[selinux-policy: 180/3172] add source policy interfaces
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 19:20:33 UTC 2010
commit ef373408a6f74740dd14e9d1ae870eb0ea69de41
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Wed May 18 13:21:28 2005 +0000
add source policy interfaces
refpolicy/policy/modules/system/selinux.if | 58 +++++++++++++++++++++++-
refpolicy/policy/modules/system/selinuxutil.if | 58 +++++++++++++++++++++++-
2 files changed, 114 insertions(+), 2 deletions(-)
---
diff --git a/refpolicy/policy/modules/system/selinux.if b/refpolicy/policy/modules/system/selinux.if
index 99bf89d..ff61c82 100644
--- a/refpolicy/policy/modules/system/selinux.if
+++ b/refpolicy/policy/modules/system/selinux.if
@@ -280,8 +280,64 @@ typeattribute $1 can_write_binary_policy;
')
define(`selinux_write_binary_policy_depend',`
-type policy_config_t;
attribute can_write_binary_policy;
+type policy_config_t;
class dir { getattr search read write add_name remove_name };
class file { getattr create write unlink };
')
+
+########################################
+#
+# selinux_manage_binary_policy(domain)
+#
+define(`selinux_manage_binary_policy',`
+requires_block_template(`$0'_depend)
+# FIXME: search etc_t:dir
+allow $1 selinux_config_t:dir search;
+allow $1 policy_config_t:dir { getattr search read };
+allow $1 policy_config_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+typeattribute $1 can_write_binary_policy;
+')
+
+define(`selinux_manage_binary_policy_depend',`
+attribute can_write_binary_policy;
+type selinux_config_t, policy_config_t;
+class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
+class file { create ioctl read getattr lock write setattr append link unlink rename };
+')
+
+########################################
+#
+# selinux_read_source_policy(domain)
+#
+define(`selinux_read_source_policy',`
+requires_block_template(`$0'_depend)
+# FIXME: search etc_t:dir
+allow $1 selinux_config_t:dir search;
+allow $1 policy_src_t:dir { getattr search read };
+allow $1 policy_src_t:file { getattr read };
+')
+
+define(`selinux_read_source_policy_depend',`
+type selinux_config_t, policy_src_t;
+class dir { getattr search read };
+class file { getattr read };
+')
+
+########################################
+#
+# selinux_manage_source_policy(domain)
+#
+define(`selinux_manage_source_policy',`
+requires_block_template(`$0'_depend)
+# FIXME: search etc_t:dir
+allow $1 selinux_config_t:dir search;
+allow $1 policy_src_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
+allow $1 policy_src_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+')
+
+define(`selinux_manage_source_policy_depend',`
+type selinux_config_t, policy_src_t;
+class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
+class file { create ioctl read getattr lock write setattr append link unlink rename };
+')
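Review bot: `selinux_manage_binary_policy` grants `create`, `unlink`, `rename` and `link` on `policy_config_t:file` but only `{ getattr search read }` on `policy_config_t:dir`, so every one of those file operations will still be denied because the directory lacks `write`, `add_name` and `remove_name`. The existing `selinux_write_binary_policy_depend` in the context above already shows the matching minimal directory set, so the line should become `allow $1 policy_config_t:dir { getattr search read write add_name remove_name };`. The `selinux_manage_binary_policy_depend` block then declares a much wider `dir` permission set (including `rmdir` and `reparent`) than the interface actually grants; narrowing that requires list to what is used keeps the declared dependency honest and avoids a future maintainer "fixing" the interface up to the wider set. The same interface is duplicated byte-for-byte in the selinuxutil.if hunk and needs the identical correction there.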
diff --git a/refpolicy/policy/modules/system/selinuxutil.if b/refpolicy/policy/modules/system/selinuxutil.if
index 99bf89d..ff61c82 100644
--- a/refpolicy/policy/modules/system/selinuxutil.if
+++ b/refpolicy/policy/modules/system/selinuxutil.if
@@ -280,8 +280,64 @@ typeattribute $1 can_write_binary_policy;
')
define(`selinux_write_binary_policy_depend',`
-type policy_config_t;
attribute can_write_binary_policy;
+type policy_config_t;
class dir { getattr search read write add_name remove_name };
class file { getattr create write unlink };
')
+
+########################################
+#
+# selinux_manage_binary_policy(domain)
+#
+define(`selinux_manage_binary_policy',`
+requires_block_template(`$0'_depend)
+# FIXME: search etc_t:dir
+allow $1 selinux_config_t:dir search;
+allow $1 policy_config_t:dir { getattr search read };
+allow $1 policy_config_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+typeattribute $1 can_write_binary_policy;
+')
+
+define(`selinux_manage_binary_policy_depend',`
+attribute can_write_binary_policy;
+type selinux_config_t, policy_config_t;
+class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
+class file { create ioctl read getattr lock write setattr append link unlink rename };
+')
+
+########################################
+#
+# selinux_read_source_policy(domain)
+#
+define(`selinux_read_source_policy',`
+requires_block_template(`$0'_depend)
+# FIXME: search etc_t:dir
+allow $1 selinux_config_t:dir search;
+allow $1 policy_src_t:dir { getattr search read };
+allow $1 policy_src_t:file { getattr read };
+')
+
+define(`selinux_read_source_policy_depend',`
+type selinux_config_t, policy_src_t;
+class dir { getattr search read };
+class file { getattr read };
+')
+
+########################################
+#
+# selinux_manage_source_policy(domain)
+#
+define(`selinux_manage_source_policy',`
+requires_block_template(`$0'_depend)
+# FIXME: search etc_t:dir
+allow $1 selinux_config_t:dir search;
+allow $1 policy_src_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
+allow $1 policy_src_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+')
+
+define(`selinux_manage_source_policy_depend',`
+type selinux_config_t, policy_src_t;
+class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
+class file { create ioctl read getattr lock write setattr append link unlink rename };
+')