selinux-refpolicy/policy/modules/kernel/mcs.if

133 lines
2.7 KiB
Plaintext

## <summary>Multicategory security policy</summary>
## <required val="true">
## Contains attributes used in MCS policy.
## </required>
########################################
## <summary>
## Constrain by category access control (MCS).
## </summary>
## <desc>
## <p>
## Constrain the specified type by category based
## access control (MCS) This prevents this domain from
## interacting with subjects and operating on objects
## that it otherwise would be able to interact
## with or operate on respectively.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Type to be constrained by MCS.
## </summary>
## </param>
## <infoflow type="none"/>
#
interface(`mcs_constrained',`
gen_require(`
attribute mcs_constrained_type;
')
typeattribute $1 mcs_constrained_type;
')
########################################
## <summary>
## This domain is allowed to read files and directories
## regardless of their MCS category set.
## </summary>
## <param name="domain">
## <summary>
## Domain target for user exemption.
## </summary>
## </param>
## <rolecap/>
#
interface(`mcs_file_read_all',`
gen_require(`
attribute mcsreadall;
')
typeattribute $1 mcsreadall;
')
########################################
## <summary>
## This domain is allowed to write files and directories
## regardless of their MCS category set.
## </summary>
## <param name="domain">
## <summary>
## Domain target for user exemption.
## </summary>
## </param>
## <rolecap/>
#
interface(`mcs_file_write_all',`
gen_require(`
attribute mcswriteall;
')
typeattribute $1 mcswriteall;
')
########################################
## <summary>
## This domain is allowed to sigkill and sigstop
## all domains regardless of their MCS category set.
## </summary>
## <param name="domain">
## <summary>
## Domain target for user exemption.
## </summary>
## </param>
## <rolecap/>
#
interface(`mcs_killall',`
gen_require(`
attribute mcskillall;
')
typeattribute $1 mcskillall;
')
########################################
## <summary>
## This domain is allowed to ptrace
## all domains regardless of their MCS
## category set.
## </summary>
## <param name="domain">
## <summary>
## Domain target for user exemption.
## </summary>
## </param>
#
interface(`mcs_ptrace_all',`
gen_require(`
attribute mcsptraceall;
')
typeattribute $1 mcsptraceall;
')
########################################
## <summary>
## Make specified domain MCS trusted
## for setting any category set for
## the processes it executes.
## </summary>
## <param name="domain">
## <summary>
## Domain target for user exemption.
## </summary>
## </param>
#
interface(`mcs_process_set_categories',`
gen_require(`
attribute mcssetcats;
')
typeattribute $1 mcssetcats;
')