nnd/selinux-refpolicy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
b19be25429
selinux-refpolicy/policy/modules/system/miscfiles.if
Markus Linnala 9127219358 policy: interfaces: doc: indent param blocks consistently 
There is more than 5000 parameter documentations. Only about 300 are
differently done. Change them to be consistently indented.

param with one space
and content inside with one tab

This was done with:

sed -ri '
/^##[[:space:]]*<param/,/^##[[:space:]]*<[/]param>/{
	s/^##[[:space:]]*/##\t/;
	s/^##[[:space:]]*(<[/]?summary)/##\t\1/;
	s/^##[[:space:]]*(<[/]?param)/## \1/;
}' policy/modules/*/*.if

Signed-off-by: Markus Linnala <Markus.Linnala@cybercom.com>
2021-07-02 12:19:25 +03:00

1009 lines
21 KiB
Plaintext
Raw Blame History

## <summary>Miscellaneous files.</summary>
########################################
## <summary>
## Make the specified type usable as a cert file.
## </summary>
## <desc>
## <p>
## Make the specified type usable for cert files.
## This will also make the type usable for files, making
## calls to files_type() redundant. Failure to use this interface
## for a temporary file may result in problems with
## cert management tools.
## </p>
## <p>
## Related interfaces:
## </p>
## <ul>
## <li>files_type()</li>
## </ul>
## <p>
## Example:
## </p>
## <p>
## type mycertfile_t;
## cert_type(mycertfile_t)
## allow mydomain_t mycertfile_t:file read_file_perms;
## files_search_etc(mydomain_t)
## </p>
## </desc>
## <param name="type">
## <summary>
## Type to be used for files.
## </summary>
## </param>
## <infoflow type="none"/>
#
interface(`miscfiles_cert_type',`
gen_require(`
attribute cert_type;
')
typeattribute $1 cert_type;
files_type($1)
')
########################################
## <summary>
## Make the specified type usable
## as a SSL/TLS private key file.
## </summary>
## <desc>
## <p>
## Make the specified type usable for SSL/TLS private key files.
## This will also make the type usable for files, making
## calls to files_type() redundant. Failure to use this interface
## for a temporary file may result in problems with
## SSL/TLS private key management tools.
## </p>
## <p>
## Related interfaces:
## </p>
## <ul>
## <li>files_type()</li>
## </ul>
## <p>
## Example:
## </p>
## <p>
## type mytlsprivkeyfile_t;
## tls_privkey_type(mytlsprivkeyfile_t)
## allow mydomain_t mytlsprivkeyfile_t:file read_file_perms;
## files_search_etc(mydomain_t)
## </p>
## </desc>
## <param name="type">
## <summary>
## Type to be used for files.
## </summary>
## </param>
## <infoflow type="none"/>
#
interface(`miscfiles_tls_privkey_type',`
gen_require(`
attribute tls_privkey_type;
')
typeattribute $1 tls_privkey_type;
files_type($1)
')
########################################
## <summary>
## Read all SSL/TLS certificates.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`miscfiles_read_all_certs',`
gen_require(`
attribute cert_type;
')
allow $1 cert_type:dir list_dir_perms;
read_files_pattern($1, cert_type, cert_type)
read_lnk_files_pattern($1, cert_type, cert_type)
')
########################################
## <summary>
## Read generic SSL/TLS certificates.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`miscfiles_read_generic_certs',`
gen_require(`
type cert_t;
')
allow $1 cert_t:dir list_dir_perms;
read_files_pattern($1, cert_t, cert_t)
read_lnk_files_pattern($1, cert_t, cert_t)
')
########################################
## <summary>
## Do not audit attempts to read generic SSL/TLS certificates.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
## <rolecap/>
#
interface(`miscfiles_dontaudit_read_generic_certs',`
gen_require(`
type cert_t;
')
dontaudit $1 cert_t:dir list_dir_perms;
dontaudit $1 cert_t:file read_file_perms;
dontaudit $1 cert_t:lnk_file read_lnk_file_perms;
')
########################################
## <summary>
## Manage generic SSL/TLS certificates.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`miscfiles_manage_generic_cert_dirs',`
gen_require(`
type cert_t;
')
manage_dirs_pattern($1, cert_t, cert_t)
')
########################################
## <summary>
## Manage generic SSL/TLS certificates.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`miscfiles_manage_generic_cert_files',`
gen_require(`
type cert_t;
')
manage_files_pattern($1, cert_t, cert_t)
read_lnk_files_pattern($1, cert_t, cert_t)
')
########################################
## <summary>
## Read generic SSL/TLS private
## keys.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`miscfiles_read_generic_tls_privkey',`
gen_require(`
type tls_privkey_t;
')
allow $1 tls_privkey_t:dir list_dir_perms;
read_files_pattern($1, tls_privkey_t, tls_privkey_t)
read_lnk_files_pattern($1, tls_privkey_t, tls_privkey_t)
')
