[selinux-policy: 273/3172] add xml

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 19:28:30 UTC 2010


commit 3865d6b95e4354194753578c12872227076b912c
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Tue Jun 7 22:36:07 2005 +0000

    add xml

 refpolicy/policy/modules/kernel/kernel.if     |  946 +++++++++++++++++++++----
 refpolicy/policy/modules/system/clock.if      |   28 +-
 refpolicy/policy/modules/system/getty.if      |   58 ++-
 refpolicy/policy/modules/system/hostname.if   |   14 +-
 refpolicy/policy/modules/system/locallogin.if |   28 +-
 refpolicy/policy/modules/system/miscfiles.if  |   75 ++-
 refpolicy/policy/modules/system/mount.if      |   27 +-
 refpolicy/policy/modules/system/sysnetwork.if |   26 +-
 refpolicy/policy/modules/system/udev.if       |   39 +-
 9 files changed, 1060 insertions(+), 181 deletions(-)
---
diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if
index a9050a2..1f1dd8d 100644
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@@ -5,8 +5,22 @@
 ## </summary>
 
 ########################################
-#
-# kernel_make_userland_entrypoint(domain,entrypoint)
+## <interface name="kernel_make_userland_entrypoint">
+## 	<description>
+##		Gives kernel an entrypoint to the caller via
+##		the entrypoint type.
+## 	</description>
+## 	<securitydesc>
+##		...
+## 	</securitydesc>
+## 	<parameter name="domain">
+##		The process type entered by kernel.
+## 	</parameter>
+## 	<parameter name="entrypoint">
+##		The executable type for the entrypoint.
+## 	</parameter>
+## 	<infoflow type="both" weight="10" />
+## </interface>
 #
 define(`kernel_make_userland_entrypoint',`
 	requires_block_template(`$0'_depend)
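Review bot: The `<securitydesc>` for kernel_make_userland_entrypoint on L40 is still the placeholder `...`, and this is the interface where that text matters most, because it hands the kernel domain a transition into the caller. I would replace it with `Allows the kernel domain to execute the entrypoint type and transition into the caller's domain; the caller then runs as a process started directly by the kernel.` The macro body continues outside the hunk.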
@@ -33,8 +47,20 @@ define(`kernel_make_userland_entrypoint_depend',`
 ')
 
 ########################################
-#
-# kernel_share_state(domain)
+## <interface name="kernel_share_state">
+## 	<description>
+## 		Allows the kernel to share state information with
+## 		the caller.
+## 	</description>
+## 	<securitydesc>
+## 		Gives a type access to state information about
+## 		kernel processes
+## 	</securitydesc>
+## 	<parameter name="domain">
+## 		The type of the process with which to share state information.
+## 	</parameter>
+## 	<infoflow type="read" weight="7" />
+## </interface>
 #
 define(`kernel_share_state',`
 	requires_block_template(`$0'_depend)
@@ -49,8 +75,18 @@ define(`kernel_share_state_depend',`
 ')
 
 ########################################
-#
-# kernel_use_file_descriptors(domain)
+## <interface name="kernel_use_file_descriptors">
+## 	<description>
+## 		Permits caller to use kernel file descriptors.
+## 	</description>
+## 	<securitydesc>
+## 		Permits use of kernel file descriptors.
+## 	</securitydesc>
+## 	<parameter name="domain">
+## 		The type of the process using the descriptors.
+## 	</parameter>
+## 	<infoflow type="both" weight="1" />
+## </interface>
 #
 define(`kernel_use_file_descriptors',`
 	requires_block_template(`$0'_depend)
@@ -65,8 +101,20 @@ define(`kernel_use_file_descriptors_depend',`
 ')
 
 ########################################
-#
-# kernel_ignore_use_file_descriptors(domain)
+## <interface name="kernel_ignore_use_file_descriptors">
+## 	<description>
+## 		Do not audit attempts by the caller to use
+## 		kernel file descriptors.
+## 	</description>
+## 	<securitydesc>
+## 		Causes attempts to use kernel file descriptors
+## 		to not be audited for caller.
+## 	</securitydesc>
+## 	<parameter name="domain">
+## 		The type of process not to audit.
+##	</parameter>
+##	<infoflow type="none" />
+## </interface>
 #
 define(`kernel_ignore_use_file_descriptors',`
 	requires_block_template(`$0'_depend)
@@ -81,8 +129,20 @@ define(`kernel_ignore_use_file_descriptors_depend',`
 ')
 
 ########################################
-#
-# kernel_make_root_filesystem_mountpoint(domain)
+## <interface name="kernel_make_root_filesystem_mountpoint">
+##	<description>
+## 		Allows the kernel to mount filesystems on
+## 		the caller.
+##	</description>
+##	<securitydesc>
+## 		Givers kernel permission to mount on directories
+## 		of the calling type.
+##	</securitydesc>
+##	<parameter name="mountpoint">
+##		The type of the directory to use as a mountpoint.
+##	</parameter>
+##	<infoflow type="both" weight="1"/>
+## </interface>
 #
 define(`kernel_make_root_filesystem_mountpoint',`
 	requires_block_template(`$0'_depend)
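Review bot: `Givers` on L132 should be `Gives`, and the same class of typo recurs in later hunks: `doamins` (kernel_read_ring_buffer), `attepts` (kernel_ignore_read_ring_buffer), `privlaged` (kernel_read_system_state), `auditted` (kernel_ignore_read_system_state, kernel_ignore_get_core_interface_attributes, kernel_ignore_get_message_interface_attributes, kernel_ignore_search_sysctl_dir), `attribues`/`attibutes` (kernel_get_core_interface_attributes), `directy` (kernel_ignore_search_sysctl_dir), `modiry` (kernel_modify_network_sysctl) and `domian` (kernel_read_modprobe_sysctl, kernel_modify_modprobe_sysctl). These blocks are presumably extracted into generated interface documentation, so the spelling is user-visible. Separately, L135 renames the parameter from the old `domain` to `mountpoint`, which reads as the more accurate name for a directory type, but the `<description>` on L128-L129 still says the kernel mounts "on the caller", so the two should be aligned.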
@@ -97,8 +157,19 @@ define(`kernel_make_root_filesystem_mountpoint_depend',`
 ')
 
 ########################################
-#
-# kernel_make_process_identity_change_constraint_exception(domain)
+## <interface name="kernel_make_process_identity_change_constraint_exception">
+##	<description>
+## 		Makes caller an exception to the constraint preventing
+## 		changing of user identity.
+##	</description>
+##	<securitydesc>
+## 		Allows changing of user identity in context of the calling process.
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type to make an exception to the constraint.
+##	</parameter>
+##	<infoflow type="none" />
+## </interface>
 #
 define(`kernel_make_process_identity_change_constraint_exception',`
 	requires_block_template(`$0'_depend)
@@ -111,8 +182,19 @@ define(`kernel_make_process_identity_change_constraint_exception_depend',`
 ')
 
 ########################################
-#
-# kernel_make_role_change_constraint_exception(domain)
+## <interface name="kernel_make_role_change_constraint_exception">
+##	<description>
+## 		Makes caller an exception to the constraint preventing
+## 		changing of role.
+##	</description>
+##	<securitydesc>
+## 		Allows changing of role in the context of the calling process.
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type to make an exception to the constraint.
+##	</parameter>
+##	<infoflow type="none" />
+## </interface>
 #
 define(`kernel_make_role_change_constraint_exception',`
 	requires_block_template(`$0'_depend)
@@ -125,8 +207,19 @@ define(`kernel_make_role_change_constraint_exception_depend',`
 ')
 
 ########################################
-#
-# kernel_make_object_identity_change_constraint_exception(domain)
+## <interface name="kernel_make_object_identity_change_constraint_exception">
+##	<description>
+## 		Makes caller an exception to the constraint preventing 
+## 		changing the user identity in object contexts.
+##	</description>
+##	<securitydesc>
+## 		Allows caller to change user identities on objects
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type to make an exception to the constraint.
+##	</parameter>
+##	<infoflow type="none" />
+## </interface>
 #
 define(`kernel_make_object_identity_change_constraint_exception',`
 	requires_block_template(`$0'_depend)
@@ -139,8 +232,19 @@ define(`kernel_make_object_identity_change_constraint_exception_depend',`
 ')
 
 ########################################
-#
-# kernel_load_module(domain)
+## 
+## <interface name="kernel_load_module">
+##	<description>
+## 		Allows caller to load kernel modules
+##	</description>
+##	<securitydesc>
+## 		Allows loading of kernel modules. 
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type to allow to load kernel modules.
+##	</parameter>
+##	<infoflow type="write" weight="10"/>
+## </interface>
 #
 define(`kernel_load_module',`
 	requires_block_template(`$0'_depend)
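Review bot: The `<securitydesc>` on L221 restates the description instead of stating the impact; loading a module runs arbitrary code in the kernel, so a caller with this access is effectively unconfined. Suggest `Allows the caller to load code into the kernel; a domain with this access can bypass the policy entirely and should be treated as fully trusted.` L215 also adds a bare `## ` line between the banner and `<interface>`; the same stray line appears at L237, trailing `##` lines follow the closing tag at L768, L790, L854 and L919, and L929 replaces the banner's `#` with a blank line. The other hunks keep the comment block contiguous, so these should match.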
@@ -156,8 +260,20 @@ define(`kernel_load_module_depend',`
 ')
 
 ########################################
-#
-# kernel_get_selinux_enforcement_mode(domain)
+##
+## <interface name="kernel_get_selinux_enforcement_mode">
+##	<description>
+## 		Allows the caller to get the mode of policy enforcement
+## 		(enforcing or permissive mode).
+##	</description>
+##	<securitydesc>
+## 		Gives caller access to system state data.
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type to allow to get the enforcing mode.
+##	</parameter>
+##	<infoflow type="read" weight="10"/>
+## </interface>
 #
 define(`kernel_get_selinux_enforcement_mode',`
 	requires_block_template(`$0'_depend)
@@ -174,8 +290,19 @@ define(`kernel_get_selinux_enforcement_mode_depend',`
 ')
 
 ########################################
-#
-# kernel_set_selinux_enforcement_mode(domain)
+## <interface name="kernel_set_selinux_enforcement_mode">
+##	<description>
+## 		Allow caller to set the mode of policy enforcement
+## 		(enforcing or permissive mode).
+##	</description>
+##	<securitydesc>
+## 		Caller becomes able to disable enforcement of policy.
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type to allow to set the enforcement mode.
+##	</parameter>
+##	<infoflow type="write" weight="10"/>
+## </interface>
 #
 define(`kernel_set_selinux_enforcement_mode',`
 	requires_block_template(`$0'_depend)
@@ -198,8 +325,18 @@ define(`kernel_set_selinux_enforcement_mode_depend',`
 ')
 
 ########################################
-#
-# kernel_load_selinux_policy(domain)
+## <interface name="kernel_load_selinux_policy">
+##	<description>
+## 		Allow caller to load the policy into the kernel.
+##	</description>
+##	<securitydesc>
+## 		Caller can replace the policy being enforced.
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type that will load the policy.
+##	</parameter>
+##	<infoflow type="write" weight="10"/>
+## </interface>
 #
 define(`kernel_load_selinux_policy',`
 	requires_block_template(`$0'_depend)
@@ -222,8 +359,23 @@ define(`kernel_load_selinux_policy_depend',`
 ')
 
 ########################################
-#
-# kernel_set_selinux_boolean(domain,[booltype])
+## <interface name="kernel_set_selinux_boolean">
+##	<description>
+## 		Allow caller to set the state of Booleans to
+## 		enable or disable conditional portions of the policy.
+##	</description>
+##	<securitydesc>
+## 		Caller can change which of the conditional portions of 
+## 		the policy are being enforced.
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type allowed to set the Boolean.
+##	</parameter>
+##	<parameter name="booltype" optional="true">
+##		The type of Booleans the caller is allowed to set.
+##	</parameter>
+##	<infoflow type="write" weight="10"/>
+## </interface>
 #
 define(`kernel_set_selinux_boolean',`
 	requires_block_template(`$0'_depend)
@@ -250,8 +402,18 @@ define(`kernel_set_selinux_boolean_depend',`
 ')
 
 ########################################
-#
-# kernel_set_selinux_security_parameters(domain)
+## <interface name="kernel_set_selinux_security_parameters">
+##	<description>
+## 		Allow caller to set selinux security parameters.
+##	</description>
+##	<securitydesc>
+## 		Caller can change security parameters.
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type to allow to set security parameters.
+##	</parameter>
+##	<infoflow type="write" weight="10"/>
+## </interface>
 #
 define(`kernel_set_selinux_security_parameters',`
 	requires_block_template(`$0'_depend)
@@ -274,8 +436,18 @@ define(`kernel_set_selinux_security_parameters_depend',`
 ')
 
 ########################################
-#
-# kernel_validate_selinux_context(domain)
+## <interface name="kernel_validate_selinux_context">
+##	<description>
+## 		Allows caller to validate security contexts.
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type permitted to validate contexts.
+##	</parameter>
+##	<infoflow type="both" weight="10"/>
+## </interface>
 #
 define(`kernel_validate_selinux_context',`
 	requires_block_template(`$0'_depend)
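Review bot: The `<securitydesc>` for kernel_validate_selinux_context on L355 is empty, and the same element is left empty in most of the later hunks, from kernel_compute_selinux_access_vector through kernel_read_filesystem_sysctl. kernel_compute_selinux_create_context, kernel_compute_selinux_relabel_context and kernel_change_ring_buffer_level also have empty `<description>` and `<parameter>` text, kernel_get_sysvipc_info and kernel_read_virtual_memory_sysctl have an empty `<parameter>`, and the relabel parameter on L421 stops mid-sentence at `The process type to `. The element exists to tell a policy author what granting the access exposes, so an empty one carries less than the one-line header it replaces; if the text is not ready, a single `TODO: security description` placeholder is easier to find later than the whitespace-only lines.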
@@ -294,8 +466,18 @@ define(`kernel_validate_selinux_context_depend',`
 ')
 
 ########################################
-#
-# kernel_compute_selinux_access_vector(domain)
+## <interface name="kernel_compute_selinux_access_vector">
+##	<description>
+## 		Allows caller to compute an access vector.
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type allowed to compute an access vector.
+##	</parameter>
+##	<infoflow type="both" weight="7"/>
+## </interface>
 #
 define(`kernel_compute_selinux_access_vector',`
 	requires_block_template(`$0'_depend)
@@ -314,8 +496,18 @@ define(`kernel_compute_selinux_access_vector_depend',`
 ')
 
 ########################################
-#
-# kernel_compute_selinux_create_context(domain)
+## <interface name="kernel_compute_selinux_create_context">
+##	<description>
+## 		
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		
+##	</parameter>
+##	<infoflow type="both" weight="10"/>
+## </interface>
 #
 define(`kernel_compute_selinux_create_context',`
 	requires_block_template(`$0'_depend)
@@ -334,8 +526,18 @@ define(`kernel_compute_selinux_create_context_depend',`
 ')
 
 ########################################
-#
-# kernel_compute_selinux_relabel_context(domain)
+## <interface name="kernel_compute_selinux_relabel_context">
+##	<description>
+## 		
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type to 
+##	</parameter>
+##	<infoflow type="both" weight="10"/>
+## </interface>
 #
 define(`kernel_compute_selinux_relabel_context',`
 	requires_block_template(`$0'_depend)
@@ -354,8 +556,18 @@ define(`kernel_compute_selinux_relabel_context_depend',`
 ')
 
 ########################################
-#
-# kernel_compute_selinux_reachable_user_contexts(domain)
+## <interface name="kernel_compute_selinux_reachable_user_contexts">
+##	<description>
+## 		Allows caller to compute possible contexts for a user.
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type allowed to compute user contexts.
+##	</parameter>
+##	<infoflow type="both" weight="10"/>
+## </interface>
 #
 define(`kernel_compute_selinux_reachable_user_contexts',`
 	requires_block_template(`$0'_depend)
@@ -374,8 +586,18 @@ define(`kernel_compute_selinux_reachable_user_contexts_depend',`
 ')
 
 ########################################
-#
-# kernel_read_ring_buffer(domain)
+## <interface name="kernel_read_ring_buffer">
+##	<description>
+## 		Allows caller to read the ring buffer.
+##	</description>
+##	<securitydesc>
+## 		Buffer read could have sensitive information from multiple doamins.
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type allowed to read the ring buffer.
+##	</parameter>
+##	<infoflow type="read" weight="10"/>
+## </interface>
 #
 define(`kernel_read_ring_buffer',`
 	requires_block_template(`$0'_depend)
@@ -390,8 +612,19 @@ define(`kernel_read_ring_buffer_depend',`
 ')
 
 ########################################
-#
-# kernel_ignore_read_ring_buffer(domain)
+## <interface name="kernel_ignore_read_ring_buffer">
+##	<description>
+## 		Ignore attempts by caller to read the ring buffer.
+##	</description>
+##	<securitydesc>
+## 		Causes attepts to read potentially sensitive information
+## 		from being audited.
+##	</securitydesc>
+##	<parameter name="domain">
+##		The domain to not audit.
+##	</parameter>
+##	<infoflow type="" weight=""/>
+## </interface>
 #
 define(`kernel_ignore_read_ring_buffer',`
 	requires_block_template(`$0'_depend)
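Review bot: `<infoflow type="" weight=""/>` on L487 is not a valid infoflow entry; the other `kernel_ignore_*` interfaces in this change use `<infoflow type="none" />`, so this should read `##	<infoflow type="none" />`. The `<securitydesc>` on L481-L482 also reads backwards, `Causes attepts ... from being audited`, and should say `Causes attempts to read potentially sensitive information not to be audited.`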
@@ -406,8 +639,18 @@ define(`kernel_ignore_read_ring_buffer_depend',`
 ')
 
 ########################################
-#
-# kernel_change_ring_buffer_level(domain)
+## <interface name="kernel_change_ring_buffer_level">
+##	<description>
+## 		
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		
+##	</parameter>
+##	<infoflow type="read" weight="7"/>
+## </interface>
 #
 define(`kernel_change_ring_buffer_level',`
 	requires_block_template(`$0'_depend)
@@ -422,8 +665,18 @@ define(`kernel_change_ring_buffer_level_depend',`
 ')
 
 ########################################
-#
-# kernel_clear_ring_buffer(domain)
+## <interface name="kernel_clear_ring_buffer">
+##	<description>
+## 		Allows the caller to clear the ring buffer.
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type clearing the buffer.
+##	</parameter>
+##	<infoflow type="write" weight="8"/>
+## </interface>
 #
 define(`kernel_clear_ring_buffer',`
 	requires_block_template(`$0'_depend)
@@ -438,8 +691,18 @@ define(`kernel_clear_ring_buffer_depend',`
 ')
 
 ########################################
-#
-# kernel_get_sysvipc_info(domain)
+## <interface name="kernel_get_sysvipc_info">
+##	<description>
+## 		Allow caller to get information about an ipc socket.
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		
+##	</parameter>
+##	<infoflow type="read" weight="7"/>
+## </interface>
 #
 define(`kernel_get_sysvipc_info',`
 	requires_block_template(`$0'_depend)
@@ -454,8 +717,18 @@ define(`kernel_get_sysvipc_info_depend',`
 ')
 
 ########################################
-#
-# kernel_get_selinuxfs_mount_point(domain)
+## <interface name="kernel_get_selinuxfs_mount_point">
+##	<description>
+## 		Gets the caller the mountpoint of the selinuxfs filesystem.
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type requesting the selinuxfs mountpoint.
+##	</parameter>
+##	<infoflow type="read" weight="10"/>
+## </interface>
 #
 define(`kernel_get_selinuxfs_mount_point',`
 	requires_block_template(`$0'_depend)
@@ -475,8 +748,18 @@ define(`kernel_get_selinuxfs_mount_point_depend',`
 ')
 
 ########################################
-#
-# kernel_read_system_state(domain)
+## <interface name="kernel_read_system_state">
+##	<description>
+## 		Allows caller to read system state information.
+##	</description>
+##	<securitydesc>
+## 		State data contains information about multiple domains and may be privlaged.
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type reading the system state information.
+##	</parameter>
+##	<infoflow type="read" weight="10"/>
+## </interface>
 #
 define(`kernel_read_system_state',`
 	requires_block_template(`$0'_depend)
@@ -495,8 +778,19 @@ define(`kernel_read_system_state_depend',`
 ')
 
 ########################################
-#
-# kernel_ignore_read_system_state(domain)
+## <interface name="kernel_ignore_read_system_state">
+##	<description>
+## 		Do not audit attempts by caller to 
+## 		read system state information.
+##	</description>
+##	<securitydesc>
+## 		Causes attempts to read system state data not to be auditted.
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type not to audit.
+##	</parameter>
+##	<infoflow type="none" />
+## </interface>
 #
 define(`kernel_ignore_read_system_state',`
 	requires_block_template(`$0'_depend)
@@ -511,8 +805,18 @@ define(`kernel_ignore_read_system_state_depend',`
 ')
 
 #######################################
-#
-# kernel_read_software_raid_state(domain)
+## <interface name="kernel_read_software_raid_state">
+##	<description>
+## 		Allow caller to read the state information for software raid.
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type reading software raid state.
+##	</parameter>
+##	<infoflow type="read" weight="10"/>
+## </interface>
 #
 define(`kernel_read_software_raid_state',`
 	requires_block_template(`$0'_depend)
@@ -529,8 +833,18 @@ define(`kernel_read_software_raid_state_depend',`
 ')
 
 ########################################
-#
-# kernel_get_core_interface_attributes(domain)
+## <interface name="kernel_get_core_interface_attributes">
+##	<description>
+## 		Allows caller to get attribues of core kernel interfaces.
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type getting the attibutes.
+##	</parameter>
+##	<infoflow type="read" weight="7"/>
+## </interface>
 #
 define(`kernel_get_core_interface_attributes',`
 	requires_block_template(`$0'_depend)
@@ -547,8 +861,20 @@ define(`kernel_get_core_interface_attributes_depend',`
 ')
 
 ########################################
-#
-# kernel_ignore_get_core_interface_attributes(domain)
+## <interface name="kernel_ignore_get_core_interface_attributes">
+##	<description>
+## 		Do not audit attempts to get the attributes of 
+## 		core kernel interfaces.
+##	</description>
+##	<securitydesc>
+## 		Causes attempts to get attributes of kernel interfaces to 
+## 		not be auditted.
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type to not audit.
+##	</parameter>
+##	<infoflow type="none" />
+## </interface>
 #
 define(`kernel_ignore_get_core_interface_attributes',`
 	requires_block_template(`$0'_depend)
@@ -563,8 +889,18 @@ define(`kernel_ignore_get_core_interface_attributes_depend',`
 ')
 
 ########################################
-#
-# kernel_read_messages(domain)
+## <interface name="kernel_read_messages">
+##	<description>
+## 		Allow caller to receive and read kernel messages.
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type reading the messages.
+##	</parameter>
+##	<infoflow type="read" weight="10"/>
+## </interface>
 #
 define(`kernel_read_messages',`
 	requires_block_template(`$0'_depend)
@@ -584,8 +920,19 @@ define(`kernel_read_messages_depend',`
 ')
 
 ########################################
-#
-# kernel_get_message_interface_attributes(domain)
+## <interface name="kernel_get_message_interface_attributes">
+##	<description>
+## 		Allow caller to get the attributes of kernel message
+## 		interfaces.
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type getting the attributes.
+##	</parameter>
+##	<infoflow type="read" weight="7"/>
+## </interface>
 #
 define(`kernel_get_message_interface_attributes',`
 	requires_block_template(`$0'_depend)
@@ -602,8 +949,20 @@ define(`kernel_get_message_interface_attributes_depend',`
 ')
 
 ########################################
-#
-# kernel_ignore_get_message_interface_attributes(domain)
+## <interface name="kernel_ignore_get_message_interface_attributes">
+##	<description>
+## 		Do not audit attempts by caller to get the attributes of kernel 
+## 		message interfaces.
+##	</description>
+##	<securitydesc>
+## 		Causes attempts by caller to get the attributes of kernel 
+## 		message interfaces not to be auditted.
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type not to audit.
+##	</parameter>
+##	<infoflow type="none" />
+## </interface>
 #
 define(`kernel_ignore_get_message_interface_attributes',`
 	requires_block_template(`$0'_depend)
@@ -618,8 +977,19 @@ define(`kernel_ignore_get_message_interface_attributes_depend',`
 ')
 
 ########################################
-#
-# kernel_read_network_state(domain)
+## <interface name="kernel_read_network_state">
+##	<description>
+## 		Allow caller to read the network state information.
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type reading the state.
+##	</parameter>
+##	<infoflow type="read" weight="10"/>
+## </interface>
+##
 #
 define(`kernel_read_network_state',`
 	requires_block_template(`$0'_depend)
@@ -637,8 +1007,19 @@ define(`kernel_read_network_state_depend',`
 ')
 
 ########################################
-#
-# kernel_ignore_search_sysctl_dir(domain)
+## <interface name="kernel_ignore_search_sysctl_dir">
+##	<description>
+## 		Do not audit attempts by caller to search the sysctl directory.
+##	</description>
+##	<securitydesc>
+## 		Causes attempts by caller to search the sysctl directy not to be auditted.
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type not to audit.
+##	</parameter>
+##	<infoflow type="none" />
+## </interface>
+##
 #
 define(`kernel_ignore_search_sysctl_dir',`
 	requires_block_template(`$0'_depend)
@@ -653,8 +1034,18 @@ define(`kernel_ignore_search_sysctl_dir_depend',`
 ')
 
 ########################################
-#
-# kernel_read_device_sysctl(domain)
+## <interface name="kernel_read_device_sysctl">
+##	<description>
+## 		Allow caller to read the sysctl device.
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type to allow to read the sysctl device.
+##	</parameter>
+##	<infoflow type="read" weight="10"/>
+## </interface>
 #
 define(`kernel_read_device_sysctl',`
 	requires_block_template(`$0'_depend)
@@ -673,8 +1064,18 @@ define(`kernel_read_device_sysctl_depend',`
 ')
 
 ########################################
-#
-# kernel_modify_device_sysctl(domain)
+## <interface name="kernel_modify_device_sysctl">
+##	<description>
+## 		Allows the caller to modify the sysctl device file.
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type modifying the sysctl device.
+##	</parameter>
+##	<infoflow type="both" weight="10"/>
+## </interface>
 #
 define(`kernel_modify_device_sysctl',`
 	requires_block_template(`$0'_depend)
@@ -692,8 +1093,19 @@ define(`kernel_modify_device_sysctl_depend',`
 ')
 
 ########################################
-#
-# kernel_read_virtual_memory_sysctl(domain)
+## <interface name="kernel_read_virtual_memory_sysctl">
+##	<description>
+## 		Allow caller to read sysctl virtual memory.
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		
+##	</parameter>
+##	<infoflow type="read" weight="10"/>
+## </interface>
+##
 #
 define(`kernel_read_virtual_memory_sysctl',`
 	requires_block_template(`$0'_depend)
@@ -711,8 +1123,18 @@ define(`kernel_read_virtual_memory_sysctl_depend',`
 ')
 
 ########################################
-#
-# kernel_modify_virtual_memory_sysctl(domain)
+## <interface name="kernel_modify_virtual_memory_sysctl">
+##	<description>
+## 		Allow caller to modify contents of sysctl virtual memory.
+##	</description>
+##	<securitydesc>
+## 		Allows caller to modify sysctl virtual memory.
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type modifying sysctl virtual memory.
+##	</parameter>
+##	<infoflow type="both" weight="10"/>
+## </interface>
 #
 define(`kernel_modify_virtual_memory_sysctl',`
 	requires_block_template(`$0'_depend)
@@ -730,8 +1152,19 @@ define(`kernel_modify_virtual_memory_sysctl_depend',`
 ')
 
 ########################################
-#
-# kernel_ignore_search_network_sysctl_dir(domain)
+## <interface name="kernel_ignore_search_network_sysctl_dir">
+##	<description>
+## 		Do not audit attempts by caller to search sysctl network directories.
+##	</description>
+##	<securitydesc>
+## 		Causes attempts by the caller to search the sysctl network 
+## 		directories not to be audited.
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type not to audit.
+##	</parameter>
+##	<infoflow type="none" />
+## </interface>
 #
 define(`kernel_ignore_search_network_sysctl_dir',`
 	requires_block_template(`$0'_depend)
@@ -746,8 +1179,19 @@ define(`kernel_ignore_search_network_sysctl_dir_depend',`
 ')
 
 ########################################
-#
-# kernel_read_network_sysctl(domain)
+## <interface name="kernel_read_network_sysctl">
+##	<description>
+## 		Allow caller to read sysctl network files.
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type reading sysctl network files.
+##	</parameter>
+##	<infoflow type="read" weight="10"/>
+## </interface>
+##
 #
 define(`kernel_read_network_sysctl',`
 	requires_block_template(`$0'_depend)
@@ -766,8 +1210,19 @@ define(`kernel_read_network_sysctl_depend',`
 ')
 
 ########################################
-#
-# kernel_modify_network_sysctl(domain)
+
+## <interface name="kernel_modify_network_sysctl">
+##	<description>
+## 		Allow caller to modiry contents of sysctl network files.
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type modifying sysctl network files.
+##	</parameter>
+##	<infoflow type="both" weight="10"/>
+## </interface>
 #
 define(`kernel_modify_network_sysctl',`
 	requires_block_template(`$0'_depend)
@@ -786,8 +1241,18 @@ define(`kernel_modify_network_sysctl_depend',`
 ')
 
 ########################################
-#
-# kernel_read_unix_sysctl(domain)
+## <interface name="kernel_read_unix_sysctl">
+##	<description>
+## 		Allow caller to read unix sysctl files.
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type reading unix sysctl files.
+##	</parameter>
+##	<infoflow type="read" weight="10"/>
+## </interface>
 #
 define(`kernel_read_unix_sysctl',`
 	requires_block_template(`$0'_depend)
@@ -806,8 +1271,18 @@ define(`kernel_read_net_sysctl_depend',`
 ')
 
 ########################################
-#
-# kernel_modify_unix_sysctl(domain)
+## <interface name="kernel_modify_unix_sysctl">
+##	<description>
+## 		Allow caller to modify contents of unix sysctl files.
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type modifying contents of unix sysctl files.
+##	</parameter>
+##	<infoflow type="both" weight="10"/>
+## </interface>
 #
 define(`kernel_modify_unix_sysctl',`
 	requires_block_template(`$0'_depend)
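Review bot: The hunk headers on L966 and L987 show the macros preceding these hunks as `kernel_read_net_sysctl_depend` and `kernel_modify_net_sysctl_depend`, while the interfaces documented here are `kernel_read_unix_sysctl` and `kernel_modify_unix_sysctl`, whose bodies build the depend name from `$0` and so expect `kernel_read_unix_sysctl_depend` / `kernel_modify_unix_sysctl_depend`. If the definitions outside this hunk really carry the `_net_` names, the requires block for the unix sysctl interfaces expands to an undefined macro, and the `name=` attributes added on L951 and L972 would disagree with them as well. This is inferred from the context lines only, since the depend definitions are not in the diff.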
@@ -826,8 +1301,18 @@ define(`kernel_modify_net_sysctl_depend',`
 ')
 
 ########################################
-#
-# kernel_read_hotplug_sysctl(domain)
+## <interface name="kernel_read_hotplug_sysctl">
+##	<description>
+## 		Allow caller to read data from hotplug.
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type reading hotplug data.
+##	</parameter>
+##	<infoflow type="read" weight="10"/>
+## </interface>
 #
 define(`kernel_read_hotplug_sysctl',`
 	requires_block_template(`$0'_depend)
@@ -846,8 +1331,18 @@ define(`kernel_read_hotplug_sysctl_depend',`
 ')
 
 ########################################
-#
-# kernel_modify_hotplug_sysctl(domain)
+## <interface name="kernel_modify_hotplug_sysctl">
+##	<description>
+## 		Allow caller to modify hotplug sysctl data.
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type modifying hotplug sysctl data.
+##	</parameter>
+##	<infoflow type="both" weight="10"/>
+## </interface>
 #
 define(`kernel_modify_hotplug_sysctl',`
 	requires_block_template(`$0'_depend)
@@ -866,8 +1361,18 @@ define(`kernel_modify_hotplug_sysctl_depend',`
 ')
 
 ########################################
-#
-# kernel_read_modprobe_sysctl(domain)
+## <interface name="kernel_read_modprobe_sysctl">
+##	<description>
+## 		Allow caller to read files containing modprobe information.
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process domian reading modprobe information files.
+##	</parameter>
+##	<infoflow type="read" weight="10"/>
+## </interface>
 #
 define(`kernel_read_modprobe_sysctl',`
 	requires_block_template(`$0'_depend)
@@ -886,8 +1391,18 @@ define(`kernel_read_modprobe_sysctl_depend',`
 ')
 
 ########################################
-#
-# kernel_modify_modprobe_sysctl(domain)
+## <interface name="kernel_modify_modprobe_sysctl">
+##	<description>
+## 		Allow caller to modify files containing modprobe information.
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process domian modifying modprobe information files.
+##	</parameter>
+##	<infoflow type="both" weight="10"/>
+## </interface>
 #
 define(`kernel_modify_modprobe_sysctl',`
 	requires_block_template(`$0'_depend)
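Review bot: The empty `<securitydesc>` on L1061 hides the most consequential access in the sysctl group: on Linux the modprobe sysctl names the helper the kernel executes to load modules, so write access to it is comparable to kernel_load_module. Suggest `The modprobe sysctl names the program the kernel runs to load modules; a caller able to modify it can choose what the kernel executes, so this is equivalent to loading kernel modules.` The `<infoflow>` on L1066 already carries `weight="10"`, so only the text is missing.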
@@ -906,8 +1421,18 @@ define(`kernel_modify_modprobe_sysctl_depend',`
 ')
 
 ########################################
-#
-# kernel_read_kernel_sysctl(domain)
+## <interface name="kernel_read_kernel_sysctl">
+##	<description>
+## 		Allow caller to read kernel sysctl files.
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type reading kernel sysctl files.
+##	</parameter>
+##	<infoflow type="read" weight="10"/>
+## </interface>
 #
 define(`kernel_read_kernel_sysctl',`
 	requires_block_template(`$0'_depend)
@@ -926,8 +1451,18 @@ define(`kernel_read_kernel_sysctl_depend',`
 ')
 
 ########################################
-#
-# kernel_modify_kernel_sysctl(domain)
+## <interface name="kernel_modify_kernel_sysctl">
+##	<description>
+## 		Allow caller to modify kernel sysctl files.
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type modifying kernel sysctl files.
+##	</parameter>
+##	<infoflow type="both" weight="10"/>
+## </interface>
 #
 define(`kernel_modify_kernel_sysctl',`
 	requires_block_template(`$0'_depend)
@@ -946,8 +1481,18 @@ define(`kernel_modify_kernel_sysctl_depend',`
 ')
 
 ########################################
-#
-# kernel_read_filesystem_sysctl(domain)
+## <interface name="kernel_read_filesystem_sysctl">
+##	<description>
+## 		Allow caller to read filesystem information.
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type reading filesystem information.
+##	</parameter>
+##	<infoflow type="read" weight="10"/>
+## </interface>
 #
 define(`kernel_read_filesystem_sysctl',`
 	requires_block_template(`$0'_depend)
@@ -968,6 +1513,18 @@ define(`kernel_read_filesystem_sysctl_depend',`
 ########################################
 #
 # kernel_modify_filesystem_sysctl(domain)
+## <interface name="kernel_modify_filesystem_sysctl">
+##	<description>
+## 		Allow caller to modify filesystem information.
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type modifying filesystem information.
+##	</parameter>
+##	<infoflow type="both" weight="10"/>
+## </interface>
 #
 define(`kernel_modify_filesystem_sysctl',`
 	requires_block_template(`$0'_depend)
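Review bot: The old plain-comment header `# kernel_modify_filesystem_sysctl(domain)` at L1136-L1137 is kept in front of the new `<interface>` block, whereas every other interface in this file replaces it; the two leftover lines should go so the XML block sits directly under the `####` separator as elsewhere. The same leftover appears in hostname.if, where the new block is inserted above the old `# hostname_execute(domain)` header, and in locallogin.if above `# locallogin_use_file_descriptors(domain)`, leaving each of those interfaces with two headers.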
@@ -986,8 +1543,18 @@ define(`kernel_modify_filesystem_sysctl_depend',`
 ')
 
 ########################################
-#
-# kernel_read_irq_sysctl(domain)
+## <interface name="kernel_read_irq_sysctl">
+##	<description>
+## 		Allows caller to read interrupt request information.
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type reading interrupt request information.
+##	</parameter>
+##	<infoflow type="read" weight="10"/>
+## </interface>
 #
 define(`kernel_read_irq_sysctl',`
 	requires_block_template(`$0'_depend)
@@ -1005,8 +1572,19 @@ define(`kernel_read_irq_sysctl_depend',`
 ')
 
 ########################################
-#
-# kernel_modify_irq_sysctl(domain)
+## <interface name="kernel_modify_irq_sysctl">
+##	<description>
+## 		Allows caller to modify interrupt request information.
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type modifying interrupt request information.
+##	</parameter>
+##	<infoflow type="both" weight="10"/>
+## </interface>
+##
 #
 define(`kernel_modify_irq_sysctl',`
 	requires_block_template(`$0'_depend)
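Review bot: The bare `##` at L1192 after `</interface>` is a stray line that no other interface in this file has; dropping it keeps the header shape uniform and avoids an empty `##` line being handed to the XML extractor outside any element.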
@@ -1064,8 +1642,18 @@ define(`kernel_modify_rpc_sysctl_depend',`
 ')
 
 ########################################
-#
-# kernel_read_all_sysctl(domain)
+## <interface name="kernel_read_all_sysctl">
+##	<description>
+## 		Allow caller to read all sysctl information.
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type reading the information.
+##	</parameter>
+##	<infoflow type="read" weight="10"/>
+## </interface>
 #
 define(`kernel_read_all_sysctl',`
 	kernel_read_device_sysctl($1)
@@ -1081,8 +1669,18 @@ define(`kernel_read_all_sysctl',`
 ')
 
 ########################################
-#
-# kernel_modify_all_sysctl(domain)
+## <interface name="kernel_modify_all_sysctl">
+##	<description>
+## 		Allow caller to modify all sysctl information.
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type modifying the information.
+##	</parameter>
+##	<infoflow type="both" weight="10"/>
+## </interface>
 #
 define(`kernel_modify_all_sysctl',`
 	kernel_modify_device_sysctl($1)
@@ -1121,8 +1719,18 @@ define(`kernel_search_hardware_state_dir_depend',`
 ')
 
 ########################################
-#
-# kernel_read_hardware_state(domain)
+## <interface name="kernel_read_hardware_state">
+##	<description>
+## 		Allow caller to read hardware state information.
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type reading hardware state information.
+##	</parameter>
+##	<infoflow type="read" weight="10"/>
+## </interface>
 #
 define(`kernel_read_hardware_state',`
 	requires_block_template(`$0'_depend)
@@ -1140,8 +1748,18 @@ define(`kernel_read_hardware_state_depend',`
 ')
 
 ########################################
-#
-# kernel_modify_hardware_config_option(domain)
+## <interface name="kernel_modify_hardware_state">
+##	<description>
+## 		Allow caller to modify hardware state information.
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type modifying hardware state information.
+##	</parameter>
+##	<infoflow type="both" weight="10"/>
+## </interface>
 #
 define(`kernel_modify_hardware_config_option',`
 	requires_block_template(`$0'_depend)
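Review bot: The interface name in the XML, `kernel_modify_hardware_state` (L1265), does not match the macro it documents, `kernel_modify_hardware_config_option` (L1278); anything that indexes interfaces by the name attribute will document a macro that does not exist and leave the real one undocumented. Change the attribute to `<interface name="kernel_modify_hardware_config_option">`, or, if a rename is intended, rename the define and its `_depend` counterpart in the same commit. The define body continues outside the hunk.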
@@ -1275,8 +1893,20 @@ define(`kernel_sigchld_unlabeled_process_depend',`
 ')
 
 ########################################
-#
-# kernel_ignore_get_unlabeled_block_device_attributes(domain)
+## <interface name="kernel_ignore_get_unlabeled_block_device_attributes">
+##	<description>
+## 		Do not audit attempts by caller to get attributes for 
+## 		unlabeled block devices.
+##	</description>
+##	<securitydesc>
+## 		Causes attempts by caller to get attributes on unlabeled 
+## 		block devices to not be auditted.
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type not to audit.
+##	</parameter>
+##	<infoflow type="none" />
+## </interface>
 #
 define(`kernel_ignore_get_unlabeled_block_device_attributes',`
 	requires_block_template(`$0'_depend)
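Review bot: `auditted` at L1293 should be `audited`. The filled-in `<securitydesc>` here currently restates the description; the more useful sentence for a reviewer is the consequence, e.g. `Denied attempts are silently dropped, so they will not appear in the audit log.`, which is what distinguishes a dontaudit interface from a deny.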
@@ -1291,8 +1921,18 @@ define(`kernel_ignore_get_unlabeled_block_device_attributes_depend',`
 ')
 
 ########################################
-#
-# kernel_relabel_unlabeled_object(domain)
+## <interface name="kernel_relabel_unlabeled_object">
+##	<description>
+## 		Allow caller to relabel unlabeled objects.
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type relabeling the objects.
+##	</parameter>
+##	<infoflow type="read" weight=""/>
+## </interface>
 #
 define(`kernel_relabel_unlabeled_object',`
 	requires_block_template(`$0'_depend)
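Review bot: `<infoflow type="read" weight=""/>` at L1319 has an empty weight, which will break any consumer that parses the attribute as a number; every other interface in this commit gives an explicit value. Relabeling changes the object's security context, so by the convention the other modify interfaces in this file use this looks like `<infoflow type="both" weight="10"/>` rather than `read` — worth confirming against the allow rules in the define body, which continues outside the hunk.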
@@ -1336,8 +1976,18 @@ define(`kernel_search_usb_hardware_state_dir_depend',`
 ')
 
 ########################################
-#
-# kernel_list_usb_hardware(domain)
+## <interface name="kernel_list_usb_hardware">
+##	<description>
+## 		Allow caller to get a list of usb hardware.
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type getting the list.
+##	</parameter>
+##	<infoflow type="read" weight="10"/>
+## </interface>
 #
 define(`kernel_list_usb_hardware',`
 	requires_block_template(`$0'_depend)
@@ -1383,8 +2033,18 @@ define(`kernel_read_usb_hardware_state_depend',`
 ')
 
 ########################################
-#
-# kernel_modify_usb_hardware_config_option(domain)
+## <interface name="kernel_modify_usb_hardware_config_option">
+##	<description>
+## 		Allow caller to modify usb hardware configuration files.
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type modifying the options.
+##	</parameter>
+##	<infoflow type="both" weight="10"/>
+## </interface>
 #
 define(`kernel_modify_usb_hardware_config_option',`
 	requires_block_template(`$0'_depend)
@@ -1412,8 +2072,18 @@ define(`kernel_modify_usb_hardware_config_option_depend',`
 ###################################################################
 
 ########################################
-#
-# kernel_sigchld_from(domain)
+## <interface name="kernel_sigchld_from">
+##	<description>
+## 		Receive sigchild from kernel.
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type receiving the signal.
+##	</parameter>
+##	<infoflow type="read" weight="1"/>
+## </interface>
 #
 define(`kernel_sigchld_from',`
 	requires_block_template(`$0'_depend)
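Review bot: `sigchild` at L1374 should be `sigchld`, matching the signal name used in the interface name and in the next interface's description (`Receive sigchld from unlabeled processes.`).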
@@ -1428,8 +2098,18 @@ define(`kernel_sigchld_from_depend',`
 ')
 
 ########################################
-#
-# kernel_unlabeled_sigchld_from(domain)
+## <interface name="kernel_unlabeled_sigchld_from">
+##	<description>
+## 		Receive sigchld from unlabeled processes.
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type receiving the signal.
+##	</parameter>
+##	<infoflow type="read" weight="1"/>
+## </interface>
 #
 define(`kernel_unlabeled_sigchld_from',`
 	requires_block_template(`$0'_depend)
@@ -1444,8 +2124,18 @@ define(`kernel_unlabeled_sigchld_from_depend',`
 ')
 
 ########################################
-#
-# kernel_read_directory_from(domain)
+## <interface name="kernel_read_directory_from">
+##	<description>
+## 		XXX FIXME
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		
+##	</parameter>
+##	<infoflow type="write" weight="10"/>
+## </interface>
 #
 define(`kernel_read_directory_from',`
 	requires_block_template(`$0'_depend)
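Review bot: The new block for `kernel_read_directory_from` ships with an `XXX FIXME` description (L1416), an empty `<parameter name="domain">` body (L1422) and `<infoflow type="write" weight="10"/>` (L1424) on what its name says is a read interface; as written it documents nothing and asserts a flow in the wrong direction. Fill in a one-line description and parameter text before this lands, and set `type="read"` unless the allow rules in the define body, which continues outside the hunk, really grant write access.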
diff --git a/refpolicy/policy/modules/system/clock.if b/refpolicy/policy/modules/system/clock.if
index 078b1e0..fa75c75 100644
--- a/refpolicy/policy/modules/system/clock.if
+++ b/refpolicy/policy/modules/system/clock.if
@@ -1,4 +1,4 @@
-## <module name="clock" layer="keyservices">
+## <module name="clock" layer="system">
 ## <summary>Policy for reading and setting the hardware clock.</summary>
 
 ########################################
@@ -67,9 +67,16 @@ define(`clock_transition_add_role_use_terminal_depend',`
 	class chr_file { getattr read write ioctl };
 ')
 
-#######################################
-#
-# clock_execute(domain)
+########################################
+## <interface name="clock_execute">
+##     <description>
+##             Execute hwclock
+##     </description>
+##     <parameter name="domain">
+##             The type of the process performing this action.
+##     </parameter>
+##     <infoflow type="execute" weight="10"/>
+## </interface>
 #
 define(`clock_execute',`
 	requires_block_template(`$0'_depend)
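Review bot: The infoflow type used for the execute/transition interfaces is not consistent across this commit: `clock_execute` here and `udev_transition` use `execute`, `getty_transition`, `locallogin_transition` and `sysnetwork_dhcpc_transition` use `read`, and `hostname_execute` uses `write`. These annotate the same kind of operation, so any flow analysis built on them will rank identical transitions differently for no policy reason; settle on one value (`execute` is the most descriptive) and apply it to all of them. A smaller style point in the same hunks: kernel.if indents its XML with tabs (`##	<description>`) while the system-layer files use spaces (`##     <description>`); one convention would help the extractor and future diffs.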
@@ -83,9 +90,16 @@ define(`clock_execute_depend',`
 	class file { getattr read execute execute_no_trans };
 ')
 
-#######################################
-#
-# clock_modify_drift_records(domain)
+########################################
+## <interface name="clock_modify_drift_records">
+##     <description>
+##             Allow executing domain to modify clock drift
+##     </description>
+##     <parameter name="domain">
+##             The type of the process performing this action.
+##     </parameter>
+##     <infoflow type="write" weight="10"/>
+## </interface>
 #
 define(`clock_modify_drift_records',`
 	requires_block_template(`$0'_depend)
diff --git a/refpolicy/policy/modules/system/getty.if b/refpolicy/policy/modules/system/getty.if
index ce27732..d7a84f6 100644
--- a/refpolicy/policy/modules/system/getty.if
+++ b/refpolicy/policy/modules/system/getty.if
@@ -1,7 +1,16 @@
-
-#######################################
-#
-# getty_transition(domain)
+## <module name="getty" layer="system">
+## <summary>Policy for getty.</summary>
+
+########################################
+## <interface name="getty_transition">
+##     <description>
+##             Execute gettys in the getty domain.
+##     </description>
+##     <parameter name="domain">
+##             The type of the process performing this action.
+##     </parameter>
+##     <infoflow type="read" weight="10"/>
+## </interface>
 #
 define(`getty_transition',`
 	requires_block_template(`$0'_depend)
@@ -26,9 +35,16 @@ define(`getty_transition_depend',`
 	class fifo_file rw_file_perms;
 ')
 
-#######################################
-#
-# getty_read_log_file(domain)
+########################################
+## <interface name="getty_read_log_file">
+##     <description>
+##             Allow process to read getty log file.
+##     </description>
+##     <parameter name="domain">
+##             The type of the process performing this action.
+##     </parameter>
+##     <infoflow type="read" weight="10"/>
+## </interface>
 #
 define(`getty_read_log_file',`
 	requires_block_template(`$0'_depend)
@@ -42,9 +58,16 @@ define(`getty_read_log_file_depend',`
 	class file { getattr read };
 ')
 
-#######################################
-#
-# getty_read_config_file(domain)
+########################################
+## <interface name="getty_read_config_file">
+##     <description>
+##             Allow process to read getty config file.
+##     </description>
+##     <parameter name="domain">
+##             The type of the process performing this action.
+##     </parameter>
+##     <infoflow type="read" weight="10"/>
+## </interface>
 #
 define(`getty_read_config_file',`
 	requires_block_template(`$0'_depend)
@@ -58,9 +81,16 @@ define(`getty_read_config_file_depend',`
 	class file { getattr read };
 ')
 
-#######################################
-#
-# getty_modify_config_file(domain)
+########################################
+## <interface name="getty_modify_config_file">
+##     <description>
+##             Allow process to edit getty config file.
+##     </description>
+##     <parameter name="domain">
+##             The type of the process performing this action.
+##     </parameter>
+##     <infoflow type="read write" weight="10"/>
+## </interface>
 #
 define(`getty_modify_config_file',`
 	requires_block_template(`$0'_depend)
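Review bot: `<infoflow type="read write" weight="10"/>` at L1559 uses a space-separated pair where the rest of the commit spells read-plus-write access as `type="both"` (every `kernel_modify_*` interface); the mount.if interface `mount_send_nfs_client_request` has the same problem with `type="write read "`, including a trailing space inside the attribute. Use `<infoflow type="both" weight="10"/>` in both places so the set of type values stays closed.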
@@ -73,3 +103,5 @@ define(`getty_modify_config_file_depend',`
 
 	class file { getattr read write };
 ')
+
+## </module>
diff --git a/refpolicy/policy/modules/system/hostname.if b/refpolicy/policy/modules/system/hostname.if
index a1144fd..4efe979 100644
--- a/refpolicy/policy/modules/system/hostname.if
+++ b/refpolicy/policy/modules/system/hostname.if
@@ -1,4 +1,4 @@
-## <module name="hostname" layer="keyservices">
+## <module name="hostname" layer="system">
 ## <summary>Policy for changing the system host name.</summary>
 
 ########################################
@@ -69,6 +69,18 @@ define(`hostname_transition_add_role_use_terminal_depend',`
 	class chr_file { getattr read write ioctl };
 ')
 
+########################################
+## <interface name="hostname_execute">
+##     <description>
+##             Execute hostname in the hostname domain, and
+##             Has a sigchld signal backchannel.
+##     </description>
+##     <parameter name="domain">
+##             The type of the process performing this action.
+##     </parameter>
+##     <infoflow type="write" weight="10"/>
+## </interface>
+#
 #######################################
 #
 # hostname_execute(domain)
diff --git a/refpolicy/policy/modules/system/locallogin.if b/refpolicy/policy/modules/system/locallogin.if
index 66ee967..688e183 100644
--- a/refpolicy/policy/modules/system/locallogin.if
+++ b/refpolicy/policy/modules/system/locallogin.if
@@ -1,7 +1,16 @@
+## <module name="locallogin" layer="system">
+## <summary>Policy for local logins.</summary>
 
-#######################################
-#
-# locallogin_transition(domain)
+########################################
+## <interface name="locallogin_transition">
+##     <description>
+##             Execute local logins in the locallogin domain.
+##     </description>
+##     <parameter name="domain">
+##             The type of the process performing this action.
+##     </parameter>
+##     <infoflow type="read" weight="10"/>
+## </interface>
 #
 define(`locallogin_transition',`
 	requires_block_template(`$0'_depend)
@@ -14,6 +23,17 @@ define(`locallogin_transition_depend',`
 ')
 
 ########################################
+## <interface name="locallogin_use_file_descriptors">
+##     <description>
+##             Allow processes to inherit local login file descriptors
+##     </description>
+##     <parameter name="domain">
+##             The type of the process performing this action.
+##     </parameter>
+##     <infoflow type="read" weight="10"/>
+## </interface>
+#
+########################################
 #
 # locallogin_use_file_descriptors(domain)
 #
@@ -28,3 +48,5 @@ define(`locallogin_use_file_descriptors_depend',`
 
 	class fd use;
 ')
+
+## </module>
diff --git a/refpolicy/policy/modules/system/miscfiles.if b/refpolicy/policy/modules/system/miscfiles.if
index 63c6501..d55dbe6 100644
--- a/refpolicy/policy/modules/system/miscfiles.if
+++ b/refpolicy/policy/modules/system/miscfiles.if
@@ -1,7 +1,20 @@
+## <module name="miscfiles" layer="system">
+## <summary>Miscelaneous files.</summary>
 
 ########################################
-#
-# miscfiles_manage_man_page_cache(domain)
+## <interface name="miscfiles_manage_man_page_cache">
+##     <description>
+##             Allow process to create files and dirs in /var/cache/man
+##             and /var/catman/
+##     </description>
+##      <securitydesc>
+##              ...
+##      </securitydesc>
+##     <parameter name="domain">
+##             Type type of the process performing this action.
+##     </parameter>
+##     <infoflow type="write" weight="10"/>
+## </interface>
 #
 define(`miscfiles_manage_man_page_cache',`
 	requires_block_template(`$0'_depend)
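Review bot: `Type type of the process performing this action.` at L1667 is a doubled word (`The type of the process ...`), and the same line is repeated in the other four interfaces of this file (`miscfiles_read_fonts`, `miscfiles_read_localization`, `miscfiles_legacy_read_localization`, `miscfiles_read_man_pages`); `Miscelaneous` at L1653 should be `Miscellaneous`. The `<securitydesc>` bodies in this file are the literal placeholder `...`, which the doc generator will render as-is — either write the sentence or leave the element out, as the other system modules in this commit do.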
@@ -19,8 +32,18 @@ define(`miscfiles_manage_man_page_cache_depend',`
 ')
 
 ########################################
-#
-# miscfiles_read_fonts(domain)
+## <interface name="miscfiles_read_fonts">
+##     <description>
+##             Allow process to read fonts files
+##     </description>
+##      <securitydesc>
+##              ...
+##      </securitydesc>
+##     <parameter name="domain">
+##             Type type of the process performing this action.
+##     </parameter>
+##     <infoflow type="read" weight="10"/>
+## </interface>
 #
 define(`miscfiles_read_fonts',`
 	requires_block_template(`$0'_depend)
@@ -40,8 +63,18 @@ define(`miscfiles_read_fonts_depend',`
 ')
 
 ########################################
-#
-# miscfiles_read_localization(domain)
+## <interface name="miscfiles_read_localization">
+##     <description>
+##             Allow process to read localization info
+##     </description>
+##      <securitydesc>
+##              ...
+##      </securitydesc>
+##     <parameter name="domain">
+##             Type type of the process performing this action.
+##     </parameter>
+##     <infoflow type="read" weight="10"/>
+## </interface>
 #
 define(`miscfiles_read_localization',`
 	requires_block_template(`$0'_depend)
@@ -65,8 +98,18 @@ define(`miscfiles_read_localization_depend',`
 ')
 
 ########################################
-#
-# miscfiles_legacy_read_localization(domain)
+## <interface name="miscfiles_legacy_read_localization">
+##     <description>
+##             Allow process to read legacy time localization info
+##     </description>
+##      <securitydesc>
+##              ...
+##      </securitydesc>
+##     <parameter name="domain">
+##             Type type of the process performing this action.
+##     </parameter>
+##     <infoflow type="write" weight="10"/>
+## </interface>
 #
 define(`miscfiles_legacy_read_localization',`
 	requires_block_template(`$0'_depend)
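Review bot: `<infoflow type="write" weight="10"/>` at L1732 contradicts the interface name and its description (`read legacy time localization info`); the sibling `miscfiles_read_localization` is annotated `read`. Unless the define body, which continues outside the hunk, grants more than getattr/read, this should be `<infoflow type="read" weight="10"/>`. Separately, the next hunk header names the enclosing macro `miscfiles_read_localization_depend` rather than a `miscfiles_legacy_read_localization_depend`; if that reflects the actual define name it is a pre-existing duplicate definition worth checking while here, since m4 silently lets the later define win.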
@@ -82,8 +125,18 @@ define(`miscfiles_read_localization_depend',`
 ')
 
 ########################################
-#
-# miscfiles_read_man_pages(domain)
+## <interface name="miscfiles_read_man_pages">
+##     <description>
+##             Allow process to read manpages
+##     </description>
+##      <securitydesc>
+##              ...
+##      </securitydesc>
+##     <parameter name="domain">
+##             Type type of the process performing this action.
+##     </parameter>
+##     <infoflow type="read" weight="10"/>
+## </interface>
 #
 define(`miscfiles_read_man_pages',`
 	requires_block_template(`$0'_depend)
@@ -101,3 +154,5 @@ define(`miscfiles_read_man_pages_depend',`
 	class file { getattr read };
 	class lnk_file { getattr read };
 ')
+
+## </module>
diff --git a/refpolicy/policy/modules/system/mount.if b/refpolicy/policy/modules/system/mount.if
index 413bc8b..11bcc8f 100644
--- a/refpolicy/policy/modules/system/mount.if
+++ b/refpolicy/policy/modules/system/mount.if
@@ -68,9 +68,16 @@ define(`mount_transition_add_role_use_terminal_depend',`
 	class chr_file { getattr read write ioctl };
 ')
 
-#######################################
-#
-# mount_use_file_descriptors(domain)
+########################################
+## <interface name="mount_use_file_descriptors">
+##     <description>
+##             Use file descriptors for mount.
+##     </description>
+##     <parameter name="domain">
+##             The type of the process performing this action.
+##     </parameter>
+##     <infoflow type="use" weight="4"/>
+## </interface>
 #
 define(`mount_use_file_descriptors',`
 	requires_block_template(`$0'_depend)
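Review bot: `<infoflow type="use" weight="4"/>` at L1783 introduces a type value that appears nowhere else in the commit, while the equivalent fd interface `locallogin_use_file_descriptors` is annotated `read` with weight 10. Inheriting a file descriptor is the same operation in both modules, so both should carry the same type and weight; whichever is chosen, the value set should stay closed so downstream tooling does not have to special-case `use`.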
@@ -84,9 +91,17 @@ define(`mount_use_file_descriptors_depend',`
 	class fd use;
 ')
 
-#######################################
-#
-# mount_send_nfs_client_request(domain)
+########################################
+## <interface name="mount_send_nfs_client_request">
+##     <description>
+##             Allow the mount domain to send nfs requests for mounting
+##             network drives
+##     </description>
+##     <parameter name="domain">
+##             The type of the process performing this action.
+##     </parameter>
+##     <infoflow type="write read " weight="10"/>
+## </interface>
 #
 define(`mount_send_nfs_client_request',`
 	requires_block_template(`$0'_depend)
diff --git a/refpolicy/policy/modules/system/sysnetwork.if b/refpolicy/policy/modules/system/sysnetwork.if
index ad35f94..3a2a61c 100644
--- a/refpolicy/policy/modules/system/sysnetwork.if
+++ b/refpolicy/policy/modules/system/sysnetwork.if
@@ -1,9 +1,16 @@
 ## <module name="sysnetwork" layer="system">
 ## <summary>Policy for network configuration: ifconfig and dhcp client.</summary>
 
-########################################
-#
-# sysnetwork_dhcpc_transition(domain)
+#######################################
+## <interface name="sysnetwork_dhcpc_transition">
+##     <description>
+##             Execute dhcp client in dhcpc domain.
+##     </description>
+##     <parameter name="domain">
+##             The type of the process performing this action.
+##     </parameter>
+##     <infoflow type="read" weight="3"/>
+## </interface>
 #
 define(`sysnetwork_dhcpc_transition',`
 	requires_block_template(`$0'_depend)
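Review bot: The separator above `sysnetwork_dhcpc_transition` is shortened by one `#` at L1820, the reverse of what the clock, getty, locallogin, mount and udev hunks do (they lengthen the short separator to the standard width); the next hunk in this file, for `sysnetwork_read_network_config`, makes the same change. Keep the full-width `########################################` so the separators match the rest of the tree.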
@@ -95,9 +102,16 @@ define(`sysnetwork_ifconfig_transition_add_role_use_terminal_depend',`
 	class chr_file { getattr read write ioctl };
 ')
 
-########################################
-#
-# sysnetwork_read_network_config(domain)
+#######################################
+## <interface name="sysnetwork_read_network_config">
+##     <description>
+##             Allow network init to read network config files.
+##     </description>
+##     <parameter name="domain">
+##             The type of the process performing this action.
+##     </parameter>
+##     <infoflow type="read" weight="3"/>
+## </interface>
 #
 define(`sysnetwork_read_network_config',`
 	requires_block_template(`$0'_depend)
diff --git a/refpolicy/policy/modules/system/udev.if b/refpolicy/policy/modules/system/udev.if
index 2beaa00..87313f3 100644
--- a/refpolicy/policy/modules/system/udev.if
+++ b/refpolicy/policy/modules/system/udev.if
@@ -1,7 +1,16 @@
+## <module name="udev" layer="system">
+## <summary>Policy for udev.</summary>
 
-#######################################
-#
-# udev_transition(domain)
+########################################
+## <interface name="udev_transition">
+##     <description>
+##             Execute udev in the udev domain.
+##     </description>
+##     <parameter name="domain">
+##             The type of the process performing this action.
+##     </parameter>
+##     <infoflow type="execute" weight="10"/>
+## </interface>
 #
 define(`udev_transition',`
 	requires_block_template(`$0'_depend)
@@ -27,8 +36,15 @@ define(`udev_transition_depend',`
 ')
 
 ########################################
-#
-# udev_read_database(domain)
+## <interface name="udev_read_database">
+##     <description>
+##             Allow process to read list of devices.
+##     </description>
+##     <parameter name="domain">
+##             The type of the process performing this action.
+##     </parameter>
+##     <infoflow type="read" weight="3"/>
+## </interface>
 #
 define(`udev_read_database',`
 	requires_block_template(`$0'_depend)
@@ -43,8 +59,15 @@ define(`udev_read_database_depend',`
 ')
 
 ########################################
-#
-# udev_modify_database(domain)
+## <interface name="udev_modify_database">
+##     <description>
+##             Allow process to modify list of devices.
+##     </description>
+##     <parameter name="domain">
+##             The type of the process performing this action.
+##     </parameter>
+##     <infoflow type="write" weight="10"/>
+## </interface>
 #
 define(`udev_modify_database',`
 	requires_block_template(`$0'_depend)
@@ -57,3 +80,5 @@ define(`udev_modify_database_depend',`
 
 	class file { getattr read write append };
 ')
+
+## </module>

