390 lines
7.8 KiB
Plaintext
390 lines
7.8 KiB
Plaintext
## <summary>Miscelaneous files.</summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read system SSL certificates.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`miscfiles_read_certs',`
|
|
gen_require(`
|
|
type cert_t;
|
|
')
|
|
|
|
allow $1 cert_t:dir list_dir_perms;
|
|
read_files_pattern($1,cert_t,cert_t)
|
|
read_lnk_files_pattern($1,cert_t,cert_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read fonts.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`miscfiles_read_fonts',`
|
|
gen_require(`
|
|
type fonts_t;
|
|
')
|
|
|
|
# cjp: fonts can be in either of these dirs
|
|
files_search_usr($1)
|
|
libs_search_lib($1)
|
|
|
|
allow $1 fonts_t:dir list_dir_perms;
|
|
read_files_pattern($1,fonts_t,fonts_t)
|
|
read_lnk_files_pattern($1,fonts_t,fonts_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Create, read, write, and delete fonts.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`miscfiles_manage_fonts',`
|
|
gen_require(`
|
|
type fonts_t;
|
|
')
|
|
|
|
# cjp: fonts can be in either of these dirs
|
|
files_search_usr($1)
|
|
libs_search_lib($1)
|
|
|
|
manage_dirs_pattern($1,fonts_t,fonts_t)
|
|
manage_files_pattern($1,fonts_t,fonts_t)
|
|
manage_lnk_files_pattern($1,fonts_t,fonts_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read hardware identification data.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`miscfiles_read_hwdata',`
|
|
gen_require(`
|
|
type hwdata_t;
|
|
')
|
|
|
|
allow $1 hwdata_t:dir list_dir_perms;
|
|
read_files_pattern($1,hwdata_t,hwdata_t)
|
|
read_lnk_files_pattern($1,hwdata_t,hwdata_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Allow process to read localization info
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`miscfiles_read_localization',`
|
|
gen_require(`
|
|
type locale_t;
|
|
')
|
|
|
|
files_read_etc_symlinks($1)
|
|
files_search_usr($1)
|
|
allow $1 locale_t:dir list_dir_perms;
|
|
read_files_pattern($1,locale_t,locale_t)
|
|
read_lnk_files_pattern($1,locale_t,locale_t)
|
|
|
|
# why?
|
|
libs_read_lib_files($1)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Allow process to write localization info
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`miscfiles_rw_localization',`
|
|
gen_require(`
|
|
type locale_t;
|
|
')
|
|
|
|
files_search_usr($1)
|
|
allow $1 locale_t:dir list_dir_perms;
|
|
rw_files_pattern($1,locale_t,locale_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Allow process to read legacy time localization info
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`miscfiles_legacy_read_localization',`
|
|
gen_require(`
|
|
type locale_t;
|
|
')
|
|
|
|
miscfiles_read_localization($1)
|
|
allow $1 locale_t:file execute;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Do not audit attempts to search man pages.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain to not audit.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`miscfiles_dontaudit_search_man_pages',`
|
|
gen_require(`
|
|
type man_t;
|
|
')
|
|
|
|
dontaudit $1 man_t:dir search;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read man pages
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`miscfiles_read_man_pages',`
|
|
gen_require(`
|
|
type man_t;
|
|
')
|
|
|
|
files_search_usr($1)
|
|
allow $1 man_t:dir list_dir_perms;
|
|
read_files_pattern($1,man_t,man_t)
|
|
read_lnk_files_pattern($1,man_t,man_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Delete man pages
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
# cjp: added for tmpreaper
|
|
#
|
|
interface(`miscfiles_delete_man_pages',`
|
|
gen_require(`
|
|
type man_t;
|
|
')
|
|
|
|
files_search_usr($1)
|
|
|
|
allow $1 man_t:dir setattr;
|
|
delete_dirs_pattern($1,man_t,man_t)
|
|
delete_files_pattern($1,man_t,man_t)
|
|
delete_lnk_files_pattern($1,man_t,man_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Create, read, write, and delete man pages
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`miscfiles_manage_man_pages',`
|
|
gen_require(`
|
|
type man_t;
|
|
')
|
|
|
|
files_search_usr($1)
|
|
manage_dirs_pattern($1,man_t,man_t)
|
|
manage_files_pattern($1,man_t,man_t)
|
|
read_lnk_files_pattern($1,man_t,man_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read public files used for file
|
|
## transfer services.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`miscfiles_read_public_files',`
|
|
gen_require(`
|
|
type public_content_t, public_content_rw_t;
|
|
')
|
|
|
|
allow $1 { public_content_t public_content_rw_t }:dir list_dir_perms;
|
|
read_files_pattern($1,{ public_content_t public_content_rw_t },{ public_content_t public_content_rw_t })
|
|
read_lnk_files_pattern($1,{ public_content_t public_content_rw_t },{ public_content_t public_content_rw_t })
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Create, read, write, and delete public files
|
|
## and directories used for file transfer services.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`miscfiles_manage_public_files',`
|
|
gen_require(`
|
|
type public_content_rw_t;
|
|
')
|
|
|
|
manage_dirs_pattern($1,public_content_rw_t,public_content_rw_t)
|
|
manage_files_pattern($1,public_content_rw_t,public_content_rw_t)
|
|
manage_lnk_files_pattern($1,public_content_rw_t,public_content_rw_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read TeX data
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`miscfiles_read_tetex_data',`
|
|
gen_require(`
|
|
type tetex_data_t;
|
|
')
|
|
|
|
files_search_var($1)
|
|
files_search_var_lib($1)
|
|
|
|
# cjp: TeX data can be in either of the above dirs
|
|
allow $1 tetex_data_t:dir list_dir_perms;
|
|
read_files_pattern($1,tetex_data_t,tetex_data_t)
|
|
read_lnk_files_pattern($1,tetex_data_t,tetex_data_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute TeX data programs in the caller domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`miscfiles_exec_tetex_data',`
|
|
gen_require(`
|
|
type fonts_t;
|
|
')
|
|
|
|
files_search_var($1)
|
|
files_search_var_lib($1)
|
|
|
|
# cjp: TeX data can be in either of the above dirs
|
|
allow $1 tetex_data_t:dir list_dir_perms;
|
|
exec_files_pattern($1,tetex_data_t,tetex_data_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Let test files be an entry point for
|
|
## a specified domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain to be entered.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`miscfiles_domain_entry_test_files',`
|
|
gen_require(`
|
|
type test_file_t;
|
|
')
|
|
|
|
domain_entry_file($1, test_file_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read test files and directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`miscfiles_read_test_files',`
|
|
gen_require(`
|
|
type test_file_t;
|
|
')
|
|
|
|
read_files_pattern($1,test_file_t,test_file_t)
|
|
read_lnk_files_pattern($1,test_file_t,test_file_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute test files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`miscfiles_exec_test_files',`
|
|
gen_require(`
|
|
type test_file_t;
|
|
')
|
|
|
|
exec_files_pattern($1,test_file_t,test_file_t)
|
|
read_lnk_files_pattern($1,test_file_t,test_file_t)
|
|
')
|