start breaking up support_macros into macros dir
parent
44cda51b4f
commit
ca83afe7e6
|
@ -33,7 +33,7 @@ override M4PARAM += -D distro_redhat
|
||||||
# Uncomment this to disable command echoing
|
# Uncomment this to disable command echoing
|
||||||
#QUIET:=@
|
#QUIET:=@
|
||||||
|
|
||||||
# Policy type (strict, targeted, etc)
|
# Policy type (strict, mls)
|
||||||
TYPE := strict
|
TYPE := strict
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
@ -89,7 +89,7 @@ HOMEDIRPATH = $(CONTEXTPATH)/files/homedir_template
|
||||||
BASE_MODULE = kernel
|
BASE_MODULE = kernel
|
||||||
FLASKDIR = flask
|
FLASKDIR = flask
|
||||||
APPCONF = appconfig
|
APPCONF = appconfig
|
||||||
M4SUPPORT = support_macros
|
M4SUPPORT = support_macros $(wildcard macros/*.spt)
|
||||||
|
|
||||||
APPDIR := $(CONTEXTPATH)
|
APPDIR := $(CONTEXTPATH)
|
||||||
APPFILES := $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types) $(CONTEXTPATH)/files/media
|
APPFILES := $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types) $(CONTEXTPATH)/files/media
|
||||||
|
|
|
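Review bot: The changed line `M4SUPPORT = support_macros $(wildcard macros/*.spt)` pulls every `.spt` file under `macros/` into the policy build with no explicit manifest, so whatever lands in that directory is compiled into the security policy, and with recursive `=` the glob is re-evaluated on every expansion while its result order may not be stable across make versions and filesystems. Because m4 definitions are order-sensitive, a later `.spt` that redefines a macro from an earlier one silently wins, and two checkouts could build differently. Simple assignment over a sorted list keeps the order deterministic: `M4SUPPORT := support_macros $(sort $(wildcard macros/*.spt))`. An explicit file list would additionally make unexpected additions to `macros/` visible in review.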
@ -0,0 +1,60 @@
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# Macros for switching between source policy
|
||||||
|
# and loadable policy module support
|
||||||
|
#
|
||||||
|
|
||||||
|
##############################
|
||||||
|
#
|
||||||
|
# For adding the module statement
|
||||||
|
#
|
||||||
|
define(`policy_module',`
|
||||||
|
ifdef(`monolithic_policy',`',`
|
||||||
|
module $1 $2;
|
||||||
|
')
|
||||||
|
')
|
||||||
|
|
||||||
|
##############################
|
||||||
|
#
|
||||||
|
# For use in interfaces, to optionally insert a requires block
|
||||||
|
#
|
||||||
|
define(`requires_block_template',`
|
||||||
|
ifdef(`monolithic_policy',`',`
|
||||||
|
require {
|
||||||
|
$1
|
||||||
|
}
|
||||||
|
') dnl end ifdef monolithic_policy
|
||||||
|
') dnl end requires_block_template
|
||||||
|
|
||||||
|
##############################
|
||||||
|
#
|
||||||
|
# Optional policy handling
|
||||||
|
#
|
||||||
|
define(`optional_policy',`
|
||||||
|
ifdef(`monolithic_policy',`
|
||||||
|
ifdef(`$1',$2,$3)
|
||||||
|
',`
|
||||||
|
optional {
|
||||||
|
$2
|
||||||
|
} else {
|
||||||
|
$3
|
||||||
|
}
|
||||||
|
') dnl end ifdef monolithic_policy
|
||||||
|
') dnl end optional_policy
|
||||||
|
|
||||||
|
##############################
|
||||||
|
#
|
||||||
|
# Tunable policy handling
|
||||||
|
#
|
||||||
|
define(`tunable_policy',`
|
||||||
|
ifdef(`monolithic_policy',`
|
||||||
|
ifdef(`$1',$2,$3)
|
||||||
|
',`
|
||||||
|
optional {
|
||||||
|
require { $1 }
|
||||||
|
$2
|
||||||
|
} else {
|
||||||
|
$3
|
||||||
|
}
|
||||||
|
') dnl end ifdef monolithic_policy
|
||||||
|
') dnl end tunable_policy
|
|
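Review bot: None of the four macros documents its arguments, which matters here because the monolithic and loadable branches give the same parameters different meanings: in `policy_module`, `$1`/`$2` become `module $1 $2;` only when `monolithic_policy` is undefined, and in `tunable_policy` the loadable branch emits `require { $1 }` while the monolithic branch runs an m4 `ifdef` test on `$1`, so a tunable appears to be a build-time switch in monolithic builds and a load-time lookup in modules. The monolithic branches of `optional_policy` and `tunable_policy` are also byte-identical, so the intended distinction between the two is not visible from this file. A header line per macro would make the contract explicit, e.g. above `policy_module`: `# policy_module(module_name, version) - emits the module statement for loadable builds; no output in monolithic builds.`, and above `tunable_policy`: `# tunable_policy(tunable, if_true, if_false) - $1 is an m4 symbol in monolithic builds and a required declaration in loadable builds.` I cannot tell from this file how callers pass `$1` to `tunable_policy`, so the exact wording should be confirmed against existing call sites.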
@ -0,0 +1,190 @@
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# Macros for sets of object classes
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# All directory and file classes
|
||||||
|
#
|
||||||
|
define(`dir_file_class_set', `{ dir file lnk_file sock_file fifo_file chr_file blk_file }')
|
||||||
|
|
||||||
|
#
|
||||||
|
# All non-directory file classes.
|
||||||
|
#
|
||||||
|
define(`file_class_set', `{ file lnk_file sock_file fifo_file chr_file blk_file }')
|
||||||
|
|
||||||
|
#
|
||||||
|
# Non-device file classes.
|
||||||
|
#
|
||||||
|
define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }')
|
||||||
|
|
||||||
|
#
|
||||||
|
# Device file classes.
|
||||||
|
#
|
||||||
|
define(`devfile_class_set', `{ chr_file blk_file }')
|
||||||
|
|
||||||
|
#
|
||||||
|
# All socket classes.
|
||||||
|
#
|
||||||
|
define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket }')
|
||||||
|
|
||||||
|
|
||||||
|
#
|
||||||
|
# Datagram socket classes.
|
||||||
|
#
|
||||||
|
define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')
|
||||||
|
|
||||||
|
#
|
||||||
|
# Stream socket classes.
|
||||||
|
#
|
||||||
|
define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }')
|
||||||
|
|
||||||
|
#
|
||||||
|
# Unprivileged socket classes (exclude rawip, netlink, packet).
|
||||||
|
#
|
||||||
|
define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# Macros for sets of permissions
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# Permissions for getting file attributes.
|
||||||
|
#
|
||||||
|
define(`stat_file_perms', `{ getattr }')
|
||||||
|
|
||||||
|
#
|
||||||
|
# Permissions for executing files.
|
||||||
|
#
|
||||||
|
define(`x_file_perms', `{ getattr execute }')
|
||||||
|
|
||||||
|
#
|
||||||
|
# Permissions for reading files and their attributes.
|
||||||
|
#
|
||||||
|
define(`r_file_perms', `{ read getattr lock ioctl }')
|
||||||
|
|
||||||
|
#
|
||||||
|
# Permissions for reading and executing files.
|
||||||
|
#
|
||||||
|
define(`rx_file_perms', `{ read getattr lock execute ioctl }')
|
||||||
|
|
||||||
|
#
|
||||||
|
# Permissions for reading and writing files and their attributes.
|
||||||
|
#
|
||||||
|
define(`rw_file_perms', `{ ioctl read getattr lock write append }')
|
||||||
|
|
||||||
|
#
|
||||||
|
# Permissions for reading and appending to files.
|
||||||
|
#
|
||||||
|
define(`ra_file_perms', `{ ioctl read getattr lock append }')
|
||||||
|
|
||||||
|
#
|
||||||
|
# Permissions for linking, unlinking and renaming files.
|
||||||
|
#
|
||||||
|
define(`link_file_perms', `{ getattr link unlink rename }')
|
||||||
|
|
||||||
|
#
|
||||||
|
# Permissions for creating lnk_files.
|
||||||
|
#
|
||||||
|
define(`create_lnk_perms', `{ create read getattr setattr link unlink rename }')
|
||||||
|
|
||||||
|
#
|
||||||
|
# Permissions for creating and using files.
|
||||||
|
#
|
||||||
|
define(`create_file_perms', `{ create ioctl read getattr lock write setattr append link unlink rename }')
|
||||||
|
|
||||||
|
#
|
||||||
|
# Permissions for reading directories and their attributes.
|
||||||
|
#
|
||||||
|
define(`r_dir_perms', `{ read getattr lock search ioctl }')
|
||||||
|
|
||||||
|
#
|
||||||
|
# Permissions for reading and writing directories and their attributes.
|
||||||
|
#
|
||||||
|
define(`rw_dir_perms', `{ read getattr lock search ioctl add_name remove_name write }')
|
||||||
|
|
||||||
|
#
|
||||||
|
# Permissions for reading and adding names to directories.
|
||||||
|
#
|
||||||
|
define(`ra_dir_perms', `{ read getattr lock search ioctl add_name write }')
|
||||||
|
|
||||||
|
|
||||||
|
#
|
||||||
|
# Permissions for creating and using directories.
|
||||||
|
#
|
||||||
|
define(`create_dir_perms', `{ create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }')
|
||||||
|
|
||||||
|
#
|
||||||
|
# Permissions to mount and unmount file systems.
|
||||||
|
#
|
||||||
|
define(`mount_fs_perms', `{ mount remount unmount getattr }')
|
||||||
|
|
||||||
|
#
|
||||||
|
# Permissions for using sockets.
|
||||||
|
#
|
||||||
|
define(`rw_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown }')
|
||||||
|
|
||||||
|
#
|
||||||
|
# Permissions for creating and using sockets.
|
||||||
|
#
|
||||||
|
define(`create_socket_perms', `{ create rw_socket_perms }')
|
||||||
|
|
||||||
|
#
|
||||||
|
# Permissions for using stream sockets.
|
||||||
|
#
|
||||||
|
define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }')
|
||||||
|
|
||||||
|
#
|
||||||
|
# Permissions for creating and using stream sockets.
|
||||||
|
#
|
||||||
|
define(`create_stream_socket_perms', `{ create_socket_perms listen accept }')
|
||||||
|
|
||||||
|
#
|
||||||
|
# Permissions for creating and using sockets.
|
||||||
|
#
|
||||||
|
define(`connected_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }')
|
||||||
|
|
||||||
|
#
|
||||||
|
# Permissions for creating and using sockets.
|
||||||
|
#
|
||||||
|
define(`connected_stream_socket_perms', `{ connected_socket_perms listen accept }')
|
||||||
|
|
||||||
|
|
||||||
|
#
|
||||||
|
# Permissions for creating and using netlink sockets.
|
||||||
|
#
|
||||||
|
define(`create_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }')
|
||||||
|
|
||||||
|
#
|
||||||
|
# Permissions for using netlink sockets for operations that modify state.
|
||||||
|
#
|
||||||
|
define(`rw_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }')
|
||||||
|
|
||||||
|
#
|
||||||
|
# Permissions for using netlink sockets for operations that observe state.
|
||||||
|
#
|
||||||
|
define(`r_netlink_socket_perms', `{ create_socket_perms nlmsg_read }')
|
||||||
|
|
||||||
|
#
|
||||||
|
# Permissions for sending all signals.
|
||||||
|
#
|
||||||
|
define(`signal_perms', `{ sigchld sigkill sigstop signull signal }')
|
||||||
|
|
||||||
|
#
|
||||||
|
# Permissions for sending and receiving network packets.
|
||||||
|
#
|
||||||
|
define(`packet_perms', `{ tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send }')
|
||||||
|
|
||||||
|
#
|
||||||
|
# Permissions for using System V IPC
|
||||||
|
#
|
||||||
|
define(`r_sem_perms', `{ associate getattr read unix_read }')
|
||||||
|
define(`rw_sem_perms', `{ associate getattr read write unix_read unix_write }')
|
||||||
|
define(`create_sem_perms', `{ associate getattr setattr create destroy read write unix_read unix_write }')
|
||||||
|
define(`r_msgq_perms', `{ associate getattr read unix_read }')
|
||||||
|
define(`rw_msgq_perms', `{ associate getattr read write enqueue unix_read unix_write }')
|
||||||
|
define(`create_msgq_perms', `{ associate getattr setattr create destroy read write enqueue unix_read unix_write }')
|
||||||
|
define(`r_shm_perms', `{ associate getattr read unix_read }')
|
||||||
|
define(`rw_shm_perms', `{ associate getattr read write lock unix_read unix_write }')
|
||||||
|
define(`create_shm_perms', `{ associate getattr setattr create destroy read write lock unix_read unix_write }')
|
|
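Review bot: `r_netlink_socket_perms` is commented as covering "operations that observe state", yet it expands to `create_socket_perms`, which through `rw_socket_perms` grants `write`, `bind`, `connect`, `setattr` and `setopt` on the socket; only `nlmsg_write` is withheld, so a domain given the "read" set can still fully drive the socket. If that is intended because a netlink query must be written before it can be answered, the comment should say so, e.g. `# Permissions for netlink sockets used only to query state; socket write is still needed to send the request, only nlmsg_write is withheld.` In the same group, `rw_netlink_socket_perms` and `create_netlink_socket_perms` are byte-identical sets, which invites silent divergence later; defining one in terms of the other, as `create_stream_socket_perms` already does with `create_socket_perms`, would make the equivalence explicit. The comments above `connected_socket_perms` and `connected_stream_socket_perms` are copies of the `create_socket_perms` comment and do not mention the one thing that distinguishes them, the absence of `connect`; something like `# Permissions for creating and using sockets without connect (presumably for already-connected or listening sockets).` would be more useful.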
@ -1,65 +1,4 @@
|
||||||
|
|
||||||
########################################
|
|
||||||
#
|
|
||||||
# Macros for switching between source policy
|
|
||||||
# and loadable policy module support
|
|
||||||
#
|
|
||||||
|
|
||||||
##############################
|
|
||||||
#
|
|
||||||
# For adding the module statement
|
|
||||||
#
|
|
||||||
define(`policy_module',`
|
|
||||||
ifdef(`monolithic_policy',`',`
|
|
||||||
module $1 $2;
|
|
||||||
')
|
|
||||||
')
|
|
||||||
|
|
||||||
##############################
|
|
||||||
#
|
|
||||||
# For use in interfaces, to optionally insert a requires block
|
|
||||||
#
|
|
||||||
define(`requires_block_template',`
|
|
||||||
ifdef(`monolithic_policy',`',`
|
|
||||||
require {
|
|
||||||
$1
|
|
||||||
}
|
|
||||||
') dnl end ifdef monolithic_policy
|
|
||||||
') dnl end requires_block_template
|
|
||||||
|
|
||||||
##############################
|
|
||||||
#
|
|
||||||
# Optional policy handling
|
|
||||||
#
|
|
||||||
define(`optional_policy',`
|
|
||||||
ifdef(`monolithic_policy',`
|
|
||||||
ifdef(`$1',$2,$3)
|
|
||||||
',`
|
|
||||||
optional {
|
|
||||||
$2
|
|
||||||
} else {
|
|
||||||
$3
|
|
||||||
}
|
|
||||||
') dnl end ifdef monolithic_policy
|
|
||||||
') dnl end optional_policy
|
|
||||||
|
|
||||||
##############################
|
|
||||||
#
|
|
||||||
# Tunable policy handling
|
|
||||||
#
|
|
||||||
define(`tunable_policy',`
|
|
||||||
ifdef(`monolithic_policy',`
|
|
||||||
ifdef(`$1',$2,$3)
|
|
||||||
',`
|
|
||||||
optional {
|
|
||||||
require { $1 }
|
|
||||||
$2
|
|
||||||
} else {
|
|
||||||
$3
|
|
||||||
}
|
|
||||||
') dnl end ifdef monolithic_policy
|
|
||||||
') dnl end tunable_policy
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Helper macros
|
# Helper macros
|
||||||
|
@ -86,189 +25,3 @@ define(`context_template',`ifdef(`enable_mls',`$1:$2',`$1')') dnl
|
||||||
#
|
#
|
||||||
define(`user_mls',`ifdef(`enable_mls',`level $1 range $2')') dnl
|
define(`user_mls',`ifdef(`enable_mls',`level $1 range $2')') dnl
|
||||||
|
|
||||||
########################################
|
|
||||||
#
|
|
||||||
# Macros for sets of classes and permissions.
|
|
||||||
#
|
|
||||||
|
|
||||||
#
|
|
||||||
# All directory and file classes
|
|
||||||
#
|
|
||||||
define(`dir_file_class_set', `{ dir file lnk_file sock_file fifo_file chr_file blk_file }')
|
|
||||||
|
|
||||||
#
|
|
||||||
# All non-directory file classes.
|
|
||||||
#
|
|
||||||
define(`file_class_set', `{ file lnk_file sock_file fifo_file chr_file blk_file }')
|
|
||||||
|
|
||||||
#
|
|
||||||
# Non-device file classes.
|
|
||||||
#
|
|
||||||
define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }')
|
|
||||||
|
|
||||||
#
|
|
||||||
# Device file classes.
|
|
||||||
#
|
|
||||||
define(`devfile_class_set', `{ chr_file blk_file }')
|
|
||||||
|
|
||||||
#
|
|
||||||
# All socket classes.
|
|
||||||
#
|
|
||||||
define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket }')
|
|
||||||
|
|
||||||
|
|
||||||
#
|
|
||||||
# Datagram socket classes.
|
|
||||||
#
|
|
||||||
define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')
|
|
||||||
|
|
||||||
#
|
|
||||||
# Stream socket classes.
|
|
||||||
#
|
|
||||||
define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }')
|
|
||||||
|
|
||||||
#
|
|
||||||
# Unprivileged socket classes (exclude rawip, netlink, packet).
|
|
||||||
#
|
|
||||||
define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }')
|
|
||||||
|
|
||||||
|
|
||||||
#
|
|
||||||
# Permissions for getting file attributes.
|
|
||||||
#
|
|
||||||
define(`stat_file_perms', `{ getattr }')
|
|
||||||
|
|
||||||
#
|
|
||||||
# Permissions for executing files.
|
|
||||||
#
|
|
||||||
define(`x_file_perms', `{ getattr execute }')
|
|
||||||
|
|
||||||
#
|
|
||||||
# Permissions for reading files and their attributes.
|
|
||||||
#
|
|
||||||
define(`r_file_perms', `{ read getattr lock ioctl }')
|
|
||||||
|
|
||||||
#
|
|
||||||
# Permissions for reading and executing files.
|
|
||||||
#
|
|
||||||
define(`rx_file_perms', `{ read getattr lock execute ioctl }')
|
|
||||||
|
|
||||||
#
|
|
||||||
# Permissions for reading and writing files and their attributes.
|
|
||||||
#
|
|
||||||
define(`rw_file_perms', `{ ioctl read getattr lock write append }')
|
|
||||||
|
|
||||||
#
|
|
||||||
# Permissions for reading and appending to files.
|
|
||||||
#
|
|
||||||
define(`ra_file_perms', `{ ioctl read getattr lock append }')
|
|
||||||
|
|
||||||
#
|
|
||||||
# Permissions for linking, unlinking and renaming files.
|
|
||||||
#
|
|
||||||
define(`link_file_perms', `{ getattr link unlink rename }')
|
|
||||||
|
|
||||||
#
|
|
||||||
# Permissions for creating lnk_files.
|
|
||||||
#
|
|
||||||
define(`create_lnk_perms', `{ create read getattr setattr link unlink rename }')
|
|
||||||
|
|
||||||
#
|
|
||||||
# Permissions for creating and using files.
|
|
||||||
#
|
|
||||||
define(`create_file_perms', `{ create ioctl read getattr lock write setattr append link unlink rename }')
|
|
||||||
|
|
||||||
#
|
|
||||||
# Permissions for reading directories and their attributes.
|
|
||||||
#
|
|
||||||
define(`r_dir_perms', `{ read getattr lock search ioctl }')
|
|
||||||
|
|
||||||
#
|
|
||||||
# Permissions for reading and writing directories and their attributes.
|
|
||||||
#
|
|
||||||
define(`rw_dir_perms', `{ read getattr lock search ioctl add_name remove_name write }')
|
|
||||||
|
|
||||||
#
|
|
||||||
# Permissions for reading and adding names to directories.
|
|
||||||
#
|
|
||||||
define(`ra_dir_perms', `{ read getattr lock search ioctl add_name write }')
|
|
||||||
|
|
||||||
|
|
||||||
#
|
|
||||||
# Permissions for creating and using directories.
|
|
||||||
#
|
|
||||||
define(`create_dir_perms', `{ create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }')
|
|
||||||
|
|
||||||
#
|
|
||||||
# Permissions to mount and unmount file systems.
|
|
||||||
#
|
|
||||||
define(`mount_fs_perms', `{ mount remount unmount getattr }')
|
|
||||||
|
|
||||||
#
|
|
||||||
# Permissions for using sockets.
|
|
||||||
#
|
|
||||||
define(`rw_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown }')
|
|
||||||
|
|
||||||
#
|
|
||||||
# Permissions for creating and using sockets.
|
|
||||||
#
|
|
||||||
define(`create_socket_perms', `{ create rw_socket_perms }')
|
|
||||||
|
|
||||||
#
|
|
||||||
# Permissions for using stream sockets.
|
|
||||||
#
|
|
||||||
define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }')
|
|
||||||
|
|
||||||
#
|
|
||||||
# Permissions for creating and using stream sockets.
|
|
||||||
#
|
|
||||||
define(`create_stream_socket_perms', `{ create_socket_perms listen accept }')
|
|
||||||
|
|
||||||
#
|
|
||||||
# Permissions for creating and using sockets.
|
|
||||||
#
|
|
||||||
define(`connected_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }')
|
|
||||||
|
|
||||||
#
|
|
||||||
# Permissions for creating and using sockets.
|
|
||||||
#
|
|
||||||
define(`connected_stream_socket_perms', `{ connected_socket_perms listen accept }')
|
|
||||||
|
|
||||||
|
|
||||||
#
|
|
||||||
# Permissions for creating and using netlink sockets.
|
|
||||||
#
|
|
||||||
define(`create_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }')
|
|
||||||
|
|
||||||
#
|
|
||||||
# Permissions for using netlink sockets for operations that modify state.
|
|
||||||
#
|
|
||||||
define(`rw_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }')
|
|
||||||
|
|
||||||
#
|
|
||||||
# Permissions for using netlink sockets for operations that observe state.
|
|
||||||
#
|
|
||||||
define(`r_netlink_socket_perms', `{ create_socket_perms nlmsg_read }')
|
|
||||||
|
|
||||||
#
|
|
||||||
# Permissions for sending all signals.
|
|
||||||
#
|
|
||||||
define(`signal_perms', `{ sigchld sigkill sigstop signull signal }')
|
|
||||||
|
|
||||||
#
|
|
||||||
# Permissions for sending and receiving network packets.
|
|
||||||
#
|
|
||||||
define(`packet_perms', `{ tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send }')
|
|
||||||
|
|
||||||
#
|
|
||||||
# Permissions for using System V IPC
|
|
||||||
#
|
|
||||||
define(`r_sem_perms', `{ associate getattr read unix_read }')
|
|
||||||
define(`rw_sem_perms', `{ associate getattr read write unix_read unix_write }')
|
|
||||||
define(`create_sem_perms', `{ associate getattr setattr create destroy read write unix_read unix_write }')
|
|
||||||
define(`r_msgq_perms', `{ associate getattr read unix_read }')
|
|
||||||
define(`rw_msgq_perms', `{ associate getattr read write enqueue unix_read unix_write }')
|
|
||||||
define(`create_msgq_perms', `{ associate getattr setattr create destroy read write enqueue unix_read unix_write }')
|
|
||||||
define(`r_shm_perms', `{ associate getattr read unix_read }')
|
|
||||||
define(`rw_shm_perms', `{ associate getattr read write lock unix_read unix_write }')
|
|
||||||
define(`create_shm_perms', `{ associate getattr setattr create destroy read write lock unix_read unix_write }')
|
|
||||||
|
|