[selinux-policy: 53/3172] initial commit
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 19:09:34 UTC 2010
commit 835b6ab31bf7f8244a59cfd52b4912c98073fbff
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Wed Apr 27 18:17:25 2005 +0000
initial commit
docs/macro_conversion_guide | 987 +++++++++++++++++++++++++++++++++++++++++++
1 files changed, 987 insertions(+), 0 deletions(-)
---
diff --git a/docs/macro_conversion_guide b/docs/macro_conversion_guide
new file mode 100644
index 0000000..08199fa
--- /dev/null
+++ b/docs/macro_conversion_guide
@@ -0,0 +1,987 @@
+#
+# This is the guide for converting old macros to local policy
+# and new interfaces.
+#
+# $1, $2, etc. are replaced with and the first and second, etc.
+# parameters to the old macro.
+#
+
+########################################
+#
+# Object class sets
+#
+
+#
+# devfile_class_set
+#
+{ chr_file blk_file }
+
+#
+# dgram_socket_class_set
+#
+{ udp_socket unix_dgram_socket }
+
+#
+# dir_file_class_set
+#
+{ dir file lnk_file sock_file fifo_file chr_file blk_file }
+
+#
+# file_class_set
+#
+{ file lnk_file sock_file fifo_file chr_file blk_file }
+
+#
+# notdevfile_class_set
+#
+{ file lnk_file sock_file fifo_file }
+
+#
+# socket_class_set
+#
+{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket }
+
+#
+# stream_socket_class_set
+#
+{ tcp_socket unix_stream_socket }
+
+#
+# unpriv_socket_class_set
+#
+{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }
+
+########################################
+#
+# Permission Sets
+#
+
+#
+# connected_socket_perms
+#
+{ create ioctl read getattr write setattr append bind getopt setopt shutdown }
+
+#
+# connected_stream_socket_perms
+#
+{ create ioctl read getattr write setattr append bind getopt setopt shutdown listen accept }
+
+#
+# create_dir_perms
+#
+{ create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }
+
+#
+# create_file_perms
+#
+{ create ioctl read getattr lock write setattr append link unlink rename }
+
+#
+# create_lnk_perms
+#
+{ create read getattr setattr link unlink rename }
+
+#
+# create_msgq_perms
+#
+{ associate getattr setattr create destroy read write enqueue unix_read unix_write }
+
+#
+# create_netlink_socket_perms
+#
+{ create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }
+
+#
+# create_sem_perms
+#
+{ associate getattr setattr create destroy read write unix_read unix_write }
+
+#
+# create_shm_perms
+#
+{ associate getattr setattr create destroy read write lock unix_read unix_write }
+
+#
+# create_socket_perms
+#
+{ create ioctl read getattr write setattr append bind connect getopt setopt shutdown }
+
+#
+# create_stream_socket_perms
+#
+{ create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept }
+
+#
+# link_file_perms
+#
+{ getattr link unlink rename }
+
+#
+# mount_fs_perms
+#
+{ mount remount unmount getattr }
+
+#
+# packet_perms
+#
+{ tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send }
+
+#
+# r_dir_perms
+#
+{ read getattr lock search ioctl }
+
+#
+# r_file_perms
+#
+{ read getattr lock ioctl }
+
+#
+# r_msgq_perms
+#
+{ associate getattr read unix_read }
+
+#
+# r_netlink_socket_perms
+#
+{ create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read }
+
+#
+# r_sem_perms
+#
+{ associate getattr read unix_read }
+
+#
+# r_shm_perms
+#
+{ associate getattr read unix_read }
