## Policy for SELinux policy and userland applications. ####################################### ## ## Execute checkpolicy in the checkpolicy domain. ## ## ## ## Domain allowed to transition. ## ## # interface(`seutil_domtrans_checkpolicy',` gen_require(` type checkpolicy_t, checkpolicy_exec_t; ') files_search_usr($1) corecmd_search_bin($1) domtrans_pattern($1, checkpolicy_exec_t, checkpolicy_t) ') ######################################## ## ## Execute checkpolicy in the checkpolicy domain, and ## allow the specified role the checkpolicy domain, ## and use the caller's terminal. ## ## ## ## Domain allowed to transition. ## ## ## ## ## Role allowed access. ## ## ## # interface(`seutil_run_checkpolicy',` gen_require(` type checkpolicy_t; ') seutil_domtrans_checkpolicy($1) role $2 types checkpolicy_t; ') ######################################## ## ## Execute checkpolicy in the caller domain. ## ## ## ## Domain allowed access. ## ## ## # interface(`seutil_exec_checkpolicy',` gen_require(` type checkpolicy_exec_t; ') files_search_usr($1) corecmd_search_bin($1) can_exec($1, checkpolicy_exec_t) ') ####################################### ## ## Execute load_policy in the load_policy domain. ## ## ## ## Domain allowed to transition. ## ## # interface(`seutil_domtrans_loadpolicy',` gen_require(` type load_policy_t, load_policy_exec_t; ') corecmd_search_bin($1) domtrans_pattern($1, load_policy_exec_t, load_policy_t) ') ######################################## ## ## Execute load_policy in the load_policy domain, and ## allow the specified role the load_policy domain, ## and use the caller's terminal. ## ## ## ## Domain allowed to transition. ## ## ## ## ## Role allowed access. ## ## ## # interface(`seutil_run_loadpolicy',` gen_require(` type load_policy_t; ') seutil_domtrans_loadpolicy($1) role $2 types load_policy_t; ') ######################################## ## ## Execute load_policy in the caller domain. ## ## ## ## Domain allowed access. ## ## # interface(`seutil_exec_loadpolicy',` gen_require(` type load_policy_exec_t; ') corecmd_search_bin($1) can_exec($1, load_policy_exec_t) ') ######################################## ## ## Read the load_policy program file. ## ## ## ## Domain allowed access. ## ## # interface(`seutil_read_loadpolicy',` gen_require(` type load_policy_exec_t; ') corecmd_search_bin($1) allow $1 load_policy_exec_t:file read_file_perms; ') ####################################### ## ## Execute newrole in the newole domain. ## ## ## ## Domain allowed to transition. ## ## # interface(`seutil_domtrans_newrole',` gen_require(` type newrole_t, newrole_exec_t; ') files_search_usr($1) corecmd_search_bin($1) domtrans_pattern($1, newrole_exec_t, newrole_t) ') ######################################## ## ## Execute newrole in the newrole domain, and ## allow the specified role the newrole domain, ## and use the caller's terminal. ## ## ## ## Domain allowed to transition. ## ## ## ## ## Role allowed access. ## ## ## # interface(`seutil_run_newrole',` gen_require(` attribute_role newrole_roles; ') seutil_domtrans_newrole($1) roleattribute $2 newrole_roles; ') ######################################## ## ## Execute newrole in the caller domain. ## ## ## ## Domain allowed access. ## ## # interface(`seutil_exec_newrole',` gen_require(` type newrole_t, newrole_exec_t; ') files_search_usr($1) corecmd_search_bin($1) can_exec($1, newrole_exec_t) ') ######################################## ## ## Do not audit the caller attempts to send ## a signal to newrole. ## ## ## ## Domain to not audit. ## ## # interface(`seutil_dontaudit_signal_newrole',` gen_require(` type newrole_t; ') dontaudit $1 newrole_t:process signal; ') ######################################## ## ## Send a SIGCHLD signal to newrole. ## ## ##