########################################
## <summary>
## Manage generic SSL/TLS private
## keys.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`miscfiles_manage_generic_tls_privkey_dirs',`
gen_require(`
type tls_privkey_t;
')
manage_dirs_pattern($1, tls_privkey_t, tls_privkey_t)
')
########################################
## <summary>
## Manage generic SSL/TLS private
## keys.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`miscfiles_manage_generic_tls_privkey_files',`
gen_require(`
type tls_privkey_t;
')
manage_files_pattern($1, tls_privkey_t, tls_privkey_t)
read_lnk_files_pattern($1, tls_privkey_t, tls_privkey_t)
')
########################################
## <summary>
## Manage generic SSL/TLS private
## keys.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`miscfiles_manage_generic_tls_privkey_symlinks',`
gen_require(`
type tls_privkey_t;
')
manage_lnk_files_pattern($1, tls_privkey_t, tls_privkey_t)
')
########################################
## <summary>
## Read fonts.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`miscfiles_read_fonts',`
gen_require(`
type fonts_t, fonts_cache_t;
')
# cjp: fonts can be in either of these dirs
files_search_usr($1)
libs_search_lib($1)
allow $1 fonts_t:dir list_dir_perms;
read_files_pattern($1, fonts_t, fonts_t)
allow $1 fonts_t:file map;
read_lnk_files_pattern($1, fonts_t, fonts_t)
allow $1 fonts_cache_t:dir list_dir_perms;
read_files_pattern($1, fonts_cache_t, fonts_cache_t)
allow $1 fonts_cache_t:file map;
read_lnk_files_pattern($1, fonts_cache_t, fonts_cache_t)
')
########################################
## <summary>
## Set the attributes on a fonts directory.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`miscfiles_setattr_fonts_dirs',`
gen_require(`
type fonts_t;
')
allow $1 fonts_t:dir setattr;
')
########################################
## <summary>
## Do not audit attempts to set the attributes
## on a fonts directory.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
## <rolecap/>
#
interface(`miscfiles_dontaudit_setattr_fonts_dirs',`
gen_require(`
type fonts_t;
')
dontaudit $1 fonts_t:dir setattr;
')
########################################
## <summary>
## Do not audit attempts to write fonts.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
## <rolecap/>
#
interface(`miscfiles_dontaudit_write_fonts',`
gen_require(`
type fonts_t;
')
dontaudit $1 fonts_t:dir { write setattr };
dontaudit $1 fonts_t:file write;
')
########################################
## <summary>
## Create, read, write, and delete fonts.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`miscfiles_manage_fonts',`
gen_require(`
type fonts_t;
')
# cjp: fonts can be in either of these dirs
files_search_usr($1)
libs_search_lib($1)
manage_dirs_pattern($1, fonts_t, fonts_t)
manage_files_pattern($1, fonts_t, fonts_t)
manage_lnk_files_pattern($1, fonts_t, fonts_t)
')
########################################
## <summary>
## Watch fonts directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`miscfiles_watch_fonts_dirs',`
gen_require(`
type fonts_t;
')
allow $1 fonts_t:dir watch;
')
########################################
## <summary>
## Set the attributes on a fonts cache directory.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`miscfiles_setattr_fonts_cache_dirs',`
gen_require(`
type fonts_cache_t;
')
allow $1 fonts_cache_t:dir setattr;
')
########################################
## <summary>
## Do not audit attempts to set the attributes
## on a fonts cache directory.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`miscfiles_dontaudit_setattr_fonts_cache_dirs',`
gen_require(`
type fonts_cache_t;
')
dontaudit $1 fonts_cache_t:dir setattr;
')
########################################
## <summary>
## Create, read, write, and delete fonts cache.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`miscfiles_manage_fonts_cache',`
gen_require(`
type fonts_cache_t;
')
files_search_var($1)
manage_dirs_pattern($1, fonts_cache_t, fonts_cache_t)
manage_files_pattern($1, fonts_cache_t, fonts_cache_t)
manage_lnk_files_pattern($1, fonts_cache_t, fonts_cache_t)
')
########################################
## <summary>
## Read hardware identification data.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`miscfiles_read_hwdata',`
gen_require(`
type hwdata_t;
')
allow $1 hwdata_t:dir list_dir_perms;
read_files_pattern($1, hwdata_t, hwdata_t)
read_lnk_files_pattern($1, hwdata_t, hwdata_t)
')
########################################
## <summary>
## Allow process to setattr localization info
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`miscfiles_setattr_localization',`
gen_require(`
type locale_t;
')
files_search_usr($1)
allow $1 locale_t:dir list_dir_perms;
allow $1 locale_t:file setattr;
')
