8b71d70b55
Sadly, make test still fails on some tests. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
class security
|
|
class process
|
|
class system
|
|
class capability
|
|
class filesystem
|
|
class file
|
|
class dir
|
|
class fd
|
|
class lnk_file
|
|
class chr_file
|
|
class blk_file
|
|
class sock_file
|
|
class fifo_file
|
|
class socket
|
|
class tcp_socket
|
|
class udp_socket
|
|
class rawip_socket
|
|
class node
|
|
class netif
|
|
class netlink_socket
|
|
class packet_socket
|
|
class key_socket
|
|
class unix_stream_socket
|
|
class unix_dgram_socket
|
|
class sem
|
|
class msg
|
|
class msgq
|
|
class shm
|
|
class ipc
|
|
class passwd # userspace
|
|
class drawable # userspace
|
|
class window # userspace
|
|
class gc # userspace
|
|
class font # userspace
|
|
class colormap # userspace
|
|
class property # userspace
|
|
class cursor # userspace
|
|
class xclient # userspace
|
|
class xinput # userspace
|
|
class xserver # userspace
|
|
class xextension # userspace
|
|
class pax
|
|
class netlink_route_socket
|
|
class netlink_firewall_socket
|
|
class netlink_tcpdiag_socket
|
|
class netlink_nflog_socket
|
|
class netlink_xfrm_socket
|
|
class netlink_selinux_socket
|
|
class netlink_audit_socket
|
|
class netlink_ip6fw_socket
|
|
class netlink_dnrt_socket
|
|
class dbus # userspace
|
|
class nscd # userspace
|
|
class association
|
|
class netlink_kobject_uevent_socket
|
|
sid kernel
|
|
sid security
|
|
sid unlabeled
|
|
sid fs
|
|
sid file
|
|
sid file_labels
|
|
sid init
|
|
sid any_socket
|
|
sid port
|
|
sid netif
|
|
sid netmsg
|
|
sid node
|
|
sid igmp_packet
|
|
sid icmp_socket
|
|
sid tcp_socket
|
|
sid sysctl_modprobe
|
|
sid sysctl
|
|
sid sysctl_fs
|
|
sid sysctl_kernel
|
|
sid sysctl_net
|
|
sid sysctl_net_unix
|
|
sid sysctl_vm
|
|
sid sysctl_dev
|
|
sid kmod
|
|
sid policy
|
|
sid scmp_packet
|
|
sid devnull
|
|
common file
|
|
{
|
|
ioctl
|
|
read
|
|
write
|
|
create
|
|
getattr
|
|
setattr
|
|
lock
|
|
relabelfrom
|
|
relabelto
|
|
append
|
|
unlink
|
|
link
|
|
rename
|
|
execute
|
|
swapon
|
|
quotaon
|
|
mounton
|
|
}
|
|
common socket
|
|
{
|
|
ioctl
|
|
read
|
|
write
|
|
create
|
|
getattr
|
|
setattr
|
|
lock
|
|
relabelfrom
|
|
relabelto
|
|
append
|
|
bind
|
|
connect
|
|
listen
|
|
accept
|
|
getopt
|
|
setopt
|
|
shutdown
|
|
recvfrom
|
|
sendto
|
|
recv_msg
|
|
send_msg
|
|
name_bind
|
|
}
|
|
common ipc
|
|
{
|
|
create
|
|
destroy
|
|
getattr
|
|
setattr
|
|
read
|
|
write
|
|
associate
|
|
unix_read
|
|
unix_write
|
|
}
|
|
class filesystem
|
|
{
|
|
mount
|
|
remount
|
|
unmount
|
|
getattr
|
|
relabelfrom
|
|
relabelto
|
|
transition
|
|
associate
|
|
quotamod
|
|
quotaget
|
|
}
|
|
class dir
|
|
inherits file
|
|
{
|
|
add_name
|
|
remove_name
|
|
reparent
|
|
search
|
|
rmdir
|
|
}
|
|
class file
|
|
inherits file
|
|
{
|
|
execute_no_trans
|
|
entrypoint
|
|
execmod
|
|
}
|
|
class lnk_file
|
|
inherits file
|
|
class chr_file
|
|
inherits file
|
|
{
|
|
execute_no_trans
|
|
entrypoint
|
|
execmod
|
|
}
|
|
class blk_file
|
|
inherits file
|
|
class sock_file
|
|
inherits file
|
|
class fifo_file
|
|
inherits file
|
|
class fd
|
|
{
|
|
use
|
|
}
|
|
class socket
|
|
inherits socket
|
|
class tcp_socket
|
|
inherits socket
|
|
{
|
|
connectto
|
|
newconn
|
|
acceptfrom
|
|
node_bind
|
|
name_connect
|
|
}
|
|
class udp_socket
|
|
inherits socket
|
|
{
|
|
node_bind
|
|
}
|
|
class rawip_socket
|
|
inherits socket
|
|
{
|
|
node_bind
|
|
}
|
|
class node
|
|
{
|
|
tcp_recv
|
|
tcp_send
|
|
udp_recv
|
|
udp_send
|
|
rawip_recv
|
|
rawip_send
|
|
enforce_dest
|
|
}
|
|
class netif
|
|
{
|
|
tcp_recv
|
|
tcp_send
|
|
udp_recv
|
|
udp_send
|
|
rawip_recv
|
|
rawip_send
|
|
}
|
|
class netlink_socket
|
|
inherits socket
|
|
class packet_socket
|
|
inherits socket
|
|
class key_socket
|
|
inherits socket
|
|
class unix_stream_socket
|
|
inherits socket
|
|
{
|
|
connectto
|
|
newconn
|
|
acceptfrom
|
|
}
|
|
class unix_dgram_socket
|
|
inherits socket
|
|
class process
|
|
{
|
|
fork
|
|
transition
|
|
sigchld # commonly granted from child to parent
|
|
sigkill # cannot be caught or ignored
|
|
sigstop # cannot be caught or ignored
|
|
signull # for kill(pid, 0)
|
|
signal # all other signals
|
|
ptrace
|
|
getsched
|
|
setsched
|
|
getsession
|
|
getpgid
|
|
setpgid
|
|
getcap
|
|
setcap
|
|
share
|
|
getattr
|
|
setexec
|
|
setfscreate
|
|
noatsecure
|
|
siginh
|
|
setrlimit
|
|
rlimitinh
|
|
dyntransition
|
|
setcurrent
|
|
execmem
|
|
execstack
|
|
execheap
|
|
}
|
|
class ipc
|
|
inherits ipc
|
|
class sem
|
|
inherits ipc
|
|
class msgq
|
|
inherits ipc
|
|
{
|
|
enqueue
|
|
}
|
|
class msg
|
|
{
|
|
send
|
|
receive
|
|
}
|
|
class shm
|
|
inherits ipc
|
|
{
|
|
lock
|
|
}
|
|
class security
|
|
{
|
|
compute_av
|
|
compute_create
|
|
compute_member
|
|
check_context
|
|
load_policy
|
|
compute_relabel
|
|
compute_user
|
|
setenforce # was avc_toggle in system class
|
|
setbool
|
|
setsecparam
|
|
setcheckreqprot
|
|
}
|
|
class system
|
|
{
|
|
ipc_info
|
|
syslog_read
|
|
syslog_mod
|
|
syslog_console
|
|
}
|
|
class capability
|
|
{
|
|
chown
|
|
dac_override
|
|
dac_read_search
|
|
fowner
|
|
fsetid
|
|
kill
|
|
setgid
|
|
setuid
|
|
setpcap
|
|
linux_immutable
|
|
net_bind_service
|
|
net_broadcast
|
|
net_admin
|
|
net_raw
|
|
ipc_lock
|
|
ipc_owner
|
|
sys_module
|
|
sys_rawio
|
|
sys_chroot
|
|
sys_ptrace
|
|
sys_pacct
|
|
sys_admin
|
|
sys_boot
|
|
sys_nice
|
|
sys_resource
|
|
sys_time
|
|
sys_tty_config
|
|
mknod
|
|
lease
|
|
audit_write
|
|
audit_control
|
|
}
|
|
class passwd
|
|
{
|
|
passwd # change another user's password
|
|
chfn # change another user's finger info
|
|
chsh # change another user's shell
|
|
rootok # pam_rootok check (skip auth)
|
|
crontab # crontab for another user
|
|
}
|
|
class drawable
|
|
{
|
|
create
|
|
destroy
|
|
draw
|
|
copy
|
|
getattr
|
|
}
|
|
class gc
|
|
{
|
|
create
|
|
free
|
|
getattr
|
|
setattr
|
|
}
|
|
class window
|
|
{
|
|
addchild
|
|
create
|
|
destroy
|
|
map
|
|
unmap
|
|
chstack
|
|
chproplist
|
|
chprop
|
|
listprop
|
|
getattr
|
|
setattr
|
|
setfocus
|
|
move
|
|
chselection
|
|
chparent
|
|
ctrllife
|
|
enumerate
|
|
transparent
|
|
mousemotion
|
|
clientcomevent
|
|
inputevent
|
|
drawevent
|
|
windowchangeevent
|
|
windowchangerequest
|
|
serverchangeevent
|
|
extensionevent
|
|
}
|
|
class font
|
|
{
|
|
load
|
|
free
|
|
getattr
|
|
use
|
|
}
|
|
class colormap
|
|
{
|
|
create
|
|
free
|
|
install
|
|
uninstall
|
|
list
|
|
read
|
|
store
|
|
getattr
|
|
setattr
|
|
}
|
|
class property
|
|
{
|
|
create
|
|
free
|
|
read
|
|
write
|
|
}
|
|
class cursor
|
|
{
|
|
create
|
|
createglyph
|
|
free
|
|
assign
|
|
setattr
|
|
}
|
|
class xclient
|
|
{
|
|
kill
|
|
}
|
|
class xinput
|
|
{
|
|
lookup
|
|
getattr
|
|
setattr
|
|
setfocus
|
|
warppointer
|
|
activegrab
|
|
passivegrab
|
|
ungrab
|
|
bell
|
|
mousemotion
|
|
relabelinput
|
|
}
|
|
class xserver
|
|
{
|
|
screensaver
|
|
gethostlist
|
|
sethostlist
|
|
getfontpath
|
|
setfontpath
|
|
getattr
|
|
grab
|
|
ungrab
|
|
}
|
|
class xextension
|
|
{
|
|
query
|
|
use
|
|
}
|
|
class pax
|
|
{
|
|
pageexec # Paging based non-executable pages
|
|
emutramp # Emulate trampolines
|
|
mprotect # Restrict mprotect()
|
|
randmmap # Randomize mmap() base
|
|
randexec # Randomize ET_EXEC base
|
|
segmexec # Segmentation based non-executable pages
|
|
}
|
|
class netlink_route_socket
|
|
inherits socket
|
|
{
|
|
nlmsg_read
|
|
nlmsg_write
|
|
}
|
|
class netlink_firewall_socket
|
|
inherits socket
|
|
{
|
|
nlmsg_read
|
|
nlmsg_write
|
|
}
|
|
class netlink_tcpdiag_socket
|
|
inherits socket
|
|
{
|
|
nlmsg_read
|
|
nlmsg_write
|
|
}
|
|
class netlink_nflog_socket
|
|
inherits socket
|
|
class netlink_xfrm_socket
|
|
inherits socket
|
|
{
|
|
nlmsg_read
|
|
nlmsg_write
|
|
}
|
|
class netlink_selinux_socket
|
|
inherits socket
|
|
class netlink_audit_socket
|
|
inherits socket
|
|
{
|
|
nlmsg_read
|
|
nlmsg_write
|
|
nlmsg_relay
|
|
nlmsg_readpriv
|
|
}
|
|
class netlink_ip6fw_socket
|
|
inherits socket
|
|
{
|
|
nlmsg_read
|
|
nlmsg_write
|
|
}
|
|
class netlink_dnrt_socket
|
|
inherits socket
|
|
class dbus
|
|
{
|
|
acquire_svc
|
|
send_msg
|
|
}
|
|
class nscd
|
|
{
|
|
getpwd
|
|
getgrp
|
|
gethost
|
|
getstat
|
|
admin
|
|
shmempwd
|
|
shmemgrp
|
|
shmemhost
|
|
}
|
|
class association
|
|
{
|
|
sendto
|
|
recvfrom
|
|
setcontext
|
|
}
|
|
class netlink_kobject_uevent_socket
|
|
inherits socket
|
|
sensitivity s0;
|
|
dominance { s0 }
|
|
category c0; category c1; category c2; category c3;
|
|
category c4; category c5; category c6; category c7;
|
|
category c8; category c9; category c10; category c11;
|
|
category c12; category c13; category c14; category c15;
|
|
category c16; category c17; category c18; category c19;
|
|
category c20; category c21; category c22; category c23;
|
|
category c24; category c25; category c26; category c27;
|
|
category c28; category c29; category c30; category c31;
|
|
category c32; category c33; category c34; category c35;
|
|
category c36; category c37; category c38; category c39;
|
|
category c40; category c41; category c42; category c43;
|
|
category c44; category c45; category c46; category c47;
|
|
category c48; category c49; category c50; category c51;
|
|
category c52; category c53; category c54; category c55;
|
|
category c56; category c57; category c58; category c59;
|
|
category c60; category c61; category c62; category c63;
|
|
category c64; category c65; category c66; category c67;
|
|
category c68; category c69; category c70; category c71;
|
|
category c72; category c73; category c74; category c75;
|
|
category c76; category c77; category c78; category c79;
|
|
category c80; category c81; category c82; category c83;
|
|
category c84; category c85; category c86; category c87;
|
|
category c88; category c89; category c90; category c91;
|
|
category c92; category c93; category c94; category c95;
|
|
category c96; category c97; category c98; category c99;
|
|
category c100; category c101; category c102; category c103;
|
|
category c104; category c105; category c106; category c107;
|
|
category c108; category c109; category c110; category c111;
|
|
category c112; category c113; category c114; category c115;
|
|
category c116; category c117; category c118; category c119;
|
|
category c120; category c121; category c122; category c123;
|
|
category c124; category c125; category c126; category c127;
|
|
category c128; category c129; category c130; category c131;
|
|
category c132; category c133; category c134; category c135;
|
|
category c136; category c137; category c138; category c139;
|
|
category c140; category c141; category c142; category c143;
|
|
category c144; category c145; category c146; category c147;
|
|
category c148; category c149; category c150; category c151;
|
|
category c152; category c153; category c154; category c155;
|
|
category c156; category c157; category c158; category c159;
|
|
category c160; category c161; category c162; category c163;
|
|
category c164; category c165; category c166; category c167;
|
|
category c168; category c169; category c170; category c171;
|
|
category c172; category c173; category c174; category c175;
|
|
category c176; category c177; category c178; category c179;
|
|
category c180; category c181; category c182; category c183;
|
|
category c184; category c185; category c186; category c187;
|
|
category c188; category c189; category c190; category c191;
|
|