## Allow the specified domain to send a SIGCHLD ## signal to newrole. This signal is automatically ## sent from a process that is terminating to ## its parent. This may be needed by domains ## that are executed from newrole. ##

##
## ## ## Domain allowed access. ## ## ## # interface(`seutil_sigchld_newrole',` gen_require(` type newrole_t; ') allow $1 newrole_t:process sigchld; ') ######################################## ## ## Inherit and use newrole file descriptors. ## ## ## ## Domain allowed access. ## ## # interface(`seutil_use_newrole_fds',` gen_require(` type newrole_t; ') allow $1 newrole_t:fd use; ') ######################################## ## ## Do not audit attempts to inherit and use ## newrole file descriptors. ## ## ## ## Domain to not audit. ## ## # interface(`seutil_dontaudit_use_newrole_fds',` gen_require(` type newrole_t; ') dontaudit $1 newrole_t:fd use; ') ####################################### ## ## Execute restorecon in the restorecon domain. (Deprecated) ## ## ## ## Domain allowed to transition. ## ## # interface(`seutil_domtrans_restorecon',` refpolicywarn(`$0($*) has been deprecated, please use seutil_domtrans_setfiles() instead.') seutil_domtrans_setfiles($1) ') ######################################## ## ## Execute restorecon in the restorecon domain, and ## allow the specified role the restorecon domain, ## and use the caller's terminal. (Deprecated) ## ## ## ## Domain allowed to transition. ## ## ## ## ## Role allowed access. ## ## ## # interface(`seutil_run_restorecon',` refpolicywarn(`$0($*) has been deprecated, please use seutil_run_setfiles() instead.') seutil_run_setfiles($1,$2) ') ######################################## ## ## Execute restorecon in the caller domain. (Deprecated) ## ## ## ## Domain allowed access. ## ## ## # interface(`seutil_exec_restorecon',` refpolicywarn(`$0($*) has been deprecated, please use seutil_exec_setfiles() instead.') seutil_exec_setfiles($1) ') ######################################## ## ## Execute run_init in the run_init domain. ## ## ## ## Domain allowed to transition. ## ## # interface(`seutil_domtrans_runinit',` gen_require(` type run_init_t, run_init_exec_t; ') files_search_usr($1) corecmd_search_bin($1) domtrans_pattern($1, run_init_exec_t, run_init_t) ') ######################################## ## ## Execute init scripts in the run_init domain. ## ## ##

## Execute init scripts in the run_init domain. ## This is used for the Gentoo integrated run_init. ##

##
## ## ## Domain allowed to transition. ## ## # interface(`seutil_init_script_domtrans_runinit',` gen_require(` type run_init_t; ') init_script_file_domtrans($1, run_init_t) allow run_init_t $1:fd use; allow run_init_t $1:fifo_file rw_file_perms; allow run_init_t $1:process sigchld; ') ######################################## ## ## Execute run_init in the run_init domain, and ## allow the specified role the run_init domain, ## and use the caller's terminal. ## ## ## ## Domain allowed to transition. ## ## ## ## ## Role allowed access. ## ## ## # interface(`seutil_run_runinit',` gen_require(` attribute_role run_init_roles; ') seutil_domtrans_runinit($1) roleattribute $2 run_init_roles; ') ######################################## ## ## Execute init scripts in the run_init domain, and ## allow the specified role the run_init domain, ## and use the caller's terminal. ## ## ##

## Execute init scripts in the run_init domain, and ## allow the specified role the run_init domain, ## and use the caller's terminal. ##

