add source policy interfaces

refpolicy/policy/modules/system/selinux.if

@@ -280,8 +280,64 @@ typeattribute $1 can_write_binary_policy;
 ')
 
 define(`selinux_write_binary_policy_depend',`
-type policy_config_t;
 attribute can_write_binary_policy;
+type policy_config_t;
 class dir { getattr search read write add_name remove_name };
 class file { getattr create write unlink };
 ')
+
+########################################
+#
+# selinux_manage_binary_policy(domain)
+#
+define(`selinux_manage_binary_policy',`
+requires_block_template(`$0'_depend)
+# FIXME: search etc_t:dir
+allow $1 selinux_config_t:dir search;
+allow $1 policy_config_t:dir { getattr search read };
+allow $1 policy_config_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+typeattribute $1 can_write_binary_policy;
+')
+
+define(`selinux_manage_binary_policy_depend',`
+attribute can_write_binary_policy;
+type selinux_config_t, policy_config_t;
+class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
+class file { create ioctl read getattr lock write setattr append link unlink rename };
+')
+
+########################################
+#
+# selinux_read_source_policy(domain)
+#
+define(`selinux_read_source_policy',`
+requires_block_template(`$0'_depend)
+# FIXME: search etc_t:dir
+allow $1 selinux_config_t:dir search;
+allow $1 policy_src_t:dir { getattr search read };
+allow $1 policy_src_t:file { getattr read };
+')
+
+define(`selinux_read_source_policy_depend',`
+type selinux_config_t, policy_src_t;
+class dir { getattr search read };
+class file { getattr read };
+')
+
+########################################
+#
+# selinux_manage_source_policy(domain)
+#
+define(`selinux_manage_source_policy',`
+requires_block_template(`$0'_depend)
+# FIXME: search etc_t:dir
+allow $1 selinux_config_t:dir search;
+allow $1 policy_src_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
+allow $1 policy_src_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+')
+
+define(`selinux_manage_source_policy_depend',`
+type selinux_config_t, policy_src_t;
+class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
+class file { create ioctl read getattr lock write setattr append link unlink rename };
+')

refpolicy/policy/modules/system/selinuxutil.if

@@ -280,8 +280,64 @@ typeattribute $1 can_write_binary_policy;
 ')
 
 define(`selinux_write_binary_policy_depend',`
-type policy_config_t;
 attribute can_write_binary_policy;
+type policy_config_t;
 class dir { getattr search read write add_name remove_name };
 class file { getattr create write unlink };
 ')
+
+########################################
+#
+# selinux_manage_binary_policy(domain)
+#
+define(`selinux_manage_binary_policy',`
+requires_block_template(`$0'_depend)
+# FIXME: search etc_t:dir
+allow $1 selinux_config_t:dir search;
+allow $1 policy_config_t:dir { getattr search read };
+allow $1 policy_config_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+typeattribute $1 can_write_binary_policy;
+')
+
+define(`selinux_manage_binary_policy_depend',`
+attribute can_write_binary_policy;
+type selinux_config_t, policy_config_t;
+class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
+class file { create ioctl read getattr lock write setattr append link unlink rename };
+')
+
+########################################
+#
+# selinux_read_source_policy(domain)
+#
+define(`selinux_read_source_policy',`
+requires_block_template(`$0'_depend)
+# FIXME: search etc_t:dir
+allow $1 selinux_config_t:dir search;
+allow $1 policy_src_t:dir { getattr search read };
+allow $1 policy_src_t:file { getattr read };
+')
+
+define(`selinux_read_source_policy_depend',`
+type selinux_config_t, policy_src_t;
+class dir { getattr search read };
+class file { getattr read };
+')
+
+########################################
+#
+# selinux_manage_source_policy(domain)
+#
+define(`selinux_manage_source_policy',`
+requires_block_template(`$0'_depend)
+# FIXME: search etc_t:dir
+allow $1 selinux_config_t:dir search;
+allow $1 policy_src_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
+allow $1 policy_src_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+')
+
+define(`selinux_manage_source_policy_depend',`
+type selinux_config_t, policy_src_t;
+class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
+class file { create ioctl read getattr lock write setattr append link unlink rename };
+')