category c192; category c193; category c194; category c195;
|
|
category c196; category c197; category c198; category c199;
|
|
category c200; category c201; category c202; category c203;
|
|
category c204; category c205; category c206; category c207;
|
|
category c208; category c209; category c210; category c211;
|
|
category c212; category c213; category c214; category c215;
|
|
category c216; category c217; category c218; category c219;
|
|
category c220; category c221; category c222; category c223;
|
|
category c224; category c225; category c226; category c227;
|
|
category c228; category c229; category c230; category c231;
|
|
category c232; category c233; category c234; category c235;
|
|
category c236; category c237; category c238; category c239;
|
|
category c240; category c241; category c242; category c243;
|
|
category c244; category c245; category c246; category c247;
|
|
category c248; category c249; category c250; category c251;
|
|
category c252; category c253; category c254; category c255;
|
|
level s0:c0.c255;
|
|
mlsconstrain file { write setattr append unlink link rename
|
|
ioctl lock execute relabelfrom } (h1 dom h2);
|
|
mlsconstrain file { create relabelto } ((h1 dom h2) and (l2 eq h2));
|
|
mlsconstrain file { read } ((h1 dom h2) or ( t2 == domain ) or ( t1 == mlsfileread ));
|
|
mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }
|
|
( h1 dom h2 );
|
|
mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }
|
|
(( h1 dom h2 ) and ( l2 eq h2 ));
|
|
mlsconstrain process { ptrace } ( h1 dom h2 );
|
|
mlsconstrain process { sigkill sigstop } ( h1 dom h2 ) or
|
|
( t1 == mcskillall );
|
|
mlsconstrain xextension query ( t1 == mlsfileread );
|
|
attribute netif_type;
|
|
attribute node_type;
|
|
attribute port_type;
|
|
attribute reserved_port_type;
|
|
attribute device_node;
|
|
attribute memory_raw_read;
|
|
attribute memory_raw_write;
|
|
attribute domain;
|
|
attribute unconfined_domain_type;
|
|
attribute set_curr_context;
|
|
attribute entry_type;
|
|
attribute privfd;
|
|
attribute can_change_process_identity;
|
|
attribute can_change_process_role;
|
|
attribute can_change_object_identity;
|
|
attribute can_system_change;
|
|
attribute process_user_target;
|
|
attribute cron_source_domain;
|
|
attribute cron_job_domain;
|
|
attribute process_uncond_exempt; # add userhelperdomain to this one
|
|
attribute file_type;
|
|
attribute lockfile;
|
|
attribute mountpoint;
|
|
attribute pidfile;
|
|
attribute polydir;
|
|
attribute usercanread;
|
|
attribute polyparent;
|
|
attribute polymember;
|
|
attribute security_file_type;
|
|
attribute tmpfile;
|
|
attribute tmpfsfile;
|
|
attribute filesystem_type;
|
|
attribute noxattrfs;
|
|
attribute can_load_kernmodule;
|
|
attribute can_receive_kernel_messages;
|
|
attribute kern_unconfined;
|
|
attribute proc_type;
|
|
attribute sysctl_type;
|
|
attribute mcskillall;
|
|
attribute mlsfileread;
|
|
attribute mlsfilereadtoclr;
|
|
attribute mlsfilewrite;
|
|
attribute mlsfilewritetoclr;
|
|
attribute mlsfileupgrade;
|
|
attribute mlsfiledowngrade;
|
|
attribute mlsnetread;
|
|
attribute mlsnetreadtoclr;
|
|
attribute mlsnetwrite;
|
|
attribute mlsnetwritetoclr;
|
|
attribute mlsnetupgrade;
|
|
attribute mlsnetdowngrade;
|
|
attribute mlsnetrecvall;
|
|
attribute mlsipcread;
|
|
attribute mlsipcreadtoclr;
|
|
attribute mlsipcwrite;
|
|
attribute mlsipcwritetoclr;
|
|
attribute mlsprocread;
|
|
attribute mlsprocreadtoclr;
|
|
attribute mlsprocwrite;
|
|
attribute mlsprocwritetoclr;
|
|
attribute mlsprocsetsl;
|
|
attribute mlsxwinread;
|
|
attribute mlsxwinreadtoclr;
|
|
attribute mlsxwinwrite;
|
|
attribute mlsxwinwritetoclr;
|
|
attribute mlsxwinreadproperty;
|
|
attribute mlsxwinwriteproperty;
|
|
attribute mlsxwinreadcolormap;
|
|
attribute mlsxwinwritecolormap;
|
|
attribute mlsxwinwritexinput;
|
|
attribute mlstrustedobject;
|
|
attribute privrangetrans;
|
|
attribute mlsrangetrans;
|
|
attribute can_load_policy;
|
|
attribute can_setenforce;
|
|
attribute can_setsecparam;
|
|
attribute ttynode;
|
|
attribute ptynode;
|
|
attribute server_ptynode;
|
|
attribute serial_device;
|
|
type bin_t;
|
|
type sbin_t;
|
|
type ls_exec_t;
|
|
type shell_exec_t;
|
|
type chroot_exec_t;
|
|
type ppp_device_t;
|
|
type tun_tap_device_t;
|
|
type port_t, port_type;
|
|
type reserved_port_t, port_type, reserved_port_type;
|
|
type afs_bos_port_t, port_type;
|
|
type afs_fs_port_t, port_type;
|
|
type afs_ka_port_t, port_type;
|
|
type afs_pt_port_t, port_type;
|
|
type afs_vl_port_t, port_type;
|
|
type amanda_port_t, port_type;
|
|
type amavisd_recv_port_t, port_type;
|
|
type amavisd_send_port_t, port_type;
|
|
type asterisk_port_t, port_type;
|
|
type auth_port_t, port_type;
|
|
type bgp_port_t, port_type;
|
|
type biff_port_t, port_type, reserved_port_type;
|
|
type clamd_port_t, port_type;
|
|
type clockspeed_port_t, port_type;
|
|
type comsat_port_t, port_type;
|
|
type cvs_port_t, port_type;
|
|
type dcc_port_t, port_type;
|
|
type dbskkd_port_t, port_type;
|
|
type dhcpc_port_t, port_type;
|
|
type dhcpd_port_t, port_type;
|
|
type dict_port_t, port_type;
|
|
type distccd_port_t, port_type;
|
|
type dns_port_t, port_type;
|
|
type fingerd_port_t, port_type;
|
|
type ftp_data_port_t, port_type;
|
|
type ftp_port_t, port_type;
|
|
type gatekeeper_port_t, port_type;
|
|
type giftd_port_t, port_type;
|
|
type gopher_port_t, port_type;
|
|
type http_cache_port_t, port_type;
|
|
type http_port_t, port_type;
|
|
type howl_port_t, port_type;
|
|
type hplip_port_t, port_type;
|
|
type i18n_input_port_t, port_type;
|
|
type imaze_port_t, port_type;
|
|
type inetd_child_port_t, port_type;
|
|
type innd_port_t, port_type;
|
|
type ipp_port_t, port_type;
|
|
type ircd_port_t, port_type;
|
|
type isakmp_port_t, port_type;
|
|
type jabber_client_port_t, port_type;
|
|
type jabber_interserver_port_t, port_type;
|
|
type kerberos_admin_port_t, port_type;
|
|
type kerberos_master_port_t, port_type;
|
|
type kerberos_port_t, port_type;
|
|
type ktalkd_port_t, port_type;
|
|
type ldap_port_t, port_type;
|
|
type lrrd_port_t, port_type;
|
|
type mail_port_t, port_type;
|
|
type monopd_port_t, port_type;
|
|
type mysqld_port_t, port_type;
|
|
type nessus_port_t, port_type;
|
|
type nmbd_port_t, port_type;
|
|
type ntp_port_t, port_type;
|
|
type openvpn_port_t, port_type;
|
|
type pegasus_http_port_t, port_type;
|
|
type pegasus_https_port_t, port_type;
|
|
type pop_port_t, port_type;
|
|
type portmap_port_t, port_type;
|
|
type postgresql_port_t, port_type;
|
|
type postgrey_port_t, port_type;
|
|
type printer_port_t, port_type;
|
|
type ptal_port_t, port_type;
|
|
type pxe_port_t, port_type;
|
|
type pyzor_port_t, port_type;
|
|
type radacct_port_t, port_type;
|
|
type radius_port_t, port_type;
|
|
type razor_port_t, port_type;
|
|
type rlogind_port_t, port_type;
|
|
type rndc_port_t, port_type;
|
|
type router_port_t, port_type;
|
|
type rsh_port_t, port_type;
|
|
type rsync_port_t, port_type;
|
|
type smbd_port_t, port_type;
|
|
type smtp_port_t, port_type;
|
|
type snmp_port_t, port_type;
|
|
type spamd_port_t, port_type;
|
|
type ssh_port_t, port_type;
|
|
type soundd_port_t, port_type;
|
|
type socks_port_t, port_type; type stunnel_port_t, port_type;
|
|
type swat_port_t, port_type;
|
|
type syslogd_port_t, port_type;
|
|
type telnetd_port_t, port_type;
|
|
type tftp_port_t, port_type;
|
|
type transproxy_port_t, port_type;
|
|
type utcpserver_port_t, port_type;
|
|
type uucpd_port_t, port_type;
|
|
type vnc_port_t, port_type;
|
|
type xserver_port_t, port_type;
|
|
type xen_port_t, port_type;
|
|
type zebra_port_t, port_type;
|
|
type zope_port_t, port_type;
|
|
type node_t, node_type;
|
|
type compat_ipv4_node_t alias node_compat_ipv4_t, node_type;
|
|
type inaddr_any_node_t alias node_inaddr_any_t, node_type;
|
|
type node_internal_t, node_type;
|
|
type link_local_node_t alias node_link_local_t, node_type;
|
|
type lo_node_t alias node_lo_t, node_type;
|
|
type mapped_ipv4_node_t alias node_mapped_ipv4_t, node_type;
|
|
type multicast_node_t alias node_multicast_t, node_type;
|
|
type site_local_node_t alias node_site_local_t, node_type;
|
|
type unspec_node_t alias node_unspec_t, node_type;
|
|
type netif_t, netif_type;
|
|
type device_t;
|
|
type agp_device_t;
|
|
type apm_bios_t;
|
|
type cardmgr_dev_t;
|
|
type clock_device_t;
|
|
type cpu_device_t;
|
|
type crypt_device_t;
|
|
type dri_device_t;
|
|
type event_device_t;
|
|
type framebuf_device_t;
|
|
type lvm_control_t;
|
|
type memory_device_t;
|
|
type misc_device_t;
|
|
type mouse_device_t;
|
|
type mtrr_device_t;
|
|
type null_device_t;
|
|
type power_device_t;
|
|
type printer_device_t;
|
|
type random_device_t;
|
|
type scanner_device_t;
|
|
type sound_device_t;
|
|
type sysfs_t;
|
|
type urandom_device_t;
|
|
type usbfs_t alias usbdevfs_t;
|
|
type usb_device_t;
|
|
type v4l_device_t;
|
|
type xserver_misc_device_t;
|
|
type zero_device_t;
|
|
type xconsole_device_t;
|
|
type devfs_control_t;
|
|
type boot_t;
|
|
type default_t, file_type, mountpoint;
|
|
type etc_t, file_type;
|
|
type etc_runtime_t, file_type;
|
|
type file_t, file_type, mountpoint;
|
|
type home_root_t, file_type, mountpoint;
|
|
type lost_found_t, file_type;
|
|
type mnt_t, file_type, mountpoint;
|
|
type modules_object_t;
|
|
type no_access_t, file_type;
|
|
type poly_t, file_type;
|
|
type readable_t, file_type;
|
|
type root_t, file_type, mountpoint;
|
|
type src_t, file_type, mountpoint;
|
|
type system_map_t;
|
|
type tmp_t, mountpoint; #, polydir
|
|
type usr_t, file_type, mountpoint;
|
|
type var_t, file_type, mountpoint;
|
|
type var_lib_t, file_type, mountpoint;
|
|
type var_lock_t, file_type, lockfile;
|
|
type var_run_t, file_type, pidfile;
|
|
type var_spool_t;
|
|
type fs_t;
|
|
type bdev_t;
|
|
type binfmt_misc_fs_t;
|
|
type capifs_t;
|
|
type configfs_t;
|
|
type eventpollfs_t;
|
|
type futexfs_t;
|
|
type hugetlbfs_t;
|
|
type inotifyfs_t;
|
|
type nfsd_fs_t;
|
|
type ramfs_t;
|
|
type romfs_t;
|
|
type rpc_pipefs_t;
|
|
type tmpfs_t;
|
|
type autofs_t, noxattrfs;
|
|
type cifs_t alias sambafs_t, noxattrfs;
|
|
type dosfs_t, noxattrfs;
|
|
type iso9660_t, filesystem_type, noxattrfs;
|
|
type removable_t, noxattrfs;
|
|
type nfs_t, filesystem_type, noxattrfs;
|
|
type kernel_t, can_load_kernmodule;
|
|
type debugfs_t;
|
|
type proc_t, proc_type;
|
|
type proc_kmsg_t, proc_type;
|
|
type proc_kcore_t, proc_type;
|
|
type proc_mdstat_t, proc_type;
|
|
type proc_net_t, proc_type;
|
|
type proc_xen_t, proc_type;
|
|
type sysctl_t, sysctl_type;
|
|
type sysctl_irq_t, sysctl_type;
|
|
type sysctl_rpc_t, sysctl_type;
|
|
type sysctl_fs_t, sysctl_type;
|
|
type sysctl_kernel_t, sysctl_type;
|
|
type sysctl_modprobe_t, sysctl_type;
|
|
type sysctl_hotplug_t, sysctl_type;
|
|
type sysctl_net_t, sysctl_type;
|
|
type sysctl_net_unix_t, sysctl_type;
|
|
type sysctl_vm_t, sysctl_type;
|
|
type sysctl_dev_t, sysctl_type;
|
|
type unlabeled_t;
|
|
type auditd_exec_t;
|
|
type crond_exec_t;
|
|
type cupsd_exec_t;
|
|
type getty_t;
|
|
type init_t;
|
|
type init_exec_t;
|
|
type initrc_t;
|
|
type initrc_exec_t;
|
|
type login_exec_t;
|
|
type sshd_exec_t;
|
|
type su_exec_t;
|
|
type udev_exec_t;
|
|
type unconfined_t;
|
|
type xdm_exec_t;
|
|
type lvm_exec_t;
|
|
type security_t;
|
|
type bsdpty_device_t;
|
|
type console_device_t;
|
|
type devpts_t;
|
|
type devtty_t;
|
|
type ptmx_t;
|
|
type tty_device_t, serial_device;
|
|
type usbtty_device_t, serial_device;