+
+#
+# ra_dir_perms
+#
+{ read getattr lock search ioctl add_name write }
+
+#
+# ra_file_perms
+#
+{ ioctl read getattr lock append }
+
+#
+# rw_dir_perms
+#
+{ read getattr lock search ioctl add_name remove_name write }
+
+#
+# rw_file_perms
+#
+{ ioctl read getattr lock write append }
+
+#
+# rw_msgq_perms
+#
+{ associate getattr read write enqueue unix_read unix_write }
+
+#
+# rw_netlink_socket_perms
+#
+{ create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }
+
+#
+# rw_sem_perms
+#
+{ associate getattr read write unix_read unix_write }
+
+#
+# rw_shm_perms
+#
+{ associate getattr read write lock unix_read unix_write }
+
+#
+# rw_socket_perms
+#
+{ ioctl read getattr write setattr append bind connect getopt setopt shutdown }
+
+#
+# rw_stream_socket_perms
+#
+{ ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept }
+
+#
+# rx_file_perms
+#
+{ read getattr lock execute ioctl }
+
+#
+# signal_perms
+#
+{ sigchld sigkill sigstop signull signal }
+
+#
+# stat_file_perms
+#
+{ getattr }
+
+#
+# x_file_perms
+#
+{ getattr execute }
+
+########################################
+#
+# Access macros
+#
+
+#
+# access_terminal():
+#
+allow $1 $2_tty_device_t:chr_file { read write getattr ioctl };
+allow $1 devtty_t:chr_file { read write getattr ioctl };
+allow $1 devpts_t:dir { read search getattr };
+allow $1 $2_devpts_t:chr_file { read write getattr ioctl };
+
+#
+# admin_domain():
+#
+
+#
+# append_log_domain():
+#
+type $1_log_t;
+logging_make_log_file($1_log_t)
+allow $1_t var_log_t:dir ra_dir_perms;
+allow $1_t $1_log_t:file { create ra_file_perms };
+type_transition $1_t var_log_t:file $1_log_t;
+
+#
+# append_logdir_domain():
+#
+type $1_log_t;
+logging_make_log_file($1_log_t)
+allow $1_t var_log_t:dir ra_dir_perms;
+allow $1_t $1_log_t:dir { setattr ra_dir_perms };
+allow $1_t $1_log_t:file { create ra_file_perms };
+type_transition $1_t var_log_t:file $1_log_t;
+
+#
+# application_domain():
+#
+type $1_t;
+type $1_exec_t;
+domain_make_domain($1_t)
+domain_make_entrypoint_file($1_t,$1_exec_t)
+role sysadm_r types $1_t;
+domain_auto_trans(sysadm_t, $1_exec_t, $1_t)
+libraries_use_dynamic_loader($1_t)
+libraries_read_shared_libraries($1_t)
+
+#
+# base_can_network($1,$2):
+#
+allow $1 self:$2_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown };
+corenetwork_network_$2_on_all_interfaces($1)
+corenetwork_network_raw_on_all_interfaces($1)
+corenetwork_network_$2_on_all_nodes($1)
+corenetwork_network_raw_on_all_nodes($1)
+corenetwork_bind_$2_on_all_nodes($1)
+corenetwork_network_$2_on_all_ports($1)
+sysnetwork_read_network_config($1)
+
+#
+# base_can_network($1,$2,$3):
+#
+allow $1 self:$2_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown };
+corenetwork_network_$2_on_all_interfaces($1)
+corenetwork_network_raw_on_all_interfaces($1)
+corenetwork_network_$2_on_all_nodes($1)
+corenetwork_network_raw_on_all_nodes($1)
+corenetwork_bind_$2_on_all_nodes($1)
+corenetwork_network_$2_on_$3_port($1)
+sysnetwork_read_network_config($1)
+
+#
+# base_file_read_access():
+#
+files_list_home_directories($1)
+files_read_general_shared_resources($1)
+allow $1 bin_t:dir r_dir_perms;
+allow $1 bin_t:notdevfile_class_set r_file_perms;
+allow $1 sbin_t:dir r_dir_perms;
+allow $1 sbin_t:notdevfile_class_set r_file_perms;
+kernel_read_kernel_sysctl($1)