########################################
## <summary>
## Allow process to read localization information.
## </summary>
## <desc>
## <p>
## Allow the specified domain to read the localization files.
## This is typically for time zone configuration files, such as
## /etc/localtime and files in /usr/share/zoneinfo.
## Typically, any domain which needs to know the GMT/UTC
## offset of the current timezone will need access
## to these files. Generally, it should be safe for any
## domain to read these files.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <infoflow type="read" weight="10"/>
#
interface(`miscfiles_read_localization',`
gen_require(`
type locale_t;
')
files_read_etc_symlinks($1)
files_search_usr($1)
allow $1 locale_t:dir list_dir_perms;
read_files_pattern($1, locale_t, locale_t)
read_lnk_files_pattern($1, locale_t, locale_t)
allow $1 locale_t:file map;
')
########################################
## <summary>
## Allow process to write localization info
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`miscfiles_rw_localization',`
gen_require(`
type locale_t;
')
files_search_usr($1)
allow $1 locale_t:dir list_dir_perms;
rw_files_pattern($1, locale_t, locale_t)
')
########################################
## <summary>
## Allow process to relabel localization info
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`miscfiles_relabel_localization',`
gen_require(`
type locale_t;
')
files_search_usr($1)
relabel_files_pattern($1, locale_t, locale_t)
')
########################################
## <summary>
## Allow process to read legacy time localization info
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`miscfiles_legacy_read_localization',`
gen_require(`
type locale_t;
')
miscfiles_read_localization($1)
allow $1 locale_t:file execute;
')
########################################
## <summary>
## Watch time localization info
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`miscfiles_watch_localization',`
gen_require(`
type locale_t;
')
allow $1 locale_t:file watch;
')
########################################
## <summary>
## Search man pages.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`miscfiles_search_man_pages',`
gen_require(`
type man_t, man_cache_t;
')
allow $1 { man_cache_t man_t }:dir search_dir_perms;
files_search_usr($1)
')
########################################
## <summary>
## Do not audit attempts to search man pages.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`miscfiles_dontaudit_search_man_pages',`
gen_require(`
type man_t, man_cache_t;
')
dontaudit $1 { man_cache_t man_t }:dir search_dir_perms;
')
########################################
## <summary>
## Read man pages
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`miscfiles_read_man_pages',`
gen_require(`
type man_t, man_cache_t;
')
files_search_usr($1)
allow $1 { man_cache_t man_t }:dir list_dir_perms;
read_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
read_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
')
########################################
## <summary>
## Delete man pages
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
# cjp: added for tmpreaper
#
interface(`miscfiles_delete_man_pages',`
gen_require(`
type man_t, man_cache_t;
')
files_search_usr($1)
allow $1 { man_cache_t man_t }:dir { setattr_dir_perms list_dir_perms };
delete_dirs_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
delete_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
delete_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
')
########################################
## <summary>
## Create, read, write, and delete man pages
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`miscfiles_manage_man_pages',`
gen_require(`
type man_t, man_cache_t;
')
files_search_usr($1)
manage_dirs_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
manage_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
read_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
')
########################################
## <summary>
## Read man cache content.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`miscfiles_read_man_cache',`
gen_require(`
type man_cache_t;
')
files_search_var($1)
allow $1 man_cache_t:dir list_dir_perms;
allow $1 man_cache_t:file read_file_perms;
allow $1 man_cache_t:lnk_file read_lnk_file_perms;
')
########################################
## <summary>
## Map man cache content.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`miscfiles_map_man_cache',`
gen_require(`