|
|
# Boolean declarations with their compile-time defaults. These defaults decide
# which conditional blocks further down (if(!secure_mode_policyload),
# if (allow_execmem), if (allow_execmem && allow_execstack), if (read_default_t))
# are active until a boolean is toggled at runtime.
bool secure_mode false;
|
|
bool secure_mode_insmod false;
|
|
# Default false: the load_policy / setenforce / setbool rules guarded by
# !secure_mode_policyload below are therefore active in this policy.
bool secure_mode_policyload false;
|
|
bool allow_cvs_read_shadow false;
|
|
bool allow_execheap false;
|
|
# allow_execmem and allow_execstack both default to true, so the kernel_t
# execmem/execstack rules further down are granted (and audited) by default.
bool allow_execmem true;
|
|
bool allow_execmod false;
|
|
bool allow_execstack true;
|
|
bool allow_ftpd_anon_write false;
|
|
bool allow_gssd_read_tmp true;
|
|
bool allow_httpd_anon_write false;
|
|
bool allow_java_execstack false;
|
|
bool allow_kerberos true;
|
|
bool allow_rsync_anon_write false;
|
|
bool allow_saslauthd_read_shadow false;
|
|
bool allow_smbd_anon_write false;
|
|
bool allow_ptrace false;
|
|
bool allow_ypbind false;
|
|
bool fcron_crond false;
|
|
bool ftp_home_dir false;
|
|
bool ftpd_is_daemon true;
|
|
bool httpd_builtin_scripting true;
|
|
bool httpd_can_network_connect false;
|
|
bool httpd_can_network_connect_db false;
|
|
bool httpd_can_network_relay false;
|
|
bool httpd_enable_cgi true;
|
|
bool httpd_enable_ftp_server false;
|
|
bool httpd_enable_homedirs true;
|
|
bool httpd_ssi_exec true;
|
|
bool httpd_tty_comm false;
|
|
bool httpd_unified true;
|
|
bool named_write_master_zones false;
|
|
bool nfs_export_all_rw true;
|
|
bool nfs_export_all_ro true;
|
|
bool pppd_can_insmod false;
|
|
# Gates the read-only kernel_t access to default_t declared near the end of
# the kernel_t rules.
bool read_default_t true;
|
|
bool run_ssh_inetd false;
|
|
bool samba_enable_home_dirs false;
|
|
bool spamassasin_can_network false;
|
|
bool squid_connect_any false;
|
|
bool ssh_sysadm_login false;
|
|
bool stunnel_is_daemon false;
|
|
bool use_nfs_home_dirs false;
|
|
bool use_samba_home_dirs false;
|
|
bool user_ping true;
|
|
bool spamd_enable_home_dirs true;
|
|
# Executable-directory and entrypoint file types. `filesystem associate` is the
# permission that lets a file with this label exist on an fs_t / noxattrfs
# filesystem; file_type is the attribute the kernel_t file rules use later.
allow bin_t fs_t:filesystem associate;
|
|
allow bin_t noxattrfs:filesystem associate;
|
|
typeattribute bin_t file_type;
|
|
allow sbin_t fs_t:filesystem associate;
|
|
allow sbin_t noxattrfs:filesystem associate;
|
|
typeattribute sbin_t file_type;
|
|
allow ls_exec_t fs_t:filesystem associate;
|
|
allow ls_exec_t noxattrfs:filesystem associate;
|
|
typeattribute ls_exec_t file_type;
|
|
typeattribute ls_exec_t entry_type;
|
|
allow shell_exec_t fs_t:filesystem associate;
|
|
allow shell_exec_t noxattrfs:filesystem associate;
|
|
typeattribute shell_exec_t file_type;
|
|
allow chroot_exec_t fs_t:filesystem associate;
|
|
allow chroot_exec_t noxattrfs:filesystem associate;
|
|
typeattribute chroot_exec_t file_type;
|
|
# Network device nodes: device_node plus association with the persistent
# filesystem and the two tmp filesystems.
typeattribute ppp_device_t device_node;
|
|
allow ppp_device_t fs_t:filesystem associate;
|
|
allow ppp_device_t tmpfs_t:filesystem associate;
|
|
allow ppp_device_t tmp_t:filesystem associate;
|
|
typeattribute tun_tap_device_t device_node;
|
|
allow tun_tap_device_t fs_t:filesystem associate;
|
|
allow tun_tap_device_t tmpfs_t:filesystem associate;
|
|
allow tun_tap_device_t tmp_t:filesystem associate;
|
|
# Network port types, all tagged reserved_port_type. Many lines are exact
# duplicates (bgp_port_t, dhcpd_port_t, inetd_child_port_t, ...); the policy
# compiler accepts repeated typeattribute statements and merges them, so the
# repetition is harmless but grants nothing extra.
typeattribute auth_port_t reserved_port_type;
|
|
typeattribute bgp_port_t reserved_port_type;
|
|
typeattribute bgp_port_t reserved_port_type;
|
|
typeattribute comsat_port_t reserved_port_type;
|
|
typeattribute dhcpc_port_t reserved_port_type;
|
|
typeattribute dhcpd_port_t reserved_port_type;
|
|
typeattribute dhcpd_port_t reserved_port_type;
|
|
typeattribute dhcpd_port_t reserved_port_type;
|
|
typeattribute dhcpd_port_t reserved_port_type;
|
|
typeattribute dhcpd_port_t reserved_port_type;
|
|
typeattribute dns_port_t reserved_port_type;
|
|
typeattribute dns_port_t reserved_port_type;
|
|
typeattribute fingerd_port_t reserved_port_type;
|
|
typeattribute ftp_data_port_t reserved_port_type;
|
|
typeattribute ftp_port_t reserved_port_type;
|
|
typeattribute gopher_port_t reserved_port_type;
|
|
typeattribute gopher_port_t reserved_port_type;
|
|
typeattribute http_port_t reserved_port_type;
|
|
typeattribute http_port_t reserved_port_type;
|
|
typeattribute http_port_t reserved_port_type;
|
|
typeattribute inetd_child_port_t reserved_port_type;
|
|
typeattribute inetd_child_port_t reserved_port_type;
|
|
typeattribute inetd_child_port_t reserved_port_type;
|
|
typeattribute inetd_child_port_t reserved_port_type;
|
|
typeattribute inetd_child_port_t reserved_port_type;
|
|
typeattribute inetd_child_port_t reserved_port_type;
|
|
typeattribute inetd_child_port_t reserved_port_type;
|
|
typeattribute inetd_child_port_t reserved_port_type;
|
|
typeattribute inetd_child_port_t reserved_port_type;
|
|
typeattribute inetd_child_port_t reserved_port_type;
|
|
typeattribute inetd_child_port_t reserved_port_type;
|
|
typeattribute inetd_child_port_t reserved_port_type;
|
|
typeattribute inetd_child_port_t reserved_port_type;
|
|
typeattribute inetd_child_port_t reserved_port_type;
|
|
typeattribute inetd_child_port_t reserved_port_type;
|
|
typeattribute inetd_child_port_t reserved_port_type;
|
|
typeattribute inetd_child_port_t reserved_port_type;
|
|
typeattribute innd_port_t reserved_port_type;
|
|
typeattribute ipp_port_t reserved_port_type;
|
|
typeattribute ipp_port_t reserved_port_type;
|
|
typeattribute isakmp_port_t reserved_port_type;
|
|
typeattribute kerberos_admin_port_t reserved_port_type;
|
|
typeattribute kerberos_admin_port_t reserved_port_type;
|
|
typeattribute kerberos_admin_port_t reserved_port_type;
|
|
typeattribute kerberos_port_t reserved_port_type;
|
|
typeattribute kerberos_port_t reserved_port_type;
|
|
typeattribute kerberos_port_t reserved_port_type;
|
|
typeattribute kerberos_port_t reserved_port_type;
|
|
typeattribute ktalkd_port_t reserved_port_type;
|
|
typeattribute ktalkd_port_t reserved_port_type;
|
|
typeattribute ldap_port_t reserved_port_type;
|
|
typeattribute ldap_port_t reserved_port_type;
|
|
typeattribute ldap_port_t reserved_port_type;
|
|
typeattribute ldap_port_t reserved_port_type;
|
|
typeattribute nmbd_port_t reserved_port_type;
|
|
typeattribute nmbd_port_t reserved_port_type;
|
|
typeattribute nmbd_port_t reserved_port_type;
|
|
typeattribute ntp_port_t reserved_port_type;
|
|
typeattribute pop_port_t reserved_port_type;
|
|
typeattribute pop_port_t reserved_port_type;
|
|
typeattribute pop_port_t reserved_port_type;
|
|
typeattribute pop_port_t reserved_port_type;
|
|
typeattribute pop_port_t reserved_port_type;
|
|
typeattribute pop_port_t reserved_port_type;
|
|
typeattribute pop_port_t reserved_port_type;
|
|
typeattribute portmap_port_t reserved_port_type;
|
|
typeattribute portmap_port_t reserved_port_type;
|
|
typeattribute printer_port_t reserved_port_type;
|
|
typeattribute rlogind_port_t reserved_port_type;
|
|
typeattribute rndc_port_t reserved_port_type;
|
|
typeattribute router_port_t reserved_port_type;
|
|
typeattribute rsh_port_t reserved_port_type;
|
|
typeattribute rsync_port_t reserved_port_type;
|
|
typeattribute rsync_port_t reserved_port_type;
|
|
typeattribute smbd_port_t reserved_port_type;
|
|
typeattribute smbd_port_t reserved_port_type;
|
|
typeattribute smtp_port_t reserved_port_type;
|
|
typeattribute smtp_port_t reserved_port_type;
|
|
typeattribute smtp_port_t reserved_port_type;
|
|
typeattribute snmp_port_t reserved_port_type;
|
|
typeattribute snmp_port_t reserved_port_type;
|
|
typeattribute snmp_port_t reserved_port_type;
|
|
typeattribute spamd_port_t reserved_port_type;
|
|
typeattribute ssh_port_t reserved_port_type;
|
|
typeattribute swat_port_t reserved_port_type;
|
|
typeattribute syslogd_port_t reserved_port_type;
|
|
typeattribute telnetd_port_t reserved_port_type;
|
|
typeattribute tftp_port_t reserved_port_type;
|
|
typeattribute uucpd_port_t reserved_port_type;