+selinux_read_config($1)
+if (read_default_t) {
+allow $1 default_t:dir r_dir_perms;
+allow $1 default_t:notdevfile_class_set r_file_perms;
+}
+
+#
+# base_pty_perms():
+#
+allow $1_t ptmx_t:chr_file rw_file_perms;
+allow $1_t devpts_t:filesystem getattr;
+allow $1_t devpts_t:dir { getattr read search };
+dontaudit $1_t bsdpty_device_t:chr_file { getattr read write };
+
+#
+# base_user_domain():
+#
+
+#
+# can_create():
+#
+# for each i in $3
+can_create_internal($1,$2,$i)
+
+#
+# can_create_internal($1,$2,dir):
+#
+allow $1 $2:$3 create_dir_perms;
+
+#
+# can_create_internal($1,$2,lnk_file):
+#
+allow $1 $2:$3 create_lnk_perms;
+
+#
+# can_create_internal($1,$2,[file,chr_file,blk_file,sock_file,fifo_file]):
+#
+allow $1 $2:$3 create_file_perms;
+
+#
+# can_create_other_pty(): complete
+#
+terminal_make_pseudoterminal($1_t,$2_devpts_t)
+allow $1_t $2_devpts_t:chr_file { setattr ioctl read getattr lock write append };
+
+#
+# can_create_pty(): complete
+#
+# $2 may require more conversion
+type $1_devpts_t $2;
+terminal_make_pseudoterminal($1_t,$1_devpts_t)
+allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
+
+#
+# can_exec(): complete
+#
+allow $1 $2:file { getattr read execute execute_no_trans };
+
+#
+# can_exec_any():
+#
+libraries_use_dynamic_loader($1)
+libraries_read_shared_libraries($1)
+files_execute_system_config_script($1)
+libraries_execute_library_scripts($1)
+corecommands_execute_general_programs($1)
+corecommands_execute_system_programs($1)
+domain_execute_all_entrypoint_programs($1)
+can_exec($1, ld_so_t)
+
+#
+# can_getcon():
+#
+allow $1 proc_t:dir search;
+allow $1 proc_t:{ file lnk_file } read;
+allow $1 self:process getattr;
+
+#
+# can_getsecurity():
+#
+kernel_get_selinuxfs_mount_point($1)
+kernel_validate_selinux_context($1)
+kernel_compute_selinux_av($1)
+kernel_compute_create($1)
+kernel_compute_relabel($1)
+kernel_compute_reachable_user_contexts($1)
+
+#
+# can_ldap():
+#
+ifdef(`slapd.te',`
+can_network_client_tcp($1, `ldap_port_t')
+')
+
+#
+# can_loadpol(): complete
+#
+kernel_get_selinuxfs_mount_point($1)
+kernel_load_selinux_policy($1)
+
+#
+# can_network():
+#
+can_network_tcp($1, `$2')
+can_network_udp($1, `$2')
+ifdef(`mount.te', `
+allow $1 mount_t:udp_socket rw_socket_perms;
+')
+
+#
+# can_network_client():
+#
+can_network_client_tcp($1, `$2')
+can_network_udp($1, `$2')
+
+#
+# can_network_client_tcp():
+#
+base_can_network($1, tcp, `$2')
+allow $1 self:tcp_socket { connect };
+
+#
+# can_network_server():
+#
+allow $1 self:tcp_socket { listen accept };
+base_can_network($1, tcp, `$2')
+
+#
+# can_network_server_tcp():
+#
+allow $1 self:tcp_socket { listen accept };
+base_can_network($1, tcp, `$2')
+
+#
+# can_network_tcp(): complete
+#
+can_network_server_tcp($1, `$2')
+can_network_client_tcp($1, `$2')
+
+#
+# can_network_udp(): complete
+#
+base_can_network($1, udp, `$2')
+allow $1 self:udp_socket { connect };
+
+#
+# can_ps():
+#
+allow $1 $2:dir { search getattr read };
+allow $1 $2:{ file lnk_file } { read getattr };
+allow $1 $2:process getattr;
+# We need to suppress this denial because procps tries to access
+# /proc/pid/environ and this now triggers a ptrace check in recent kernels
+# (2.4 and 2.6). Might want to change procps to not do this, or only if
+# running in a privileged domain.