##

## This is used for the Gentoo integrated run_init. ##

##
## ## ## Domain allowed to transition. ## ## ## ## ## Role allowed access. ## ## # interface(`seutil_init_script_run_runinit',` gen_require(` attribute_role run_init_roles; ') seutil_init_script_domtrans_runinit($1) roleattribute $2 run_init_roles; ') ######################################## ## ## Inherit and use run_init file descriptors. ## ## ## ## Domain allowed access. ## ## # interface(`seutil_use_runinit_fds',` gen_require(` type run_init_t; ') allow $1 run_init_t:fd use; ') ######################################## ## ## Execute setfiles in the setfiles domain. ## ## ## ## Domain allowed to transition. ## ## # interface(`seutil_domtrans_setfiles',` gen_require(` type setfiles_t, setfiles_exec_t; ') files_search_usr($1) corecmd_search_bin($1) domtrans_pattern($1, setfiles_exec_t, setfiles_t) ') ######################################## ## ## Execute setfiles in the setfiles domain, and ## allow the specified role the setfiles domain, ## and use the caller's terminal. ## ## ## ## Domain allowed to transition. ## ## ## ## ## Role allowed access. ## ## ## # interface(`seutil_run_setfiles',` gen_require(` type setfiles_t; ') seutil_domtrans_setfiles($1) role $2 types setfiles_t; ') ######################################## ## ## Execute setfiles in the caller domain. ## ## ## ## Domain allowed access. ## ## # interface(`seutil_exec_setfiles',` gen_require(` type setfiles_exec_t; ') files_search_usr($1) corecmd_search_bin($1) can_exec($1, setfiles_exec_t) ') ######################################## ## ## Do not audit attempts to search the SELinux ## configuration directory (/etc/selinux). ## ## ## ## Domain to not audit. ## ## # interface(`seutil_dontaudit_search_config',` gen_require(` type selinux_config_t; ') dontaudit $1 selinux_config_t:dir search_dir_perms; ') ######################################## ## ## Do not audit attempts to read the SELinux ## userland configuration (/etc/selinux). ## ## ## ## Domain to not audit. ## ## # interface(`seutil_dontaudit_read_config',` gen_require(` type selinux_config_t; ') dontaudit $1 selinux_config_t:dir search_dir_perms; dontaudit $1 selinux_config_t:file read_file_perms; ') ######################################## ## ## Read the general SELinux configuration files. ## ## ## ## Domain allowed access. ## ## ## # interface(`seutil_read_config',` gen_require(` type selinux_config_t; ') files_search_etc($1) allow $1 selinux_config_t:dir list_dir_perms; read_files_pattern($1, selinux_config_t, selinux_config_t) read_lnk_files_pattern($1, selinux_config_t, selinux_config_t) ') ######################################## ## ## Read and write the general SELinux configuration files. ## ## ## ## Domain allowed access. ## ## ## # interface(`seutil_rw_config',` gen_require(` type selinux_config_t; ') files_search_etc($1) allow $1 selinux_config_t:dir list_dir_perms; rw_files_pattern($1, selinux_config_t, selinux_config_t) ') ####################################### ## ## Create, read, write, and delete ## the general selinux configuration files. (Deprecated) ## ## ##