|
|
# Device tree: device_t is the /dev directory type (file_type + mountpoint),
# the *_device_t types are device_node members that may live on fs_t, tmpfs_t
# or tmp_t. Repeated associate/typeattribute lines are merged by the compiler.
allow device_t tmpfs_t:filesystem associate;
|
|
allow device_t fs_t:filesystem associate;
|
|
allow device_t noxattrfs:filesystem associate;
|
|
typeattribute device_t file_type;
|
|
allow device_t fs_t:filesystem associate;
|
|
allow device_t noxattrfs:filesystem associate;
|
|
typeattribute device_t file_type;
|
|
typeattribute device_t mountpoint;
|
|
allow device_t tmp_t:filesystem associate;
|
|
typeattribute agp_device_t device_node;
|
|
allow agp_device_t fs_t:filesystem associate;
|
|
allow agp_device_t tmpfs_t:filesystem associate;
|
|
allow agp_device_t tmp_t:filesystem associate;
|
|
typeattribute apm_bios_t device_node;
|
|
allow apm_bios_t fs_t:filesystem associate;
|
|
allow apm_bios_t tmpfs_t:filesystem associate;
|
|
allow apm_bios_t tmp_t:filesystem associate;
|
|
typeattribute cardmgr_dev_t device_node;
|
|
allow cardmgr_dev_t fs_t:filesystem associate;
|
|
allow cardmgr_dev_t tmpfs_t:filesystem associate;
|
|
allow cardmgr_dev_t tmp_t:filesystem associate;
|
|
allow cardmgr_dev_t fs_t:filesystem associate;
|
|
allow cardmgr_dev_t noxattrfs:filesystem associate;
|
|
typeattribute cardmgr_dev_t file_type;
|
|
allow cardmgr_dev_t fs_t:filesystem associate;
|
|
allow cardmgr_dev_t noxattrfs:filesystem associate;
|
|
typeattribute cardmgr_dev_t file_type;
|
|
# cardmgr_dev_t is both a device node and a tmp file type (polymember/tmpfile).
typeattribute cardmgr_dev_t polymember;
|
|
allow cardmgr_dev_t tmpfs_t:filesystem associate;
|
|
typeattribute cardmgr_dev_t tmpfile;
|
|
allow cardmgr_dev_t tmp_t:filesystem associate;
|
|
typeattribute clock_device_t device_node;
|
|
allow clock_device_t fs_t:filesystem associate;
|
|
allow clock_device_t tmpfs_t:filesystem associate;
|
|
allow clock_device_t tmp_t:filesystem associate;
|
|
typeattribute cpu_device_t device_node;
|
|
allow cpu_device_t fs_t:filesystem associate;
|
|
allow cpu_device_t tmpfs_t:filesystem associate;
|
|
allow cpu_device_t tmp_t:filesystem associate;
|
|
typeattribute crypt_device_t device_node;
|
|
allow crypt_device_t fs_t:filesystem associate;
|
|
allow crypt_device_t tmpfs_t:filesystem associate;
|
|
allow crypt_device_t tmp_t:filesystem associate;
|
|
typeattribute dri_device_t device_node;
|
|
allow dri_device_t fs_t:filesystem associate;
|
|
allow dri_device_t tmpfs_t:filesystem associate;
|
|
allow dri_device_t tmp_t:filesystem associate;
|
|
typeattribute event_device_t device_node;
|
|
allow event_device_t fs_t:filesystem associate;
|
|
allow event_device_t tmpfs_t:filesystem associate;
|
|
allow event_device_t tmp_t:filesystem associate;
|
|
typeattribute framebuf_device_t device_node;
|
|
allow framebuf_device_t fs_t:filesystem associate;
|
|
allow framebuf_device_t tmpfs_t:filesystem associate;
|
|
allow framebuf_device_t tmp_t:filesystem associate;
|
|
typeattribute lvm_control_t device_node;
|
|
allow lvm_control_t fs_t:filesystem associate;
|
|
allow lvm_control_t tmpfs_t:filesystem associate;
|
|
allow lvm_control_t tmp_t:filesystem associate;
|
|
typeattribute memory_device_t device_node;
|
|
allow memory_device_t fs_t:filesystem associate;
|
|
allow memory_device_t tmpfs_t:filesystem associate;
|
|
allow memory_device_t tmp_t:filesystem associate;
|
|
# Raw memory device assertions: only types carrying memory_raw_read may read,
# and only types carrying memory_raw_write may write/append, memory_device_t
# chr/blk files. Any allow rule elsewhere that violates this makes the policy
# fail to compile. Within this excerpt kernel_t is the only type given both
# attributes (see the kernel_t rules below).
neverallow ~memory_raw_read memory_device_t:{ chr_file blk_file } read;
|
|
neverallow ~memory_raw_write memory_device_t:{ chr_file blk_file } { append write };
|
|
typeattribute misc_device_t device_node;
|
|
allow misc_device_t fs_t:filesystem associate;
|
|
allow misc_device_t tmpfs_t:filesystem associate;
|
|
allow misc_device_t tmp_t:filesystem associate;
|
|
typeattribute mouse_device_t device_node;
|
|
allow mouse_device_t fs_t:filesystem associate;
|
|
allow mouse_device_t tmpfs_t:filesystem associate;
|
|
allow mouse_device_t tmp_t:filesystem associate;
|
|
typeattribute mtrr_device_t device_node;
|
|
allow mtrr_device_t fs_t:filesystem associate;
|
|
allow mtrr_device_t tmpfs_t:filesystem associate;
|
|
allow mtrr_device_t tmp_t:filesystem associate;
|
|
typeattribute null_device_t device_node;
|
|
allow null_device_t fs_t:filesystem associate;
|
|
allow null_device_t tmpfs_t:filesystem associate;
|
|
allow null_device_t tmp_t:filesystem associate;
|
|
# mlstrustedobject is the attribute MLS constraints normally consult to exempt
# an object from level checks; the constraint block itself is outside this
# excerpt, so treat that as the presumed intent.
typeattribute null_device_t mlstrustedobject;
|
|
typeattribute power_device_t device_node;
|
|
allow power_device_t fs_t:filesystem associate;
|
|
allow power_device_t tmpfs_t:filesystem associate;
|
|
allow power_device_t tmp_t:filesystem associate;
|
|
typeattribute printer_device_t device_node;
|
|
allow printer_device_t fs_t:filesystem associate;
|
|
allow printer_device_t tmpfs_t:filesystem associate;
|
|
allow printer_device_t tmp_t:filesystem associate;
|
|
typeattribute random_device_t device_node;
|
|
allow random_device_t fs_t:filesystem associate;
|
|
allow random_device_t tmpfs_t:filesystem associate;
|
|
allow random_device_t tmp_t:filesystem associate;
|
|
typeattribute scanner_device_t device_node;
|
|
allow scanner_device_t fs_t:filesystem associate;
|
|
allow scanner_device_t tmpfs_t:filesystem associate;
|
|
allow scanner_device_t tmp_t:filesystem associate;
|
|
typeattribute sound_device_t device_node;
|
|
allow sound_device_t fs_t:filesystem associate;
|
|
allow sound_device_t tmpfs_t:filesystem associate;
|
|
allow sound_device_t tmp_t:filesystem associate;
|
|
# sysfs_t and usbfs_t are pseudo-filesystem types: file_type + mountpoint +
# filesystem_type, self-associating.
allow sysfs_t fs_t:filesystem associate;
|
|
allow sysfs_t noxattrfs:filesystem associate;
|
|
typeattribute sysfs_t file_type;
|
|
typeattribute sysfs_t mountpoint;
|
|
typeattribute sysfs_t filesystem_type;
|
|
allow sysfs_t self:filesystem associate;
|
|
typeattribute urandom_device_t device_node;
|
|
allow urandom_device_t fs_t:filesystem associate;
|
|
allow urandom_device_t tmpfs_t:filesystem associate;
|
|
allow urandom_device_t tmp_t:filesystem associate;
|
|
allow usbfs_t fs_t:filesystem associate;
|
|
allow usbfs_t noxattrfs:filesystem associate;
|
|
typeattribute usbfs_t file_type;
|
|
typeattribute usbfs_t mountpoint;
|
|
typeattribute usbfs_t filesystem_type;
|
|
allow usbfs_t self:filesystem associate;
|
|
# usbfs carries no xattr labels, so it is also a noxattrfs member.
typeattribute usbfs_t noxattrfs;
|
|
typeattribute usb_device_t device_node;
|
|
allow usb_device_t fs_t:filesystem associate;
|
|
allow usb_device_t tmpfs_t:filesystem associate;
|
|
allow usb_device_t tmp_t:filesystem associate;
|
|
typeattribute v4l_device_t device_node;
|
|
allow v4l_device_t fs_t:filesystem associate;
|
|
allow v4l_device_t tmpfs_t:filesystem associate;
|
|
allow v4l_device_t tmp_t:filesystem associate;
|
|
typeattribute xserver_misc_device_t device_node;
|
|
allow xserver_misc_device_t fs_t:filesystem associate;
|
|
allow xserver_misc_device_t tmpfs_t:filesystem associate;
|
|
allow xserver_misc_device_t tmp_t:filesystem associate;
|
|
typeattribute zero_device_t device_node;
|
|
allow zero_device_t fs_t:filesystem associate;
|
|
allow zero_device_t tmpfs_t:filesystem associate;
|
|
allow zero_device_t tmp_t:filesystem associate;
|
|
typeattribute zero_device_t mlstrustedobject;
|
|
# xconsole_device_t is a plain file_type (not a device_node) that may also sit
# on tmp filesystems.
allow xconsole_device_t fs_t:filesystem associate;
|
|
allow xconsole_device_t noxattrfs:filesystem associate;
|
|
typeattribute xconsole_device_t file_type;
|
|
allow xconsole_device_t tmpfs_t:filesystem associate;
|
|
allow xconsole_device_t tmp_t:filesystem associate;
|
|
typeattribute devfs_control_t device_node;
|
|
allow devfs_control_t fs_t:filesystem associate;
|
|
allow devfs_control_t tmpfs_t:filesystem associate;
|
|
allow devfs_control_t tmp_t:filesystem associate;
|
|
# Global process assertions, checked at compile time against every allow rule.
# A domain may only transition (or dyntransition) into another domain type.
neverallow domain ~domain:process { transition dyntransition };
|
|
# setcurrent on self is reserved to types carrying set_curr_context.
neverallow { domain -set_curr_context } self:process setcurrent;
|
|
# Process permissions exist only between domain/unlabeled_t subjects and
# domain/unlabeled_t targets; nothing else may hold any process permission.
neverallow { domain unlabeled_t } ~{ domain unlabeled_t }:process *;
|
|
neverallow ~{ domain unlabeled_t } *:process *;
|
|
# Generic file types. Every file_type may associate with a filesystem of its
# own type; the rules below add fs_t / noxattrfs association per type.
allow file_type self:filesystem associate;
|
|
allow boot_t fs_t:filesystem associate;
|
|
allow boot_t noxattrfs:filesystem associate;
|
|
typeattribute boot_t file_type;
|
|
allow boot_t fs_t:filesystem associate;
|
|
allow boot_t noxattrfs:filesystem associate;
|
|
typeattribute boot_t file_type;
|
|
typeattribute boot_t mountpoint;
|
|
allow default_t fs_t:filesystem associate;
|
|
allow default_t noxattrfs:filesystem associate;
|
|
allow etc_t fs_t:filesystem associate;
|
|
allow etc_t noxattrfs:filesystem associate;
|
|
allow etc_runtime_t fs_t:filesystem associate;
|
|
allow etc_runtime_t noxattrfs:filesystem associate;
|
|
allow file_t fs_t:filesystem associate;
|
|
allow file_t noxattrfs:filesystem associate;
|
|
# The kernel domain may mount on top of file_t and root_t directories.
allow kernel_t file_t:dir mounton;
|
|
allow home_root_t fs_t:filesystem associate;
|
|
allow home_root_t noxattrfs:filesystem associate;
|
|
allow home_root_t fs_t:filesystem associate;
|
|
allow home_root_t noxattrfs:filesystem associate;
|
|
typeattribute home_root_t file_type;
|
|
# polyparent / polymember mark polyinstantiated directory parents and members.
typeattribute home_root_t polyparent;
|
|
allow lost_found_t fs_t:filesystem associate;
|
|
allow lost_found_t noxattrfs:filesystem associate;
|
|
allow mnt_t fs_t:filesystem associate;
|
|
allow mnt_t noxattrfs:filesystem associate;
|
|
allow modules_object_t fs_t:filesystem associate;
|
|
allow modules_object_t noxattrfs:filesystem associate;
|
|
typeattribute modules_object_t file_type;
|
|
allow no_access_t fs_t:filesystem associate;
|
|
allow no_access_t noxattrfs:filesystem associate;
|
|
allow poly_t fs_t:filesystem associate;
|
|
allow poly_t noxattrfs:filesystem associate;
|
|
allow readable_t fs_t:filesystem associate;
|
|
allow readable_t noxattrfs:filesystem associate;
|
|
allow root_t fs_t:filesystem associate;
|
|
allow root_t noxattrfs:filesystem associate;
|
|
allow root_t fs_t:filesystem associate;
|
|
allow root_t noxattrfs:filesystem associate;
|
|
typeattribute root_t file_type;
|
|
typeattribute root_t polyparent;
|
|
allow kernel_t root_t:dir mounton;
|
|
allow src_t fs_t:filesystem associate;
|
|
allow src_t noxattrfs:filesystem associate;
|
|
allow system_map_t fs_t:filesystem associate;
|
|
allow system_map_t noxattrfs:filesystem associate;
|
|
typeattribute system_map_t file_type;