+dontaudit $1 $2:process ptrace;
+
+#
+# can_ptrace():
+#
+allow $1 $2:process ptrace;
+allow $2 $1:process sigchld;
+
+#
+# can_resolve():
+#
+ifdef(`use_dns',`
+can_network_udp($1, `dns_port_t')
+')
+
+#
+# can_setbool(): complete
+#
+kernel_get_selinuxfs_mount_point($1)
+kernel_set_selinux_boolean($1)
+
+#
+# can_setcon():
+#
+allow $1 self:process setcurrent;
+allow $1 proc_t:dir search;
+allow $1 proc_t:{ file lnk_file } read;
+
+
+#
+# can_setenforce(): complete
+#
+kernel_get_selinuxfs_mount_point($1)
+kernel_set_selinux_enforcement_mode($1)
+
+#
+# can_setexec():
+#
+allow $1 self:process setexec;
+allow $1 proc_t:dir search;
+allow $1 proc_t:{ file lnk_file } read;
+
+#
+# can_setfscreate():
+#
+allow $1 self:process setfscreate;
+allow $1 proc_t:dir search;
+allow $1 proc_t:{ file lnk_file } read;
+
+#
+# can_setsecparam():
+#
+kernel_get_selinuxfs_mount_point($1)
+allow $1 security_t:dir { read search getattr };
+allow $1 security_t:file { getattr read write };
+allow $1 security_t:security setsecparam;
+auditallow $1 security_t:security setsecparam;
+
+#
+# can_sysctl(): complete
+#
+kernel_modify_all_sysctl($1)
+
+#
+# can_tcp_connect
+# (policy is commented out)
+# Irrelevant until we have labeled networking.
+#
+#allow $1 $2:tcp_socket { connectto recvfrom };
+#allow $2 $1:tcp_socket { acceptfrom recvfrom };
+#allow $2 kernel_t:tcp_socket recvfrom;
+#allow $1 kernel_t:tcp_socket recvfrom;
+
+#
+# can_udp_send():
+# (policy is commented out)
+# Irrelevant until we have labeled networking.
+#
+#allow $1 $2:udp_socket sendto;
+#allow $2 $1:udp_socket recvfrom;
+
+#
+# can_unix_connect():
+#
+allow $1 $2:unix_stream_socket connectto;
+
+#
+# can_unix_send():
+#
+allow $1 $2:unix_dgram_socket sendto;
+
+#
+# create_append_log_file():
+#
+allow $1 $2:dir { read getattr search add_name write };
+allow $1 $2:file { create ioctl getattr setattr append link };
+
+#
+# create_dir_file():
+#
+allow $1 $2:dir create_dir_perms;
+allow $1 $2:file create_file_perms;
+allow $1 $2:lnk_file create_lnk_perms;
+
+#
+# create_dir_notdevfile():
+#
+allow $1 $2:dir create_dir_perms;
+allow $1 $2:{ file sock_file fifo_file } create_file_perms;
+allow $1 $2:lnk_file create_lnk_perms;
+
+#
+# daemon_domain():
+#
+type $1_t;
+type $1_exec_t;
+domain_make_daemon_domain($1_t,$1_exec_t)
+type $1_var_run_t;
+files_make_file($1_var_run_t)
+allow $1_t $1_var_run_t:file { getattr create read write append setattr unlink };
+files_create_daemon_runtime_data($1_t,$1_var_run_t)
+logging_send_system_log_message($1_t)
+dontaudit $1_t self:capability sys_tty_config;
+allow $1_t init_t:fd use;
+libraries_use_dynamic_loader($1_t)
+libraries_read_shared_libraries($1_t)
+allow $1_t proc_t:dir r_dir_perms;
+allow $1_t proc_t:lnk_file read;
+ifdef(`udev.te', `
+allow $1_t udev_tdb_t:file r_file_perms;
+')dnl end if udev.te
+devices_discard_data_stream($1_t)
+allow $1_t null_device_t:chr_file r_file_perms;
+dontaudit $1_t console_device_t:chr_file rw_file_perms;
+dontaudit $1_t unpriv_userdomain:fd use;
+kernel_read_hardware_state($1_t)
+allow $1_t autofs_t:dir { search getattr };
+ifdef(`targeted_policy', `
+dontaudit $1_t { tty_device_t devpts_t }:chr_file { read write };
