3bb507efa6
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
985 lines
18 KiB
Plaintext
985 lines
18 KiB
Plaintext
## <summary>Multilevel security policy</summary>
|
|
## <desc>
|
|
## <p>
|
|
## This module contains interfaces for handling multilevel
|
|
## security. The interfaces allow the specified subjects
|
|
## and objects to be allowed certain privileges in the
|
|
## MLS rules.
|
|
## </p>
|
|
## </desc>
|
|
## <required val="true">
|
|
## Contains attributes used in MLS policy.
|
|
## </required>
|
|
|
|
########################################
|
|
## <summary>
|
|
## Make specified domain MLS trusted
|
|
## for reading from files up to its clearance.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`mls_file_read_to_clearance',`
|
|
gen_require(`
|
|
attribute mlsfilereadtoclr;
|
|
')
|
|
|
|
typeattribute $1 mlsfilereadtoclr;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Make specified domain MLS trusted
|
|
## for reading from files at all levels.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`mls_file_read_all_levels',`
|
|
gen_require(`
|
|
attribute mlsfileread;
|
|
')
|
|
|
|
typeattribute $1 mlsfileread;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Make specified domain MLS trusted
|
|
## for write to files up to its clearance.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`mls_file_write_to_clearance',`
|
|
gen_require(`
|
|
attribute mlsfilewritetoclr;
|
|
')
|
|
|
|
typeattribute $1 mlsfilewritetoclr;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Make specified domain MLS trusted
|
|
## for writing to files at all levels.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`mls_file_write_all_levels',`
|
|
gen_require(`
|
|
attribute mlsfilewrite;
|
|
')
|
|
|
|
typeattribute $1 mlsfilewrite;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Make specified domain MLS trusted
|
|
## for relabelto to files up to its clearance.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`mls_file_relabel_to_clearance',`
|
|
gen_require(`
|
|
attribute mlsfilerelabeltoclr;
|
|
')
|
|
|
|
typeattribute $1 mlsfilerelabeltoclr;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Make specified domain MLS trusted
|
|
## for relabelto to files at all levels.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`mls_file_relabel',`
|
|
gen_require(`
|
|
attribute mlsfilerelabel;
|
|
')
|
|
|
|
typeattribute $1 mlsfilerelabel;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Make specified domain MLS trusted
|
|
## for raising the level of files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`mls_file_upgrade',`
|
|
gen_require(`
|
|
attribute mlsfileupgrade;
|
|
')
|
|
|
|
typeattribute $1 mlsfileupgrade;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Make specified domain MLS trusted
|
|
## for lowering the level of files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`mls_file_downgrade',`
|
|
gen_require(`
|
|
attribute mlsfiledowngrade;
|
|
')
|
|
|
|
typeattribute $1 mlsfiledowngrade;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Make specified domain trusted to
|
|
## be written to within its MLS range.
|
|
## The subject's MLS range must be a
|
|
## proper subset of the object's MLS range.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`mls_file_write_within_range',`
|
|
gen_require(`
|
|
attribute mlsfilewriteinrange;
|
|
')
|
|
|
|
typeattribute $1 mlsfilewriteinrange;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Make specified domain MLS trusted
|
|
## for reading from sockets at any level.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`mls_socket_read_all_levels',`
|
|
gen_require(`
|
|
attribute mlsnetread;
|
|
')
|
|
|
|
typeattribute $1 mlsnetread;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Make specified domain MLS trusted
|
|
## for reading from sockets at any level
|
|
## that is dominated by the process clearance.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`mls_socket_read_to_clearance',`
|
|
gen_require(`
|
|
attribute mlsnetreadtoclr;
|
|
')
|
|
|
|
typeattribute $1 mlsnetreadtoclr;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Make specified domain MLS trusted
|
|
## for writing to sockets up to
|
|
## its clearance.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`mls_socket_write_to_clearance',`
|
|
gen_require(`
|
|
attribute mlsnetwritetoclr;
|
|
')
|
|
|
|
typeattribute $1 mlsnetwritetoclr;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Make specified domain MLS trusted
|
|
## for writing to sockets at any level.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`mls_socket_write_all_levels',`
|
|
gen_require(`
|
|
attribute mlsnetwrite;
|
|
')
|
|
|
|
typeattribute $1 mlsnetwrite;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Make specified domain MLS trusted
|
|
## for receiving network data from
|
|
## network interfaces or hosts at any level.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`mls_net_receive_all_levels',`
|
|
gen_require(`
|
|
attribute mlsnetrecvall;
|
|
')
|
|
|
|
typeattribute $1 mlsnetrecvall;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Make specified domain trusted to
