########################################
#
# Macros for switching between source policy
# and loadable policy module support
#
# Every macro in this section checks the m4 symbol monolithic_policy.
# When it is defined the whole policy is compiled as one source tree and
# the module-specific statements (module, require, optional) are dropped;
# when it is undefined the same macros emit loadable-module syntax.
#

##############################
#
# For adding the module statement
#
# policy_module(name,version)
#
# Loadable build: emits the module header line for this policy module.
# Monolithic build: expands to nothing.
#
define(`policy_module',`
	ifdef(`monolithic_policy',`',`
		module $1 $2;
	')
')

##############################
#
# For use in interfaces, to optionally insert a requires block
#
# requires_block_template(requirements)
#
# Loadable build: wraps the given declarations in a require block so the
# interface can reference types, attributes, classes or roles that are
# declared in another module.  Monolithic build: expands to nothing,
# because every declaration is already in scope.
#
define(`requires_block_template',`
	ifdef(`monolithic_policy',`',`
		require {
			$1
		}
	') dnl end ifdef monolithic_policy
') dnl end requires_block_template

##############################
#
# Optional policy handling
#
# optional_policy(symbol,rules,else_rules)
#
# Monolithic build: the rules are included only if an m4 macro named by
# the first argument is defined at build time (presumably the name of the
# module the rules depend on); otherwise else_rules are used.  Note that
# an undefined symbol silently drops the rules rather than failing.
# Loadable build: the rules become an optional block that the linker
# enables only when its requirements are satisfiable, with else_rules as
# the else branch.
#
define(`optional_policy',`
	ifdef(`monolithic_policy',`
		ifdef(`$1',$2,$3)
	',`
		optional {
			$2
		} else {
			$3
		}
	') dnl end ifdef monolithic_policy
') dnl end optional_policy

##############################
#
# Tunable policy handling
#
# tunable_policy(tunable,rules,else_rules)
#
# Monolithic build: the tunable is treated as a build-time m4 symbol and
# the rules are compiled in only when it is defined, else_rules otherwise.
# Loadable build: the rules go into an optional block whose require block
# holds the first argument verbatim; else_rules form the else branch and
# get no require block of their own.
#
define(`tunable_policy',`
	ifdef(`monolithic_policy',`
		ifdef(`$1',$2,$3)
	',`
		optional {
			require { $1 }
			$2
		} else {
			$3
		}
	') dnl end ifdef monolithic_policy
') dnl end tunable_policy

########################################
#
# Helper macros
#

#
# shiftn(num,list...)
#
# shift the list num times
#
# Recursive: while num is non-zero, drop num and the first list element,
# then prepend the decremented count and recurse.  At zero, a final shift
# drops the count itself and yields the remaining list.
#
define(`shiftn',`ifelse($1,0,`shift($*)',`shiftn(decr($1),shift(shift($*)))')')

########################################
#
# context_template(context,sensitivity)
#
# Optionally put the sensitivity for the file
#
# Expands to context:sensitivity when enable_mls is defined and to the
# bare context otherwise.  The trailing dnl swallows the newline after
# the define so no blank line is emitted.
#
define(`context_template',`ifdef(`enable_mls',`$1:$2',`$1')') dnl

########################################
#
# user_mls(level,range)
#
# Emits the level and range clause of a user declaration when enable_mls
# is defined; there is no else branch, so it expands to nothing otherwise.
#
define(`user_mls',`ifdef(`enable_mls',`level $1 range $2')') dnl

########################################
#
# Macros for sets of classes and permissions.
#
# Each macro below expands to a brace-delimited set that can be used
# wherever a class list or permission list is accepted.  A set may name
# another set; m4 expands the nested name in place.
#

#
# All directory and file classes
#
define(`dir_file_class_set', `{ dir file lnk_file sock_file fifo_file chr_file blk_file }')

#
# All non-directory file classes.
#
define(`file_class_set', `{ file lnk_file sock_file fifo_file chr_file blk_file }')

#
# Non-device file classes.
#
define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }')

#
# Device file classes.
#
define(`devfile_class_set', `{ chr_file blk_file }')

#
# All socket classes.
#
# NOTE(review): this is the socket class list known to this version of the
# policy; socket classes introduced by later kernels would need to be added
# here to be covered by rules that use this set.
#
define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket }')

#
# Datagram socket classes.
#
define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')

#
# Stream socket classes.
#
define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }')

#
# Unprivileged socket classes (exclude rawip, netlink, packet).
#
# Use this rather than socket_class_set for ordinary domains, so that raw
# IP, packet and netlink sockets stay restricted to domains that need them.
#
define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }')

#
# Permissions for getting file attributes.
#
define(`stat_file_perms', `{ getattr }')

#
# Permissions for executing files.
#
# Does not include read; pair with r_file_perms (or use rx_file_perms)
# when the domain must also read the file contents.
#
define(`x_file_perms', `{ getattr execute }')