+dontaudit $1_t root_t:file { getattr read };
+')dnl end if targeted_policy
+terminal_use_controlling_terminal($1_t)
+dontaudit $1_t sysadm_home_dir_t:dir search;
+filesystem_get_all_filesystem_attributes($1_t)
+miscfiles_read_localization($1_t)
+rhgb_domain($1_t)
+kernel_read_kernel_sysctl($1_t)
+ifdef(`direct_sysadm_daemon', `
+dontaudit $1_t admin_tty_type:chr_file rw_file_perms;
+')
+ifelse(index(`$2',`transitionbool'), -1, `', `
+bool $1_disable_trans false;
+if ($1_disable_trans) {
+can_exec(initrc_t, $1_exec_t)
+can_exec(sysadm_t, $1_exec_t)
+} else {
+') dnl transitionbool
+domain_auto_trans(initrc_t, $1_exec_t, $1_t)
+allow initrc_t $1_t:process { noatsecure siginh rlimitinh };
+ifdef(`direct_sysadm_daemon', `
+ifelse(`$3', `nosysadm', `', `
+domain_auto_trans(sysadm_t, $1_exec_t, $1_t)
+allow sysadm_t $1_t:process { noatsecure siginh rlimitinh };
+')dnl end direct_sysadm_daemon
+')dnl end nosysadm
+ifelse(index(`$2', `transitionbool'), -1, `', `}') dnl end transitionbool
+ifdef(`direct_sysadm_daemon', `
+ifelse(`$3', `nosysadm', `', `
+role_transition sysadm_r $1_exec_t system_r;
+')dnl end nosysadm
+')dnl end direct_sysadm_daemon
+allow $1_t privfd:fd use;
+ifdef(`newrole.te', `allow $1_t newrole_t:process sigchld;')
+allow $1_t initrc_devpts_t:chr_file rw_file_perms;
+
+#
+# daemon_sub_domain():
+#
+# $1 is the parent domain (or domains), $2_t is the child domain,
+# and $3 is any attributes to apply to the child
+type $2_t, domain, privlog, daemon $3;
+type $2_exec_t, file_type, sysadmfile, exec_type;
+role system_r types $2_t;
+domain_auto_trans($1, $2_exec_t, $2_t)
+allow $2_t $1:fd use;
+allow $2_t $1:process sigchld;
+allow $2_t self:process signal_perms;
+libraries_use_dynamic_loader($2_t)
+libraries_read_shared_libraries($2_t)
+allow $2_t proc_t:dir r_dir_perms;
+allow $2_t proc_t:lnk_file read;
+allow $2_t device_t:dir getattr;
+
+#
+# etc_domain():
+#
+type $1_etc_t; #, usercanread;
+files_make_file($1_etc_t)
+allow $1_t $1_etc_t:file r_file_perms;
+
+#
+# etcdir_domain():
+#
+type $1_etc_t; #, usercanread;
+files_make_file($1_etc_t)
+allow $1_t $1_etc_t:file r_file_perms;
+allow $1_t $1_etc_t:dir r_dir_perms;
+allow $1_t $1_etc_t:lnk_file { getattr read };
+
+#
+# file_type_auto_trans():
+#
+allow $1 $2:dir rw_dir_perms;
+allow $1 $2:file create_file_perms;
+allow $1 $2:lnk_file create_lnk_perms;
+allow $1 $2:sock_file create_file_perms;
+allow $1 $2:fifo_file create_file_perms;
+type_transition $1 $2:dir $3;
+type_transition $1 $2:{ file lnk_file sock_file fifo_file } $3;
+
+#
+# file_type_auto_trans($1,$2,$3,$4):
+#
+# for each i in $4
+allow $1 $2:dir rw_dir_perms;
+can_create_internal($1,$2,$4)
+type_transition $1 $2:$4 $3;
+
+#
+# file_type_trans($1,$2,$3):
+#
+allow $1 $3:dir rw_dir_perms;
+allow $1 $3:file create_file_perms;
+allow $1 $3:lnk_file create_lnk_perms;
+allow $1 $3:sock_file create_file_perms;
+allow $1 $3:fifo_file create_file_perms;
+type_transition $1 $2:{ dir file lnk_file sock_file fifo_file } $3;
+
+#
+# file_type_trans($1,$2,$3,$4):
+#
+# for each i in $4
+allow $1 $2:dir rw_dir_perms;
+can_create_internal($1,$2,$3,$4)
+type_transition $1 $2:$i $3;
+
+#
+# full_user_role():
+#
+
+#
+# general_domain_access():
+#