## Create, read, write, and delete ## the general selinux configuration files. ##

##

## This interface has been deprecated, please ## use the seutil_manage_config() interface instead. ##

##
## ## ## Domain allowed access. ## ## ## # interface(`seutil_manage_selinux_config',` refpolicywarn(`$0($*) has been deprecated. Please use seutil_manage_config() instead.') seutil_manage_config($1) ') ####################################### ## ## Create, read, write, and delete ## the general selinux configuration files. ## ## ## ## Domain allowed access. ## ## ## # interface(`seutil_manage_config',` gen_require(` type selinux_config_t; ') files_search_etc($1) manage_files_pattern($1, selinux_config_t, selinux_config_t) read_lnk_files_pattern($1, selinux_config_t, selinux_config_t) ') ####################################### ## ## Create, read, write, and delete ## the general selinux configuration files. ## ## ## ## Domain allowed access. ## ## ## # interface(`seutil_manage_config_dirs',` gen_require(` type selinux_config_t; ') files_search_etc($1) allow $1 selinux_config_t:dir manage_dir_perms; ') ######################################## ## ## Search the policy directory with default_context files. ## ## ## ## Domain allowed access. ## ## # interface(`seutil_search_default_contexts',` gen_require(` type selinux_config_t, default_context_t; ') files_search_etc($1) search_dirs_pattern($1, selinux_config_t, default_context_t) ') ######################################## ## ## Read the default_contexts files. ## ## ## ## Domain allowed access. ## ## ## # interface(`seutil_read_default_contexts',` gen_require(` type selinux_config_t, default_context_t; ') files_search_etc($1) allow $1 selinux_config_t:dir search_dir_perms; allow $1 default_context_t:dir list_dir_perms; read_files_pattern($1, default_context_t, default_context_t) ') ######################################## ## ## Create, read, write, and delete the default_contexts files. ## ## ## ## Domain allowed access. ## ## # interface(`seutil_manage_default_contexts',` gen_require(` type selinux_config_t, default_context_t; ') files_search_etc($1) allow $1 selinux_config_t:dir search_dir_perms; manage_files_pattern($1, default_context_t, default_context_t) ') ######################################## ## ## Read the file_contexts files. ## ## ## ## Domain allowed access. ## ## ## # interface(`seutil_read_file_contexts',` gen_require(` type selinux_config_t, default_context_t, file_context_t; ') files_search_etc($1) allow $1 { selinux_config_t default_context_t }:dir search_dir_perms; read_files_pattern($1, file_context_t, file_context_t) ') ######################################## ## ## Do not audit attempts to read the file_contexts files. ## ## ## ## Domain to not audit. ## ## ## # interface(`seutil_dontaudit_read_file_contexts',` gen_require(` type selinux_config_t, default_context_t, file_context_t; ') dontaudit $1 { selinux_config_t default_context_t file_context_t }:dir search_dir_perms; dontaudit $1 file_context_t:file read_file_perms; ') ######################################## ## ## Read and write the file_contexts files. ## ## ## ## Domain allowed access. ## ## # interface(`seutil_rw_file_contexts',` gen_require(` type selinux_config_t, file_context_t, default_context_t; ') files_search_etc($1) allow $1 { selinux_config_t default_context_t }:dir search_dir_perms; rw_files_pattern($1, file_context_t, file_context_t) ') ######################################## ## ## Create, read, write, and delete the file_contexts files. ## ## ## ## Domain allowed access. ## ## ## # interface(`seutil_manage_file_contexts',` gen_require(` type selinux_config_t, file_context_t, default_context_t; ') files_search_etc($1) allow $1 { selinux_config_t default_context_t }:dir search_dir_perms; manage_files_pattern($1, file_context_t, file_context_t) ') ######################################## ## ## Read the SELinux binary policy. ## ## ## ## Domain allowed access. ## ## # interface(`seutil_read_bin_policy',` gen_require(` type selinux_config_t, policy_config_t; ') files_search_etc($1) allow $1 selinux_config_t:dir search_dir_perms; read_files_pattern($1, policy_config_t, policy_config_t) ') ######################################## ## ## Create the SELinux binary policy. ## ## ## ## Domain allowed access. ## ## # interface(`seutil_create_bin_policy',` gen_require(` # attribute can_write_binary_policy; type selinux_config_t, policy_config_t; ') files_search_etc($1) allow $1 selinux_config_t:dir search_dir_perms; create_files_pattern($1, policy_config_t, policy_config_t) write_files_pattern($1, policy_config_t, policy_config_t) # typeattribute $1 can_write_binary_policy; ') ######################################## ## ## Allow the caller to relabel a file to the binary policy type. ## ## ## ## Domain allowed access. ## ## # interface(`seutil_relabelto_bin_policy',` gen_require(` attribute can_relabelto_binary_policy; type policy_config_t; ') allow $1 policy_config_t:file relabelto; typeattribute $1 can_relabelto_binary_policy; ') ######################################## ## ## Create, read, write, and delete the SELinux ## binary policy. ## ## ## ## Domain allowed access. ## ## # interface(`seutil_manage_bin_policy',` gen_require(` attribute can_write_binary_policy; type selinux_config_t, policy_config_t; ') files_search_etc($1) allow $1 selinux_config_t:dir search_dir_perms; manage_files_pattern($1, policy_config_t, policy_config_t) typeattribute $1 can_write_binary_policy; ') ######################################## ## ## Read SELinux policy source files. ## ## ## ## Domain allowed access. ## ## # interface(`seutil_read_src_policy',` gen_require(` type selinux_config_t, policy_src_t; ') files_search_etc($1) list_dirs_pattern($1, selinux_config_t, policy_src_t) read_files_pattern($1, policy_src_t, policy_src_t) ') ######################################## ## ## Create, read, write, and delete SELinux ## policy source files. ## ## ## ## Domain allowed access. ## ## ## # interface(`seutil_manage_src_policy',` gen_require(` type selinux_config_t, policy_src_t; ') files_search_etc($1) allow $1 selinux_config_t:dir search_dir_perms; manage_dirs_pattern($1, policy_src_t, policy_src_t) manage_files_pattern($1, policy_src_t, policy_src_t) ') ######################################## ## ## Execute a domain transition to run semanage. ## ## ## ## Domain allowed to transition. ## ## # interface(`seutil_domtrans_semanage',` gen_require(` type semanage_t, semanage_exec_t; ') files_search_usr($1) corecmd_search_bin($1) domtrans_pattern($1, semanage_exec_t, semanage_t) ') ######################################## ## ## Execute semanage in the semanage domain, and ## allow the specified role the semanage domain, ## and use the caller's terminal. ## ## ## ## Domain allowed to transition. ## ## ## ## ## Role allowed access. ## ## ## # interface(`seutil_run_semanage',` gen_require(` attribute_role semanage_roles; ') seutil_domtrans_semanage($1) roleattribute $2 semanage_roles; ') ######################################## ## ## Full management of the semanage ## module store. ## ## ## ## Domain allowed access. ## ## # interface(`seutil_manage_module_store',` gen_require(` type selinux_config_t, semanage_store_t; ') files_search_etc($1) manage_dirs_pattern($1, selinux_config_t, semanage_store_t) manage_files_pattern($1, semanage_store_t, semanage_store_t) manage_lnk_files_pattern($1, semanage_store_t, semanage_store_t) filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "modules") ') ####################################### ## ## Get read lock on module store ## ## ## ## Domain allowed access. ## ## # interface(`seutil_get_semanage_read_lock',` gen_require(` type selinux_config_t, semanage_read_lock_t; ') files_search_etc($1) rw_files_pattern($1, selinux_config_t, semanage_read_lock_t) ') ####################################### ## ## Get trans lock on module store ## ## ## ## Domain allowed access. ## ## # interface(`seutil_get_semanage_trans_lock',` gen_require(` type selinux_config_t, semanage_trans_lock_t; ') files_search_etc($1) rw_files_pattern($1, selinux_config_t, semanage_trans_lock_t) ') ######################################## ## ## SELinux-enabled program access for ## libselinux-linked programs. ## ## ##

## SELinux-enabled programs are typically ## linked to the libselinux library. This ## interface will allow access required for ## the libselinux constructor to function. ##

##
## ## ## Domain allowed access. ## ## # interface(`seutil_libselinux_linked',` selinux_get_fs_mount($1) seutil_read_config($1) ') ######################################## ## ## Do not audit SELinux-enabled program access for ## libselinux-linked programs. ## ## ##

## SELinux-enabled programs are typically ## linked to the libselinux library. This ## interface will dontaudit access required for ## the libselinux constructor to function. ##

##

## Generally this should not be used on anything ## but simple SELinux-enabled programs that do not ## rely on data initialized by the libselinux ## constructor. ##

##
## ## ## Domain to not audit. ## ## # interface(`seutil_dontaudit_libselinux_linked',` selinux_dontaudit_get_fs_mount($1) seutil_dontaudit_read_config($1) ')