|
|
# tmp_t is simultaneously a tmpfile, a polymember and a polyparent, and may
# associate with tmpfs_t and with itself.
allow tmp_t fs_t:filesystem associate;
|
|
allow tmp_t noxattrfs:filesystem associate;
|
|
typeattribute tmp_t file_type;
|
|
allow tmp_t fs_t:filesystem associate;
|
|
allow tmp_t noxattrfs:filesystem associate;
|
|
typeattribute tmp_t file_type;
|
|
typeattribute tmp_t polymember;
|
|
allow tmp_t tmpfs_t:filesystem associate;
|
|
typeattribute tmp_t tmpfile;
|
|
allow tmp_t tmp_t:filesystem associate;
|
|
allow tmp_t fs_t:filesystem associate;
|
|
allow tmp_t noxattrfs:filesystem associate;
|
|
typeattribute tmp_t file_type;
|
|
typeattribute tmp_t polyparent;
|
|
allow usr_t fs_t:filesystem associate;
|
|
allow usr_t noxattrfs:filesystem associate;
|
|
allow var_t fs_t:filesystem associate;
|
|
allow var_t noxattrfs:filesystem associate;
|
|
allow var_lib_t fs_t:filesystem associate;
|
|
allow var_lib_t noxattrfs:filesystem associate;
|
|
allow var_lock_t fs_t:filesystem associate;
|
|
allow var_lock_t noxattrfs:filesystem associate;
|
|
allow var_run_t fs_t:filesystem associate;
|
|
allow var_run_t noxattrfs:filesystem associate;
|
|
allow var_spool_t fs_t:filesystem associate;
|
|
allow var_spool_t noxattrfs:filesystem associate;
|
|
typeattribute var_spool_t file_type;
|
|
allow var_spool_t fs_t:filesystem associate;
|
|
allow var_spool_t noxattrfs:filesystem associate;
|
|
typeattribute var_spool_t file_type;
|
|
typeattribute var_spool_t polymember;
|
|
allow var_spool_t tmpfs_t:filesystem associate;
|
|
typeattribute var_spool_t tmpfile;
|
|
allow var_spool_t tmp_t:filesystem associate;
|
|
# Filesystem types. Each is a filesystem_type and self-associates; the ones
# that can also hold labeled files (hugetlbfs, tmpfs, autofs, removable, nfs,
# binfmt_misc) are additionally file_type and, where mountable, mountpoint.
typeattribute fs_t filesystem_type;
|
|
allow fs_t self:filesystem associate;
|
|
typeattribute bdev_t filesystem_type;
|
|
allow bdev_t self:filesystem associate;
|
|
typeattribute binfmt_misc_fs_t filesystem_type;
|
|
allow binfmt_misc_fs_t self:filesystem associate;
|
|
allow binfmt_misc_fs_t fs_t:filesystem associate;
|
|
allow binfmt_misc_fs_t noxattrfs:filesystem associate;
|
|
typeattribute binfmt_misc_fs_t file_type;
|
|
typeattribute binfmt_misc_fs_t mountpoint;
|
|
typeattribute capifs_t filesystem_type;
|
|
allow capifs_t self:filesystem associate;
|
|
typeattribute configfs_t filesystem_type;
|
|
allow configfs_t self:filesystem associate;
|
|
typeattribute eventpollfs_t filesystem_type;
|
|
allow eventpollfs_t self:filesystem associate;
|
|
typeattribute futexfs_t filesystem_type;
|
|
allow futexfs_t self:filesystem associate;
|
|
typeattribute hugetlbfs_t filesystem_type;
|
|
allow hugetlbfs_t self:filesystem associate;
|
|
allow hugetlbfs_t fs_t:filesystem associate;
|
|
allow hugetlbfs_t noxattrfs:filesystem associate;
|
|
typeattribute hugetlbfs_t file_type;
|
|
typeattribute hugetlbfs_t mountpoint;
|
|
typeattribute inotifyfs_t filesystem_type;
|
|
allow inotifyfs_t self:filesystem associate;
|
|
typeattribute nfsd_fs_t filesystem_type;
|
|
allow nfsd_fs_t self:filesystem associate;
|
|
typeattribute ramfs_t filesystem_type;
|
|
allow ramfs_t self:filesystem associate;
|
|
typeattribute romfs_t filesystem_type;
|
|
allow romfs_t self:filesystem associate;
|
|
typeattribute rpc_pipefs_t filesystem_type;
|
|
allow rpc_pipefs_t self:filesystem associate;
|
|
typeattribute tmpfs_t filesystem_type;
|
|
allow tmpfs_t self:filesystem associate;
|
|
allow tmpfs_t fs_t:filesystem associate;
|
|
allow tmpfs_t noxattrfs:filesystem associate;
|
|
typeattribute tmpfs_t file_type;
|
|
allow tmpfs_t fs_t:filesystem associate;
|
|
allow tmpfs_t noxattrfs:filesystem associate;
|
|
typeattribute tmpfs_t file_type;
|
|
typeattribute tmpfs_t mountpoint;
|
|
allow tmpfs_t noxattrfs:filesystem associate;
|
|
typeattribute autofs_t filesystem_type;
|
|
allow autofs_t self:filesystem associate;
|
|
allow autofs_t fs_t:filesystem associate;
|
|
allow autofs_t noxattrfs:filesystem associate;
|
|
typeattribute autofs_t file_type;
|
|
typeattribute autofs_t mountpoint;
|
|
typeattribute cifs_t filesystem_type;
|
|
allow cifs_t self:filesystem associate;
|
|
typeattribute dosfs_t filesystem_type;
|
|
allow dosfs_t self:filesystem associate;
|
|
allow dosfs_t fs_t:filesystem associate;
|
|
typeattribute iso9660_t filesystem_type;
|
|
allow iso9660_t self:filesystem associate;
|
|
# removable_t is the only filesystem type here tagged usercanread.
allow removable_t noxattrfs:filesystem associate;
|
|
typeattribute removable_t filesystem_type;
|
|
allow removable_t self:filesystem associate;
|
|
allow removable_t fs_t:filesystem associate;
|
|
allow removable_t noxattrfs:filesystem associate;
|
|
typeattribute removable_t file_type;
|
|
typeattribute removable_t usercanread;
|
|
typeattribute nfs_t filesystem_type;
|
|
allow nfs_t self:filesystem associate;
|
|
allow nfs_t fs_t:filesystem associate;
|
|
allow nfs_t noxattrfs:filesystem associate;
|
|
typeattribute nfs_t file_type;
|
|
typeattribute nfs_t mountpoint;
|
|
# Kernel module loading (CAP_SYS_MODULE) is asserted to be limited to types
# carrying can_load_kernmodule; kernel_t receives that attribute below.
neverallow ~can_load_kernmodule self:capability sys_module;
|
|
# Role declarations; the `role X types Y` authorizations follow with the
# kernel_t rules, and the user declarations near the end bind roles to users.
role system_r;
|
|
role sysadm_r;
|
|
role staff_r;
|
|
role user_r;
|
|
role secadm_r;
|
|
# kernel_t: the initial kernel domain. Basic self access, then authorization
# in every declared role.
typeattribute kernel_t domain;
|
|
allow kernel_t self:dir { read getattr lock search ioctl };
|
|
allow kernel_t self:lnk_file { read getattr lock ioctl };
|
|
allow kernel_t self:file { getattr read write append ioctl lock };
|
|
allow kernel_t self:process { fork sigchld };
|
|
# kernel_t is authorized for all five roles, including the unprivileged
# user_r/staff_r; privrangetrans lets it change MLS range on exec.
role secadm_r types kernel_t;
|
|
role sysadm_r types kernel_t;
|
|
role user_r types kernel_t;
|
|
role staff_r types kernel_t;
|
|
typeattribute kernel_t privrangetrans;
|
|
role system_r types kernel_t;
|
|
typeattribute debugfs_t filesystem_type;
|
|
allow debugfs_t self:filesystem associate;
|
|
allow debugfs_t self:filesystem associate;
|
|
# /proc: file_type, mountpoint and filesystem_type at once.
allow proc_t fs_t:filesystem associate;
|
|
allow proc_t noxattrfs:filesystem associate;
|
|
typeattribute proc_t file_type;
|
|
typeattribute proc_t mountpoint;
|
|
typeattribute proc_t filesystem_type;
|
|
allow proc_t self:filesystem associate;
|
|
# Kernel log (proc_kmsg_t) and kernel memory image (proc_kcore_t) files: every
# permission other than getattr is asserted to be limited to
# can_receive_kernel_messages and kern_unconfined types respectively.
neverallow ~can_receive_kernel_messages proc_kmsg_t:file ~getattr;
|
|
neverallow { domain -kern_unconfined } proc_kcore_t:file ~getattr;
|
|
allow sysctl_t fs_t:filesystem associate;
|
|
allow sysctl_t noxattrfs:filesystem associate;
|
|
typeattribute sysctl_t file_type;
|
|
typeattribute sysctl_t mountpoint;
|
|
allow sysctl_fs_t fs_t:filesystem associate;
|
|
allow sysctl_fs_t noxattrfs:filesystem associate;
|
|
typeattribute sysctl_fs_t file_type;
|
|
typeattribute sysctl_fs_t mountpoint;
|
|
# kernel_t access rules. Taken together (full capability set, wildcard access
# to device nodes, filesystems, every domain's sockets, and the
# unconfined_domain_type / kern_unconfined / memory_raw_* attributes) this
# makes kernel_t an unconfined domain; the few exclusions are noted inline.
allow kernel_t self:capability *;
|
|
allow kernel_t unlabeled_t:dir mounton;
|
|
# All self process permissions except ptrace, the set* context/rlimit ones and
# the exec* memory permissions; execmem/execstack/execheap are re-granted
# conditionally below.
allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
|
allow kernel_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
|
|
allow kernel_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
|
|
allow kernel_t self:msg { send receive };
|
|
allow kernel_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
|
|
allow kernel_t self:unix_dgram_socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } };
|
|
allow kernel_t self:unix_stream_socket { { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } } listen accept };
|
|
allow kernel_t self:unix_dgram_socket sendto;
|
|
allow kernel_t self:unix_stream_socket connectto;
|
|
allow kernel_t self:fifo_file { getattr read write append ioctl lock };
|
|
allow kernel_t self:sock_file { read getattr lock ioctl };
|
|
allow kernel_t self:fd use;
|
|
# Read-only access to /proc, /proc/net, mdstat and the kernel sysctls; only
# getattr on kcore/kmsg here (wider access comes via kern_unconfined below).
allow kernel_t proc_t:dir { read getattr lock search ioctl };
|
|
allow kernel_t proc_t:{ lnk_file file } { read getattr lock ioctl };
|
|
allow kernel_t proc_net_t:dir { read getattr lock search ioctl };
|
|
allow kernel_t proc_net_t:file { read getattr lock ioctl };
|
|
allow kernel_t proc_mdstat_t:file { read getattr lock ioctl };
|
|
allow kernel_t proc_kcore_t:file getattr;
|
|
allow kernel_t proc_kmsg_t:file getattr;
|
|
allow kernel_t sysctl_t:dir { read getattr lock search ioctl };
|
|
allow kernel_t sysctl_kernel_t:dir { read getattr lock search ioctl };
|
|
allow kernel_t sysctl_kernel_t:file { read getattr lock ioctl };
|
|
allow kernel_t unlabeled_t:fifo_file { getattr read write append ioctl lock };
|
|
allow kernel_t unlabeled_t:association { sendto recvfrom };
|
|
# Raw IP and TCP send/receive on every interface and node.
allow kernel_t netif_type:netif rawip_send;
|
|
allow kernel_t netif_type:netif rawip_recv;
|
|
allow kernel_t node_type:node rawip_send;
|
|
allow kernel_t node_type:node rawip_recv;
|
|
allow kernel_t netif_t:netif rawip_send;
|
|
allow kernel_t netif_type:netif { tcp_send tcp_recv };
|
|
allow kernel_t node_type:node { tcp_send tcp_recv };
|
|
allow kernel_t node_t:node rawip_send;
|
|
allow kernel_t multicast_node_t:node rawip_send;
|
|
allow kernel_t sysfs_t:dir { read getattr lock search ioctl };
|
|
allow kernel_t sysfs_t:{ file lnk_file } { read getattr lock ioctl };
|
|
allow kernel_t usbfs_t:dir search;
|
|
allow kernel_t filesystem_type:filesystem mount;
|
|
# selinuxfs access and policy loading. can_load_policy satisfies the
# load_policy assertion further down; the actual permission is conditional on
# secure_mode_policyload being off, and auditallow records each use.
allow kernel_t security_t:dir { read search getattr };
|
|
allow kernel_t security_t:file { getattr read write };
|
|
typeattribute kernel_t can_load_policy;
|
|
if(!secure_mode_policyload) {
|
|
allow kernel_t security_t:security load_policy;
|
|
auditallow kernel_t security_t:security load_policy;
|
|
}
|
|
allow kernel_t device_t:dir { read getattr lock search ioctl };
|
|
allow kernel_t device_t:lnk_file { getattr read };
|
|
allow kernel_t console_device_t:chr_file { getattr read write append ioctl lock };
|
|
# Executes shell and bin_t files in its own domain (execute_no_trans).
allow kernel_t bin_t:dir { read getattr lock search ioctl };
|
|
allow kernel_t bin_t:lnk_file { read getattr lock ioctl };
|
|
allow kernel_t shell_exec_t:file { { read getattr lock execute ioctl } execute_no_trans };
|
|
allow kernel_t sbin_t:dir { read getattr lock search ioctl };
|
|
allow kernel_t bin_t:dir { read getattr lock search ioctl };
|
|
allow kernel_t bin_t:lnk_file { read getattr lock ioctl };
|
|
allow kernel_t bin_t:file { { read getattr lock execute ioctl } execute_no_trans };
|
|
allow kernel_t domain:process signal;
|
|
allow kernel_t proc_t:dir search;
|
|
allow kernel_t domain:dir search;
|
|
allow kernel_t root_t:dir { read getattr lock search ioctl };
|
|
allow kernel_t root_t:lnk_file { read getattr lock ioctl };
|
|
allow kernel_t etc_t:dir { read getattr lock search ioctl };
|
|
allow kernel_t home_root_t:dir { read getattr lock search ioctl };
|
|
allow kernel_t usr_t:dir { read getattr lock search ioctl };
|
|
allow kernel_t usr_t:{ file lnk_file } { read getattr lock ioctl };
