133 lines
2.7 KiB
Plaintext
133 lines
2.7 KiB
Plaintext
## <summary>Multicategory security policy</summary>
|
|
## <required val="true">
|
|
## Contains attributes used in MCS policy.
|
|
## </required>
|
|
|
|
########################################
|
|
## <summary>
|
|
## Constrain by category access control (MCS).
|
|
## </summary>
|
|
## <desc>
|
|
## <p>
|
|
## Constrain the specified type by category based
|
|
## access control (MCS) This prevents this domain from
|
|
## interacting with subjects and operating on objects
|
|
## that it otherwise would be able to interact
|
|
## with or operate on respectively.
|
|
## </p>
|
|
## </desc>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Type to be constrained by MCS.
|
|
## </summary>
|
|
## </param>
|
|
## <infoflow type="none"/>
|
|
#
|
|
interface(`mcs_constrained',`
|
|
gen_require(`
|
|
attribute mcs_constrained_type;
|
|
')
|
|
|
|
typeattribute $1 mcs_constrained_type;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## This domain is allowed to read files and directories
|
|
## regardless of their MCS category set.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain target for user exemption.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`mcs_file_read_all',`
|
|
gen_require(`
|
|
attribute mcsreadall;
|
|
')
|
|
|
|
typeattribute $1 mcsreadall;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## This domain is allowed to write files and directories
|
|
## regardless of their MCS category set.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain target for user exemption.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`mcs_file_write_all',`
|
|
gen_require(`
|
|
attribute mcswriteall;
|
|
')
|
|
|
|
typeattribute $1 mcswriteall;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## This domain is allowed to sigkill and sigstop
|
|
## all domains regardless of their MCS category set.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain target for user exemption.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`mcs_killall',`
|
|
gen_require(`
|
|
attribute mcskillall;
|
|
')
|
|
|
|
typeattribute $1 mcskillall;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## This domain is allowed to ptrace
|
|
## all domains regardless of their MCS
|
|
## category set.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain target for user exemption.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`mcs_ptrace_all',`
|
|
gen_require(`
|
|
attribute mcsptraceall;
|
|
')
|
|
|
|
typeattribute $1 mcsptraceall;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Make specified domain MCS trusted
|
|
## for setting any category set for
|
|
## the processes it executes.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain target for user exemption.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`mcs_process_set_categories',`
|
|
gen_require(`
|
|
attribute mcssetcats;
|
|
')
|
|
|
|
typeattribute $1 mcssetcats;
|
|
')
|