search_all_directories(run_init_t)
 
-init_script_transition(run_init_t)
-# for utmp
-init_script_modify_runtime_data(run_init_t)
+	init_script_transition(run_init_t)
+	# for utmp
+	init_script_modify_runtime_data(run_init_t)
 
-libraries_use_dynamic_loader(run_init_t)
-libraries_use_shared_libraries(run_init_t)
+	libraries_use_dynamic_loader(run_init_t)
+	libraries_use_shared_libraries(run_init_t)
 
-selinux_read_config(run_init_t)
-selinux_read_default_contexts(run_init_t)
+	selinux_read_config(run_init_t)
+	selinux_read_default_contexts(run_init_t)
 
-miscfiles_read_localization(run_init_t)
+	miscfiles_read_localization(run_init_t)
 
-logging_send_system_log_message(run_init_t)
+	logging_send_system_log_message(run_init_t)
 ') dnl end ifdef targeted policy
 
 ifdef(`TODO',`
 
 tunable_policy(`distro_gentoo', `
-# Gentoo integrated run_init+open_init_pty-runscript:
-domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
-domain_make_entrypoint_file(run_init_t,initrc_exec_t)
+	# Gentoo integrated run_init+open_init_pty-runscript:
+	domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
+	domain_make_entrypoint_file(run_init_t,initrc_exec_t)
 ')
 ') dnl end TODO
 
diff --git a/refpolicy/policy/modules/system/selinuxutil.if b/refpolicy/policy/modules/system/selinuxutil.if
index 39d93d251..50f71e8a6 100644
--- a/refpolicy/policy/modules/system/selinuxutil.if
+++ b/refpolicy/policy/modules/system/selinuxutil.if
@@ -13,23 +13,26 @@
 ## </interface>
 #
 define(`selinux_checkpolicy_transition',`
-requires_block_template(`$0'_depend)
-allow $1 checkpolicy_exec_t:file { getattr read execute };
-allow $1 checkpolicy_t:process transition;
-type_transition $1 checkpolicy_exec_t:process checkpolicy_t;
-dontaudit $1 checkpolicy_t:process { noatsecure siginh rlimitinh };
-allow $1 checkpolicy_t:fd use;
-allow checkpolicy_t $1:fd use;
-allow checkpolicy_t $1:fifo_file rw_file_perms;
-allow checkpolicy_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 checkpolicy_exec_t:file { getattr read execute };
+	allow $1 checkpolicy_t:process transition;
+	type_transition $1 checkpolicy_exec_t:process checkpolicy_t;
+	dontaudit $1 checkpolicy_t:process { noatsecure siginh rlimitinh };
+
+	allow $1 checkpolicy_t:fd use;
+	allow checkpolicy_t $1:fd use;
+	allow checkpolicy_t $1:fifo_file rw_file_perms;
+	allow checkpolicy_t $1:process sigchld;
 ')
 
 define(`selinux_checkpolicy_transition_depend',`
-type checkpolicy_t, checkpolicy_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+	type checkpolicy_t, checkpolicy_exec_t;
+
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh sigchld sigchld };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')
 
 ########################################
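Review bot: The `class process` line in `selinux_checkpolicy_transition_depend` lists `sigchld` twice, and the re-indentation carries the duplicate over unchanged. The sibling transition depend blocks in this file declare it once, so the line should read `class process { transition noatsecure siginh rlimitinh sigchld };`. The duplicate is probably harmless to the policy compiler, but it makes the require lists harder to compare against the rules they back.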
@@ -53,15 +56,17 @@ class fifo_file rw_file_perms;
 ## </interface>
 #
 define(`selinux_checkpolicy_transition_add_role_use_terminal',`
-requires_block_template(`$0'_depend)
-selinux_checkpolicy_transition($1)
-role $2 types checkpolicy_t;
-allow checkpolicy_t $3:chr_file { getattr read write ioctl };
+	requires_block_template(`$0'_depend)
+
+	selinux_checkpolicy_transition($1)
+	role $2 types checkpolicy_t;
+	allow checkpolicy_t $3:chr_file { getattr read write ioctl };
 ')
 
 define(`selinux_checkpolicy_transition_add_role_use_terminal_depend',`
-type checkpolicy_t;
-class chr_file { getattr read write ioctl };
+	type checkpolicy_t;
+
+	class chr_file { getattr read write ioctl };
 ')
 
 #######################################
@@ -69,13 +74,15 @@ class chr_file { getattr read write ioctl };
 # selinux_checkpolicy_execute(domain)
 #
 define(`selinux_checkpolicy_execute',`
-requires_block_template(`$0'_depend)
-allow $1 checkpolicy_exec_t:file { getattr read execute execute_no_trans };
+	requires_block_template(`$0'_depend)
+
+	allow $1 checkpolicy_exec_t:file { getattr read execute execute_no_trans };
 ')
 
 define(`selinux_checkpolicy_execute_depend',`
-type checkpolicy_exec_t;
-class file { getattr read execute execute_no_trans };
+	type checkpolicy_exec_t;
+
+	class file { getattr read execute execute_no_trans };
 ')
 
 #######################################
@@ -90,23 +97,26 @@ class file { getattr read execute execute_no_trans };
 ## </interface>
 #
 define(`selinux_load_policy_transition',`
-requires_block_template(`$0'_depend)
-allow $1 load_policy_exec_t:file { getattr read execute };
-allow $1 load_policy_t:process transition;
-type_transition $1 load_policy_exec_t:process load_policy_t;
-dontaudit $1 load_policy_t:process { noatsecure siginh rlimitinh };
-allow $1 load_policy_t:fd use;
-allow load_policy_t $1:fd use;
-allow load_policy_t $1:fifo_file rw_file_perms;
-allow load_policy_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 load_policy_exec_t:file { getattr read execute };
+	allow $1 load_policy_t:process transition;
+	type_transition $1 load_policy_exec_t:process load_policy_t;
+	dontaudit $1 load_policy_t:process { noatsecure siginh rlimitinh };
+
+	allow $1 load_policy_t:fd use;
+	allow load_policy_t $1:fd use;
+	allow load_policy_t $1:fifo_file rw_file_perms;
+	allow load_policy_t $1:process sigchld;
 ')
 
 define(`selinux_load_policy_transition_depend',`
-type load_policy_t, load_policy_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+	type load_policy_t, load_policy_exec_t;
+
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh sigchld };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')
 
 ########################################
@@ -130,15 +140,17 @@ class fifo_file rw_file_perms;
 ## </interface>
 #
 define(`selinux_load_policy_transition_add_role_use_terminal',`
-requires_block_template(`$0'_depend)
-selinux_load_policy_transition($1)
-role $2 types load_policy_t;
-allow load_policy_t $3:chr_file { getattr read write ioctl };
+	requires_block_template(`$0'_depend)
+
+	selinux_load_policy_transition($1)
+	role $2 types load_policy_t;
+	allow load_policy_t $3:chr_file { getattr read write ioctl };
 ')
 
 define(`selinux_load_policy_transition_add_role_use_terminal_depend',`
-type load_policy_t;
-class chr_file { getattr read write ioctl };
+	type load_policy_t;
+
+	class chr_file { getattr read write ioctl };
 ')
 
 #######################################
@@ -146,13 +158,15 @@ class chr_file { getattr read write ioctl };
 # selinux_load_policy_execute(domain)
 #
 define(`selinux_load_policy_execute',`
-requires_block_template(`$0'_depend)
-allow $1 load_policy_exec_t:file { getattr read execute execute_no_trans };
+	requires_block_template(`$0'_depend)
+
+	allow $1 load_policy_exec_t:file { getattr read execute execute_no_trans };
 ')
 
 define(`selinux_load_policy_execute_depend',`
-type load_policy_exec_t;
-class file { getattr read execute execute_no_trans };
+	type load_policy_exec_t;
+
+	class file { getattr read execute execute_no_trans };
 ')
 
 #######################################
@@ -160,13 +174,15 @@ class file { getattr read execute execute_no_trans };
 # selinux_read_load_policy_binary(domain)
 #
 define(`selinux_read_load_policy_binary',`
-requires_block_template(`$0'_depend)
-allow $1 load_policy_exec_t:file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	allow $1 load_policy_exec_t:file { getattr read };
 ')
 
 define(`selinux_read_load_policy_binary_depend',`
-type load_policy_exec_t;
-class file { getattr read };
+	type load_policy_exec_t;
+
+	class file { getattr read };
 ')
 
 #######################################
@@ -181,23 +197,26 @@ class file { getattr read };
 ## </interface>
 #
 define(`selinux_newrole_transition',`
-requires_block_template(`$0'_depend)
-allow $1 newrole_exec_t:file { getattr read execute };
-allow $1 newrole_t:process transition;
-type_transition $1 newrole_exec_t:process newrole_t;
-dontaudit $1 newrole_t:process { noatsecure siginh rlimitinh };
-allow $1 newrole_t:fd use;
-allow newrole_t $1:fd use;
-allow newrole_t $1:fifo_file rw_file_perms;
-allow newrole_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 newrole_exec_t:file { getattr read execute };
+	allow $1 newrole_t:process transition;
+	type_transition $1 newrole_exec_t:process newrole_t;
+	dontaudit $1 newrole_t:process { noatsecure siginh rlimitinh };
+
+	allow $1 newrole_t:fd use;
+	allow newrole_t $1:fd use;
+	allow newrole_t $1:fifo_file rw_file_perms;
+	allow newrole_t $1:process sigchld;
 ')
 
 define(`selinux_newrole_transition_depend',`
-type newrole_t, newrole_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+	type newrole_t, newrole_exec_t;
+
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh sigchld };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')
 
 ########################################
@@ -220,15 +239,17 @@ class fifo_file rw_file_perms;
 ## </interface>
 #
 define(`selinux_newrole_transition_add_role_use_terminal',`
-requires_block_template(`$0'_depend)
-selinux_newrole_transition($1)
-role $2 types newrole_t;
-allow newrole_t $3:chr_file { getattr read write ioctl };
+	requires_block_template(`$0'_depend)
+
+	selinux_newrole_transition($1)
+	role $2 types newrole_t;
+	allow newrole_t $3:chr_file { getattr read write ioctl };
 ')
 
 define(`selinux_newrole_transition_add_role_use_terminal_depend',`
-type newrole_t;
-class chr_file { getattr read write ioctl };
+	type newrole_t;
+
+	class chr_file { getattr read write ioctl };
 ')
 
 #######################################
@@ -236,13 +257,15 @@ class chr_file { getattr read write ioctl };
 # selinux_newrole_execute(domain)
 #
 define(`selinux_newrole_execute',`
-requires_block_template(`$0'_depend)
-allow $1 newrole_exec_t:file { getattr read execute execute_no_trans };
+	requires_block_template(`$0'_depend)
+
+	allow $1 newrole_exec_t:file { getattr read execute execute_no_trans };
 ')
 
 define(`selinux_newrole_execute_depend',`
-type newrole_t, newrole_exec_t;
-class file { getattr read execute execute_no_trans };
+	type newrole_t, newrole_exec_t;
+
+	class file { getattr read execute execute_no_trans };
 ')
 
 ########################################
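Review bot: `selinux_newrole_execute_depend` requires `newrole_t` although the interface's only rule, `allow $1 newrole_exec_t:file { getattr read execute execute_no_trans };`, never references it. `selinux_restorecon_execute_depend` in the `@@ -367,8 +401,9 @@` hunk does the same with `restorecon_t`; that interface's body starts outside its hunk, but the rule shown in the hunk header names only `restorecon_exec_t`. The setfiles, checkpolicy and load_policy execute interfaces declare only their `_exec_t` type. Declaring just `type newrole_exec_t;` and `type restorecon_exec_t;` would keep each require list equal to what the interface actually uses.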
@@ -258,13 +281,15 @@ class file { getattr read execute execute_no_trans };
 ## </interface>
 #
 define(`selinux_newrole_ignore_signal',`
-requires_block_template(`$0'_depend)
-dontaudit $1 newrole_t:process signal;
+	requires_block_template(`$0'_depend)
+
+	dontaudit $1 newrole_t:process signal;
 ')
 
 define(`selinux_newrole_ignore_signal_depend',`
-type newrole_t;
-class process signal;
+	type newrole_t;
+
+	class process signal;
 ')
 
 #######################################
@@ -272,13 +297,15 @@ class process signal;
 # selinux_newrole_sigchld(domain)
 #
 define(`selinux_newrole_sigchld',`
-requires_block_template(`$0'_depend)
-allow $1 newrole_t:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 newrole_t:process sigchld;
 ')
 
 define(`selinux_newrole_sigchld_depend',`
-type newrole_t;
-class process sigchld;
+	type newrole_t;
+
+	class process sigchld;
 ')
 
 #######################################
@@ -286,13 +313,15 @@ class process sigchld;
 # selinux_newrole_use_file_descriptors(domain)
 #
 define(`selinux_newrole_use_file_descriptors',`
-requires_block_template(`$0'_depend)
-allow $1 newrole_t:fd use;
+	requires_block_template(`$0'_depend)
+
+	allow $1 newrole_t:fd use;
 ')
 
 define(`selinux_newrole_use_file_descriptors_depend',`
-type newrole_t;
-class fd use;
+	type newrole_t;
+
+	class fd use;
 ')
 
 #######################################
@@ -307,23 +336,26 @@ class fd use;
 ## </interface>
 #
 define(`selinux_restorecon_transition',`
-requires_block_template(`$0'_depend)
-allow $1 restorecon_exec_t:file { getattr read execute };
-allow $1 restorecon_t:process transition;
-type_transition $1 restorecon_exec_t:process restorecon_t;
-dontaudit $1 restorecon_t:process { noatsecure siginh rlimitinh };
-allow $1 restorecon_t:fd use;
-allow restorecon_t $1:fd use;
-allow restorecon_t $1:fifo_file rw_file_perms;
-allow restorecon_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 restorecon_exec_t:file { getattr read execute };
+	allow $1 restorecon_t:process transition;
+	type_transition $1 restorecon_exec_t:process restorecon_t;
+	dontaudit $1 restorecon_t:process { noatsecure siginh rlimitinh };
+
+	allow $1 restorecon_t:fd use;
+	allow restorecon_t $1:fd use;
+	allow restorecon_t $1:fifo_file rw_file_perms;
+	allow restorecon_t $1:process sigchld;
 ')
 
 define(`selinux_restorecon_transition_depend',`
-type restorecon_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+	type restorecon_t, restorecon_exec_t;
+
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh sigchld };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')
 
 ########################################
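Review bot: Adding `restorecon_t` to the `type` line of `selinux_restorecon_transition_depend` is a functional change, not a formatting one: the interface's rules reference `restorecon_t` and the old require list omitted it. The fix looks correct, but it is easy to miss among the re-indented lines. It would be better called out in the commit description or split into its own commit, so that policy changes can be audited separately from whitespace.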
@@ -346,15 +378,17 @@ class fifo_file rw_file_perms;
 ## </interface>
 #
 define(`selinux_restorecon_transition_add_role_use_terminal',`
-requires_block_template(`$0'_depend)
-selinux_restorecon_transition($1)
-role $2 types restorecon_t;
-allow restorecon_t $3:chr_file { getattr read write ioctl };
+	requires_block_template(`$0'_depend)
+
+	selinux_restorecon_transition($1)
+	role $2 types restorecon_t;
+	allow restorecon_t $3:chr_file { getattr read write ioctl };
 ')
 
 define(`selinux_restorecon_transition_add_role_use_terminal_depend',`
-type restorecon_t;
-class chr_file { getattr read write ioctl };
+	type restorecon_t;
+
+	class chr_file { getattr read write ioctl };
 ')
 
 #######################################
@@ -367,8 +401,9 @@ allow $1 restorecon_exec_t:file { getattr read execute execute_no_trans };
 ')
 
 define(`selinux_restorecon_execute_depend',`
-type restorecon_t, restorecon_exec_t;
-class file { getattr read execute execute_no_trans };
+	type restorecon_t, restorecon_exec_t;
+
+	class file { getattr read execute execute_no_trans };
 ')
 
 ########################################
@@ -383,23 +418,26 @@ class file { getattr read execute execute_no_trans };
 ## </interface>
 #
 define(`selinux_run_init_transition',`
-requires_block_template(`$0'_depend)
-allow $1 run_init_exec_t:file { getattr read execute };
-allow $1 run_init_t:process transition;
-type_transition $1 run_init_exec_t:process run_init_t;
-dontaudit $1 run_init_t:process { noatsecure siginh rlimitinh };
-allow $1 run_init_t:fd use;
-allow run_init_t $1:fd use;
-allow run_init_t $1:fifo_file rw_file_perms;
-allow run_init_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 run_init_exec_t:file { getattr read execute };
+	allow $1 run_init_t:process transition;
+	type_transition $1 run_init_exec_t:process run_init_t;
+	dontaudit $1 run_init_t:process { noatsecure siginh rlimitinh };
+
+	allow $1 run_init_t:fd use;
+	allow run_init_t $1:fd use;
+	allow run_init_t $1:fifo_file rw_file_perms;
+	allow run_init_t $1:process sigchld;
 ')
 
 define(`selinux_run_init_transition_depend',`
-type run_init_t, run_init_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+	type run_init_t, run_init_exec_t;
+
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh sigchld };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')
 
 ########################################
@@ -422,15 +460,17 @@ class fifo_file rw_file_perms;
 ## </interface>
 #
 define(`selinux_run_init_transition_add_role_use_terminal',`
-requires_block_template(`$0'_depend)
-selinux_run_init_transition($1)
-role $2 types run_init_t;
-allow run_init_t $3:chr_file { getattr read write ioctl };
+	requires_block_template(`$0'_depend)
+
+	selinux_run_init_transition($1)
+	role $2 types run_init_t;
+	allow run_init_t $3:chr_file { getattr read write ioctl };
 ')
 
 define(`selinux_run_init_transition_add_role_use_terminal_depend',`
-type run_init_t;
-class chr_file { getattr read write ioctl };
+	type run_init_t;
+
+	class chr_file { getattr read write ioctl };
 ')
 
 ########################################
@@ -438,13 +478,15 @@ class chr_file { getattr read write ioctl };
 # selinux_run_init_use_file_descriptors(domain)
 #
 define(`selinux_run_init_use_file_descriptors',`
-requires_block_template(`$0'_depend)
-allow $1 run_init_t:fd use;
+	requires_block_template(`$0'_depend)
+
+	allow $1 run_init_t:fd use;
 ')
 
 define(`selinux_run_init_use_file_descriptors_depend',`
-type run_init_t;
-class fd use;
+	type run_init_t;
+
+	class fd use;
 ')
 
 ########################################
@@ -459,23 +501,26 @@ class fd use;
 ## </interface>
 #
 define(`selinux_setfiles_transition',`
-requires_block_template(`$0'_depend)
-allow $1 setfiles_exec_t:file { getattr read execute };
-allow $1 setfiles_t:process transition;
-type_transition $1 setfiles_exec_t:process setfiles_t;
-dontaudit $1 setfiles_t:process { noatsecure siginh rlimitinh };
-allow $1 setfiles_t:fd use;
-allow setfiles_t $1:fd use;
-allow setfiles_t $1:fifo_file rw_file_perms;
-allow setfiles_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 setfiles_exec_t:file { getattr read execute };
+	allow $1 setfiles_t:process transition;
+	type_transition $1 setfiles_exec_t:process setfiles_t;
+	dontaudit $1 setfiles_t:process { noatsecure siginh rlimitinh };
+
+	allow $1 setfiles_t:fd use;
+	allow setfiles_t $1:fd use;
+	allow setfiles_t $1:fifo_file rw_file_perms;
+	allow setfiles_t $1:process sigchld;
 ')
 
 define(`selinux_setfiles_transition_depend',`
-type setfiles_t, setfiles_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+	type setfiles_t, setfiles_exec_t;
+
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh sigchld };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')
 
 ########################################
@@ -498,15 +543,17 @@ class fifo_file rw_file_perms;
 ## </interface>
 #
 define(`selinux_setfiles_transition_add_role_use_terminal',`
-requires_block_template(`$0'_depend)
-selinux_setfiles_transition($1)
-role $2 types setfiles_t;
-allow setfiles_t $3:chr_file { getattr read write ioctl };
+	requires_block_template(`$0'_depend)
+
+	selinux_setfiles_transition($1)
+	role $2 types setfiles_t;
+	allow setfiles_t $3:chr_file { getattr read write ioctl };
 ')
 
 define(`selinux_setfiles_transition_add_role_use_terminal_depend',`
-type setfiles_t;
-class chr_file { getattr read write ioctl };
+	type setfiles_t;
+
+	class chr_file { getattr read write ioctl };
 ')
 
 #######################################
@@ -514,13 +561,15 @@ class chr_file { getattr read write ioctl };
 # selinux_setfiles_execute(domain)
 #
 define(`selinux_setfiles_execute',`
-requires_block_template(`$0'_depend)
-allow $1 setfiles_exec_t:file { getattr read execute execute_no_trans };
+	requires_block_template(`$0'_depend)
+
+	allow $1 setfiles_exec_t:file { getattr read execute execute_no_trans };
 ')
 
 define(`selinux_setfiles_execute_depend',`
-type setfiles_exec_t;
-class file { getattr read execute execute_no_trans };
+	type setfiles_exec_t;
+
+	class file { getattr read execute execute_no_trans };
 ')
 
 ########################################
@@ -528,15 +577,17 @@ class file { getattr read execute execute_no_trans };
 # selinux_read_config(domain)
 #
 define(`selinux_read_config',`
-requires_block_template(`$0'_depend)
-allow $1 selinux_config_t:dir { getattr search read };
-allow $1 selinux_config_t:file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	allow $1 selinux_config_t:dir { getattr search read };
+	allow $1 selinux_config_t:file { getattr read };
 ')
 
 define(`selinux_read_config_depend',`
-type selinux_config_t;
-class dir { getattr search read };
-class file { getattr read };
+	type selinux_config_t;
+
+	class dir { getattr search read };
+	class file { getattr read };
 ')
 
 ########################################
@@ -544,16 +595,18 @@ class file { getattr read };
 # selinux_read_default_contexts(domain)
 #
 define(`selinux_read_default_contexts',`
-requires_block_template(`$0'_depend)
-allow $1 selinux_config_t:dir search;
-allow $1 default_context_t:dir { getattr search read };
-allow $1 default_context_t:file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	allow $1 selinux_config_t:dir search;
+	allow $1 default_context_t:dir { getattr search read };
+	allow $1 default_context_t:file { getattr read };
 ')
 
 define(`selinux_read_default_contexts_depend',`
-type selinux_config_t, default_context_t;
-class dir { getattr search read };
-class file { getattr read };
+	type selinux_config_t, default_context_t;
+
+	class dir { getattr search read };
+	class file { getattr read };
 ')
 
 ########################################
@@ -561,16 +614,18 @@ class file { getattr read };
 # selinux_read_file_contexts(domain)
 #
 define(`selinux_read_file_contexts',`
-requires_block_template(`$0'_depend)
-allow $1 selinux_config_t:dir search;
-allow $1 file_context_t:dir { getattr search read };
-allow $1 file_context_t:file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	allow $1 selinux_config_t:dir search;
+	allow $1 file_context_t:dir { getattr search read };
+	allow $1 file_context_t:file { getattr read };
 ')
 
 define(`selinux_read_file_contexts_depend',`
-type selinux_config_t, file_context_t;
-class dir { getattr search read };
-class file { getattr read };
+	type selinux_config_t, file_context_t;
+
+	class dir { getattr search read };
+	class file { getattr read };
 ')
 
 ########################################
@@ -578,15 +633,17 @@ class file { getattr read };
 # selinux_read_binary_policy(domain)
 #
 define(`selinux_read_binary_policy',`
-requires_block_template(`$0'_depend)
-allow $1 policy_config_t:dir { getattr search read };
-allow $1 policy_config_t:file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	allow $1 policy_config_t:dir { getattr search read };
+	allow $1 policy_config_t:file { getattr read };
 ')
 
 define(`selinux_read_binary_policy_depend',`
-type policy_config_t;
-class dir { getattr search read };
-class file { getattr read };
+	type policy_config_t;
+
+	class dir { getattr search read };
+	class file { getattr read };
 ')
 
 ########################################
@@ -594,17 +651,20 @@ class file { getattr read };
 # selinux_write_binary_policy(domain)
 #
 define(`selinux_write_binary_policy',`
-requires_block_template(`$0'_depend)
-allow $1 policy_config_t:dir { getattr search read write add_name remove_name };
-allow $1 policy_config_t:file { getattr create write unlink };
-typeattribute $1 can_write_binary_policy;
+	requires_block_template(`$0'_depend)
+
+	allow $1 policy_config_t:dir { getattr search read write add_name remove_name };
+	allow $1 policy_config_t:file { getattr create write unlink };
+	typeattribute $1 can_write_binary_policy;
 ')
 
 define(`selinux_write_binary_policy_depend',`
-attribute can_write_binary_policy;
-type policy_config_t;
-class dir { getattr search read write add_name remove_name };
-class file { getattr create write unlink };
+	attribute can_write_binary_policy;
+
+	type policy_config_t;
+
+	class dir { getattr search read write add_name remove_name };
+	class file { getattr create write unlink };
 ')
 
 ########################################
@@ -619,15 +679,18 @@ class file { getattr create write unlink };
 ## </interface>
 #
 define(`selinux_relabelto_binary_policy',`
-requires_block_template(`$0'_depend)
-allow $1 policy_config_t:file relabelto;
-typeattribute $1 can_relabelto_binary_policy;
+	requires_block_template(`$0'_depend)
+
+	allow $1 policy_config_t:file relabelto;
+	typeattribute $1 can_relabelto_binary_policy;
 ')
 
 define(`selinux_relabelto_binary_policy_depend',`
-attribute can_relabelto_binary_policy;
-type policy_config_t;
-class file relabelto;
+	attribute can_relabelto_binary_policy;
+
+	type policy_config_t;
+
+	class file relabelto;
 ')
 
 ########################################
@@ -635,19 +698,21 @@ class file relabelto;
 # selinux_manage_binary_policy(domain)
 #
 define(`selinux_manage_binary_policy',`
-requires_block_template(`$0'_depend)
-# FIXME: search etc_t:dir
-allow $1 selinux_config_t:dir search;
-allow $1 policy_config_t:dir { getattr search read };
-allow $1 policy_config_t:file { create ioctl read getattr lock write setattr append link unlink rename };
-typeattribute $1 can_write_binary_policy;
+	requires_block_template(`$0'_depend)
+
+	# FIXME: search etc_t:dir
+	allow $1 selinux_config_t:dir search;
+	allow $1 policy_config_t:dir { getattr search read };
+	allow $1 policy_config_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+	typeattribute $1 can_write_binary_policy;
 ')
 
 define(`selinux_manage_binary_policy_depend',`
-attribute can_write_binary_policy;
-type selinux_config_t, policy_config_t;
-class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
-class file { create ioctl read getattr lock write setattr append link unlink rename };
+	attribute can_write_binary_policy;
+
+	type selinux_config_t, policy_config_t;
+	class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
+	class file { create ioctl read getattr lock write setattr append link unlink rename };
 ')
 
 ########################################
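Review bot: In `selinux_manage_binary_policy` the rule on `policy_config_t:dir` grants only `{ getattr search read }`, while the same interface grants `create`, `link`, `unlink` and `rename` on `policy_config_t:file` and its `_depend` block requires the full directory management set. Creating or removing a file normally also needs `write add_name remove_name` on the containing directory, which `selinux_write_binary_policy` earlier in this file does grant. Either the directory rule should become `allow $1 policy_config_t:dir { getattr search read write add_name remove_name };` or the `class dir` line in the depend block should be narrowed to what is actually used. Because this interface also assigns `can_write_binary_policy`, the required and granted sets are worth keeping exact. The re-indented depend block is also missing the blank line between its `type` and `class` lines that the sibling blocks in this commit add.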
@@ -655,17 +720,19 @@ class file { create ioctl read getattr lock write setattr append link unlink ren
 # selinux_read_source_policy(domain)
 #
 define(`selinux_read_source_policy',`
-requires_block_template(`$0'_depend)
-# FIXME: search etc_t:dir
-allow $1 selinux_config_t:dir search;
-allow $1 policy_src_t:dir { getattr search read };
-allow $1 policy_src_t:file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	# FIXME: search etc_t:dir
+	allow $1 selinux_config_t:dir search;
+	allow $1 policy_src_t:dir { getattr search read };
+	allow $1 policy_src_t:file { getattr read };
 ')
 
 define(`selinux_read_source_policy_depend',`
-type selinux_config_t, policy_src_t;
-class dir { getattr search read };
-class file { getattr read };
+	type selinux_config_t, policy_src_t;
+
+	class dir { getattr search read };
+	class file { getattr read };
 ')
 
 ########################################
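Review bot: The `# FIXME: search etc_t:dir` carried into the re-indented `selinux_read_source_policy` is still unresolved, so a caller gets search on `selinux_config_t:dir` but nothing from this interface for the parent directory. `sysnetwork_read_network_config`, re-indented in this same commit, calls `files_search_general_system_config_directory($1)` before its file rule; if that interface is the one covering `etc_t` (its definition is not visible here), the same call would replace the FIXME. The same FIXME sits in `selinux_manage_binary_policy` and `selinux_manage_source_policy`. Until it is resolved, a comment such as `# callers must already be able to search etc_t` would make the gap explicit.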
@@ -673,17 +740,19 @@ class file { getattr read };
 # selinux_manage_source_policy(domain)
 #
 define(`selinux_manage_source_policy',`
-requires_block_template(`$0'_depend)
-# FIXME: search etc_t:dir
-allow $1 selinux_config_t:dir search;
-allow $1 policy_src_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
-allow $1 policy_src_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+	requires_block_template(`$0'_depend)
+
+	# FIXME: search etc_t:dir
+	allow $1 selinux_config_t:dir search;
+	allow $1 policy_src_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
+	allow $1 policy_src_t:file { create ioctl read getattr lock write setattr append link unlink rename };
 ')
 
 define(`selinux_manage_source_policy_depend',`
-type selinux_config_t, policy_src_t;
-class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
-class file { create ioctl read getattr lock write setattr append link unlink rename };
+	type selinux_config_t, policy_src_t;
+
+	class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
+	class file { create ioctl read getattr lock write setattr append link unlink rename };
 ')
 
 ## </module>
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index f97e7c183..4c84ad7c1 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -307,7 +307,7 @@ logging_send_system_log_message(restorecon_t)
 userdomain_use_all_users_file_descriptors(restorecon_t)
 
 optional_policy(`hotplug.te',`
-hotplug_use_file_descriptors(restorecon_t)
+	hotplug_use_file_descriptors(restorecon_t)
 ')
 
 # relabeling rules
@@ -350,54 +350,54 @@ kernel_compute_selinux_relabel_context(run_init_t)
 kernel_compute_selinux_reachable_user_contexts(run_init_t)
 
 tunable_policy(`targeted_policy',`',`
-allow run_init_t self:process setexec;
-allow run_init_t self:capability setuid;
+	allow run_init_t self:process setexec;
+	allow run_init_t self:capability setuid;
 
-allow run_init_t self:fifo_file { getattr read write };
+	allow run_init_t self:fifo_file { getattr read write };
 
-# often the administrator runs such programs from a directory that is owned
-# by a different user or has restrictive SE permissions, do not want to audit
-# the failed access to the current directory
-dontaudit run_init_t self:capability { dac_override dac_read_search };
+	# often the administrator runs such programs from a directory that is owned
+	# by a different user or has restrictive SE permissions, do not want to audit
+	# the failed access to the current directory
+	dontaudit run_init_t self:capability { dac_override dac_read_search };
 
-filesystem_get_persistent_filesystem_attributes(run_init_t)
+	filesystem_get_persistent_filesystem_attributes(run_init_t)
 
-devices_ignore_list_device_nodes(run_init_t)
+	devices_ignore_list_device_nodes(run_init_t)
 
-terminal_ignore_list_pseudoterminals(run_init_t)
+	terminal_ignore_list_pseudoterminals(run_init_t)
 
-authlogin_check_password_transition(run_init_t)
-authlogin_ignore_read_shadow_passwords(run_init_t)
+	authlogin_check_password_transition(run_init_t)
+	authlogin_ignore_read_shadow_passwords(run_init_t)
 
-corecommands_execute_general_programs(run_init_t)
-corecommands_execute_shell(run_init_t)
+	corecommands_execute_general_programs(run_init_t)
+	corecommands_execute_shell(run_init_t)
 
-domain_use_widely_inheritable_file_descriptors(run_init_t)
+	domain_use_widely_inheritable_file_descriptors(run_init_t)
 
-files_read_general_system_config(run_init_t)
-files_ignore_search_all_directories(run_init_t)
+	files_read_general_system_config(run_init_t)
+	files_ignore_search_all_directories(run_init_t)
 
-init_script_transition(run_init_t)
-# for utmp
-init_script_modify_runtime_data(run_init_t)
+	init_script_transition(run_init_t)
+	# for utmp
+	init_script_modify_runtime_data(run_init_t)
 
-libraries_use_dynamic_loader(run_init_t)
-libraries_use_shared_libraries(run_init_t)
+	libraries_use_dynamic_loader(run_init_t)
+	libraries_use_shared_libraries(run_init_t)
 
-selinux_read_config(run_init_t)
-selinux_read_default_contexts(run_init_t)
+	selinux_read_config(run_init_t)
+	selinux_read_default_contexts(run_init_t)
 
-miscfiles_read_localization(run_init_t)
+	miscfiles_read_localization(run_init_t)
 
-logging_send_system_log_message(run_init_t)
+	logging_send_system_log_message(run_init_t)
 ') dnl end ifdef targeted policy
 
 ifdef(`TODO',`
 
 tunable_policy(`distro_gentoo', `
-# Gentoo integrated run_init+open_init_pty-runscript:
-domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
-domain_make_entrypoint_file(run_init_t,initrc_exec_t)
+	# Gentoo integrated run_init+open_init_pty-runscript:
+	domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
+	domain_make_entrypoint_file(run_init_t,initrc_exec_t)
 ')
 ') dnl end TODO
 
diff --git a/refpolicy/policy/modules/system/sysnetwork.if b/refpolicy/policy/modules/system/sysnetwork.if
index d0647affd..ad35f94e9 100644
--- a/refpolicy/policy/modules/system/sysnetwork.if
+++ b/refpolicy/policy/modules/system/sysnetwork.if
@@ -6,23 +6,26 @@
 # sysnetwork_dhcpc_transition(domain)
 #
 define(`sysnetwork_dhcpc_transition',`
-requires_block_template(`$0'_depend)
-allow $1 dhcpc_exec_t:file { getattr read execute };
-allow $1 dhcpc_t:process transition;
-type_transition $1 dhcpc_exec_t:process dhcpc_t;
-dontaudit $1 dhcpc_t:process { noatsecure siginh rlimitinh };
-allow $1 dhcpc_t:fd use;
-allow dhcpc_t $1:fd use;
-allow dhcpc_t $1:fifo_file rw_file_perms;
-allow dhcpc_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 dhcpc_exec_t:file { getattr read execute };
+	allow $1 dhcpc_t:process transition;
+	type_transition $1 dhcpc_exec_t:process dhcpc_t;
+	dontaudit $1 dhcpc_t:process { noatsecure siginh rlimitinh };
+
+	allow $1 dhcpc_t:fd use;
+	allow dhcpc_t $1:fd use;
+	allow dhcpc_t $1:fifo_file rw_file_perms;
+	allow dhcpc_t $1:process sigchld;
 ')
 
 define(`sysnetwork_dhcpc_transition_depend',`
-type dhcpc_t, dhcpc_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+	type dhcpc_t, dhcpc_exec_t;
+
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh sigchld };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')
 
 #######################################
@@ -37,23 +40,26 @@ class fifo_file rw_file_perms;
 ## </interface>
 #
 define(`sysnetwork_ifconfig_transition',`
-requires_block_template(`$0'_depend)
-allow $1 ifconfig_exec_t:file { getattr read execute };
-allow $1 ifconfig_t:process transition;
-type_transition $1 ifconfig_exec_t:process ifconfig_t;
-dontaudit $1 ifconfig_t:process { noatsecure siginh rlimitinh };
-allow $1 ifconfig_t:fd use;
-allow ifconfig_t $1:fd use;
-allow ifconfig_t $1:fifo_file rw_file_perms;
-allow ifconfig_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 ifconfig_exec_t:file { getattr read execute };
+	allow $1 ifconfig_t:process transition;
+	type_transition $1 ifconfig_exec_t:process ifconfig_t;
+	dontaudit $1 ifconfig_t:process { noatsecure siginh rlimitinh };
+
+	allow $1 ifconfig_t:fd use;
+	allow ifconfig_t $1:fd use;
+	allow ifconfig_t $1:fifo_file rw_file_perms;
+	allow ifconfig_t $1:process sigchld;
 ')
 
 define(`sysnetwork_ifconfig_transition_depend',`
-type ifconfig_t, ifconfig_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+	type ifconfig_t, ifconfig_exec_t;
+
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh sigchld };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')
 
 ########################################
@@ -76,15 +82,17 @@ class fifo_file rw_file_perms;
 ## </interface>
 #
 define(`sysnetwork_ifconfig_transition_add_role_use_terminal',`
-requires_block_template(`$0'_depend)
-sysnetwork_ifconfig_transition($1)
-role $2 types ifconfig_t;
-allow ifconfig_t $3:chr_file { getattr read write ioctl };
+	requires_block_template(`$0'_depend)
+
+	sysnetwork_ifconfig_transition($1)
+	role $2 types ifconfig_t;
+	allow ifconfig_t $3:chr_file { getattr read write ioctl };
 ')
 
 define(`sysnetwork_ifconfig_transition_add_role_use_terminal_depend',`
-type ifconfig_t;
-class chr_file { getattr read write ioctl };
+	type ifconfig_t;
+
+	class chr_file { getattr read write ioctl };
 ')
 
 ########################################
@@ -92,14 +100,16 @@ class chr_file { getattr read write ioctl };
 # sysnetwork_read_network_config(domain)
 #
 define(`sysnetwork_read_network_config',`
-requires_block_template(`$0'_depend)
-files_search_general_system_config_directory($1)
-allow $1 net_conf_t:file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	files_search_general_system_config_directory($1)
+	allow $1 net_conf_t:file { getattr read };
 ')
 
 define(`sysnetwork_read_network_config_depend',`
-type net_conf_t;
-class file { getattr read };
+	type net_conf_t;
+
+	class file { getattr read };
 ')
 
 ## </module>
diff --git a/refpolicy/policy/modules/system/udev.if b/refpolicy/policy/modules/system/udev.if
index 490b1d6f8..2beaa000d 100644
--- a/refpolicy/policy/modules/system/udev.if
+++ b/refpolicy/policy/modules/system/udev.if
@@ -4,23 +4,26 @@
 # udev_transition(domain)
 #
 define(`udev_transition',`
-requires_block_template(`$0'_depend)
-allow $1 udev_exec_t:file { getattr read execute };
-allow $1 udev_t:process transition;
-type_transition $1 udev_exec_t:process udev_t;
-dontaudit $1 udev_t:process { noatsecure siginh rlimitinh };
-allow $1 udev_t:fd use;
-allow udev_t $1:fd use;
-allow udev_t $1:fifo_file rw_file_perms;
-allow udev_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 udev_exec_t:file { getattr read execute };
+	allow $1 udev_t:process transition;
+	type_transition $1 udev_exec_t:process udev_t;
+	dontaudit $1 udev_t:process { noatsecure siginh rlimitinh };
+
+	allow $1 udev_t:fd use;
+	allow udev_t $1:fd use;
+	allow udev_t $1:fifo_file rw_file_perms;
+	allow udev_t $1:process sigchld;
 ')
 
 define(`udev_transition_depend',`
-type udev_t, udev_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+	type udev_t, udev_exec_t;
+
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh sigchld };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')
 
 ########################################
@@ -28,13 +31,15 @@ class fifo_file rw_file_perms;
 # udev_read_database(domain)
 #
 define(`udev_read_database',`
-requires_block_template(`$0'_depend)
-allow $1 udev_tdb_t:file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	allow $1 udev_tdb_t:file { getattr read };
 ')
 
 define(`udev_read_database_depend',`
-type udev_tdb_t;
-class file { getattr read };
+	type udev_tdb_t;
+
+	class file { getattr read };
 ')
 
 ########################################
@@ -42,11 +47,13 @@ class file { getattr read };
 # udev_modify_database(domain)
 #
 define(`udev_modify_database',`
-requires_block_template(`$0'_depend)
-allow $1 udev_tdb_t:file { getattr read write append };
+	requires_block_template(`$0'_depend)
+
+	allow $1 udev_tdb_t:file { getattr read write append };
 ')
 
 define(`udev_modify_database_depend',`
-type udev_tdb_t;
-class file { getattr read write append };
+	type udev_tdb_t;
+
+	class file { getattr read write append };
 ')
diff --git a/refpolicy/policy/modules/system/udev.te b/refpolicy/policy/modules/system/udev.te
index 296e03cdd..b12a55668 100644
--- a/refpolicy/policy/modules/system/udev.te
+++ b/refpolicy/policy/modules/system/udev.te
@@ -114,28 +114,28 @@ selinux_restorecon_transition(udev_t)
 sysnetwork_ifconfig_transition(udev_t)
 
 tunable_policy(`distro_redhat',`
-filesystem_manage_tmpfs_block_devices(udev_t)
-filesystem_manage_tmpfs_character_devices(udev_t)
+	filesystem_manage_tmpfs_block_devices(udev_t)
+	filesystem_manage_tmpfs_character_devices(udev_t)
 
-# for arping used for static IP addresses on PCMCIA ethernet
-netutils_transition(udev_t)
+	# for arping used for static IP addresses on PCMCIA ethernet
+	netutils_transition(udev_t)
 ') dnl end ifdef distro_redhat
 
 optional_policy(`authlogin.te',`
-authlogin_pam_console_read_runtime_data(udev_t)
-authlogin_pam_console_transition(udev_t)
+	authlogin_pam_console_read_runtime_data(udev_t)
+	authlogin_pam_console_transition(udev_t)
 ')
 
 optional_policy(`consoletype.te',`
-consoletype_execute(udev_t)
+	consoletype_execute(udev_t)
 ')
 
 optional_policy(`hotplug.te',`
-hotplug_read_config(udev_t)
+	hotplug_read_config(udev_t)
 ')
 
 optional_policy(`sysnetwork.te',`
-sysnetwork_dhcpc_transition(udev_t)
+	sysnetwork_dhcpc_transition(udev_t)
 ')
 
 ifdef(`TODO',`
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index a0568abb2..549520a49 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -9,390 +9,390 @@
 
 define(`base_user_domain',`
 
-attribute $1_file_type;
-
-type $1_t, userdomain;
-domain_make_domain($1_t)
-corecommands_make_shell_entrypoint($1_t)
-role $1_r types $1_t;
-allow system_r $1_r;
-
-# user pseudoterminal
-type $1_devpts_t;
-terminal_make_user_pseudoterminal($1_t,$1_devpts_t)
-
-# type for contents of home directory
-type $1_home_t, $1_file_type, home_type;
-files_make_file($1_home_t)
-
-# type of home directory
-type $1_home_dir_t, home_dir_type, home_type;
-files_make_file($1_home_t)
-
-type $1_tmp_t, $1_file_type;
-files_make_temporary_file($1_tmp_t)
-
-type $1_tmpfs_t;
-files_make_tmpfs_file($1_tmpfs_t)
-
-type $1_tty_device_t; 
-terminal_make_physical_terminal($1_t,$1_tty_device_t)
-
-##############################
-#
-# Local policy
-#
-
-allow $1_t self:capability { setgid chown fowner };
-dontaudit $1_t self:capability { sys_nice fsetid };
-allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
-allow $1_t self:process { ptrace setfscreate };
-allow $1_t self:fd use;
-allow $1_t self:fifo_file { read getattr lock ioctl write append };
-allow $1_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
-allow $1_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
-allow $1_t self:unix_dgram_socket sendto;
-allow $1_t self:unix_stream_socket connectto;
-allow $1_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
-allow $1_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
-allow $1_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
-allow $1_t self:msg { send receive };
-dontaudit $1_t self:socket create;
-# Irrelevant until we have labeled networking.
-#allow $1_t self:udp_socket { sendto recvfrom };
-
-# evolution and gnome-session try to create a netlink socket
-dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
-dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
-
-# execute files in the home directory
-allow $1_t $1_home_t:file { getattr read execute execute_no_trans };
-
-# full control of the home directory
-allow $1_t $1_home_t:file { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto };
-allow $1_t $1_home_t:lnk_file { create read getattr setattr link unlink rename relabelfrom relabelto };
-allow $1_t $1_home_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto };
-allow $1_t $1_home_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto };
-allow $1_t $1_home_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto };
-allow $1_t $1_home_dir_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
-type_transition $1_t $1_home_dir_t:{ file lnk_file dir sock_file fifo_file } $1_home_t;
-
-allow $1_t $1_tmp_t:file { getattr read execute execute_no_trans };
-
-# Bind to a Unix domain socket in /tmp.
-# cjp: this is combination is not checked and should be removed
-allow $1_t $1_tmp_t:unix_stream_socket name_bind;
-
-allow $1_t $1_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
-allow $1_t $1_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
-allow $1_t $1_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
-allow $1_t $1_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
-allow $1_t $1_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
-filesystem_create_private_tmpfs_data($1_t,$1_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
-
-allow $1_t $1_tty_device_t:chr_file { setattr getattr read write append ioctl lock };
-
-allow $1_t unpriv_userdomain:fd use;
-
-# Instantiate derived domains for a number of programs.
-# These derived domains encode both information about the calling
-# user domain and the program, and allow us to maintain separation
-# between different instances of the program being run by different
-# user domains.
-per_userdomain_templates($1)
-
-kernel_read_kernel_sysctl($1_t)
-kernel_get_selinuxfs_mount_point($1_t)
-# Very permissive allowing every domain to see every type:
-kernel_get_sysvipc_info($1_t)
-# Find CDROM devices:
-kernel_read_device_sysctl($1_t)
-# GNOME checks for usb and other devices:
-kernel_modify_usb_hardware_config_option($1_t)
-
-corenetwork_sendrecv_tcp_on_all_interfaces($1_t)
-corenetwork_sendrecv_raw_on_all_interfaces($1_t)
-corenetwork_sendrecv_udp_on_all_interfaces($1_t)
-corenetwork_sendrecv_tcp_on_all_nodes($1_t)
-corenetwork_sendrecv_raw_on_all_nodes($1_t)
-corenetwork_sendrecv_udp_on_all_nodes($1_t)
-corenetwork_sendrecv_tcp_on_all_ports($1_t)
-corenetwork_sendrecv_udp_on_all_ports($1_t)
-corenetwork_bind_tcp_on_all_nodes($1_t)
-corenetwork_bind_udp_on_all_nodes($1_t)
-# allow port_t name binding for UDP because it is not very usable otherwise
-corenetwork_bind_udp_on_general_port($1_t)
-
-devices_get_input_event($1_t)
-devices_read_misc($1_t)
-devices_write_misc($1_t)
-devices_play_sound($1_t)
-devices_record_sound_input($1_t)
-devices_read_sound_mixer_levels($1_t)
-devices_write_sound_mixer_levels($1_t)
-devices_get_random_data($1_t)
-devices_get_pseudorandom_data($1_t)
-# open office is looking for the following
-devices_get_direct_rendering_interface_attributes($1_t)
-devices_ignore_use_direct_rendering_interface($1_t)
-
-filesystem_get_all_filesystems_quotas($1_t)
-filesystem_get_all_filesystems_attributes($1_t)
-
-# for eject
-storage_get_fixed_disk_attributes($1_t)
-
-authlogin_read_login_records($1_t)
-authlogin_ignore_write_login_records($1_t)
-authlogin_pam_transition_add_role_use_terminal($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
-authlogin_utempter_transition_add_role_use_terminal($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
-
-corecommands_execute_general_programs($1_t)
-corecommands_execute_system_programs($1_t)
-corecommands_execute_ls($1_t)
-
-domain_execute_all_entrypoint_programs($1_t)
-domain_use_widely_inheritable_file_descriptors($1_t)
-
-files_execute_system_config_script($1_t)
-files_read_system_source_code($1_t)
-
-# Caused by su - init scripts
-init_script_ignore_use_pseudoterminal($1_t)
-
-libraries_use_dynamic_loader($1_t)
-libraries_use_shared_libraries($1_t)
-libraries_execute_dynamic_loader($1_t)
-libraries_execute_library_scripts($1_t)
-
-logging_ignore_get_all_logs_attributes($1_t)
-
-miscfiles_read_localization($1_t)
-miscfiles_manage_man_page_cache($1_t)
-
-selinux_newrole_transition_add_role_use_terminal($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
-
-mta_modify_mail_spool($1_t)
-
-if (allow_execmem) {
-# Allow loading DSOs that require executable stack.
-allow $1_t self:process execmem;
-}
-
-if (use_nfs_home_dirs) {
-filesystem_manage_nfs_directories($1_t)
-filesystem_manage_nfs_files($1_t)
-filesystem_manage_nfs_symbolic_links($1_t)
-filesystem_manage_nfs_named_sockets($1_t)
-filesystem_manage_nfs_named_pipes($1_t)
-filesystem_execute_nfs_files($1_t)
-}
-
-if (use_samba_home_dirs) {
-filesystem_manage_windows_network_directories($1_t)
-filesystem_manage_windows_network_files($1_t)
-filesystem_manage_windows_network_symbolic_links($1_t)
-filesystem_manage_windows_network_named_sockets($1_t)
-filesystem_manage_windows_network_named_pipes($1_t)
-filesystem_execute_windows_network_files($1_t)
-}
-
-if (user_direct_mouse) {
-devices_get_mouse_input($1_t)
-}
-
-if (user_ttyfile_stat) {
-terminal_get_all_private_physical_terminal_attributes($1_t)
-}
-
-optional_policy(`usermanage.te',`
-usermanage_chfn_transition_add_role_use_terminal($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
-usermanage_passwd_transition_add_role_use_terminal($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
-')
-
-ifdef(`TODO',`
-
-# When the user domain runs ps, there will be a number of access
-# denials when ps tries to search /proc.  Do not audit these denials.
-dontaudit $1_t domain:dir r_dir_perms;
-dontaudit $1_t domain:notdevfile_class_set r_file_perms;
-dontaudit $1_t domain:process { getattr getsession };
-#
-# Cups daemon running as user tries to write /etc/printcap
-#
-dontaudit $1_t usr_t:file setattr;
-
-# Access the power device.
-allow $1_t power_device_t:chr_file { getattr read write ioctl };
-
-# Check to see if cdrom is mounted
-allow $1_t mnt_t:dir { getattr search };
-
-#
-# Added to allow reading of cdrom
-#
-allow $1_t rpc_pipefs_t:dir getattr;
-allow $1_t nfsd_fs_t:dir getattr;
-allow $1_t binfmt_misc_fs_t:dir getattr;
-
-# /initrd is left mounted, various programs try to look at it
-dontaudit $1_t ramfs_t:dir getattr;
-
-if (read_default_t) {
-allow $1_t default_t:dir r_dir_perms;
-allow $1_t default_t:notdevfile_class_set r_file_perms;
-}
-
-#
-# Running ifconfig as a user generates the following
-#
-dontaudit $1_t sysctl_net_t:dir search;
-
-dontaudit $1_t default_context_t:dir search;
-
-r_dir_file($1_t, usercanread)
-
-can_ypbind($1_t)
-
-if (allow_execmod) {
-# Allow text relocations on system shared libraries, e.g. libGL.
-allow $1_t texrel_shlib_t:file execmod;
-}
-
-allow $1_t fs_type:dir getattr;
-
-# old "file_browse_domain":
-# Regular files/directories that are not security sensitive
-dontaudit $1_t file_type - secure_file_type:dir_file_class_set getattr;
-dontaudit $1_t file_type - secure_file_type:dir { read search };
-# /dev
-dontaudit $1_t dev_fs:dir_file_class_set getattr;
-dontaudit $1_t dev_fs:dir { read search };
-# /proc
-dontaudit $1_t sysctl_t:dir_file_class_set getattr;
-dontaudit $1_t proc_fs:dir { read search };
-
-allow $1_t autofs_t:dir { search getattr };
-
-can_exec($1_t, { removable_t noexattrfile } )
-if (user_rw_noexattrfile) {
-create_dir_file($1_t, noexattrfile)
-create_dir_file($1_t, removable_t)
-# Write floppies 
-allow $1_t removable_device_t:blk_file rw_file_perms;
-allow $1_t usbtty_device_t:chr_file write;
-} else {
-r_dir_file($1_t, noexattrfile)
-r_dir_file($1_t, removable_t)
-allow $1_t removable_device_t:blk_file r_file_perms;
-}
-allow $1_t usbtty_device_t:chr_file read;
-
-can_exec($1_t, noexattrfile)
-
-# for running TeX programs
-r_dir_file($1_t, tetex_data_t)
-can_exec($1_t, tetex_data_t)
-
-# Run programs developed by other users in the same domain.
-
-can_resmgrd_connect($1_t)
-
-can_ypbind($1_t)
-
-allow $1_t var_lock_t:dir search;
-
-# Grant permissions to access the system DBus
-ifdef(`dbusd.te', `
-dbusd_client(system, $1)
-can_network_server_tcp($1_dbusd_t)
-allow $1_dbusd_t reserved_port_t:tcp_socket name_bind;
-
-allow $1_t system_dbusd_t:dbus { send_msg acquire_svc };
-dbusd_client($1, $1)
-allow $1_t $1_dbusd_t:dbus { send_msg acquire_svc };
-dbusd_domain($1)
-ifdef(`hald.te', `
-allow $1_t hald_t:dbus send_msg;
-allow hald_t $1_t:dbus send_msg;
-') dnl end ifdef hald.te
-') dnl end ifdef dbus.te
-
-# Gnome pannel binds to the following
-ifdef(`cups.te', `
-allow $1_t { cupsd_etc_t cupsd_rw_etc_t }:file { read getattr };
-')
-
-# Connect to inetd.
-ifdef(`inetd.te', `
-can_tcp_connect($1_t, inetd_t)
-can_udp_send($1_t, inetd_t)
-can_udp_send(inetd_t, $1_t)
-')
-
-# Connect to portmap.
-ifdef(`portmap.te', `can_tcp_connect($1_t, portmap_t)')
-
-# Inherit and use sockets from inetd
-ifdef(`inetd.te', `
-allow $1_t inetd_t:fd use;
-allow $1_t inetd_t:tcp_socket rw_stream_socket_perms;
-')
-
-ifdef(`xserver.te', `
-# for /tmp/.ICE-unix
-file_type_auto_trans($1_t, xdm_xserver_tmp_t, $1_tmp_t, sock_file)
-allow $1_t xserver_misc_device_t:{ chr_file blk_file } rw_file_perms;
-')
-
-ifdef(`xdm.te', `
-# Connect to the X server run by the X Display Manager.
-can_unix_connect($1_t, xdm_t)
-allow $1_t xdm_tmp_t:sock_file rw_file_perms;
-allow $1_t xdm_tmp_t:dir r_dir_perms;
-allow $1_t xdm_tmp_t:file { getattr read };
-allow $1_t xdm_xserver_tmp_t:sock_file { read write };
-allow $1_t xdm_xserver_tmp_t:dir search;
-allow $1_t xdm_xserver_t:unix_stream_socket connectto;
-# certain apps want to read xdm.pid file
-r_dir_file($1_t, xdm_var_run_t)
-allow $1_t xdm_var_lib_t:file { getattr read };
-allow xdm_t $1_home_dir_t:dir getattr;
-ifdef(`xauth.te', `
-file_type_auto_trans(xdm_t, $1_home_dir_t, $1_xauth_home_t, file)
-')
-
-# for shared memory
-allow xdm_xserver_t $1_tmpfs_t:file { read write };
-
-')dnl end ifdef xdm.te
-
-ifdef(`rpcd.te', `
-create_dir_file($1_t, nfsd_rw_t)
-')
-
-ifdef(`cardmgr.te', `
-# to allow monitoring of pcmcia status
-allow $1_t cardmgr_var_run_t:file { getattr read };
-')
-
-#
-# Allow graphical boot to check battery lifespan
-#
-ifdef(`apmd.te', `
-allow $1_t apmd_t:unix_stream_socket connectto;
-allow $1_t apmd_var_run_t:sock_file write;
-')
-
-ifdef(`automount.te', `
-allow $1_t autofs_t:dir { search getattr };
-')
-
-ifdef(`pamconsole.te', `
-allow $1_t pam_var_console_t:dir search;
-')
-
-') dnl endif TODO
+	attribute $1_file_type;
+
+	type $1_t, userdomain;
+	domain_make_domain($1_t)
+	corecommands_make_shell_entrypoint($1_t)
+	role $1_r types $1_t;
+	allow system_r $1_r;
+
+	# user pseudoterminal
+	type $1_devpts_t;
+	terminal_make_user_pseudoterminal($1_t,$1_devpts_t)
+
+	# type for contents of home directory
+	type $1_home_t, $1_file_type, home_type;
+	files_make_file($1_home_t)
+
+	# type of home directory
+	type $1_home_dir_t, home_dir_type, home_type;
+	files_make_file($1_home_t)
+
+	type $1_tmp_t, $1_file_type;
+	files_make_temporary_file($1_tmp_t)
+
+	type $1_tmpfs_t;
+	files_make_tmpfs_file($1_tmpfs_t)
+
+	type $1_tty_device_t; 
+	terminal_make_physical_terminal($1_t,$1_tty_device_t)
+
+	##############################
+	#
+	# Local policy
+	#
+
+	allow $1_t self:capability { setgid chown fowner };
+	dontaudit $1_t self:capability { sys_nice fsetid };
+	allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
+	allow $1_t self:process { ptrace setfscreate };
+	allow $1_t self:fd use;
+	allow $1_t self:fifo_file { read getattr lock ioctl write append };
+	allow $1_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
+	allow $1_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
+	allow $1_t self:unix_dgram_socket sendto;
+	allow $1_t self:unix_stream_socket connectto;
+	allow $1_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
+	allow $1_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
+	allow $1_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
+	allow $1_t self:msg { send receive };
+	dontaudit $1_t self:socket create;
+	# Irrelevant until we have labeled networking.
+	#allow $1_t self:udp_socket { sendto recvfrom };
+
+	# evolution and gnome-session try to create a netlink socket
+	dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
+	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
+
+	# execute files in the home directory
+	allow $1_t $1_home_t:file { getattr read execute execute_no_trans };
+
+	# full control of the home directory
+	allow $1_t $1_home_t:file { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto };
+	allow $1_t $1_home_t:lnk_file { create read getattr setattr link unlink rename relabelfrom relabelto };
+	allow $1_t $1_home_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto };
+	allow $1_t $1_home_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto };
+	allow $1_t $1_home_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto };
+	allow $1_t $1_home_dir_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
+	type_transition $1_t $1_home_dir_t:{ file lnk_file dir sock_file fifo_file } $1_home_t;
+
+	allow $1_t $1_tmp_t:file { getattr read execute execute_no_trans };
+
+	# Bind to a Unix domain socket in /tmp.
+	# cjp: this is combination is not checked and should be removed
+	allow $1_t $1_tmp_t:unix_stream_socket name_bind;
+
+	allow $1_t $1_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
+	allow $1_t $1_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+	allow $1_t $1_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
+	allow $1_t $1_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
+	allow $1_t $1_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
+	filesystem_create_private_tmpfs_data($1_t,$1_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
+	allow $1_t $1_tty_device_t:chr_file { setattr getattr read write append ioctl lock };
+
+	allow $1_t unpriv_userdomain:fd use;
+
+	# Instantiate derived domains for a number of programs.
+	# These derived domains encode both information about the calling
+	# user domain and the program, and allow us to maintain separation
+	# between different instances of the program being run by different
+	# user domains.
+	per_userdomain_templates($1)
+
+	kernel_read_kernel_sysctl($1_t)
+	kernel_get_selinuxfs_mount_point($1_t)
+	# Very permissive allowing every domain to see every type:
+	kernel_get_sysvipc_info($1_t)
+	# Find CDROM devices:
+	kernel_read_device_sysctl($1_t)
+	# GNOME checks for usb and other devices:
+	kernel_modify_usb_hardware_config_option($1_t)
+
+	corenetwork_sendrecv_tcp_on_all_interfaces($1_t)
+	corenetwork_sendrecv_raw_on_all_interfaces($1_t)
+	corenetwork_sendrecv_udp_on_all_interfaces($1_t)
+	corenetwork_sendrecv_tcp_on_all_nodes($1_t)
+	corenetwork_sendrecv_raw_on_all_nodes($1_t)
+	corenetwork_sendrecv_udp_on_all_nodes($1_t)
+	corenetwork_sendrecv_tcp_on_all_ports($1_t)
+	corenetwork_sendrecv_udp_on_all_ports($1_t)
+	corenetwork_bind_tcp_on_all_nodes($1_t)
+	corenetwork_bind_udp_on_all_nodes($1_t)
+	# allow port_t name binding for UDP because it is not very usable otherwise
+	corenetwork_bind_udp_on_general_port($1_t)
+
+	devices_get_input_event($1_t)
+	devices_read_misc($1_t)
+	devices_write_misc($1_t)
+	devices_play_sound($1_t)
+	devices_record_sound_input($1_t)
+	devices_read_sound_mixer_levels($1_t)
+	devices_write_sound_mixer_levels($1_t)
+	devices_get_random_data($1_t)
+	devices_get_pseudorandom_data($1_t)
+	# open office is looking for the following
+	devices_get_direct_rendering_interface_attributes($1_t)
+	devices_ignore_use_direct_rendering_interface($1_t)
+
+	filesystem_get_all_filesystems_quotas($1_t)
+	filesystem_get_all_filesystems_attributes($1_t)
+
+	# for eject
+	storage_get_fixed_disk_attributes($1_t)
+
+	authlogin_read_login_records($1_t)
+	authlogin_ignore_write_login_records($1_t)
+	authlogin_pam_transition_add_role_use_terminal($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
+	authlogin_utempter_transition_add_role_use_terminal($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
+
+	corecommands_execute_general_programs($1_t)
+	corecommands_execute_system_programs($1_t)
+	corecommands_execute_ls($1_t)
+
+	domain_execute_all_entrypoint_programs($1_t)
+	domain_use_widely_inheritable_file_descriptors($1_t)
+
+	files_execute_system_config_script($1_t)
+	files_read_system_source_code($1_t)
+
+	# Caused by su - init scripts
+	init_script_ignore_use_pseudoterminal($1_t)
+
+	libraries_use_dynamic_loader($1_t)
+	libraries_use_shared_libraries($1_t)
+	libraries_execute_dynamic_loader($1_t)
+	libraries_execute_library_scripts($1_t)
+
+	logging_ignore_get_all_logs_attributes($1_t)
+
+	miscfiles_read_localization($1_t)
+	miscfiles_manage_man_page_cache($1_t)
+
+	selinux_newrole_transition_add_role_use_terminal($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
+
+	mta_modify_mail_spool($1_t)
+
+	if (allow_execmem) {
+		# Allow loading DSOs that require executable stack.
+		allow $1_t self:process execmem;
+	}
+
+	if (use_nfs_home_dirs) {
+		filesystem_manage_nfs_directories($1_t)
+		filesystem_manage_nfs_files($1_t)
+		filesystem_manage_nfs_symbolic_links($1_t)
+		filesystem_manage_nfs_named_sockets($1_t)
+		filesystem_manage_nfs_named_pipes($1_t)
+		filesystem_execute_nfs_files($1_t)
+	}
+
+	if (use_samba_home_dirs) {
+		filesystem_manage_windows_network_directories($1_t)
+		filesystem_manage_windows_network_files($1_t)
+		filesystem_manage_windows_network_symbolic_links($1_t)
+		filesystem_manage_windows_network_named_sockets($1_t)
+		filesystem_manage_windows_network_named_pipes($1_t)
+		filesystem_execute_windows_network_files($1_t)
+	}
+
+	if (user_direct_mouse) {
+		devices_get_mouse_input($1_t)
+	}
+
+	if (user_ttyfile_stat) {
+		terminal_get_all_private_physical_terminal_attributes($1_t)
+	}
+
+	optional_policy(`usermanage.te',`
+		usermanage_chfn_transition_add_role_use_terminal($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
+		usermanage_passwd_transition_add_role_use_terminal($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
+	')
+
+	ifdef(`TODO',`
+
+	# When the user domain runs ps, there will be a number of access
+	# denials when ps tries to search /proc.  Do not audit these denials.
+	dontaudit $1_t domain:dir r_dir_perms;
+	dontaudit $1_t domain:notdevfile_class_set r_file_perms;
+	dontaudit $1_t domain:process { getattr getsession };
+	#
+	# Cups daemon running as user tries to write /etc/printcap
+	#
+	dontaudit $1_t usr_t:file setattr;
+
+	# Access the power device.
+	allow $1_t power_device_t:chr_file { getattr read write ioctl };
+
+	# Check to see if cdrom is mounted
+	allow $1_t mnt_t:dir { getattr search };
+
+	#
+	# Added to allow reading of cdrom
+	#
+	allow $1_t rpc_pipefs_t:dir getattr;
+	allow $1_t nfsd_fs_t:dir getattr;
+	allow $1_t binfmt_misc_fs_t:dir getattr;
+
+	# /initrd is left mounted, various programs try to look at it
+	dontaudit $1_t ramfs_t:dir getattr;
+
+	if (read_default_t) {
+		allow $1_t default_t:dir r_dir_perms;
+		allow $1_t default_t:notdevfile_class_set r_file_perms;
+	}
+
+	#
+	# Running ifconfig as a user generates the following
+	#
+	dontaudit $1_t sysctl_net_t:dir search;
+
+	dontaudit $1_t default_context_t:dir search;
+
+	r_dir_file($1_t, usercanread)
+
+	can_ypbind($1_t)
+
+	if (allow_execmod) {
+		# Allow text relocations on system shared libraries, e.g. libGL.
+		allow $1_t texrel_shlib_t:file execmod;
+	}
+
+	allow $1_t fs_type:dir getattr;
+
+	# old "file_browse_domain":
+	# Regular files/directories that are not security sensitive
+	dontaudit $1_t file_type - secure_file_type:dir_file_class_set getattr;
+	dontaudit $1_t file_type - secure_file_type:dir { read search };
+	# /dev
+	dontaudit $1_t dev_fs:dir_file_class_set getattr;
+	dontaudit $1_t dev_fs:dir { read search };
+	# /proc
+	dontaudit $1_t sysctl_t:dir_file_class_set getattr;
+	dontaudit $1_t proc_fs:dir { read search };
+
+	allow $1_t autofs_t:dir { search getattr };
+
+	can_exec($1_t, { removable_t noexattrfile } )
+	if (user_rw_noexattrfile) {
+		create_dir_file($1_t, noexattrfile)
+		create_dir_file($1_t, removable_t)
+		# Write floppies 
+		allow $1_t removable_device_t:blk_file rw_file_perms;
+		allow $1_t usbtty_device_t:chr_file write;
+	} else {
+		r_dir_file($1_t, noexattrfile)
+		r_dir_file($1_t, removable_t)
+		allow $1_t removable_device_t:blk_file r_file_perms;
+	}
+	allow $1_t usbtty_device_t:chr_file read;
+
+	can_exec($1_t, noexattrfile)
+
+	# for running TeX programs
+	r_dir_file($1_t, tetex_data_t)
+	can_exec($1_t, tetex_data_t)
+
+	# Run programs developed by other users in the same domain.
+
+	can_resmgrd_connect($1_t)
+
+	can_ypbind($1_t)
+
+	allow $1_t var_lock_t:dir search;
+
+	# Grant permissions to access the system DBus
+	ifdef(`dbusd.te', `
+		dbusd_client(system, $1)
+		can_network_server_tcp($1_dbusd_t)
+		allow $1_dbusd_t reserved_port_t:tcp_socket name_bind;
+	
+		allow $1_t system_dbusd_t:dbus { send_msg acquire_svc };
+		dbusd_client($1, $1)
+		allow $1_t $1_dbusd_t:dbus { send_msg acquire_svc };
+		dbusd_domain($1)
+		ifdef(`hald.te', `
+			allow $1_t hald_t:dbus send_msg;
+			allow hald_t $1_t:dbus send_msg;
+		')
+	')
+
+	# Gnome pannel binds to the following
+	ifdef(`cups.te', `
+		allow $1_t { cupsd_etc_t cupsd_rw_etc_t }:file { read getattr };
+	')
+
+	# Connect to inetd.
+	ifdef(`inetd.te', `
+		can_tcp_connect($1_t, inetd_t)
+		can_udp_send($1_t, inetd_t)
+		can_udp_send(inetd_t, $1_t)
+	')
+
+	# Connect to portmap.
+	ifdef(`portmap.te', `can_tcp_connect($1_t, portmap_t)')
+
+	# Inherit and use sockets from inetd
+	ifdef(`inetd.te', `
+		allow $1_t inetd_t:fd use;
+		allow $1_t inetd_t:tcp_socket rw_stream_socket_perms;
+	')
+
+	ifdef(`xserver.te', `
+		# for /tmp/.ICE-unix
+		file_type_auto_trans($1_t, xdm_xserver_tmp_t, $1_tmp_t, sock_file)
+		allow $1_t xserver_misc_device_t:{ chr_file blk_file } rw_file_perms;
+	')
+
+	ifdef(`xdm.te', `
+		# Connect to the X server run by the X Display Manager.
+		can_unix_connect($1_t, xdm_t)
+		allow $1_t xdm_tmp_t:sock_file rw_file_perms;
+		allow $1_t xdm_tmp_t:dir r_dir_perms;
+		allow $1_t xdm_tmp_t:file { getattr read };
+		allow $1_t xdm_xserver_tmp_t:sock_file { read write };
+		allow $1_t xdm_xserver_tmp_t:dir search;
+		allow $1_t xdm_xserver_t:unix_stream_socket connectto;
+		# certain apps want to read xdm.pid file
+		r_dir_file($1_t, xdm_var_run_t)
+		allow $1_t xdm_var_lib_t:file { getattr read };
+		allow xdm_t $1_home_dir_t:dir getattr;
+		ifdef(`xauth.te', `
+			file_type_auto_trans(xdm_t, $1_home_dir_t, $1_xauth_home_t, file)
+		')
+
+		# for shared memory
+		allow xdm_xserver_t $1_tmpfs_t:file { read write };
+
+	')
+
+	ifdef(`rpcd.te', `
+		create_dir_file($1_t, nfsd_rw_t)
+	')
+
+	ifdef(`cardmgr.te', `
+		# to allow monitoring of pcmcia status
+		allow $1_t cardmgr_var_run_t:file { getattr read };
+	')
+
+	#
+	# Allow graphical boot to check battery lifespan
+	#
+	ifdef(`apmd.te', `
+		allow $1_t apmd_t:unix_stream_socket connectto;
+		allow $1_t apmd_var_run_t:sock_file write;
+	')
+
+	ifdef(`automount.te', `
+		allow $1_t autofs_t:dir { search getattr };
+	')
+
+	ifdef(`pamconsole.te', `
+		allow $1_t pam_var_console_t:dir search;
+	')
+
+	') dnl endif TODO
 
 ')dnl end base_user_domain macro
 
@@ -402,201 +402,200 @@ allow $1_t pam_var_console_t:dir search;
 #
 
 define(`user_domain_template', `
+	##############################
+	#
+	# Declarations
+	#
 
-##############################
-#
-# Declarations
-#
+	# Inherit rules for ordinary users.
+	base_user_domain($1)
 
-# Inherit rules for ordinary users.
-base_user_domain($1)
+	typeattribute $1_t unpriv_userdomain; #, web_client_domain, nscd_client_domain;
+	domain_make_file_descriptors_widely_inheritable($1_t)
 
-typeattribute $1_t unpriv_userdomain; #, web_client_domain, nscd_client_domain;
-domain_make_file_descriptors_widely_inheritable($1_t)
+	#typeattribute $1_devpts_t userpty_type, user_tty_type;
+	#typeattribute $1_home_dir_t user_home_dir_type;
+	#typeattribute $1_home_t user_home_type;
 
-#typeattribute $1_devpts_t userpty_type, user_tty_type;
-#typeattribute $1_home_dir_t user_home_dir_type;
-#typeattribute $1_home_t user_home_type;
+	#typeattribute $1_tmp_t, user_tmpfile;
 
-#typeattribute $1_tmp_t, user_tmpfile;
-
-#typeattribute $1_tty_device_t user_tty_type;
+	#typeattribute $1_tty_device_t user_tty_type;
  
-##############################
-#
-# Local policy
-#
+	##############################
+	#
+	# Local policy
+	#
 
-allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
-terminal_create_private_pseudoterminal($1_t,$1_devpts_t)
+	allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
+	terminal_create_private_pseudoterminal($1_t,$1_devpts_t)
 
-# Rules used to associate a homedir as a mountpoint
-allow $1_home_t self:filesystem associate;
-allow $1_file_type $1_home_t:filesystem associate;
+	# Rules used to associate a homedir as a mountpoint
+	allow $1_home_t self:filesystem associate;
+	allow $1_file_type $1_home_t:filesystem associate;
 
-# user temporary files
-allow $1_t $1_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
-allow $1_t $1_tmp_t:lnk_file { create read getattr setattr link unlink rename };
-allow $1_t $1_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
-allow $1_t $1_tmp_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
-allow $1_t $1_tmp_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
-files_create_private_tmp_data($1_t, $1_tmp_t, { file lnk_file dir sock_file fifo_file })
+	# user temporary files
+	allow $1_t $1_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+	allow $1_t $1_tmp_t:lnk_file { create read getattr setattr link unlink rename };
+	allow $1_t $1_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
+	allow $1_t $1_tmp_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
+	allow $1_t $1_tmp_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
+	files_create_private_tmp_data($1_t, $1_tmp_t, { file lnk_file dir sock_file fifo_file })
 
-# privileged home directory writers
-allow privhome $1_home_t:file { create ioctl read getattr lock write setattr append link unlink rename };
-allow privhome $1_home_t:lnk_file { create read getattr setattr link unlink rename };
-allow privhome $1_home_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
-allow privhome $1_home_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
-allow privhome $1_home_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
-type_transition privhome $1_home_dir_t:{ file lnk_file dir sock_file fifo_file } $1_home_t;
+	# privileged home directory writers
+	allow privhome $1_home_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+	allow privhome $1_home_t:lnk_file { create read getattr setattr link unlink rename };
+	allow privhome $1_home_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
+	allow privhome $1_home_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
+	allow privhome $1_home_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
+	type_transition privhome $1_home_dir_t:{ file lnk_file dir sock_file fifo_file } $1_home_t;
 
-kernel_read_system_state($1_t)
-kernel_read_network_state($1_t)
-kernel_read_hardware_state($1_t)
+	kernel_read_system_state($1_t)
+	kernel_read_network_state($1_t)
+	kernel_read_hardware_state($1_t)
 
-# cjp: why?
-bootloader_read_kernel_symbol_table($1_t)
+	# cjp: why?
+	bootloader_read_kernel_symbol_table($1_t)
 
-# port access is audited even if dac would not have allowed it, so dontaudit it here
-corenetwork_ignore_bind_tcp_on_all_reserved_ports($1_t)
+	# port access is audited even if dac would not have allowed it, so dontaudit it here
+	corenetwork_ignore_bind_tcp_on_all_reserved_ports($1_t)
 
-files_read_general_system_config($1_t)
-files_list_home_directories($1_t)
-files_read_general_application_resources($1_t)
+	files_read_general_system_config($1_t)
+	files_list_home_directories($1_t)
+	files_read_general_application_resources($1_t)
 
-init_script_read_runtime_data($1_t)
-# The library functions always try to open read-write first,
-# then fall back to read-only if it fails. 
-init_script_ignore_write_runtime_data($1_t)
-# Stop warnings about access to /dev/console
-init_ignore_use_file_descriptors($1_t)
-init_script_ignore_use_file_descriptors($1_t)
+	init_script_read_runtime_data($1_t)
+	# The library functions always try to open read-write first,
+	# then fall back to read-only if it fails. 
+	init_script_ignore_write_runtime_data($1_t)
+	# Stop warnings about access to /dev/console
+	init_ignore_use_file_descriptors($1_t)
+	init_script_ignore_use_file_descriptors($1_t)
 
-miscfiles_read_man_pages($1_t)
+	miscfiles_read_man_pages($1_t)
 
-selinux_read_config($1_t)
-# Allow users to execute checkpolicy without a domain transition
-# so it can be used without privilege to write real binary policy file
-selinux_checkpolicy_execute($1_t)
+	selinux_read_config($1_t)
+	# Allow users to execute checkpolicy without a domain transition
+	# so it can be used without privilege to write real binary policy file
+	selinux_checkpolicy_execute($1_t)
 
-if (user_dmesg) {
-kernel_read_ring_buffer($1_t)
-} else {
-kernel_ignore_read_ring_buffer($1_t)
-}
+	if (user_dmesg) {
+		kernel_read_ring_buffer($1_t)
+	} else {
+		kernel_ignore_read_ring_buffer($1_t)
+	}
 
-# Allow users to run TCP servers (bind to ports and accept connection from
-# the same domain and outside users)  disabling this forces FTP passive mode
-# and may change other protocols
-if (user_tcp_server) {
-corenetwork_bind_tcp_on_general_port($1_t)
-}
+	# Allow users to run TCP servers (bind to ports and accept connection from
+	# the same domain and outside users)  disabling this forces FTP passive mode
+	# and may change other protocols
+	if (user_tcp_server) {
+		corenetwork_bind_tcp_on_general_port($1_t)
+	}
 
-# for running depmod as part of the kernel packaging process
-optional_policy(`modutils.te',`
-modutils_read_kernel_module_loading_config($1_t)
-')
+	# for running depmod as part of the kernel packaging process
+	optional_policy(`modutils.te',`
+		modutils_read_kernel_module_loading_config($1_t)
+	')
 
-optional_policy(`selinux.te',`
-# for when the network connection is killed
-selinux_newrole_ignore_signal($1_t)
-')
+	optional_policy(`selinux.te',`
+		# for when the network connection is killed
+		selinux_newrole_ignore_signal($1_t)
+	')
 
-# Need the following rule to allow users to run vpnc
-optional_policy(`xserver.te', `
-corenetwork_bind_tcp_on_xserver_port($1_t)
-')
+	# Need the following rule to allow users to run vpnc
+	optional_policy(`xserver.te', `
+		corenetwork_bind_tcp_on_xserver_port($1_t)
+	')
 
-ifdef(`TODO',`
+	ifdef(`TODO',`
 
-dontaudit $1_t boot_t:lnk_file read;
-dontaudit $1_t boot_t:file read;
+	dontaudit $1_t boot_t:lnk_file read;
+	dontaudit $1_t boot_t:file read;
 
-can_kerberos($1_t)
+	can_kerberos($1_t)
 
-# do not audit read on disk devices
-dontaudit $1_t { removable_device_t fixed_disk_device_t }:blk_file read;
+	# do not audit read on disk devices
+	dontaudit $1_t { removable_device_t fixed_disk_device_t }:blk_file read;
 
-ifdef(`xdm.te', `
-allow xdm_t $1_home_t:lnk_file read;
-allow xdm_t $1_home_t:dir search;
-#
-# Changing this to dontaudit should cause the .xsession-errors file to be written to /tmp
-# 
-dontaudit xdm_t $1_home_t:file rw_file_perms;
-')dnl end ifdef xdm.te
+	ifdef(`xdm.te', `
+		allow xdm_t $1_home_t:lnk_file read;
+		allow xdm_t $1_home_t:dir search;
+		#
+		# Changing this to dontaudit should cause the .xsession-errors file to be written to /tmp
+		# 
+		dontaudit xdm_t $1_home_t:file rw_file_perms;
+	')
 
-ifdef(`ftpd.te', `
-if (ftp_home_dir) {
-file_type_auto_trans(ftpd_t, $1_home_dir_t, $1_home_t)
-}
-')dnl end ifdef ftpd
+	ifdef(`ftpd.te', `
+		if (ftp_home_dir) {
+			file_type_auto_trans(ftpd_t, $1_home_dir_t, $1_home_t)
+		}
+	')
 
-if (read_default_t) {
-allow $1 default_t:dir r_dir_perms;
-allow $1 default_t:notdevfile_class_set r_file_perms;
-}
+	if (read_default_t) {
+		allow $1 default_t:dir r_dir_perms;
+		allow $1 default_t:notdevfile_class_set r_file_perms;
+	}
 
-can_exec($1_t, usr_t)
+	can_exec($1_t, usr_t)
 
-# Read directories and files with the readable_t type.
-# This type is a general type for "world"-readable files.
-allow $1_t readable_t:dir r_dir_perms;
-allow $1_t readable_t:notdevfile_class_set r_file_perms;
+	# Read directories and files with the readable_t type.
+	# This type is a general type for "world"-readable files.
+	allow $1_t readable_t:dir r_dir_perms;
+	allow $1_t readable_t:notdevfile_class_set r_file_perms;
 
-# Stat lost+found.
-allow $1_t lost_found_t:dir getattr;
+	# Stat lost+found.
+	allow $1_t lost_found_t:dir getattr;
 
-# Read /var, /var/spool, /var/run.
-allow $1_t var_t:dir r_dir_perms;
-allow $1_t var_t:notdevfile_class_set r_file_perms;
-allow $1_t var_spool_t:dir r_dir_perms;
-allow $1_t var_spool_t:notdevfile_class_set r_file_perms;
-allow $1_t var_run_t:dir r_dir_perms;
-allow $1_t var_run_t:{ file lnk_file } r_file_perms;
-allow $1_t var_lib_t:dir r_dir_perms;
-allow $1_t var_lib_t:file { getattr read };
+	# Read /var, /var/spool, /var/run.
+	allow $1_t var_t:dir r_dir_perms;
+	allow $1_t var_t:notdevfile_class_set r_file_perms;
+	allow $1_t var_spool_t:dir r_dir_perms;
+	allow $1_t var_spool_t:notdevfile_class_set r_file_perms;
+	allow $1_t var_run_t:dir r_dir_perms;
+	allow $1_t var_run_t:{ file lnk_file } r_file_perms;
+	allow $1_t var_lib_t:dir r_dir_perms;
+	allow $1_t var_lib_t:file { getattr read };
 
-# Allow users to rw usb devices
-if (user_rw_usb) {
-rw_dir_create_file($1_t,usbdevfs_t)
-} else {
-r_dir_file($1_t,usbdevfs_t)
-}
+	# Allow users to rw usb devices
+	if (user_rw_usb) {
+		rw_dir_create_file($1_t,usbdevfs_t)
+	} else {
+		r_dir_file($1_t,usbdevfs_t)
+	}
 
-# Do not audit write denials to /etc/ld.so.cache.
-dontaudit $1_t ld_so_cache_t:file write;
+	# Do not audit write denials to /etc/ld.so.cache.
+	dontaudit $1_t ld_so_cache_t:file write;
 
-dontaudit $1_t sysadm_home_t:file { read append };
+	dontaudit $1_t sysadm_home_t:file { read append };
 
-ifdef(`syslogd.te', `
-# Some programs that are left in $1_t will try to connect
-# to syslogd, but we do not want to let them generate log messages.
-# Do not audit.
-dontaudit $1_t devlog_t:sock_file { read write };
-dontaudit $1_t syslogd_t:unix_dgram_socket sendto;
-')
+	ifdef(`syslogd.te', `
+		# Some programs that are left in $1_t will try to connect
+		# to syslogd, but we do not want to let them generate log messages.
+		# Do not audit.
+		dontaudit $1_t devlog_t:sock_file { read write };
+		dontaudit $1_t syslogd_t:unix_dgram_socket sendto;
+	')
 
-allow $1_t initrc_t:fifo_file write;
+	allow $1_t initrc_t:fifo_file write;
 
-ifdef(`user_can_mount', `
-#
-#  Allow users to mount file systems like floppies and cdrom
-#
-mount_domain($1, $1_mount, `, fs_domain')
-r_dir_file($1_t, mnt_t)
-allow $1_mount_t device_t:lnk_file read;
-allow $1_mount_t removable_device_t:blk_file read;
-allow $1_mount_t iso9660_t:filesystem relabelfrom;
-allow $1_mount_t removable_t:filesystem { mount relabelto };
-allow $1_mount_t removable_t:dir mounton;
-ifdef(`xdm.te', `
-allow $1_mount_t xdm_t:fd use;
-allow $1_mount_t xdm_t:fifo_file { read write };
-')
-')
+	ifdef(`user_can_mount', `
+		#
+		#  Allow users to mount file systems like floppies and cdrom
+		#
+		mount_domain($1, $1_mount, `, fs_domain')
+		r_dir_file($1_t, mnt_t)
+		allow $1_mount_t device_t:lnk_file read;
+		allow $1_mount_t removable_device_t:blk_file read;
+		allow $1_mount_t iso9660_t:filesystem relabelfrom;
+		allow $1_mount_t removable_t:filesystem { mount relabelto };
+		allow $1_mount_t removable_t:dir mounton;
+		ifdef(`xdm.te', `
+			allow $1_mount_t xdm_t:fd use;
+			allow $1_mount_t xdm_t:fifo_file { read write };
+		')
+	')
 
-') dnl end TODO
+	') dnl end TODO
 ')
 
 ########################################
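Review bot: In the TODO-guarded part of `user_domain_template`, the `if (read_default_t)` conditional still names `$1` as the rule source, and the re-indent carries that over unchanged. Everywhere else in this template the domain is `$1_t`, and the copy of the same conditional in `base_user_domain` uses `$1_t`, so this looks like a typo. It would presumably fail to resolve, or not apply to the user domain, once the TODO section is enabled. I would change the two rules to `allow $1_t default_t:dir r_dir_perms;` and `allow $1_t default_t:notdevfile_class_set r_file_perms;`. Since this template already invokes `base_user_domain($1)`, which carries the same conditional, the block may instead be redundant here and could be dropped, so the `default_t` read grant lives in one place.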
@@ -604,208 +603,207 @@ allow $1_mount_t xdm_t:fifo_file { read write };
 # Admin domain template
 #
 define(`admin_domain_template',`
+	##############################
+	#
+	# Declarations
+	#
 
-##############################
-#
-# Declarations
-#
+	# Inherit rules for ordinary users.
+	base_user_domain($1)
 
-# Inherit rules for ordinary users.
-base_user_domain($1)
+	typeattribute $1_t privhome; #, admin, web_client_domain, nscd_client_domain;
+	kernel_make_object_identity_change_constraint_exception($1_t)
+	role system_r types $1_t;
 
-typeattribute $1_t privhome; #, admin, web_client_domain, nscd_client_domain;
-kernel_make_object_identity_change_constraint_exception($1_t)
-role system_r types $1_t;
+	#ifdef(`direct_sysadm_daemon', `, priv_system_role')
+	#; dnl end of sysadm_t type declaration
 
-#ifdef(`direct_sysadm_daemon', `, priv_system_role')
-#; dnl end of sysadm_t type declaration
+	typeattribute $1_devpts_t admin_terminal;
 
-typeattribute $1_devpts_t admin_terminal;
+	typeattribute $1_tty_device_t admin_terminal;
 
-typeattribute $1_tty_device_t admin_terminal;
+	##############################
+	#
+	# $1_t local policy
+	#
 
-##############################
-#
-# $1_t local policy
-#
+	allow $1_t self:capability ~sys_module;
+	allow $1_t self:process { setexec setfscreate };
 
-allow $1_t self:capability ~sys_module;
-allow $1_t self:process { setexec setfscreate };
+	# Set password information for other users.
+	allow $1_t self:passwd { passwd chfn chsh };
 
-# Set password information for other users.
-allow $1_t self:passwd { passwd chfn chsh };
+	# Skip authentication when pam_rootok is specified.
+	allow $1_t self:passwd rootok;
 
-# Skip authentication when pam_rootok is specified.
-allow $1_t self:passwd rootok;
+	# Manipulate other users crontab.
+	allow $1_t self:passwd crontab;
 
-# Manipulate other users crontab.
-allow $1_t self:passwd crontab;
+	# for the administrator to run TCP servers directly
+	allow $1_t self:tcp_socket { acceptfrom connectto recvfrom };
 
-# for the administrator to run TCP servers directly
-allow $1_t self:tcp_socket { acceptfrom connectto recvfrom };
+	allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
+	terminal_create_private_pseudoterminal($1_t,$1_devpts_t)
 
-allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
-terminal_create_private_pseudoterminal($1_t,$1_devpts_t)
+	allow $1_t $1_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
+	allow $1_t $1_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+	allow $1_t $1_tmp_t:lnk_file { create ioctl read getattr lock write setattr append link unlink rename };
+	allow $1_t $1_tmp_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
+	allow $1_t $1_tmp_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
+	files_create_private_tmp_data($1_t, $1_tmp_t, { file dir lnk_file sock_file fifo_file })
 
-allow $1_t $1_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
-allow $1_t $1_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
-allow $1_t $1_tmp_t:lnk_file { create ioctl read getattr lock write setattr append link unlink rename };
-allow $1_t $1_tmp_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
-allow $1_t $1_tmp_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
-files_create_private_tmp_data($1_t, $1_tmp_t, { file dir lnk_file sock_file fifo_file })
+	kernel_read_system_state($1_t)
+	kernel_read_network_state($1_t)
+	kernel_read_software_raid_state($1_t)
+	kernel_get_core_interface_attributes($1_t)
+	kernel_get_message_interface_attributes($1_t)
+	kernel_change_ring_buffer_level($1_t)
+	kernel_clear_ring_buffer($1_t)
+	kernel_read_ring_buffer($1_t)
+	kernel_get_sysvipc_info($1_t)
+	kernel_modify_all_sysctl($1_t)
+	kernel_set_selinux_enforcement_mode($1_t)
+	kernel_set_selinux_boolean($1_t)
+	kernel_set_selinux_security_parameters($1_t)
+	# Get security policy decisions:
+	kernel_get_selinuxfs_mount_point($1_t)
+	kernel_validate_selinux_context($1_t)
+	kernel_compute_selinux_access_vector($1_t)
+	kernel_compute_selinux_create_context($1_t)
+	kernel_compute_selinux_relabel_context($1_t)
+	kernel_compute_selinux_reachable_user_contexts($1_t)
+	# signal unlabeled processes:
+	kernel_kill_unlabeled_process($1_t)
+	kernel_signal_unlabeled_process($1_t)
+	kernel_sigstop_unlabeled_process($1_t)
+	kernel_signull_unlabeled_process($1_t)
+	kernel_sigchld_unlabeled_process($1_t)
 
-kernel_read_system_state($1_t)
-kernel_read_network_state($1_t)
-kernel_read_software_raid_state($1_t)
-kernel_get_core_interface_attributes($1_t)
-kernel_get_message_interface_attributes($1_t)
-kernel_change_ring_buffer_level($1_t)
-kernel_clear_ring_buffer($1_t)
-kernel_read_ring_buffer($1_t)
-kernel_get_sysvipc_info($1_t)
-kernel_modify_all_sysctl($1_t)
-kernel_set_selinux_enforcement_mode($1_t)
-kernel_set_selinux_boolean($1_t)
-kernel_set_selinux_security_parameters($1_t)
-# Get security policy decisions:
-kernel_get_selinuxfs_mount_point($1_t)
-kernel_validate_selinux_context($1_t)
-kernel_compute_selinux_access_vector($1_t)
-kernel_compute_selinux_create_context($1_t)
-kernel_compute_selinux_relabel_context($1_t)
-kernel_compute_selinux_reachable_user_contexts($1_t)
-# signal unlabeled processes:
-kernel_kill_unlabeled_process($1_t)
-kernel_signal_unlabeled_process($1_t)
-kernel_sigstop_unlabeled_process($1_t)
-kernel_signull_unlabeled_process($1_t)
-kernel_sigchld_unlabeled_process($1_t)
+	corenetwork_bind_tcp_on_general_port($1_t)
 
-corenetwork_bind_tcp_on_general_port($1_t)
+	devices_get_generic_block_device_attributes($1_t)
+	devices_get_generic_character_device_attributes($1_t)
+	devices_get_all_block_device_attributes($1_t)
+	devices_get_all_character_device_attributes($1_t)
 
-devices_get_generic_block_device_attributes($1_t)
-devices_get_generic_character_device_attributes($1_t)
-devices_get_all_block_device_attributes($1_t)
-devices_get_all_character_device_attributes($1_t)
+	filesystem_get_all_filesystems_attributes($1_t)
+	filesystem_set_all_filesystems_quotas($1_t)
 
-filesystem_get_all_filesystems_attributes($1_t)
-filesystem_set_all_filesystems_quotas($1_t)
+	storage_raw_read_removable_device($1_t)
+	storage_raw_write_removable_device($1_t)
 
-storage_raw_read_removable_device($1_t)
-storage_raw_write_removable_device($1_t)
+	terminal_use_console($1_t)
+	terminal_use_general_physical_terminal($1_t)
+	terminal_use_all_private_pseudoterminals($1_t)
+	terminal_use_all_private_physical_terminals($1_t)
 
-terminal_use_console($1_t)
-terminal_use_general_physical_terminal($1_t)
-terminal_use_all_private_pseudoterminals($1_t)
-terminal_use_all_private_physical_terminals($1_t)
+	# Manage almost all files
+	authlogin_manage_all_files_except_shadow($1_t)
+	# Relabel almost all files
+	authlogin_relabel_all_files_except_shadow($1_t)
 
-# Manage almost all files
-authlogin_manage_all_files_except_shadow($1_t)
-# Relabel almost all files
-authlogin_relabel_all_files_except_shadow($1_t)
+	domain_set_all_domains_priorities($1_t)
+	domain_read_all_domains_process_state($1_t)
+	# signal all domains:
+	domain_kill_all_domains($1_t)
+	domain_signal_all_domains($1_t)
+	domain_signull_all_domains($1_t)
+	domain_sigstop_all_domains($1_t)
+	domain_sigstop_all_domains($1_t)
+	domain_sigchld_all_domains($1_t)
 
-domain_set_all_domains_priorities($1_t)
-domain_read_all_domains_process_state($1_t)
-# signal all domains:
-domain_kill_all_domains($1_t)
-domain_signal_all_domains($1_t)
-domain_signull_all_domains($1_t)
-domain_sigstop_all_domains($1_t)
-domain_sigstop_all_domains($1_t)
-domain_sigchld_all_domains($1_t)
+	files_execute_system_source_code_scripts($1_t)
 
-files_execute_system_source_code_scripts($1_t)
+	init_use_control_channel($1_t)
 
-init_use_control_channel($1_t)
+	logging_send_system_log_message($1_t)
 
-logging_send_system_log_message($1_t)
+	modutils_insmod_transition($1_t)
 
-modutils_insmod_transition($1_t)
+	selinux_read_config($1_t)
+	# The following rule is temporary until such time that a complete
+	# policy management infrastructure is in place so that an administrator
+	# cannot directly manipulate policy files with arbitrary programs.
+	selinux_manage_source_policy($1_t)
+	# Violates the goal of limiting write access to checkpolicy.
+	# But presently necessary for installing the file_contexts file.
+	selinux_manage_binary_policy($1_t)
 
-selinux_read_config($1_t)
-# The following rule is temporary until such time that a complete
-# policy management infrastructure is in place so that an administrator
-# cannot directly manipulate policy files with arbitrary programs.
-selinux_manage_source_policy($1_t)
-# Violates the goal of limiting write access to checkpolicy.
-# But presently necessary for installing the file_contexts file.
-selinux_manage_binary_policy($1_t)
+	optional_policy(`cron.te',`
+		cron_admin_template($1)
+	')
 
-optional_policy(`cron.te',`
-cron_admin_template($1)
-')
+	ifdef(`TODO',`
 
-ifdef(`TODO',`
+	# Let admin stat the shadow file.
+	allow $1_t shadow_t:file getattr;
 
-# Let admin stat the shadow file.
-allow $1_t shadow_t:file getattr;
+	# for lsof
+	allow $1_t mtrr_device_t:file getattr;
 
-# for lsof
-allow $1_t mtrr_device_t:file getattr;
+	allow $1_t serial_device:chr_file setattr;
 
-allow $1_t serial_device:chr_file setattr;
+	# allow setting up tunnels
+	allow $1_t tun_tap_device_t:chr_file rw_file_perms;
 
-# allow setting up tunnels
-allow $1_t tun_tap_device_t:chr_file rw_file_perms;
+	allow $1_t ptyfile:chr_file getattr;
 
-allow $1_t ptyfile:chr_file getattr;
+	# Run programs from staff home directories.
+	# Not ideal, but typical if users want to login as both sysadm_t or staff_t.
+	can_exec($1_t, staff_home_t)
 
-# Run programs from staff home directories.
-# Not ideal, but typical if users want to login as both sysadm_t or staff_t.
-can_exec($1_t, staff_home_t)
+	# Run admin programs that require different permissions in their own domain.
+	# These rules were moved into the appropriate program domain file.
 
-# Run admin programs that require different permissions in their own domain.
-# These rules were moved into the appropriate program domain file.
+	ifdef(`startx.te', `
+		ifdef(`xserver.te', `
+			# Create files in /tmp/.X11-unix with our X servers derived
+			# tmp type rather than user_xserver_tmp_t.
+			file_type_auto_trans($1_xserver_t, xserver_tmpfile, $1_xserver_tmp_t, sock_file)
+		')
+	')
 
-ifdef(`startx.te', `
-ifdef(`xserver.te', `
-# Create files in /tmp/.X11-unix with our X servers derived
-# tmp type rather than user_xserver_tmp_t.
-file_type_auto_trans($1_xserver_t, xserver_tmpfile, $1_xserver_tmp_t, sock_file)
-')dnl end xserver.te
-')dnl end startx.te
+	ifdef(`xdm.te', `
+		ifdef(`xauth.te', `
+			if (xdm_sysadm_login) {
+				allow xdm_t $1_home_t:lnk_file read;
+				allow xdm_t $1_home_t:dir search;
+			}
+			allow $1_t xdm_t:fifo_file rw_file_perms;
+		')
+	')
 
-ifdef(`xdm.te', `
-ifdef(`xauth.te', `
-if (xdm_sysadm_login) {
-allow xdm_t $1_home_t:lnk_file read;
-allow xdm_t $1_home_t:dir search;
-}
-allow $1_t xdm_t:fifo_file rw_file_perms;
-')dnl end ifdef xauth.te
-')dnl end ifdef xdm.te
+	#
+	# A user who is authorized for sysadm_t may nonetheless have
+	# a home directory labeled with user_home_t if the user is expected
+	# to login in either user_t or sysadm_t.  Hence, the derived domains
+	# for programs need to be able to access user_home_t.  
+	# 
 
-#
-# A user who is authorized for sysadm_t may nonetheless have
-# a home directory labeled with user_home_t if the user is expected
-# to login in either user_t or sysadm_t.  Hence, the derived domains
-# for programs need to be able to access user_home_t.  
-# 
+	# Allow our gph domain to write to .xsession-errors.
+	ifdef(`gnome-pty-helper.te', `
+		allow $1_gph_t user_home_dir_type:dir rw_dir_perms;
+		allow $1_gph_t user_home_type:file create_file_perms;
+	')
 
-# Allow our gph domain to write to .xsession-errors.
-ifdef(`gnome-pty-helper.te', `
-allow $1_gph_t user_home_dir_type:dir rw_dir_perms;
-allow $1_gph_t user_home_type:file create_file_perms;
-')
+	# for the administrator to run TCP servers directly
+	allow $1_t kernel_t:tcp_socket recvfrom;
 
-# for the administrator to run TCP servers directly
-allow $1_t kernel_t:tcp_socket recvfrom;
+	# Connect data port to ftpd.
+	ifdef(`ftpd.te', `can_tcp_connect(ftpd_t, $1_t)')
 
-# Connect data port to ftpd.
-ifdef(`ftpd.te', `can_tcp_connect(ftpd_t, $1_t)')
+	# Connect second port to rshd.
+	ifdef(`rshd.te', `can_tcp_connect(rshd_t, $1_t)')
 
-# Connect second port to rshd.
-ifdef(`rshd.te', `can_tcp_connect(rshd_t, $1_t)')
+	# Allow MAKEDEV to work
+	allow $1_t device_t:dir rw_dir_perms;
+	allow $1_t device_type:{ blk_file chr_file } { create unlink rename };
+	allow $1_t device_t:lnk_file { create read };
 
-# Allow MAKEDEV to work
-allow $1_t device_t:dir rw_dir_perms;
-allow $1_t device_type:{ blk_file chr_file } { create unlink rename };
-allow $1_t device_t:lnk_file { create read };
-
-# for lsof
-allow $1_t domain:socket_class_set getattr;
-allow $1_t eventpollfs_t:file getattr;
-') dnl endif TODO
+	# for lsof
+	allow $1_t domain:socket_class_set getattr;
+	allow $1_t eventpollfs_t:file getattr;
+	') dnl endif TODO
 ')
 
 ########################################
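Review bot: `domain_sigstop_all_domains($1_t)` appears twice in a row under `# signal all domains:` in `admin_domain_template`, and the re-indent carries the duplicate over unchanged. The group already covers kill, signal, signull, sigstop and sigchld, so the second line looks redundant and can be dropped. If a different interface was meant there, that needs confirming against the interface definitions, which are not visible in this hunk. Separately, the body of the TODO ifdef stays at the same indent as its `ifdef` line, while the nested `startx.te` and `xdm.te` blocks inside it are indented a level. Indenting the TODO body one more level would show at a glance which admin rules (for example `allow $1_t shadow_t:file getattr;` and the MAKEDEV device rules) are compiled only when TODO is defined.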
@@ -822,12 +820,12 @@ allow $1_t eventpollfs_t:file getattr;
 ## </interface>
 #
 define(`userdomain_all_users_explicit_transition',`
-requires_block_template(`$0'_depend)
-corecommands_shell_explicit_transition($1,userdomain)
+	requires_block_template(`$0'_depend)
+	corecommands_shell_explicit_transition($1,userdomain)
 ')
 
 define(`userdomain_all_users_explicit_transition_depend',`
-type sysadm_t;
+	type sysadm_t;
 ')
 
 ########################################
@@ -842,12 +840,13 @@ type sysadm_t;
 ## </interface>
 #
 define(`userdomain_sysadm_shell_transition',`
-requires_block_template(`$0'_depend)
-corecommands_shell_transition($1,sysadm_t)
+	requires_block_template(`$0'_depend)
+
+	corecommands_shell_transition($1,sysadm_t)
 ')
 
 define(`userdomain_sysadm_shell_transition_depend',`
-type sysadm_t;
+	type sysadm_t;
 ')
 
 ########################################
@@ -863,15 +862,17 @@ type sysadm_t;
 ## </interface>
 #
 define(`userdomain_use_admin_terminals',`
-requires_block_template(`$0'_depend)
-devices_list_device_nodes($1)
-terminal_list_pseudoterminals($1)
-allow $1 admin_terminal:chr_file { getattr read write ioctl };
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	terminal_list_pseudoterminals($1)
+	allow $1 admin_terminal:chr_file { getattr read write ioctl };
 ')
 
 define(`userdomain_use_admin_terminals_depend',`
-attribute admin_terminal;
-class chr_file { getattr read write ioctl };
+	attribute admin_terminal;
+
+	class chr_file { getattr read write ioctl };
 ')
 
 ########################################
@@ -886,14 +887,16 @@ class chr_file { getattr read write ioctl };
 ## </interface>
 #
 define(`userdomain_search_all_users_home_dirs',`
-requires_block_template(`$0'_depend)
-files_list_home_directories($1)
-allow $1 { home_dir_type home_type }:dir search;
+	requires_block_template(`$0'_depend)
+
+	files_list_home_directories($1)
+	allow $1 { home_dir_type home_type }:dir search;
 ')
 
 define(`userdomain_search_all_users_home_dirs_depend',`
-attribute home_dir_type, home_type;
-class dir search;
+	attribute home_dir_type, home_type;
+
+	class dir search;
 ')
 
 ########################################
@@ -908,16 +911,18 @@ class dir search;
 ## </interface>
 #
 define(`userdomain_read_all_users_data',`
-requires_block_template(`$0'_depend)
-files_list_home_directories($1)
-allow $1 home_type:dir { getattr search read };
-allow $1 home_type:file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	files_list_home_directories($1)
+	allow $1 home_type:dir { getattr search read };
+	allow $1 home_type:file { getattr read };
 ')
 
 define(`userdomain_read_all_users_data_depend',`
-attribute home_type;
-class dir { getattr search read };
-class file { getattr read };
+	attribute home_type;
+
+	class dir { getattr search read };
+	class file { getattr read };
 ')
 
 ########################################
@@ -932,13 +937,15 @@ class file { getattr read };
 ## </interface>
 #
 define(`userdomain_use_all_users_file_descriptors',`
-requires_block_template(`$0'_depend)
-allow $1 userdomain:fd use;
+	requires_block_template(`$0'_depend)
+
+	allow $1 userdomain:fd use;
 ')
 
 define(`userdomain_use_all_users_file_descriptors_depend',`
-attribute userdomain;
-class fd use;
+	attribute userdomain;
+
+	class fd use;
 ')
 
 ########################################
@@ -953,13 +960,15 @@ class fd use;
 ## </interface>
 #
 define(`userdomain_signal_all_userdomains',`
-requires_block_template(`$0'_depend)
-allow $1 userdomain:process signal;
+	requires_block_template(`$0'_depend)
+
+	allow $1 userdomain:process signal;
 ')
 
 define(`userdomain_signal_all_userdomains_depend',`
-attribute userdomain;
-class process signal;
+	attribute userdomain;
+
+	class process signal;
 ')
 
 ########################################
@@ -974,13 +983,15 @@ class process signal;
 ## </interface>
 #
 define(`userdomain_use_all_unprivileged_users_file_descriptors',`
-requires_block_template(`$0'_depend)
-allow $1 unpriv_userdomain:fd use;
+	requires_block_template(`$0'_depend)
+
+	allow $1 unpriv_userdomain:fd use;
 ')
 
 define(`userdomain_use_all_unprivileged_users_file_descriptors_depend',`
-attribute unpriv_userdomain;
-class fd use;
+	attribute unpriv_userdomain;
+
+	class fd use;
 ')
 
 ########################################
@@ -996,13 +1007,15 @@ class fd use;
 ## </interface>
 #
 define(`userdomain_ignore_use_all_unprivileged_users_file_descriptors',`
-requires_block_template(`$0'_depend)
-dontaudit $1 unpriv_userdomain:fd use;
+	requires_block_template(`$0'_depend)
+
+	dontaudit $1 unpriv_userdomain:fd use;
 ')
 
 define(`userdomain_ignore_use_all_unprivileged_users_file_descriptors_depend',`
-attribute unpriv_userdomain;
-class fd use;
+	attribute unpriv_userdomain;
+
+	class fd use;
 ')
 
 ## </module>
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index 52b9c73e2..9aae29ce6 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -85,11 +85,11 @@ user_domain_template(user)
 
 # user role change rules:
 define(`role_change',`
-allow $1_r $2_r;
-type_change $2_t $1_devpts_t:chr_file $2_devpts_t;
-type_change $2_t $1_tty_device_t:chr_file $2_tty_device_t;
-# avoid annoying messages on terminal hangup
-dontaudit $1_t { $2_devpts_t $2_tty_device_t }:chr_file ioctl;
+	allow $1_r $2_r;
+	type_change $2_t $1_devpts_t:chr_file $2_devpts_t;
+	type_change $2_t $1_tty_device_t:chr_file $2_tty_device_t;
+	# avoid annoying messages on terminal hangup
+	dontaudit $1_t { $2_devpts_t $2_tty_device_t }:chr_file ioctl;
 ')
 
 # sysadm_r can change to user roles
@@ -100,7 +100,7 @@ role_change(sysadm, staff)
 role_change(staff, sysadm)
 
 tunable_policy(`user_canbe_sysadm',`
-role_change(user,sysadm)
+	role_change(user,sysadm)
 ')
 
 ifdef(`TODO',`
@@ -119,58 +119,58 @@ file_type_auto_trans(sysadm_t, home_root_t, user_home_dir_t, dir)
 allow sysadm_t userdomain:fd use;
 
 optional_policy(`bootloader.te',`
-bootloader_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+	bootloader_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
 ')
 
 optional_policy(`clock.te',`
-clock_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+	clock_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
 ')
 
 optional_policy(`hostname.te',`
-hostname_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+	hostname_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
 ')
 
 optional_policy(`iptables.te',`
-iptables_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+	iptables_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
 ')
 
 optional_policy(`libraries.te',`
-libraries_ldconfig_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+	libraries_ldconfig_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
 ')
 
 optional_policy(`lvm.te',`
-lvm_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+	lvm_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
 ')
 
 optional_policy(`modutils.te',`
-modutils_depmod_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
-modutils_insmod_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
-modutils_update_modules_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+	modutils_depmod_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+	modutils_insmod_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+	modutils_update_modules_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
 ')
 
 optional_policy(`mount.te',`
-mount_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+	mount_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
 ')
 
 optional_policy(`rpm.te',`
-rpm_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+	rpm_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
 ')
 
 optional_policy(`selinux.te',`
-selinux_checkpolicy_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
-selinux_load_policy_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
-selinux_restorecon_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
-selinux_setfiles_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
-optional_policy(`targeted_policy',`',`
-selinux_run_init_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
-')
+	selinux_checkpolicy_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+	selinux_load_policy_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+	selinux_restorecon_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+	selinux_setfiles_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+	optional_policy(`targeted_policy',`',`
+		selinux_run_init_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+	')
 ')
 
 optional_policy(`sysnetwork.te',`
-sysnetwork_ifconfig_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+	sysnetwork_ifconfig_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
 ')
 
 optional_policy(`usermanage.te',`
-usermanage_groupadd_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
-usermanage_useradd_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+	usermanage_groupadd_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+	usermanage_useradd_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
 ')