type man_cache_t;
')
allow $1 man_cache_t:file map;
')
########################################
## <summary>
## Create, read, write, and delete
## man cache content.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`miscfiles_manage_man_cache',`
gen_require(`
type man_cache_t;
')
files_search_var($1)
allow $1 man_cache_t:dir manage_dir_perms;
allow $1 man_cache_t:file manage_file_perms;
allow $1 man_cache_t:lnk_file manage_lnk_file_perms;
')
########################################
## <summary>
## Relabel from and to man cache.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`miscfiles_relabel_man_cache',`
gen_require(`
type man_cache_t;
')
relabel_dirs_pattern($1, man_cache_t, man_cache_t)
relabel_files_pattern($1, man_cache_t, man_cache_t)
')
########################################
## <summary>
## Read public files used for file
## transfer services.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`miscfiles_read_public_files',`
gen_require(`
type public_content_t, public_content_rw_t;
')
allow $1 { public_content_t public_content_rw_t }:dir list_dir_perms;
read_files_pattern($1, { public_content_t public_content_rw_t }, { public_content_t public_content_rw_t })
read_lnk_files_pattern($1, { public_content_t public_content_rw_t }, { public_content_t public_content_rw_t })
')
########################################
## <summary>
## Create, read, write, and delete public files
## and directories used for file transfer services.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`miscfiles_manage_public_files',`
gen_require(`
type public_content_rw_t;
')
manage_dirs_pattern($1, public_content_rw_t, public_content_rw_t)
manage_files_pattern($1, public_content_rw_t, public_content_rw_t)
manage_lnk_files_pattern($1, public_content_rw_t, public_content_rw_t)
')
########################################
## <summary>
## Watch public files
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`miscfiles_watch_public_dirs',`
gen_require(`
type public_content_rw_t;
')
allow $1 public_content_rw_t:dir watch;
')
########################################
## <summary>
## Read TeX data
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`miscfiles_read_tetex_data',`
gen_require(`
type tetex_data_t;
')
files_search_var($1)
files_search_var_lib($1)
# cjp: TeX data can be in either of the above dirs
allow $1 tetex_data_t:dir list_dir_perms;
read_files_pattern($1, tetex_data_t, tetex_data_t)
read_lnk_files_pattern($1, tetex_data_t, tetex_data_t)
')
########################################
## <summary>
## Execute TeX data programs in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`miscfiles_exec_tetex_data',`
gen_require(`
type tetex_data_t;
')
files_search_var($1)
files_search_var_lib($1)
# cjp: TeX data can be in either of the above dirs
allow $1 tetex_data_t:dir list_dir_perms;
exec_files_pattern($1, tetex_data_t, tetex_data_t)
')
########################################
## <summary>
## Let test files be an entry point for
## a specified domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`miscfiles_domain_entry_test_files',`
gen_require(`
type test_file_t;
')
domain_entry_file($1, test_file_t)
')
########################################
## <summary>
## Read test files and directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`miscfiles_read_test_files',`
gen_require(`
type test_file_t;
')
read_files_pattern($1, test_file_t, test_file_t)
read_lnk_files_pattern($1, test_file_t, test_file_t)
')
########################################
## <summary>
## Execute test files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`miscfiles_exec_test_files',`
gen_require(`
type test_file_t;
')
exec_files_pattern($1, test_file_t, test_file_t)
read_lnk_files_pattern($1, test_file_t, test_file_t)
')
########################################
## <summary>
## Create files in etc directories
## with localization file type.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`miscfiles_etc_filetrans_localization',`
gen_require(`
type locale_t;
')
files_etc_filetrans($1, locale_t, file)
')
########################################
## <summary>
## Create, read, write, and delete localization
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`miscfiles_manage_localization',`
gen_require(`
type locale_t;
')
manage_dirs_pattern($1, locale_t, locale_t)
manage_files_pattern($1, locale_t, locale_t)
manage_lnk_files_pattern($1, locale_t, locale_t)
')
Reference in New Issue View Git Blame Copy Permalink