|
|
## write to network objects within its MLS range.
|
|
## The subject's MLS range must be a
|
|
## proper subset of the object's MLS range.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`mls_net_write_within_range',`
|
|
gen_require(`
|
|
attribute mlsnetwriteranged;
|
|
')
|
|
|
|
typeattribute $1 mlsnetwriteranged;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Make specified domain trusted to
|
|
## write inbound packets regardless of the
|
|
## network's or node's MLS range.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`mls_net_inbound_all_levels',`
|
|
gen_require(`
|
|
attribute mlsnetinbound;
|
|
')
|
|
|
|
typeattribute $1 mlsnetinbound;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Make specified domain trusted to
|
|
## write outbound packets regardless of the
|
|
## network's or node's MLS range.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`mls_net_outbound_all_levels',`
|
|
gen_require(`
|
|
attribute mlsnetoutbound;
|
|
')
|
|
|
|
typeattribute $1 mlsnetoutbound;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Make specified domain MLS trusted
|
|
## for reading from System V IPC objects
|
|
## up to its clearance.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`mls_sysvipc_read_to_clearance',`
|
|
gen_require(`
|
|
attribute mlsipcreadtoclr;
|
|
')
|
|
|
|
typeattribute $1 mlsipcreadtoclr;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Make specified domain MLS trusted
|
|
## for reading from System V IPC objects
|
|
## at any level.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`mls_sysvipc_read_all_levels',`
|
|
gen_require(`
|
|
attribute mlsipcread;
|
|
')
|
|
|
|
typeattribute $1 mlsipcread;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Make specified domain MLS trusted
|
|
## for writing to System V IPC objects
|
|
## up to its clearance.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`mls_sysvipc_write_to_clearance',`
|
|
gen_require(`
|
|
attribute mlsipcwritetoclr;
|
|
')
|
|
|
|
typeattribute $1 mlsipcwritetoclr;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Make specified domain MLS trusted
|
|
## for writing to System V IPC objects
|
|
## at any level.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`mls_sysvipc_write_all_levels',`
|
|
gen_require(`
|
|
attribute mlsipcwrite;
|
|
')
|
|
|
|
typeattribute $1 mlsipcwrite;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Make specified domain MLS trusted
|
|
## for writing to keys up to
|
|
## its clearance.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`mls_key_write_to_clearance',`
|
|
gen_require(`
|
|
attribute mlskeywritetoclr;
|
|
')
|
|
|
|
typeattribute $1 mlskeywritetoclr;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Make specified domain MLS trusted
|
|
## for writing to keys at all levels.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`mls_key_write_all_levels',`
|
|
gen_require(`
|
|
attribute mlskeywrite;
|
|
')
|
|
|
|
typeattribute $1 mlskeywrite;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Allow the specified domain to do a MLS
|
|
## range transition that changes
|
|
## the current level.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`mls_rangetrans_source',`
|
|
gen_require(`
|
|
attribute privrangetrans;
|
|
')
|
|
|
|
typeattribute $1 privrangetrans;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Make specified domain a target domain
|
|
## for MLS range transitions that change
|
|
## the current level.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`mls_rangetrans_target',`
|
|
gen_require(`
|
|
attribute mlsrangetrans;
|
|
')
|
|
|
|
typeattribute $1 mlsrangetrans;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Make specified domain MLS trusted
|
|
## for reading from processes up to
|
|
## its clearance.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`mls_process_read_to_clearance',`
|
|
gen_require(`
|
|
attribute mlsprocreadtoclr;
|
|
')
|
|
|
|
typeattribute $1 mlsprocreadtoclr;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Make specified domain MLS trusted
|
|
## for reading from processes at all levels.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`mls_process_read_all_levels',`
|
|
gen_require(`
|
|
attribute mlsprocread;
|
|
')
|
|
|
|
typeattribute $1 mlsprocread;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Make specified domain MLS trusted
|
|
## for writing to processes up to
|
|
## its clearance.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`mls_process_write_to_clearance',`
|
|
gen_require(`
|
|
attribute mlsprocwritetoclr;
|
|
')
|
|
|
|
typeattribute $1 mlsprocwritetoclr;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Make specified domain MLS trusted
|
|
## for writing to processes at all levels.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`mls_process_write_all_levels',`
|
|
gen_require(`
|
|
attribute mlsprocwrite;
|
|
')
|
|
|
|
typeattribute $1 mlsprocwrite;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Make specified domain MLS trusted
|
|
## for setting the level of processes
|
|
## it executes.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`mls_process_set_level',`
|
|
gen_require(`
|
|
attribute mlsprocsetsl;
|
|
')
|
|
|
|
typeattribute $1 mlsprocsetsl;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Make specified domain MLS trusted
|
|
## for reading from X objects up to its clearance.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`mls_xwin_read_to_clearance',`
|
|
gen_require(`
|
|
attribute mlsxwinreadtoclr;
|
|
')
|
|
|
|
typeattribute $1 mlsxwinreadtoclr;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Make specified domain MLS trusted
|
|
## for reading from X objects at any level.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`mls_xwin_read_all_levels',`
|
|
gen_require(`
|
|
attribute mlsxwinread;
|
|
')
|
|
|
|
typeattribute $1 mlsxwinread;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Make specified domain MLS trusted
|
|
## for write to X objects up to its clearance.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`mls_xwin_write_to_clearance',`
|
|
gen_require(`
|
|
attribute mlsxwinwritetoclr;
|
|
')
|
|
|
|
typeattribute $1 mlsxwinwritetoclr;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Make specified domain MLS trusted
|
|
## for writing to X objects at any level.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`mls_xwin_write_all_levels',`
|
|
gen_require(`
|
|
attribute mlsxwinwrite;
|
|
')
|
|
|
|
typeattribute $1 mlsxwinwrite;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Make specified domain MLS trusted
|
|
## for reading from X colormaps at any level.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`mls_colormap_read_all_levels',`
|
|
gen_require(`
|
|
attribute mlsxwinreadcolormap;
|
|
')
|
|
|
|
typeattribute $1 mlsxwinreadcolormap;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Make specified domain MLS trusted
|
|
## for writing to X colormaps at any level.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`mls_colormap_write_all_levels',`
|
|
gen_require(`
|
|
attribute mlsxwinwritecolormap;
|
|
')
|
|
|
|
typeattribute $1 mlsxwinwritecolormap;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Make specified object MLS trusted.
