selinux-refpolicy/policy/support/misc_patterns.spt

139 lines
2.5 KiB
Cheetah

#
# Common domain transition pattern perms
#
# Parameters:
# 1. source domain
# 2. entry point file type
# 3. target domain
#
define(`domain_transition_pattern',`
allow $1 $2:file mmap_exec_file_perms;
allow $1 $3:process transition;
dontaudit $1 $3:process { noatsecure siginh rlimitinh };
')
#
# Specified domain transition patterns
#
# Parameters:
# 1. source domain
# 2. entry point file type
# 3. target domain
#
define(`spec_domtrans_pattern',`
allow $1 self:process setexec;
domain_transition_pattern($1,$2,$3)
allow $3 $1:fd use;
allow $3 $1:fifo_file rw_inherited_fifo_file_perms;
allow $3 $1:process sigchld;
')
#
# Automatic domain transition patterns
#
# Parameters:
# 1. source domain
# 2. entry point file type
# 3. target domain
#
define(`domain_auto_transition_pattern',`
domain_transition_pattern($1,$2,$3)
type_transition $1 $2:process $3;
')
#
# Automatic domain transition patterns
# with feedback permissions
#
# Parameters:
# 1. source domain
# 2. entry point file type
# 3. target domain
#
define(`domtrans_pattern',`
domain_auto_transition_pattern($1,$2,$3)
allow $3 $1:fd use;
allow $3 $1:fifo_file rw_inherited_fifo_file_perms;
allow $3 $1:process sigchld;
')
#
# Automatic domain transition patterns
# with NoNewPerms
#
# Parameters:
# 1. source domain
# 2. entry point file type
# 3. target domain
#
define(`nnp_domtrans_pattern',`
domtrans_pattern($1,$2,$3)
allow $1 $3:process2 nnp_transition;
')
#
# Automatic domain transition patterns
# on nosuid filesystem
#
# Parameters:
# 1. source domain
# 2. entry point file type
# 3. target domain
#
define(`nosuid_domtrans_pattern',`
domtrans_pattern($1,$2,$3)
allow $1 $3:process2 nosuid_transition;
')
#
# Dynamic transition pattern
#
# Parameters:
# 1. source domain
# 2. target domain
#
define(`dyntrans_pattern',`
allow $1 self:process setcurrent;
allow $1 $2:process dyntransition;
allow $2 $1:process sigchld;
')
#
# Read foreign domain proc data
#
# Parameters:
# 1. source domain
# 2. target domain
#
define(`ps_process_pattern',`
allow $1 $2:dir list_dir_perms;
allow $1 $2:file read_file_perms;
allow $1 $2:lnk_file read_lnk_file_perms;
allow $1 $2:process getattr;
')
#
# Process administration pattern
#
# Parameters:
# 1. source domain
# 2. target domain
#
define(`admin_process_pattern',`
ps_process_pattern($1, $2)
allow $1 $2:process { ptrace signal_perms };
')
#
# File execution pattern
#
# Parameters:
# 1. source domain
# 2. executable file type
#
define(`can_exec',`allow $1 $2:file { mmap_exec_file_perms ioctl lock execute_no_trans };')