#
# Permissions for reading files and their attributes.
#
define(`r_file_perms', `{ read getattr lock ioctl }')

#
# Permissions for reading and executing files.
#
define(`rx_file_perms', `{ read getattr lock execute ioctl }')

#
# Permissions for reading and writing files and their attributes.
#
# Note: includes write but not setattr, create, unlink or execute.
#
define(`rw_file_perms', `{ ioctl read getattr lock write append }')

#
# Permissions for reading and appending to files.
#
# Same as rw_file_perms minus write, so existing content cannot be
# overwritten or truncated; suitable for log files.
#
define(`ra_file_perms', `{ ioctl read getattr lock append }')

#
# Permissions for linking, unlinking and renaming files.
#
define(`link_file_perms', `{ getattr link unlink rename }')

#
# Permissions for creating lnk_files.
#
define(`create_lnk_perms', `{ create read getattr setattr link unlink rename }')

#
# Permissions for creating and using files.
#
# Full lifecycle access to file contents and names; execute is deliberately
# not part of this set.
#
define(`create_file_perms', `{ create ioctl read getattr lock write setattr append link unlink rename }')

#
# Permissions for reading directories and their attributes.
#
define(`r_dir_perms', `{ read getattr lock search ioctl }')

#
# Permissions for reading and writing directories and their attributes.
#
# add_name and remove_name allow entries to be created and deleted in the
# directory; the entry itself still needs its own class permissions.
#
define(`rw_dir_perms', `{ read getattr lock search ioctl add_name remove_name write }')

#
# Permissions for reading and adding names to directories.
#
# Same as rw_dir_perms minus remove_name: entries can be added but not
# removed.
#
define(`ra_dir_perms', `{ read getattr lock search ioctl add_name write }')

#
# Permissions for creating and using directories.
#
define(`create_dir_perms', `{ create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }')

#
# Permissions to mount and unmount file systems.
#
define(`mount_fs_perms', `{ mount remount unmount getattr }')

#
# Permissions for using sockets.
#
# Covers both client (connect) and pre-listen server (bind) setup; create
# is not included.
#
define(`rw_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown }')

#
# Permissions for creating and using sockets.
#
define(`create_socket_perms', `{ create rw_socket_perms }')

#
# Permissions for using stream sockets.
#
define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }')

#
# Permissions for creating and using stream sockets.
#
define(`create_stream_socket_perms', `{ create_socket_perms listen accept }')

#
# Permissions for creating and using already-connected sockets.
#
# Same as create_socket_perms but without connect, so the domain can use a
# socket it inherited or was passed without being able to open new
# connections itself.
#
define(`connected_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }')

#
# Permissions for creating and using already-connected stream sockets.
#
# Same as create_stream_socket_perms but without connect.
#
define(`connected_stream_socket_perms', `{ connected_socket_perms listen accept }')

#
# Permissions for creating and using netlink sockets.
#
define(`create_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }')

#
# Permissions for using netlink sockets for operations that modify state.
#
# Note: this set is identical to create_netlink_socket_perms (it includes
# create via create_socket_perms), unlike the rw_ sets above which omit
# create.
#
define(`rw_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }')

#
# Permissions for using netlink sockets for operations that observe state.
#
# Only nlmsg_write is withheld; the socket-level create and write
# permissions are still granted through create_socket_perms, which is
# needed to send the query messages.
#
define(`r_netlink_socket_perms', `{ create_socket_perms nlmsg_read }')

#
# Permissions for sending all signals.
#
# Covers the whole process signal permission set: the three individually
# controlled signals (sigchld, sigkill, sigstop), the null signal used for
# existence checks, and the catch-all signal permission for every other
# signal number.
#
define(`signal_perms', `{ sigchld sigkill sigstop signull signal }')

#
# Permissions for sending and receiving network packets.
#
# Applies to the node and netif classes; covers TCP, UDP and raw IP in
# both directions.
#
define(`packet_perms', `{ tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send }')

#
# Permissions for using System V IPC
#
# Three parallel tiers per IPC class: r_ (read only), rw_ (read and write)
# and create_ (full lifecycle including setattr, create and destroy).
# The unix_read and unix_write permissions mirror the IPC_R and IPC_W
# discretionary checks.
#

#
# Semaphores.
#
define(`r_sem_perms', `{ associate getattr read unix_read }')
define(`rw_sem_perms', `{ associate getattr read write unix_read unix_write }')
define(`create_sem_perms', `{ associate getattr setattr create destroy read write unix_read unix_write }')

#
# Message queues; enqueue is the extra permission needed to post messages.
#
define(`r_msgq_perms', `{ associate getattr read unix_read }')
define(`rw_msgq_perms', `{ associate getattr read write enqueue unix_read unix_write }')
define(`create_msgq_perms', `{ associate getattr setattr create destroy read write enqueue unix_read unix_write }')

#
# Shared memory; lock is the extra permission needed to pin segments.
#
define(`r_shm_perms', `{ associate getattr read unix_read }')
define(`rw_shm_perms', `{ associate getattr read write lock unix_read unix_write }')
define(`create_shm_perms', `{ associate getattr setattr create destroy read write lock unix_read unix_write }')