+allow $1 self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
+allow $1 self:fd use;
+allow $1 self:fifo_file { read getattr lock ioctl write append };
+allow $1 self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
+allow $1 self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
+allow $1 self:unix_dgram_socket sendto;
+allow $1 self:unix_stream_socket connectto;
+allow $1 self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
+allow $1 self:sem { associate getattr setattr create destroy read write unix_read unix_write };
+allow $1 self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
+allow $1 self:msg { send receive };
+allow $1 unpriv_userdomain:fd use;
+can_ypbind($1)
+ifdef(`automount.te', `
+allow $1 autofs_t:dir { search getattr };
+')
+
+#
+# general_proc_read_access(): complete
+#
+kernel_read_system_state($1)
+kernel_read_network_state($1)
+kernel_read_software_raid_state($1)
+kernel_get_core_interface_attributes($1)
+kernel_get_message_interface_attributes($1)
+kernel_read_kernel_sysctl($1)
+
+#
+# home_domain():
+#
+
+#
+# home_domain_access():
+#
+
+#
+# home_domain_ro():
+#
+
+#
+# home_domain_ro_access():
+#
+
+#
+# in_user_role():
+#
+role user_r types $1;
+role staff_r types $1;
+
+#
+# init_service_domain():
+#
+type $1_t;
+type $1_exec_t;
+domain_make_daemon_domain($1_t,$1_exec_t)
+kernel_read_hardware_state($1_t)
+logging_send_system_log_message($1_t)
+libraries_use_dynamic_loader($1_t)
+libraries_read_shared_libraries($1_t)
+devices_discard_data_stream($1_t)
+dontaudit $1_t self:capability sys_tty_config;
+allow $1_t init_t:fd use;
+allow $1_t proc_t:dir r_dir_perms;
+allow $1_t proc_t:lnk_file read;
+ifdef(`udev.te', `
+allow $1_t udev_tdb_t:file r_file_perms;
+')dnl end if udev.te
+allow $1_t null_device_t:chr_file r_file_perms;
+allow $1_t autofs_t:dir { search getattr };
+dontaudit $1_t console_device_t:chr_file rw_file_perms;
+dontaudit $1_t unpriv_userdomain:fd use;
+ifdef(`targeted_policy', `
+dontaudit $1_t { tty_device_t devpts_t }:chr_file { read write };
+dontaudit $1_t root_t:file { getattr read };
+')dnl end if targeted_policy
+
+#
+# legacy_domain(): complete
+#
+allow $1_t self:process execmem;
+libraries_legacy_read_shared_libraries($1_t)
+libraries_legacy_use_dynamic_loader($1_t)
+
+#
+# lock_domain():
+#
+type $1_lock_t, file_type, sysadmfile, lockfile;
+file_type_auto_trans($1_t, var_lock_t, $1_lock_t, file)
+
+#
+# log_domain():
+#
+type $1_log_t, file_type, sysadmfile, logfile;
+file_type_auto_trans($1_t, var_log_t, $1_log_t, file)
+
+#
+# logdir_domain():
+#
+type $1_log_t, file_type, sysadmfile, logfile;
+file_type_auto_trans($1_t, var_log_t, $1_log_t, file)
+allow $1_t $1_log_t:dir { setattr rw_dir_perms };
+
+#
+# mini_user_domain():
+#
+
+#
+# network_home_dir():
+#
+create_dir_file($1, $2)
+can_exec($1, $2)
+allow $1 $2:{ sock_file fifo_file } create_file_perms;
+
+#
+# pty_slave_label():
+#
+type $1_devpts_t, file_type, sysadmfile, ptyfile $2;
+allow $1_devpts_t devpts_t:filesystem associate;
+type_transition $1_t devpts_t:chr_file $1_devpts_t;
+allow $1_t $1_devpts_t:chr_file { setattr rw_file_perms };
+
+#
+# r_dir_file():
+#
+allow $1 $2:dir r_dir_perms;
+allow $1 $2:file r_file_perms;