|
|
# MLS attributes: may read and write process state across levels.
typeattribute kernel_t mlsprocread;
|
|
typeattribute kernel_t mlsprocwrite;
|
|
allow kernel_t self:capability *;
|
|
allow kernel_t self:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
|
|
allow kernel_t self:process transition;
|
|
allow kernel_t self:file { getattr read write append ioctl lock };
|
|
# Userspace object classes (nscd, dbus, passwd) and the proc/sysctl trees:
# wildcard permissions.
allow kernel_t self:nscd *;
|
|
allow kernel_t self:dbus *;
|
|
allow kernel_t self:passwd *;
|
|
allow kernel_t proc_type:{ dir file } *;
|
|
allow kernel_t sysctl_t:{ dir file } *;
|
|
allow kernel_t kernel_t:system *;
|
|
allow kernel_t unlabeled_t:{ dir file lnk_file sock_file fifo_file chr_file blk_file } *;
|
|
allow kernel_t unlabeled_t:filesystem *;
|
|
allow kernel_t unlabeled_t:association *;
|
|
# These attributes satisfy the sys_module, proc_kmsg_t and proc_kcore_t
# assertions declared earlier in the file.
typeattribute kernel_t can_load_kernmodule, can_receive_kernel_messages;
|
|
typeattribute kernel_t kern_unconfined;
|
|
allow kernel_t { proc_t proc_net_t }:dir search;
|
|
allow kernel_t sysctl_type:dir { read getattr lock search ioctl };
|
|
allow kernel_t sysctl_type:file { { getattr read write append ioctl lock } setattr };
|
|
# Unrestricted network object access, and bind/connect to every port type.
allow kernel_t node_type:node *;
|
|
allow kernel_t netif_type:netif *;
|
|
allow kernel_t port_type:tcp_socket { send_msg recv_msg name_connect };
|
|
allow kernel_t port_type:udp_socket { send_msg recv_msg };
|
|
allow kernel_t port_type:{ tcp_socket udp_socket rawip_socket } name_bind;
|
|
allow kernel_t node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
|
|
allow kernel_t unlabeled_t:association { sendto recvfrom };
|
|
# Every device node, raw I/O, and both raw-memory attributes (satisfying the
# memory_device_t assertions declared with the device types).
allow kernel_t device_node:{ chr_file blk_file } *;
|
|
allow kernel_t mtrr_device_t:{ dir file } *;
|
|
allow kernel_t self:capability sys_rawio;
|
|
typeattribute kernel_t memory_raw_write, memory_raw_read;
|
|
typeattribute kernel_t unconfined_domain_type;
|
|
# May change user, role and object identity, and its own current context
# (set_curr_context satisfies the setcurrent assertion).
typeattribute kernel_t can_change_process_identity;
|
|
typeattribute kernel_t can_change_process_role;
|
|
typeattribute kernel_t can_change_object_identity;
|
|
typeattribute kernel_t set_curr_context;
|
|
# Full access to every socket class of every domain, plus fd use, IPC and
# process control (minus transition/dyntransition and the exec* permissions).
allow kernel_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket } socket key_socket } *;
|
|
allow kernel_t domain:fd use;
|
|
allow kernel_t domain:fifo_file { getattr read write append ioctl lock };
|
|
allow kernel_t domain:process ~{ transition dyntransition execmem execstack execheap };
|
|
allow kernel_t domain:{ sem msgq shm } *;
|
|
allow kernel_t domain:msg { send receive };
|
|
allow kernel_t domain:dir { read getattr lock search ioctl };
|
|
allow kernel_t domain:file { read getattr lock ioctl };
|
|
allow kernel_t domain:lnk_file { read getattr lock ioctl };
|
|
# The dontaudit lines overlap the allow rules just above; they only suppress
# denial records for the listed permissions.
dontaudit kernel_t domain:dir { read getattr lock search ioctl };
|
|
dontaudit kernel_t domain:lnk_file { read getattr lock ioctl };
|
|
dontaudit kernel_t domain:file { read getattr lock ioctl };
|
|
dontaudit kernel_t domain:sock_file { read getattr lock ioctl };
|
|
dontaudit kernel_t domain:fifo_file { read getattr lock ioctl };
|
|
# Everything on file_type objects except execmod, which is gated by the
# allow_execmod boolean (default false).
allow kernel_t file_type:{ file chr_file } ~execmod;
|
|
allow kernel_t file_type:{ dir lnk_file sock_file fifo_file blk_file } *;
|
|
allow kernel_t file_type:filesystem *;
|
|
allow kernel_t file_type:{ unix_stream_socket unix_dgram_socket } name_bind;
|
|
if (allow_execmod) {
|
|
allow kernel_t file_type:file execmod;
|
|
}
|
|
allow kernel_t filesystem_type:filesystem *;
|
|
allow kernel_t filesystem_type:{ dir file lnk_file sock_file fifo_file chr_file blk_file } *;
|
|
# Widens the earlier policy-load block: with secure_mode_policyload off,
# kernel_t gets every security-class permission; load_policy, setenforce and
# setbool are audited. The three attributes satisfy the security_t assertions
# declared later in the file.
allow kernel_t security_t:dir { getattr search read };
|
|
allow kernel_t security_t:file { getattr read write };
|
|
typeattribute kernel_t can_load_policy, can_setenforce, can_setsecparam;
|
|
if(!secure_mode_policyload) {
|
|
allow kernel_t security_t:security *;
|
|
auditallow kernel_t security_t:security { load_policy setenforce setbool };
|
|
}
|
|
# Executable memory permissions, each gated by its boolean and audited when
# granted. With the declared defaults (execmem and execstack true, execheap
# false) kernel_t gets execmem and execstack.
if (allow_execheap) {
|
|
allow kernel_t self:process execheap;
|
|
}
|
|
if (allow_execmem) {
|
|
allow kernel_t self:process execmem;
|
|
}
|
|
# execstack additionally requires execmem. The else branch is empty, which
# the policy grammar permits; it adds no rules.
if (allow_execmem && allow_execstack) {
|
|
allow kernel_t self:process execstack;
|
|
auditallow kernel_t self:process execstack;
|
|
} else {
|
|
}
|
|
if (allow_execheap) {
|
|
auditallow kernel_t self:process execheap;
|
|
}
|
|
if (allow_execmem) {
|
|
auditallow kernel_t self:process execmem;
|
|
}
|
|
# Read-only access to default_t objects, gated by read_default_t (default true).
if (read_default_t) {
|
|
allow kernel_t default_t:dir { read getattr lock search ioctl };
|
|
allow kernel_t default_t:file { read getattr lock ioctl };
|
|
allow kernel_t default_t:lnk_file { read getattr lock ioctl };
|
|
allow kernel_t default_t:sock_file { read getattr lock ioctl };
|
|
allow kernel_t default_t:fifo_file { read getattr lock ioctl };
|
|
}
|
|
allow unlabeled_t self:filesystem associate;
|
|
# MLS range transitions: a process in the source domain executing the named
# entrypoint type is started with the given range. All but the last use the
# full s0 - s0:c0.c255 range; the initrc_exec_t transition from unconfined_t
# pins a single level s0.
range_transition getty_t login_exec_t s0 - s0:c0.c255;
|
|
range_transition init_t xdm_exec_t s0 - s0:c0.c255;
|
|
range_transition initrc_t crond_exec_t s0 - s0:c0.c255;
|
|
range_transition initrc_t cupsd_exec_t s0 - s0:c0.c255;
|
|
range_transition initrc_t sshd_exec_t s0 - s0:c0.c255;
|
|
range_transition initrc_t udev_exec_t s0 - s0:c0.c255;
|
|
range_transition initrc_t xdm_exec_t s0 - s0:c0.c255;
|
|
range_transition kernel_t udev_exec_t s0 - s0:c0.c255;
|
|
range_transition unconfined_t su_exec_t s0 - s0:c0.c255;
|
|
range_transition unconfined_t initrc_exec_t s0;
|
|
# selinuxfs type: a filesystem_type, and trusted for MLS purposes.
typeattribute security_t filesystem_type;
|
|
allow security_t self:filesystem associate;
|
|
typeattribute security_t mlstrustedobject;
|
|
# Assertions binding the three privileged security-class operations to their
# attributes: only can_load_policy types may load policy, only can_setenforce
# types may switch enforcing mode, only can_setsecparam types may set security
# parameters. kernel_t carries all three (granted with its rules above).
neverallow ~can_load_policy security_t:security load_policy;
|
|
neverallow ~can_setenforce security_t:security setenforce;
|
|
neverallow ~can_setsecparam security_t:security setsecparam;
|
|
# Terminal device types. All are device_node members that may live on fs_t,
# tmpfs_t or tmp_t; devpts_t is additionally a labeled pseudo-filesystem and
# carries the ttynode/ptynode attributes, tty_device_t only ttynode.
typeattribute bsdpty_device_t device_node;
|
|
allow bsdpty_device_t fs_t:filesystem associate;
|
|
allow bsdpty_device_t tmpfs_t:filesystem associate;
|
|
allow bsdpty_device_t tmp_t:filesystem associate;
|
|
typeattribute console_device_t device_node;
|
|
allow console_device_t fs_t:filesystem associate;
|
|
allow console_device_t tmpfs_t:filesystem associate;
|
|
allow console_device_t tmp_t:filesystem associate;
|
|
allow devpts_t fs_t:filesystem associate;
|
|
allow devpts_t noxattrfs:filesystem associate;
|
|
typeattribute devpts_t file_type;
|
|
typeattribute devpts_t mountpoint;
|
|
allow devpts_t tmpfs_t:filesystem associate;
|
|
allow devpts_t tmp_t:filesystem associate;
|
|
typeattribute devpts_t filesystem_type;
|
|
allow devpts_t self:filesystem associate;
|
|
typeattribute devpts_t ttynode, ptynode;
|
|
# /dev/tty and /dev/ptmx are marked mlstrustedobject (shared across levels).
typeattribute devtty_t device_node;
|
|
allow devtty_t fs_t:filesystem associate;
|
|
allow devtty_t tmpfs_t:filesystem associate;
|
|
allow devtty_t tmp_t:filesystem associate;
|
|
typeattribute devtty_t mlstrustedobject;
|
|
typeattribute ptmx_t device_node;
|
|
allow ptmx_t fs_t:filesystem associate;
|
|
allow ptmx_t tmpfs_t:filesystem associate;
|
|
allow ptmx_t tmp_t:filesystem associate;
|
|
typeattribute ptmx_t mlstrustedobject;
|
|
typeattribute tty_device_t device_node;
|
|
allow tty_device_t fs_t:filesystem associate;
|
|
allow tty_device_t tmpfs_t:filesystem associate;
|
|
allow tty_device_t tmp_t:filesystem associate;
|
|
typeattribute tty_device_t ttynode;
|
|
typeattribute usbtty_device_t device_node;
|
|
allow usbtty_device_t fs_t:filesystem associate;
|
|
allow usbtty_device_t tmpfs_t:filesystem associate;
|
|
allow usbtty_device_t tmp_t:filesystem associate;
|
|
# SELinux users and the roles / MLS ranges they are authorized for.
# system_u is confined to system_r. user_u and root are each authorized
# for user_r, sysadm_r AND system_r with the full s0 - s0:c0.c255 range.
# NOTE(review): authorizing an ordinary user identity (user_u) for
# sysadm_r and system_r is broader than a deployed policy would normally
# allow; review whether this is intended outside a test policy.
user system_u roles { system_r } level s0 range s0 - s0:c0.c255;
|
|
user user_u roles { user_r sysadm_r system_r } level s0 range s0 - s0:c0.c255;
|
|
user root roles { user_r sysadm_r system_r } level s0 range s0 - s0:c0.c255;
|
|
# Identity and role change constraints (evaluated on top of the allow
# rules; a denied constraint blocks the operation even if it is allowed).
# A process transition may change the SELinux user only from a source type
# carrying can_change_process_identity ...
constrain process transition
|
|
( u1 == u2
|
|
or t1 == can_change_process_identity
|
|
);
|
|
# ... and the role only from a source type carrying can_change_process_role.
constrain process transition
|
|
( r1 == r2
|
|
or t1 == can_change_process_role
|
|
);
|
|
# Dynamic transitions can change neither the user nor the role.
constrain process dyntransition
|
|
( u1 == u2 and r1 == r2 );
|
|
# Creating or relabeling a file-class object under a different SELinux
# user than the creator's requires can_change_object_identity.
constrain { dir file lnk_file sock_file fifo_file chr_file blk_file } { create relabelto relabelfrom }
|
|
( u1 == u2 or t1 == can_change_object_identity );