|
|
## </summary>
|
|
## <desc>
|
|
## <p>
|
|
## Make specified object MLS trusted. This
|
|
## allows all levels to read and write the
|
|
## object.
|
|
## </p>
|
|
## <p>
|
|
## This currently only applies to filesystem
|
|
## objects, for example, files and directories.
|
|
## </p>
|
|
## </desc>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## The type of the object.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`mls_trusted_object',`
|
|
gen_require(`
|
|
attribute mlstrustedobject;
|
|
')
|
|
|
|
typeattribute $1 mlstrustedobject;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Make specified socket MLS trusted.
|
|
## </summary>
|
|
## <desc>
|
|
## <p>
|
|
## Make specified socket MLS trusted. For sockets
|
|
## marked as such, this allows all levels to:
|
|
## * sendto to unix_dgram_sockets
|
|
## * connectto to unix_stream_sockets
|
|
## respectively.
|
|
## </p>
|
|
## </desc>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## The type of the object.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`mls_trusted_socket',`
|
|
gen_require(`
|
|
attribute mlstrustedsocket;
|
|
')
|
|
|
|
typeattribute $1 mlstrustedsocket;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Make the specified domain trusted
|
|
## to inherit and use file descriptors
|
|
## from all levels.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`mls_fd_use_all_levels',`
|
|
gen_require(`
|
|
attribute mlsfduse;
|
|
')
|
|
|
|
typeattribute $1 mlsfduse;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Make the file descriptors from the
|
|
## specified domain inheritable by
|
|
## all levels.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`mls_fd_share_all_levels',`
|
|
gen_require(`
|
|
attribute mlsfdshare;
|
|
')
|
|
|
|
typeattribute $1 mlsfdshare;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Make specified domain MLS trusted
|
|
## for translating contexts at all levels. (Deprecated)
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`mls_context_translate_all_levels',`
|
|
refpolicywarn(`$0($*) has been deprecated')
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Make specified domain MLS trusted
|
|
## for reading from databases at any level.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`mls_db_read_all_levels',`
|
|
gen_require(`
|
|
attribute mlsdbread;
|
|
')
|
|
|
|
typeattribute $1 mlsdbread;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Make specified domain MLS trusted
|
|
## for writing to databases at any level.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`mls_db_write_all_levels',`
|
|
gen_require(`
|
|
attribute mlsdbwrite;
|
|
')
|
|
|
|
typeattribute $1 mlsdbwrite;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Make specified domain MLS trusted
|
|
## for raising the level of databases.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`mls_db_upgrade',`
|
|
gen_require(`
|
|
attribute mlsdbupgrade;
|
|
')
|
|
|
|
typeattribute $1 mlsdbupgrade;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Make specified domain MLS trusted
|
|
## for lowering the level of databases.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`mls_db_downgrade',`
|
|
gen_require(`
|
|
attribute mlsdbdowngrade;
|
|
')
|
|
|
|
typeattribute $1 mlsdbdowngrade;
|
|
')
|
|
########################################
|
|
## <summary>
|
|
## Make specified domain MLS trusted
|
|
## for sending dbus messages to
|
|
## all levels.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`mls_dbus_send_all_levels',`
|
|
gen_require(`
|
|
attribute mlsdbussend;
|
|
')
|
|
|
|
typeattribute $1 mlsdbussend;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Make specified domain MLS trusted
|
|
## for receiving dbus messages from
|
|
## all levels.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`mls_dbus_recv_all_levels',`
|
|
gen_require(`
|
|
attribute mlsdbusrecv;
|
|
')
|
|
|
|
typeattribute $1 mlsdbusrecv;
|
|
')
|