+allow $1 $2:lnk_file { getattr read };
+
+#
+# ra_dir_create_file():
+#
+allow $1 $2:dir ra_dir_perms;
+allow $1 $2:file { create ra_file_perms };
+allow $1 $2:lnk_file { create read getattr };
+
+#
+# ra_dir_file():
+#
+allow $1 $2:dir ra_dir_perms;
+allow $1 $2:file ra_file_perms;
+allow $1 $2:lnk_file { getattr read };
+
+#
+# read_locale(): complete
+#
+miscfiles_read_localization($1)
+
+#
+# read_sysctl($1): complete
+#
+kernel_read_kernel_sysctl($1)
+
+#
+# read_sysctl($1,full): complete
+#
+kernel_read_all_sysctl($1)
+
+#
+# rhgb_domain():
+#
+ifdef(`rhgb.te', `
+allow $1 rhgb_t:process sigchld;
+allow $1 rhgb_t:fd use;
+allow $1 rhgb_t:fifo_file { read write };
+')
+
+#
+# rw_dir_create_file():
+#
+allow $1 $2:dir rw_dir_perms;
+allow $1 $2:file create_file_perms;
+allow $1 $2:lnk_file create_lnk_perms;
+
+#
+# rw_dir_file():
+#
+allow $1 $2:dir rw_dir_perms;
+allow $1 $2:file rw_file_perms;
+allow $1 $2:lnk_file { getattr read };
+
+#
+# system_domain():
+#
+type $1_t, domain, privlog $2;
+type $1_exec_t, file_type, sysadmfile, exec_type;
+role system_r types $1_t;
+libraries_use_dynamic_loader($1_t)
+libraries_read_shared_libraries($1_t)
+allow $1_t etc_t:dir r_dir_perms;
+
+#
+# tmp_domain(): complete
+#
+# $2 may need more handling
+#
+type $1_tmp_t $2;
+files_make_file($1_tmp_t)
+# no class specified:
+allow $1_t $1_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
+allow $1_t $1_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+files_create_private_tmp_data($1_t, $1_tmp_t, { file dir })
+# class specified:
+files_create_private_tmp_data($1_t, $1_tmp_t, $3)
+# $3 manage object perms here
+
+#
+# tmpfs_domain():
+#
+type $1_tmpfs_t, file_type, sysadmfile, tmpfsfile;
+file_type_auto_trans($1_t, tmpfs_t, $1_tmpfs_t)
+allow $1_tmpfs_t tmpfs_t:filesystem associate;
+
+#
+# unconfined_domain():
+#
+
+#
+# user_application_domain():
+#
+type $1_t, domain, privlog $2;
+type $1_exec_t, file_type, sysadmfile, exec_type;
+role sysadm_r types $1_t;
+domain_auto_trans(sysadm_t, $1_exec_t, $1_t)
+libraries_use_dynamic_loader($1_t)
+libraries_read_shared_libraries($1_t)
+in_user_role($1_t)
+domain_auto_trans(userdomain, $1_exec_t, $1_t)
+
+#
+# user_domain():
+#
+
+#
+# uses_authbind():
+#
+domain_auto_trans($1, authbind_exec_t, authbind_t)
+allow authbind_t $1:process sigchld;
+allow authbind_t $1:fd use;
+allow authbind_t $1:{ tcp_socket udp_socket } rw_socket_perms;
+
+#
+# uses_shlib(): complete
+#
+libraries_use_dynamic_loader($1)
+libraries_read_shared_libraries($1)
+
+#
+# var_lib_domain():
+#
+type $1_var_lib_t, file_type, sysadmfile;
+typealias $1_var_lib_t alias var_lib_$1_t;
+file_type_auto_trans($1_t, var_lib_t, $1_var_lib_t, file)
+allow $1_t $1_var_lib_t:dir rw_dir_perms;
+
+#
+# var_run_domain($1):
+#
+type $1_var_run_t, file_type, sysadmfile, pidfile;
+file_type_auto_trans($1_t, var_run_t, $1_var_run_t, file)
+allow $1_t var_t:dir search;
+allow $1_t $1_var_run_t:dir rw_dir_perms;
+
+#
+# var_run_domain($1,$2):
+#
+type $1_var_run_t, file_type, sysadmfile, pidfile;
+file_type_auto_trans($1_t, var_run_t, $1_var_run_t, $2)
+allow $1_t var_t:dir search;
+allow $1_t $1_var_run_t:dir rw_dir_perms;
More information about the scm-commits
mailing list