|
|
# Same rule for socket classes.
# NOTE(review): the list below omits the base socket class and key_socket,
# so user-identity changes on those two classes are not constrained here;
# confirm that omission is intended.
constrain { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket } { create relabelto relabelfrom }
|
|
( u1 == u2 or t1 == can_change_object_identity );
|
|
# Initial SID contexts: the labels the kernel assigns to objects that are
# not labelled by a more specific rule. In particular `sid port`, `sid node`
# and `sid netif` are the fallbacks for ports, addresses and interfaces that
# match no portcon / nodecon entry below (e.g. any TCP/UDP port above 1023
# that is not listed becomes port_t).
sid port system_u:object_r:port_t:s0
|
|
sid node system_u:object_r:node_t:s0
|
|
sid netif system_u:object_r:netif_t:s0
|
|
# NOTE(review): `devnull` does not appear among the initial-SID
# declarations visible at the top of this file; confirm it is declared,
# otherwise the policy compiler will reject this line.
sid devnull system_u:object_r:null_device_t:s0
|
|
sid file system_u:object_r:file_t:s0
|
|
sid fs system_u:object_r:fs_t:s0
|
|
# The kernel's own processes run as kernel_t in system_r.
sid kernel system_u:system_r:kernel_t:s0
|
|
sid sysctl system_u:object_r:sysctl_t:s0
|
|
# Everything from here to tcp_socket is a placeholder labelled unlabeled_t.
sid unlabeled system_u:object_r:unlabeled_t:s0
|
|
sid any_socket system_u:object_r:unlabeled_t:s0
|
|
sid file_labels system_u:object_r:unlabeled_t:s0
|
|
sid icmp_socket system_u:object_r:unlabeled_t:s0
|
|
sid igmp_packet system_u:object_r:unlabeled_t:s0
|
|
sid init system_u:object_r:unlabeled_t:s0
|
|
sid kmod system_u:object_r:unlabeled_t:s0
|
|
sid netmsg system_u:object_r:unlabeled_t:s0
|
|
sid policy system_u:object_r:unlabeled_t:s0
|
|
sid scmp_packet system_u:object_r:unlabeled_t:s0
|
|
sid sysctl_modprobe system_u:object_r:unlabeled_t:s0
|
|
sid sysctl_fs system_u:object_r:unlabeled_t:s0
|
|
sid sysctl_kernel system_u:object_r:unlabeled_t:s0
|
|
sid sysctl_net system_u:object_r:unlabeled_t:s0
|
|
sid sysctl_net_unix system_u:object_r:unlabeled_t:s0
|
|
sid sysctl_vm system_u:object_r:unlabeled_t:s0
|
|
sid sysctl_dev system_u:object_r:unlabeled_t:s0
|
|
sid tcp_socket system_u:object_r:unlabeled_t:s0
|
|
# selinuxfs itself; protected by the neverallow rules on security_t above.
sid security system_u:object_r:security_t:s0
|
|
# Filesystem labeling behaviours.
# fs_use_xattr: labels are stored per-file in extended attributes; the
# filesystem itself is fs_t.
fs_use_xattr ext2 system_u:object_r:fs_t:s0;
|
|
fs_use_xattr ext3 system_u:object_r:fs_t:s0;
|
|
fs_use_xattr gfs system_u:object_r:fs_t:s0;
|
|
fs_use_xattr jfs system_u:object_r:fs_t:s0;
|
|
fs_use_xattr reiserfs system_u:object_r:fs_t:s0;
|
|
fs_use_xattr xfs system_u:object_r:fs_t:s0;
|
|
# fs_use_task: objects take the label of the creating task.
fs_use_task pipefs system_u:object_r:fs_t:s0;
|
|
fs_use_task sockfs system_u:object_r:fs_t:s0;
|
|
# fs_use_trans: objects are labelled by a type transition from the creating
# task and the filesystem type (tmpfs_t here, devpts_t for devpts).
# Filesystem types listed nowhere in this file fall back to the genfscon
# entries below or, failing that, to the initial SID contexts above.
fs_use_trans mqueue system_u:object_r:tmpfs_t:s0;
|
|
fs_use_trans shm system_u:object_r:tmpfs_t:s0;
|
|
fs_use_trans tmpfs system_u:object_r:tmpfs_t:s0;
|
|
fs_use_trans devpts system_u:object_r:devpts_t:s0;
|
|
# genfscon: labels for filesystems that cannot carry per-file labels. Each
# filesystem gets one type for its whole tree ("/"); a path entry applies to
# that subtree. Entries are matched by longest path prefix, so their order
# here is not significant. (The /proc/mtrr entry logically belongs with the
# other /proc entries further down.)
genfscon proc /mtrr system_u:object_r:mtrr_device_t:s0
|
|
genfscon sysfs / system_u:object_r:sysfs_t:s0
|
|
genfscon usbfs / system_u:object_r:usbfs_t:s0
|
|
genfscon usbdevfs / system_u:object_r:usbfs_t:s0
|
|
genfscon rootfs / system_u:object_r:root_t:s0
|
|
genfscon bdev / system_u:object_r:bdev_t:s0
|
|
genfscon binfmt_misc / system_u:object_r:binfmt_misc_fs_t:s0
|
|
genfscon capifs / system_u:object_r:capifs_t:s0
|
|
genfscon configfs / system_u:object_r:configfs_t:s0
|
|
genfscon eventpollfs / system_u:object_r:eventpollfs_t:s0
|
|
genfscon futexfs / system_u:object_r:futexfs_t:s0
|
|
genfscon hugetlbfs / system_u:object_r:hugetlbfs_t:s0
|
|
genfscon inotifyfs / system_u:object_r:inotifyfs_t:s0
|
|
genfscon nfsd / system_u:object_r:nfsd_fs_t:s0
|
|
genfscon ramfs / system_u:object_r:ramfs_t:s0
|
|
# romfs and cramfs share romfs_t.
genfscon romfs / system_u:object_r:romfs_t:s0
|
|
genfscon cramfs / system_u:object_r:romfs_t:s0
|
|
genfscon rpc_pipefs / system_u:object_r:rpc_pipefs_t:s0
|
|
genfscon autofs / system_u:object_r:autofs_t:s0
|
|
genfscon automount / system_u:object_r:autofs_t:s0
|
|
# cifs and smbfs share cifs_t; fat/msdos/ntfs/vfat share dosfs_t.
genfscon cifs / system_u:object_r:cifs_t:s0
|
|
genfscon smbfs / system_u:object_r:cifs_t:s0
|
|
genfscon fat / system_u:object_r:dosfs_t:s0
|
|
genfscon msdos / system_u:object_r:dosfs_t:s0
|
|
genfscon ntfs / system_u:object_r:dosfs_t:s0
|
|
genfscon vfat / system_u:object_r:dosfs_t:s0
|
|
genfscon iso9660 / system_u:object_r:iso9660_t:s0
|
|
genfscon udf / system_u:object_r:iso9660_t:s0
|
|
# nfs, nfs4, afs and hfsplus all share nfs_t (hfsplus is a local
# filesystem; confirm that labelling it as network storage is intended).
genfscon nfs / system_u:object_r:nfs_t:s0
|
|
genfscon nfs4 / system_u:object_r:nfs_t:s0
|
|
genfscon afs / system_u:object_r:nfs_t:s0
|
|
genfscon hfsplus / system_u:object_r:nfs_t:s0
|
|
genfscon debugfs / system_u:object_r:debugfs_t:s0
|
|
# /proc is proc_t by default; sensitive subtrees get their own types so they
# can be restricted independently of ordinary /proc reads.
genfscon proc / system_u:object_r:proc_t:s0
|
|
genfscon proc /sysvipc system_u:object_r:proc_t:s0
|
|
# Kernel log ring buffer and kernel memory image.
genfscon proc /kmsg system_u:object_r:proc_kmsg_t:s0
|
|
genfscon proc /kcore system_u:object_r:proc_kcore_t:s0
|
|
genfscon proc /mdstat system_u:object_r:proc_mdstat_t:s0
|
|
genfscon proc /net system_u:object_r:proc_net_t:s0
|
|
genfscon proc /xen system_u:object_r:proc_xen_t:s0
|
|
# sysctls under /proc/sys. /sys/kernel/modprobe and /sys/kernel/hotplug are
# split out from sysctl_kernel_t — presumably because they name the
# user-space helpers the kernel executes, so write access to them is
# equivalent to code execution as the kernel; keep them tightly held.
genfscon proc /sys system_u:object_r:sysctl_t:s0
|
|
genfscon proc /irq system_u:object_r:sysctl_irq_t:s0
|
|
genfscon proc /net/rpc system_u:object_r:sysctl_rpc_t:s0
|
|
genfscon proc /sys/fs system_u:object_r:sysctl_fs_t:s0
|
|
genfscon proc /sys/kernel system_u:object_r:sysctl_kernel_t:s0
|
|
genfscon proc /sys/kernel/modprobe system_u:object_r:sysctl_modprobe_t:s0
|
|
genfscon proc /sys/kernel/hotplug system_u:object_r:sysctl_hotplug_t:s0
|
|
genfscon proc /sys/net system_u:object_r:sysctl_net_t:s0
|
|
genfscon proc /sys/net/unix system_u:object_r:sysctl_net_unix_t:s0
|
|
genfscon proc /sys/vm system_u:object_r:sysctl_vm_t:s0
|
|
genfscon proc /sys/dev system_u:object_r:sysctl_dev_t:s0
|
|
# selinuxfs is security_t; the neverallow rules on security_t above make
# load_policy / setenforce / setsecparam restricted to the attribute holders.
genfscon selinuxfs / system_u:object_r:security_t:s0
|
|
# Port labels (protocol, port or inclusive range, context). Entries are
# consulted in order and the first match wins, so every specific port must
# precede the catch-all reserved_port_t ranges at the very end of this
# list. Ports above 1023 that are listed nowhere fall back to the
# `sid port` initial context (port_t).
portcon udp 7007 system_u:object_r:afs_bos_port_t:s0
|
|
portcon tcp 2040 system_u:object_r:afs_fs_port_t:s0
|
|
portcon udp 7000 system_u:object_r:afs_fs_port_t:s0
|
|
portcon udp 7005 system_u:object_r:afs_fs_port_t:s0
|
|
portcon udp 7004 system_u:object_r:afs_ka_port_t:s0
|
|
portcon udp 7002 system_u:object_r:afs_pt_port_t:s0
|
|
portcon udp 7003 system_u:object_r:afs_vl_port_t:s0
|
|
portcon udp 10080 system_u:object_r:amanda_port_t:s0
|
|
portcon tcp 10080 system_u:object_r:amanda_port_t:s0
|
|
portcon udp 10081 system_u:object_r:amanda_port_t:s0
|
|
portcon tcp 10081 system_u:object_r:amanda_port_t:s0
|
|
portcon tcp 10082 system_u:object_r:amanda_port_t:s0
|
|
portcon tcp 10083 system_u:object_r:amanda_port_t:s0
|
|
portcon tcp 10024 system_u:object_r:amavisd_recv_port_t:s0
|
|
portcon tcp 10025 system_u:object_r:amavisd_send_port_t:s0
|
|
portcon tcp 1720 system_u:object_r:asterisk_port_t:s0
|
|
portcon udp 2427 system_u:object_r:asterisk_port_t:s0
|
|
portcon udp 2727 system_u:object_r:asterisk_port_t:s0
|
|
portcon udp 4569 system_u:object_r:asterisk_port_t:s0
|
|
portcon udp 5060 system_u:object_r:asterisk_port_t:s0
|
|
portcon tcp 113 system_u:object_r:auth_port_t:s0
|
|
portcon tcp 179 system_u:object_r:bgp_port_t:s0
|
|
portcon udp 179 system_u:object_r:bgp_port_t:s0
|
|
portcon tcp 3310 system_u:object_r:clamd_port_t:s0
|
|
portcon udp 4041 system_u:object_r:clockspeed_port_t:s0
|
|
portcon udp 512 system_u:object_r:comsat_port_t:s0
|
|
portcon tcp 2401 system_u:object_r:cvs_port_t:s0
|
|
portcon udp 2401 system_u:object_r:cvs_port_t:s0
|
|
portcon udp 6276 system_u:object_r:dcc_port_t:s0
|
|
portcon udp 6277 system_u:object_r:dcc_port_t:s0
|
|
portcon tcp 1178 system_u:object_r:dbskkd_port_t:s0
|
|
portcon udp 68 system_u:object_r:dhcpc_port_t:s0
|
|
portcon udp 67 system_u:object_r:dhcpd_port_t:s0
|
|
portcon tcp 647 system_u:object_r:dhcpd_port_t:s0
|
|
portcon udp 647 system_u:object_r:dhcpd_port_t:s0
|
|
portcon tcp 847 system_u:object_r:dhcpd_port_t:s0
|
|
portcon udp 847 system_u:object_r:dhcpd_port_t:s0
|
|
portcon tcp 2628 system_u:object_r:dict_port_t:s0
|
|
portcon tcp 3632 system_u:object_r:distccd_port_t:s0
|
|
portcon udp 53 system_u:object_r:dns_port_t:s0
|
|
portcon tcp 53 system_u:object_r:dns_port_t:s0
|
|
portcon tcp 79 system_u:object_r:fingerd_port_t:s0
|
|
portcon tcp 20 system_u:object_r:ftp_data_port_t:s0
|
|
portcon tcp 21 system_u:object_r:ftp_port_t:s0
|
|
portcon udp 1718 system_u:object_r:gatekeeper_port_t:s0
|
|
portcon udp 1719 system_u:object_r:gatekeeper_port_t:s0
|
|
portcon tcp 1721 system_u:object_r:gatekeeper_port_t:s0
|
|
# tcp 7000 is gatekeeper; udp 7000 (above) is afs_fs — different protocols,
# so both apply.
portcon tcp 7000 system_u:object_r:gatekeeper_port_t:s0
|
|
portcon tcp 1213 system_u:object_r:giftd_port_t:s0
|
|
portcon tcp 70 system_u:object_r:gopher_port_t:s0
|
|
portcon udp 70 system_u:object_r:gopher_port_t:s0
|
|
portcon tcp 3128 system_u:object_r:http_cache_port_t:s0
|
|
portcon udp 3130 system_u:object_r:http_cache_port_t:s0
|
|
portcon tcp 8080 system_u:object_r:http_cache_port_t:s0
|
|
portcon tcp 8118 system_u:object_r:http_cache_port_t:s0
|
|
portcon tcp 80 system_u:object_r:http_port_t:s0
|
|
portcon tcp 443 system_u:object_r:http_port_t:s0
|
|
portcon tcp 488 system_u:object_r:http_port_t:s0
|
|
portcon tcp 8008 system_u:object_r:http_port_t:s0
|
|
portcon tcp 9050 system_u:object_r:http_port_t:s0
|
|
portcon tcp 5335 system_u:object_r:howl_port_t:s0
|
|
portcon udp 5353 system_u:object_r:howl_port_t:s0
|
|
portcon tcp 50000 system_u:object_r:hplip_port_t:s0
|
|
portcon tcp 50002 system_u:object_r:hplip_port_t:s0
|
|
portcon tcp 9010 system_u:object_r:i18n_input_port_t:s0
|
|
portcon tcp 5323 system_u:object_r:imaze_port_t:s0
|
|
portcon udp 5323 system_u:object_r:imaze_port_t:s0
|
|
# Ports served by inetd-spawned children (tcp 512 here is distinct from the
# udp 512 comsat entry above).
portcon tcp 7 system_u:object_r:inetd_child_port_t:s0
|
|
portcon udp 7 system_u:object_r:inetd_child_port_t:s0
|
|
portcon tcp 9 system_u:object_r:inetd_child_port_t:s0
|
|
portcon udp 9 system_u:object_r:inetd_child_port_t:s0
|
|
portcon tcp 13 system_u:object_r:inetd_child_port_t:s0
|
|
portcon udp 13 system_u:object_r:inetd_child_port_t:s0
|
|
portcon tcp 19 system_u:object_r:inetd_child_port_t:s0
|
|
portcon udp 19 system_u:object_r:inetd_child_port_t:s0
|
|
portcon tcp 37 system_u:object_r:inetd_child_port_t:s0
|
|
portcon udp 37 system_u:object_r:inetd_child_port_t:s0
|
|
portcon tcp 512 system_u:object_r:inetd_child_port_t:s0
|
|
portcon tcp 543 system_u:object_r:inetd_child_port_t:s0
|
|
portcon tcp 544 system_u:object_r:inetd_child_port_t:s0
|
|
portcon tcp 891 system_u:object_r:inetd_child_port_t:s0
|
|
portcon udp 891 system_u:object_r:inetd_child_port_t:s0
|
|
portcon tcp 892 system_u:object_r:inetd_child_port_t:s0
|
|
portcon udp 892 system_u:object_r:inetd_child_port_t:s0
|
|
portcon tcp 2105 system_u:object_r:inetd_child_port_t:s0
|
|
portcon tcp 5666 system_u:object_r:inetd_child_port_t:s0
|
|
portcon tcp 119 system_u:object_r:innd_port_t:s0
|
|
portcon tcp 631 system_u:object_r:ipp_port_t:s0
|
|
portcon udp 631 system_u:object_r:ipp_port_t:s0
|
|
portcon tcp 6667 system_u:object_r:ircd_port_t:s0
|
|
portcon udp 500 system_u:object_r:isakmp_port_t:s0
|
|
portcon tcp 5222 system_u:object_r:jabber_client_port_t:s0
|
|
portcon tcp 5223 system_u:object_r:jabber_client_port_t:s0
|
|
portcon tcp 5269 system_u:object_r:jabber_interserver_port_t:s0
|
|
portcon tcp 464 system_u:object_r:kerberos_admin_port_t:s0
|
|
portcon udp 464 system_u:object_r:kerberos_admin_port_t:s0
|
|
portcon tcp 749 system_u:object_r:kerberos_admin_port_t:s0
|
|
portcon tcp 4444 system_u:object_r:kerberos_master_port_t:s0
|
|
portcon udp 4444 system_u:object_r:kerberos_master_port_t:s0
|
|
portcon tcp 88 system_u:object_r:kerberos_port_t:s0
|
|
portcon udp 88 system_u:object_r:kerberos_port_t:s0
|
|
portcon tcp 750 system_u:object_r:kerberos_port_t:s0
|
|
portcon udp 750 system_u:object_r:kerberos_port_t:s0
|
|
portcon udp 517 system_u:object_r:ktalkd_port_t:s0
|
|
portcon udp 518 system_u:object_r:ktalkd_port_t:s0
|
|
portcon tcp 389 system_u:object_r:ldap_port_t:s0
|
|
portcon udp 389 system_u:object_r:ldap_port_t:s0
|
|
portcon tcp 636 system_u:object_r:ldap_port_t:s0
|
|
portcon udp 636 system_u:object_r:ldap_port_t:s0
|
|
portcon tcp 2000 system_u:object_r:mail_port_t:s0
|
|
portcon tcp 1234 system_u:object_r:monopd_port_t:s0
|
|
portcon tcp 3306 system_u:object_r:mysqld_port_t:s0
|
|
portcon tcp 1241 system_u:object_r:nessus_port_t:s0
|
|
# udp 137-139 is nmbd; the tcp side of the same ports is smbd (below).
portcon udp 137 system_u:object_r:nmbd_port_t:s0
|
|
portcon udp 138 system_u:object_r:nmbd_port_t:s0
|
|
portcon udp 139 system_u:object_r:nmbd_port_t:s0
|
|
portcon udp 123 system_u:object_r:ntp_port_t:s0
|
|
portcon udp 5000 system_u:object_r:openvpn_port_t:s0
|
|
portcon tcp 5988 system_u:object_r:pegasus_http_port_t:s0
|
|
portcon tcp 5989 system_u:object_r:pegasus_https_port_t:s0
|
|
# pop_port_t covers the POP and IMAP ports, plain and TLS.
portcon tcp 106 system_u:object_r:pop_port_t:s0
|
|
portcon tcp 109 system_u:object_r:pop_port_t:s0
|
|
portcon tcp 110 system_u:object_r:pop_port_t:s0
|
|
portcon tcp 143 system_u:object_r:pop_port_t:s0
|
|
portcon tcp 220 system_u:object_r:pop_port_t:s0
|
|
portcon tcp 993 system_u:object_r:pop_port_t:s0
|
|
portcon tcp 995 system_u:object_r:pop_port_t:s0
|
|
portcon tcp 1109 system_u:object_r:pop_port_t:s0
|
|
portcon udp 111 system_u:object_r:portmap_port_t:s0
|
|
portcon tcp 111 system_u:object_r:portmap_port_t:s0
|
|
portcon tcp 5432 system_u:object_r:postgresql_port_t:s0
|
|
portcon tcp 60000 system_u:object_r:postgrey_port_t:s0
|
|
portcon tcp 515 system_u:object_r:printer_port_t:s0
|
|
portcon tcp 5703 system_u:object_r:ptal_port_t:s0
|
|
portcon udp 4011 system_u:object_r:pxe_port_t:s0
|
|
portcon udp 24441 system_u:object_r:pyzor_port_t:s0
|
|
portcon udp 1646 system_u:object_r:radacct_port_t:s0
|
|
portcon udp 1813 system_u:object_r:radacct_port_t:s0
|
|
portcon udp 1645 system_u:object_r:radius_port_t:s0
|
|
portcon udp 1812 system_u:object_r:radius_port_t:s0
|
|
portcon tcp 2703 system_u:object_r:razor_port_t:s0
|
|
portcon tcp 513 system_u:object_r:rlogind_port_t:s0
|
|
portcon tcp 953 system_u:object_r:rndc_port_t:s0
|
|
portcon udp 520 system_u:object_r:router_port_t:s0
|
|
# tcp 514 is rsh; udp 514 (below) is syslog.
portcon tcp 514 system_u:object_r:rsh_port_t:s0
|
|
portcon tcp 873 system_u:object_r:rsync_port_t:s0
|
|
portcon udp 873 system_u:object_r:rsync_port_t:s0
|
|
portcon tcp 137-139 system_u:object_r:smbd_port_t:s0
|
|
portcon tcp 445 system_u:object_r:smbd_port_t:s0
|
|
portcon tcp 25 system_u:object_r:smtp_port_t:s0
|
|
portcon tcp 465 system_u:object_r:smtp_port_t:s0
|
|
portcon tcp 587 system_u:object_r:smtp_port_t:s0
|
|
portcon udp 161 system_u:object_r:snmp_port_t:s0
|
|
portcon udp 162 system_u:object_r:snmp_port_t:s0
|
|
portcon tcp 199 system_u:object_r:snmp_port_t:s0
|
|
portcon tcp 783 system_u:object_r:spamd_port_t:s0
|
|
portcon tcp 22 system_u:object_r:ssh_port_t:s0
|
|
portcon tcp 8000 system_u:object_r:soundd_port_t:s0
|
|
portcon tcp 9433 system_u:object_r:soundd_port_t:s0
|
|
portcon tcp 901 system_u:object_r:swat_port_t:s0
|
|
portcon udp 514 system_u:object_r:syslogd_port_t:s0
|
|
portcon tcp 23 system_u:object_r:telnetd_port_t:s0
|
|
portcon udp 69 system_u:object_r:tftp_port_t:s0
|
|
portcon tcp 8081 system_u:object_r:transproxy_port_t:s0
|
|
portcon tcp 540 system_u:object_r:uucpd_port_t:s0
|
|
portcon tcp 5900 system_u:object_r:vnc_port_t:s0
|
|
# X server ports tcp 6001-6019.
# NOTE(review): tcp 6000 is not listed, so it falls back to port_t rather
# than xserver_port_t; confirm that is intended.
portcon tcp 6001 system_u:object_r:xserver_port_t:s0
|
|
portcon tcp 6002 system_u:object_r:xserver_port_t:s0
|
|
portcon tcp 6003 system_u:object_r:xserver_port_t:s0
|
|
portcon tcp 6004 system_u:object_r:xserver_port_t:s0
|
|
portcon tcp 6005 system_u:object_r:xserver_port_t:s0
|
|
portcon tcp 6006 system_u:object_r:xserver_port_t:s0
|
|
portcon tcp 6007 system_u:object_r:xserver_port_t:s0
|
|
portcon tcp 6008 system_u:object_r:xserver_port_t:s0
|
|
portcon tcp 6009 system_u:object_r:xserver_port_t:s0
|
|
portcon tcp 6010 system_u:object_r:xserver_port_t:s0
|
|
portcon tcp 6011 system_u:object_r:xserver_port_t:s0
|
|
portcon tcp 6012 system_u:object_r:xserver_port_t:s0
|
|
portcon tcp 6013 system_u:object_r:xserver_port_t:s0
|
|
portcon tcp 6014 system_u:object_r:xserver_port_t:s0
|
|
portcon tcp 6015 system_u:object_r:xserver_port_t:s0
|
|
portcon tcp 6016 system_u:object_r:xserver_port_t:s0
|
|
portcon tcp 6017 system_u:object_r:xserver_port_t:s0
|
|
portcon tcp 6018 system_u:object_r:xserver_port_t:s0
|
|
portcon tcp 6019 system_u:object_r:xserver_port_t:s0
|
|
portcon tcp 8002 system_u:object_r:xen_port_t:s0
|
|
portcon tcp 2601 system_u:object_r:zebra_port_t:s0
|
|
portcon tcp 8021 system_u:object_r:zope_port_t:s0
|
|
# Catch-all for every privileged port not named above. These MUST stay
# last: an entry placed after them would never match.
portcon tcp 1-1023 system_u:object_r:reserved_port_t:s0
|
|
portcon udp 1-1023 system_u:object_r:reserved_port_t:s0
|
|
# Network node (address) labels: address, mask, context. Addresses that
# match no entry fall back to the `sid node` initial context (node_t).
# IPv4-compatible IPv6 addresses (::/96).
nodecon :: ffff:ffff:ffff:ffff:ffff:ffff:: system_u:object_r:compat_ipv4_node_t:s0
|
|
# The IPv4 wildcard address 0.0.0.0 exactly.
nodecon 0.0.0.0 255.255.255.255 system_u:object_r:inaddr_any_node_t:s0
|
|
# IPv6 link-local (fe80::/64).
nodecon fe80:: ffff:ffff:ffff:ffff:: system_u:object_r:link_local_node_t:s0
|
|
# IPv4 loopback exactly (only 127.0.0.1, not the rest of 127.0.0.0/8).
nodecon 127.0.0.1 255.255.255.255 system_u:object_r:lo_node_t:s0
|
|
# IPv4-mapped IPv6 addresses (::ffff:0:0/96).
nodecon ::ffff:0000:0000 ffff:ffff:ffff:ffff:ffff:ffff:: system_u:object_r:mapped_ipv4_node_t:s0
|
|
# IPv6 multicast (ff00::/8) and site-local (fec0::/10).
nodecon ff00:: ff00:: system_u:object_r:multicast_node_t:s0
|
|
nodecon fec0:: ffc0:: system_u:object_r:site_local_node_t:s0
|
|
# The IPv6 unspecified address :: exactly (/128). Note that :: also falls
# inside the ::/96 compat range at the top of this list; this exact entry
# is meant to take precedence — confirm the compiler orders node contexts
# from most specific mask to least, otherwise the earlier /96 entry wins.
nodecon :: ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system_u:object_r:unspec_node_t:s0
|