[selinux-policy: 389/3172] review of system interfaces

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 19:38:26 UTC 2010


commit 139520a2334dd00c883fe635758509818bd63660
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Fri Jun 17 17:59:26 2005 +0000

    review of system interfaces

 refpolicy/policy/modules/admin/dmesg.te         |    2 +-
 refpolicy/policy/modules/system/authlogin.if    |    6 +-
 refpolicy/policy/modules/system/clock.if        |   49 +--
 refpolicy/policy/modules/system/clock.te        |    2 +-
 refpolicy/policy/modules/system/corecommands.if |  161 +++-----
 refpolicy/policy/modules/system/files.if        |   28 +-
 refpolicy/policy/modules/system/getty.if        |   60 ++--
 refpolicy/policy/modules/system/hostname.if     |   48 +--
 refpolicy/policy/modules/system/hotplug.if      |   82 ++---
 refpolicy/policy/modules/system/init.if         |  344 ++++++-----------
 refpolicy/policy/modules/system/iptables.if     |   47 +--
 refpolicy/policy/modules/system/libraries.if    |  163 ++++----
 refpolicy/policy/modules/system/locallogin.if   |   23 +-
 refpolicy/policy/modules/system/logging.if      |  128 +++----
 refpolicy/policy/modules/system/lvm.if          |   44 +--
 refpolicy/policy/modules/system/miscfiles.if    |   98 ++---
 refpolicy/policy/modules/system/modutils.if     |  160 +++-----
 refpolicy/policy/modules/system/mount.if        |   54 +--
 refpolicy/policy/modules/system/selinuxutil.if  |  477 +++++++++--------------
 refpolicy/policy/modules/system/sysnetwork.if   |   63 ++--
 refpolicy/policy/modules/system/udev.if         |   40 +--
 21 files changed, 804 insertions(+), 1275 deletions(-)
---
diff --git a/refpolicy/policy/modules/admin/dmesg.te b/refpolicy/policy/modules/admin/dmesg.te
index 7691ee4..110bd14 100644
--- a/refpolicy/policy/modules/admin/dmesg.te
+++ b/refpolicy/policy/modules/admin/dmesg.te
@@ -31,7 +31,7 @@ term_dontaudit_use_console(dmesg_t)
 
 domain_use_wide_inherit_fd(dmesg_t)
 
-files_read_generic_etc_files_directory(dmesg_t)
+files_list_etc(dmesg_t)
 # for when /usr is not mounted:
 files_dontaudit_search_isid_type_dir(dmesg_t)
 
diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if
index 42fe7ee..7cd0618 100644
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@@ -34,7 +34,7 @@ define(`authlogin_per_userdomain_template',`
 	allow $1_chkpwd_t self:capability setuid;
 	allow $1_chkpwd_t self:process getattr;
 
-	files_read_generic_etc_files_directory($1_chkpwd_t)
+	files_list_etc($1_chkpwd_t)
 	allow $1_chkpwd_t shadow_t:file { getattr read };
 
 	# is_selinux_enabled
@@ -276,7 +276,7 @@ define(`auth_dontaudit_getattr_shadow_depend',`
 define(`auth_read_shadow',`
 	gen_require(`$0'_depend)
 
-	files_read_generic_etc_files_directory($1)
+	files_list_etc($1)
 	allow $1 shadow_t:file r_file_perms;
 	typeattribute $1 can_read_shadow_passwords;
 ')
@@ -338,7 +338,7 @@ define(`auth_dontaudit_read_shadow_depend',`
 define(`auth_rw_shadow',`
 	gen_require(`$0'_depend)
 
-	files_read_generic_etc_files_directory($1)
+	files_list_etc($1)
 	allow $1 shadow_t:file rw_file_perms;
 	typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
 ')
diff --git a/refpolicy/policy/modules/system/clock.if b/refpolicy/policy/modules/system/clock.if
index 21657ac..45a2245 100644
--- a/refpolicy/policy/modules/system/clock.if
+++ b/refpolicy/policy/modules/system/clock.if
@@ -12,7 +12,11 @@
 ## </interface>
 #
 define(`clock_domtrans',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type hwclock_t, hwclock_exec_t;
+		class fd use;
+		class fifo_file rw_file_perms;
+	')
 
 	domain_auto_trans($1,hwclock_exec_t,hwclock_t)
 
@@ -22,15 +26,6 @@ define(`clock_domtrans',`
 	allow hwclock_t $1:process sigchld;
 ')
 
-define(`clock_domtrans_depend',`
-	type hwclock_t, hwclock_exec_t;
-
-	class file rx_file_perms;
-	class process { transition noatsecure siginh rlimitinh sigchld };
-	class fd use;
-	class fifo_file rw_file_perms;
-')
-
 ########################################
 ## <interface name="clock_run">
 ##	<description>
@@ -49,19 +44,16 @@ define(`clock_domtrans_depend',`
 ## </interface>
 #
 define(`clock_run',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type hwclock_t;
+		class chr_file { getattr read write ioctl };
+	')
 
 	clock_domtrans($1)
 	role $2 types hwclock_t;
 	allow hwclock_t $3:chr_file { getattr read write ioctl };
 ')
 
-define(`clock_run_depend',`
-	type hwclock_t;
-
-	class chr_file { getattr read write ioctl };
-')
-
 ########################################
 ## <interface name="clock_exec">
 ##     <description>
@@ -73,17 +65,13 @@ define(`clock_run_depend',`
 ## </interface>
 #
 define(`clock_exec',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type hwclock_exec_t;
+	')
 
 	can_exec($1,hwclock_exec_t)
 ')
 
-define(`clock_exec_depend',`
-	type hwclock_exec_t;
-
-	class file { getattr read execute execute_no_trans };
-')
-
 ########################################
 ## <interface name="clock_rw_adjtime">
 ##     <description>
@@ -95,16 +83,13 @@ define(`clock_exec_depend',`
 ## </interface>
 #
 define(`clock_rw_adjtime',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type adjtime_t;
+		class file rw_file_perms;
+	')
 
 	allow $1 adjtime_t:file rw_file_perms;
-	files_read_generic_etc_files_directory($1)
-')
-
-define(`clock_rw_adjtime_depend',`
-	type adjtime_t;
-
-	class file rw_file_perms;
+	files_list_etc($1)
 ')
 
 ## </module>
diff --git a/refpolicy/policy/modules/system/clock.te b/refpolicy/policy/modules/system/clock.te
index 50c4cfe..9f884b2 100644
--- a/refpolicy/policy/modules/system/clock.te
+++ b/refpolicy/policy/modules/system/clock.te
@@ -46,7 +46,7 @@ domain_use_wide_inherit_fd(hwclock_t)
 init_use_fd(hwclock_t)
 init_use_script_pty(hwclock_t)
 
-files_read_generic_etc_files_directory(hwclock_t)
+files_list_etc(hwclock_t)
 # for when /usr is not mounted:
 files_dontaudit_search_isid_type_dir(hwclock_t)
 
diff --git a/refpolicy/policy/modules/system/corecommands.if b/refpolicy/policy/modules/system/corecommands.if
index 6e5b95a..ac9b624 100644
--- a/refpolicy/policy/modules/system/corecommands.if
+++ b/refpolicy/policy/modules/system/corecommands.if
@@ -9,53 +9,49 @@
 # corecmd_shell_entry_type(domain)
 #
 define(`corecmd_shell_entry_type',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type shell_exec_t;
+	')
 
 	domain_entry_file($1,shell_exec_t)
 ')
 
-define(`corecmd_shell_entry_type_depend',`
-	type shell_exec_t;
-')
-
 ########################################
 #
 # corecmd_search_bin(domain)
 #
 define(`corecmd_search_bin',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type bin_t;
+		class dir search;
+	')
 
 	allow $1 bin_t:dir search;
 ')
 
-define(`corecmd_search_bin_depend',`
-	type bin_t;
-
-	class dir search;
-')
-
 ########################################
 #
 # corecmd_list_bin(domain)
 #
 define(`corecmd_list_bin',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type bin_t;
+		class dir r_dir_perms;
+	')
 
 	allow $1 bin_t:dir r_dir_perms;
 ')
 
-define(`corecmd_list_bin_depend',`
-	type bin_t;
-
-	class dir r_dir_perms;
-')
-
 ########################################
 #
 # corecmd_exec_bin(domain)
 #
 define(`corecmd_exec_bin',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type bin_t;
+		class dir r_dir_perms;
+		class lnk_file r_file_perms;
+	')
 
 	allow $1 bin_t:dir r_dir_perms;
 	allow $1 bin_t:lnk_file r_file_perms;
@@ -63,68 +59,55 @@ define(`corecmd_exec_bin',`
 
 ')
 
-define(`corecmd_exec_bin_depend',`
-	type bin_t;
-
-	class dir r_dir_perms;
-	class lnk_file r_file_perms;
-	class file { getattr read ioctl lock execute execute_no_trans };
-')
-
 ########################################
 #
 # corecmd_search_sbin(domain)
 #
 define(`corecmd_search_sbin',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type sbin_t;
+		class dir search;
+	')
 
 	allow $1 sbin_t:dir search;
 ')
 
-define(`corecmd_search_sbin_depend',`
-	type sbin_t;
-
-	class dir search;
-')
-
 ########################################
 #
 # corecmd_list_sbin(domain)
 #
 define(`corecmd_list_sbin',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type sbin_t;
+		class dir r_dir_perms;
+	')
 
 	allow $1 sbin_t:dir r_dir_perms;
 ')
 
-define(`corecmd_list_sbin_depend',`
-	type sbin_t;
-
-	class dir r_dir_perms;
-')
-
 ########################################
 #
 # corecmd_dontaudit_getattr_sbin_file(domain)
 #
 define(`corecmd_dontaudit_getattr_sbin_file',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type sbin_t;
+		class file getattr;
+	')
 
 	allow $1 sbin_t:file getattr;
 ')
 
-define(`corecmd_dontaudit_getattr_sbin_file_depend',`
-	type sbin_t;
-
-	class file getattr;
-')
-
 ########################################
 #
 # corecmd_exec_sbin(domain)
 #
 define(`corecmd_exec_sbin',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type sbin_t;
+		class dir r_dir_perms;
+		class lnk_file r_file_perms;
+	')
 
 	allow $1 sbin_t:dir r_dir_perms;
 	allow $1 sbin_t:lnk_file r_file_perms;
@@ -132,54 +115,38 @@ define(`corecmd_exec_sbin',`
 
 ')
 
-define(`corecmd_exec_sbin_depend',`
-	type sbin_t;
-
-	class dir r_dir_perms;
-	class lnk_file r_file_perms;
-	class file { getattr read ioctl lock execute execute_no_trans };
-')
-
 ########################################
 #
 # corecmd_exec_shell(domain)
 #
 define(`corecmd_exec_shell',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type bin_t, shell_exec_t;
+		class dir r_dir_perms;
+		class lnk_file r_file_perms;
+	')
 
 	allow $1 bin_t:dir r_dir_perms;
 	allow $1 bin_t:lnk_file r_file_perms;
 	can_exec($1,shell_exec_t)
 ')
 
-define(`corecmd_exec_shell_depend',`
-	type bin_t, shell_exec_t;
-
-	class dir r_dir_perms;
-	class lnk_file r_file_perms;
-	class file { getattr read lock ioctl execute execute_no_trans };
-')
-
 ########################################
 #
 # corecmd_exec_ls(domain)
 #
 define(`corecmd_exec_ls',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type bin_t, ls_exec_t;
+		class dir r_dir_perms;
+		class lnk_file r_file_perms;
+	')
 
 	allow $1 bin_t:dir r_dir_perms;
 	allow $1 bin_t:lnk_file r_file_perms;
 	can_exec($1,ls_exec_t)
 ')
 
-define(`corecmd_exec_shell_depend',`
-	type bin_t, ls_exec_t;
-
-	class dir r_dir_perms;
-	class lnk_file r_file_perms;
-	class file { getattr read lock ioctl execute execute_no_trans };
-')
-
 ########################################
 ## <interface name="corecmd_shell_spec_domtrans">
 ##	<description>
@@ -196,7 +163,14 @@ define(`corecmd_exec_shell_depend',`
 ## </interface>
 #
 define(`corecmd_shell_spec_domtrans',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type bin_t, shell_exec_t;
+		class dir r_dir_perms;
+		class lnk_file r_file_perms;
+		class fd use;
+		class fifo_file rw_file_perms;
+		class process sigchld;
+	')
 
 	allow $1 bin_t:dir r_dir_perms;
 	allow $1 bin_t:lnk_file r_file_perms;
@@ -209,17 +183,6 @@ define(`corecmd_shell_spec_domtrans',`
 	allow $2 $1:process sigchld;
 ')
 
-define(`corecmd_shell_spec_domtrans_depend',`
-	type bin_t, shell_exec_t;
-
-	class dir r_dir_perms;
-	class lnk_file r_file_perms;
-	class file rx_file_perms
-	class process { transition noatsecure siginh rlimitinh sigchld };
-	class fd use;
-	class fifo_file rw_file_perms;
-')
-
 ########################################
 ## <interface name="corecmd_domtrans_shell">
 ##	<description>
@@ -234,32 +197,26 @@ define(`corecmd_shell_spec_domtrans_depend',`
 ## </interface>
 #
 define(`corecmd_domtrans_shell',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type shell_exec_t;
+	')
 
 	corecmd_shell_spec_domtrans($1,$2)
 	type_transition $1 shell_exec_t:process $2;
 ')
 
-define(`corecmd_domtrans_shell_depend',`
-	type shell_exec_t;
-')
-
 ########################################
 #
 # corecmd_chroot_exec_chroot(domain)
 #
 define(`corecmd_chroot_exec_chroot',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type chroot_exec_t;
+		class capability sys_chroot;
+	')
 
-	allow $1 chroot_exec_t:file { getattr read execute execute_no_trans };
+	can_exec($1,chroot_exec_t)
 	allow $1 self:capability sys_chroot;
 ')
 
-define(`corecmd_chroot_exec_chroot_depend',`
-	type chroot_exec_t;
-
-	class file { getattr read execute execute_no_trans };
-	class capability sys_chroot;
-')
-
 ## </module>
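Review bot: corecmd_chroot_exec_chroot keeps only the bare `# corecmd_chroot_exec_chroot(domain)` header while the neighbouring interfaces in this file carry `## <interface>` blocks, and this one deserves the documentation most because it grants the caller `self:capability sys_chroot` on top of executing chroot_exec_t (the `allow $1 self:capability sys_chroot;` line). Suggest an interface block whose description states both effects, e.g. `## Execute chroot in the caller domain and grant the caller the sys_chroot capability.`, so a policy author sees the capability grant before calling it. The switch from the explicit `{ getattr read execute execute_no_trans }` to `can_exec($1,chroot_exec_t)` may also change the exact file permission set, depending on how can_exec is defined; if it adds permissions, that is worth a line in the same description.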
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index ea6d2b6..4f8788a 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@@ -206,7 +206,7 @@ define(`files_manage_all_files',`
 	allow $1 { file_type $2 }:sock_file create_file_perms;
 
 	# satisfy the assertions:
-	seutil_write_binary_pol($1)
+	seutil_create_binary_pol($1)
 	bootloader_manage_kernel_modules($1)
 ')
 
@@ -488,33 +488,27 @@ define(`files_unmount_rootfs_depend',`
 # files_search_etc(domain)
 #
 define(`files_search_etc',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type etc_t;
+		class dir search;
+	')
 
 	allow $1 etc_t:dir search;
 ')
 
-define(`files_search_etc_depend',`
-	type etc_t;
-
-	class dir search;
-')
-
 ########################################
 #
-# files_read_generic_etc_files_directory(domain)
+# files_list_etc(domain)
 #
-define(`files_read_generic_etc_files_directory',`
-	gen_require(`$0'_depend)
+define(`files_list_etc',`
+	gen_require(`
+		type etc_t;
+		class dir r_dir_perms;
+	')
 
 	allow $1 etc_t:dir r_dir_perms;
 ')
 
-define(`files_read_generic_etc_files_directory_depend',`
-	type etc_t;
-
-	class dir r_dir_perms;
-')
-
 ########################################
 #
 # files_read_generic_etc_files(domain)
diff --git a/refpolicy/policy/modules/system/getty.if b/refpolicy/policy/modules/system/getty.if
index b76c7b9..51ce7a5 100644
--- a/refpolicy/policy/modules/system/getty.if
+++ b/refpolicy/policy/modules/system/getty.if
@@ -12,12 +12,15 @@
 ## </interface>
 #
 define(`getty_domtrans',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type getty_t, getty_exec_t;
+		class process sigchld;
+		class fd use;
+		class fifo_file rw_file_perms;
+	')
 
-	allow $1 getty_exec_t:file { getattr read execute };
-	allow $1 getty_t:process transition;
-	type_transition $1 getty_exec_t:process getty_t;
-	dontaudit $1 getty_t:process { noatsecure siginh rlimitinh };
+	corecmd_search_sbin($1)
+	domain_auto_trans($1,getty_exec_t,getty_t)
 
 	allow $1 getty_t:fd use;
 	allow getty_t $1:fd use;
@@ -25,15 +28,6 @@ define(`getty_domtrans',`
 	allow getty_t $1:process sigchld;
 ')
 
-define(`getty_domtrans_depend',`
-	type getty_t, getty_exec_t;
-
-	class file { getattr read execute };
-	class process { transition noatsecure siginh rlimitinh sigchld };
-	class fd use;
-	class fifo_file rw_file_perms;
-')
-
 ########################################
 ## <interface name="getty_read_log">
 ##     <description>
@@ -45,17 +39,15 @@ define(`getty_domtrans_depend',`
 ## </interface>
 #
 define(`getty_read_log',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type getty_log_t;
+		class file { getattr read };
+	')
 
+	logging_search_logs($1)
 	allow $1 getty_log_t:file { getattr read };
 ')
 
-define(`getty_read_log_depend',`
-	type getty_log_t;
-
-	class file { getattr read };
-')
-
 ########################################
 ## <interface name="getty_read_config">
 ##     <description>
@@ -67,17 +59,15 @@ define(`getty_read_log_depend',`
 ## </interface>
 #
 define(`getty_read_config',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type getty_etc_t;
+		class file { getattr read };
+	')
 
+	files_search_etc($1)
 	allow $1 getty_etc_t:file { getattr read };
 ')
 
-define(`getty_read_config_depend',`
-	type getty_etc_t;
-
-	class file { getattr read };
-')
-
 ########################################
 ## <interface name="getty_modify_config">
 ##     <description>
@@ -89,15 +79,13 @@ define(`getty_read_config_depend',`
 ## </interface>
 #
 define(`getty_modify_config',`
-	gen_require(`$0'_depend)
-
-	allow $1 getty_etc_t:file { getattr read write };
-')
-
-define(`getty_modify_config_depend',`
-	type getty_etc_t;
+	gen_require(`
+		type getty_etc_t;
+		class file rw_file_perms;
+	')
 
-	class file { getattr read write };
+	files_search_etc($1)
+	allow $1 getty_etc_t:file rw_file_perms;
 ')
 
 ## </module>
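Review bot: getty_modify_config now grants `rw_file_perms` on getty_etc_t where the replaced rule allowed only `{ getattr read write }`, so this hunk widens the interface rather than merely inlining its requires (rw_file_perms in refpolicy covers at least ioctl, lock and append on top of those three — verify against obj_perm_sets). The same kind of silent widening happens in init.if's init_use_script_pty, where `{ getattr read write ioctl }` becomes `rw_term_perms`. Either keep the narrower set if no caller needs more, or state the wider grant in the interface description above this define, e.g. `## Read and write (including append, lock and ioctl) getty configuration files.`, and mention the change in the commit description so it is not lost in a commit titled as a review.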
diff --git a/refpolicy/policy/modules/system/hostname.if b/refpolicy/policy/modules/system/hostname.if
index 10237ff..3a37ecb 100644
--- a/refpolicy/policy/modules/system/hostname.if
+++ b/refpolicy/policy/modules/system/hostname.if
@@ -13,12 +13,15 @@
 ## </interface>
 #
 define(`hostname_domtrans',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type hostname_t, hostname_exec_t;
+		class process sigchld;
+		class fd use;
+		class fifo_file rw_file_perms;
+	')
 
-	allow $1 hostname_exec_t:file rx_file_perms;
-	allow $1 hostname_t:process transition;
-	type_transition $1 hostname_exec_t:process hostname_t;
-	dontaudit $1 hostname_t:process { noatsecure siginh rlimitinh };
+	corecmd_search_bin($1)
+	domain_auto_trans($1,hostname_exec_t,hostname_t)
 
 	allow $1 hostname_t:fd use;
 	allow hostname_t $1:fd use;
@@ -26,15 +29,6 @@ define(`hostname_domtrans',`
 	allow hostname_t $1:process sigchld;
 ')
 
-define(`hostname_domtrans_depend',`
-	type hostname_t, hostname_exec_t;
-
-	class file rx_file_perms;
-	class process { transition noatsecure siginh rlimitinh sigchld };
-	class fd use;
-	class fifo_file rw_file_perms;
-')
-
 ########################################
 ## <interface name="hostname_run">
 ##	<description>
@@ -54,19 +48,16 @@ define(`hostname_domtrans_depend',`
 ## </interface>
 #
 define(`hostname_run',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type hostname_t;
+		class chr_file { getattr read write ioctl };
+	')
 
 	hostname_domtrans($1)
 	role $2 types hostname_t;
 	allow hostname_t $3:chr_file { getattr read write ioctl };
 ')
 
-define(`hostname_run_depend',`
-	type hostname_t;
-
-	class chr_file { getattr read write ioctl };
-')
-
 ########################################
 ## <interface name="hostname_exec">
 ##     <description>
@@ -78,21 +69,12 @@ define(`hostname_run_depend',`
 ##     </parameter>
 ## </interface>
 #
-#######################################
-#
-# hostname_exec(domain)
-#
 define(`hostname_exec',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type hostname_exec_t;
+	')
 
 	can_exec($1,hostname_exec_t)
-
-')
-
-define(`hostname_exec_depend',`
-	type hostname_exec_t;
-
-	class file { getattr read execute execute_no_trans };
 ')
 
 ## </module>
diff --git a/refpolicy/policy/modules/system/hotplug.if b/refpolicy/policy/modules/system/hotplug.if
index f5e9f5b..4007f50 100644
--- a/refpolicy/policy/modules/system/hotplug.if
+++ b/refpolicy/policy/modules/system/hotplug.if
@@ -9,12 +9,15 @@
 # hotplug_domtrans(domain)
 #
 define(`hotplug_domtrans',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type hotplug_t, hotplug_exec_t;
+		class process sigchld;
+		class fd use;
+		class fifo_file rw_file_perms;
+	')
 
-	allow $1 hotplug_exec_t:file rx_file_perms;
-	allow $1 hotplug_t:process transition;
-	type_transition $1 hotplug_exec_t:process hotplug_t;
-	dontaudit $1 hotplug_t:process { noatsecure siginh rlimitinh };
+	corecmd_search_sbin($1)
+	domain_auto_trans($1,hotplug_exec_t,hotplug_t)
 
 	allow $1 hotplug_t:fd use;
 	allow hotplug_t $1:fd use;
@@ -22,30 +25,17 @@ define(`hotplug_domtrans',`
 	allow hotplug_t $1:process sigchld;
 ')
 
-define(`hotplug_domtrans_depend',`
-	type hotplug_t, hotplug_exec_t;
-
-	class file rx_file_perms;
-	class process { transition noatsecure siginh rlimitinh sigchld };
-	class fd use;
-	class fifo_file rw_file_perms;
-')
-
 #######################################
 #
 # hotplug_exec(domain)
 #
 define(`hotplug_exec',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type hotplug_t;
+	')
 
+	corecmd_search_sbin($1)
 	can_exec($1,hotplug_exec_t)
-
-')
-
-define(`hotplug_exec_depend',`
-	type hotplug_t;
-
-	class file { getattr read execute execute_no_trans };
 ')
 
 #######################################
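Review bot: hotplug_exec's new gen_require block names `type hotplug_t;` but the body only references `hotplug_exec_t` (`can_exec($1,hotplug_exec_t)`), so the type the interface actually depends on is never required; the removed `hotplug_exec_depend` had the same slip and the inlining carried it over. Change the require to `type hotplug_exec_t;`. The same mismatch appears in init.if's init_rw_script_tmp_files, whose require names `initrc_var_run_t` while its allow rule targets `initrc_tmp_t`. In a loadable-module build an unrequired type would presumably surface as a link error rather than as a silently missing rule, but the require should match the rule either way.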
@@ -53,49 +43,40 @@ define(`hotplug_exec_depend',`
 # hotplug_use_fd(domain)
 #
 define(`hotplug_use_fd',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type hotplug_t;
+		class fd use;
+	')
 
 	allow $1 hotplug_t:fd use;
 ')
 
-define(`hotplug_use_fd_depend',`
-	type hotplug_t;
-
-	class fd use;
-')
-
 #######################################
 #
 # hotplug_dontaudit_use_fd(domain)
 #
 define(`hotplug_dontaudit_use_fd',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type hotplug_t;
+		class fd use;
+	')
 
 	dontaudit $1 hotplug_t:fd use;
 ')
 
-define(`hotplug_dontaudit_use_fd_depend',`
-	type hotplug_t;
-
-	class fd use;
-')
-
 ########################################
 #
 # hotplug_dontaudit_search_config(domain)
 #
 define(`hotplug_dontaudit_search_config',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type hotplug_etc_t;
+		class dir search;
+	')
 
 	dontaudit $1 hotplug_etc_t:dir search;
 ')
 
-define(`hotplug_dontaudit_search_config_depend',`
-	type hotplug_etc_t;
-
-	class dir search;
-')
-
 ########################################
 ## <interface name="hotplug_read_config">
 ##	<description>
@@ -107,7 +88,12 @@ define(`hotplug_dontaudit_search_config_depend',`
 ## </interface>
 #
 define(`hotplug_read_config',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type hotplug_etc_t;
+		class file r_file_perms;
+		class dir r_dir_perms;
+		class lnk_file r_file_perms;
+	')
 
 	files_search_etc($1)
 	allow $1 hotplug_etc_t:file r_file_perms;
@@ -115,12 +101,4 @@ define(`hotplug_read_config',`
 	allow $1 hotplug_etc_t:lnk_file r_file_perms;
 ')
 
-define(`hotplug_read_config_depend',`
-	type hotplug_etc_t;
-
-	class file r_file_perms;
-	class dir r_dir_perms;
-	class lnk_file r_file_perms;
-')
-
 ## </module>
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
index e1c03e3..aa96805 100644
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@@ -6,17 +6,20 @@
 # init_domain(domain,entrypointfile)
 #
 define(`init_domain',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type init_t;
+		role system_r;
+		class fd use;
+		class fifo_file rw_file_perms;
+		class process sigchld;
+	')
 
 	domain_type($1)
 	domain_entry_file($1,$2)
 
 	role system_r types $1;
 
-	allow init_t $1:process transition;
-	allow init_t $2:file rx_file_perms;
-	dontaudit init_t $1:process { noatsecure siginh rlimitinh };
-	type_transition init_t $2:process $1;
+	domain_auto_trans(init_t,$2,$1)
 
 	allow $1 init_t:fd use;
 	allow init_t $1:fd use;
@@ -31,31 +34,25 @@ define(`init_domain',`
 	')
 ')
 
-define(`init_domain_depend',`
-	type init_t;
-	class file rx_file_perms;
-	class fd use;
-	class fifo_file rw_file_perms;
-	class process { transition noatsecure siginh rlimitinh sigchld };
-	role system_r;
-')
-
 ########################################
 #
 # init_daemon_domain(domain,entrypointfile)
 #
 define(`init_daemon_domain',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type initrc_t;
+		role system_r;
+		class fifo_file rw_file_perms;
+		class fd use;
+		class process sigchld;
+	')
 
 	domain_type($1)
 	domain_entry_file($1,$2)
 
 	role system_r types $1;
 
-	allow initrc_t $1:process transition;
-	allow initrc_t $2:file rx_file_perms;
-	dontaudit initrc_t $1:process { noatsecure siginh rlimitinh };
-	type_transition initrc_t $2:process $1;
+	domain_auto_trans(initrc_t,$2,$1)
 
 	allow initrc_t $1:fd use;
 	allow $1 initrc_t:fd use;
@@ -70,33 +67,25 @@ define(`init_daemon_domain',`
 	')
 ')
 
-define(`init_daemon_domain_depend',`
-	type initrc_t;
-
-	role system_r;
-
-	class file rx_file_perms;
-	class fifo_file rw_file_perms;
-	class fd use;
-	class process { transition noatsecure siginh rlimitinh sigchld };
-')
-
 ########################################
 #
 # init_system_domain(domain,entrypointfile)
 #
 define(`init_system_domain',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type initrc_t;
+		role system_r;
+		class fd use;
+		class fifo_file rw_file_perms;
+		class process sigchld;
+	')
 
 	domain_type($1)
 	domain_entry_file($1,$2)
 
 	role system_r types $1;
 
-	allow initrc_t $1:process transition;
-	allow initrc_t $2:file rx_file_perms;
-	dontaudit initrc_t $1:process { noatsecure siginh rlimitinh };
-	type_transition initrc_t $2:process $1;
+	domain_auto_trans(initrc_t,$2,$1)
 
 	allow initrc_t $1:fd use;
 	allow $1 initrc_t:fd use;
@@ -111,27 +100,19 @@ define(`init_system_domain',`
 	')
 ')
 
-define(`init_system_domain_depend',`
-	type initrc_t;
-	role system_r;
-
-	class file rx_file_perms;
-	class fd use;
-	class fifo_file rw_file_perms;
-	class process { transition noatsecure siginh rlimitinh sigchld };
-')
-
 ########################################
 #
 # init_domtrans(domain)
 #
 define(`init_domtrans',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type init_t, init_exec_t;
+		class process sigchld;
+		class fd use;
+		class fifo_file rw_file_perms;
+	')
 
-	allow $1 init_exec_t:file rx_file_perms;
-	allow $1 init_t:process transition;
-	type_transition $1 init_exec_t:process init_t;
-	dontaudit $1 init_t:process { noatsecure siginh rlimitinh };
+	domain_auto_trans($1,init_exec_t,init_t)
 
 	allow $1 init_t:fd use;
 	allow init_t $1:fd use;
@@ -139,155 +120,125 @@ define(`init_domtrans',`
 	allow init_t $1:process sigchld;
 ')
 
-define(`init_domtrans_depend',`
-	type init_t, init_exec_t;
-
-	class file rx_file_perms;
-	class process { transition noatsecure siginh rlimitinh sigchld };
-	class fd use;
-	class fifo_file rw_file_perms;
-')
-
 ########################################
 #
 # init_get_process_group(domain)
 #
 define(`init_get_process_group',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type init_t;
+		class process getpgid;
+	')
 
 	allow $1 init_t:process getpgid;
 ')
 
-define(`init_get_process_group_depend',`
-	type init_t;
-
-	class process getpgid;
-')
-
 ########################################
 #
 # init_getattr_initctl(domain)
 #
 define(`init_getattr_initctl',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type initctl_t;
+		class fifo_file getattr;
+	')
 
 	allow $1 initctl_t:fifo_file getattr;
 ')
 
-define(`init_getattr_initctl_depend',`
-	type initctl_t;
-
-	class fifo_file getattr;
-')
-
 ########################################
 #
 # init_dontaudit_getattr_initctl(domain)
 #
 define(`init_dontaudit_getattr_initctl',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type initctl_t;
+		class fifo_file getattr;
+	')
 
 	dontaudit $1 initctl_t:fifo_file getattr;
 ')
 
-define(`init_getattr_initctl_depend',`
-	type initctl_t;
-
-	class fifo_file getattr;
-')
-
 ########################################
 #
 # init_use_initctl(domain)
 #
 define(`init_use_initctl',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type initctl_t;
+		class fifo_file rw_file_perms;
+	')
 
 	dev_list_all_dev_nodes($1)
 	allow $1 initctl_t:fifo_file rw_file_perms;
 ')
 
-define(`init_use_initctl_depend',`
-	type initctl_t;
-
-	class fifo_file rw_file_perms;
-')
-
 ########################################
 #
 # init_dontaudit_use_initctl(domain)
 #
 define(`init_dontaudit_use_initctl',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type initctl_t;
+		class fifo_file { read write };
+	')
 
 	dontaudit $1 initctl_t:fifo_file { read write };
 ')
 
-define(`init_dontaudit_use_initctl_depend',`
-	type initctl_t;
-
-	class fifo_file { read write };
-')
-
 ########################################
 #
 # init_sigchld(domain)
 #
 define(`init_sigchld',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type init_t;
+		class process sigchld;
+	')
 
 	allow $1 init_t:process sigchld;
 ')
 
-define(`init_sigchld_depend',`
-	type init_t;
-
-	class process sigchld;
-')
-
 ########################################
 #
 # init_use_fd(domain)
 #
 define(`init_use_fd',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type init_t;
+		class fd use;
+	')
 
 	allow $1 init_t:fd use;
 ')
 
-define(`init_use_fd_depend',`
-	type init_t;
-
-	class fd use;
-')
-
 ########################################
 #
 # init_dontaudit_use_fd(domain)
 #
 define(`init_dontaudit_use_fd',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type init_t;
+		class fd use;
+	')
 
 	dontaudit $1 init_t:fd use;
 ')
 
-define(`init_dontaudit_use_fd_depend',`
-	type init_t;
-
-	class fd use;
-')
-
 ########################################
 #
 # init_domtrans_script(domain)
 #
 define(`init_domtrans_script',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type initrc_t, initrc_exec_t;
+		class process sigchld;
+		class fd use;
+		class fifo_file rw_file_perms;
+	')
 
-	allow $1 initrc_exec_t:file rx_file_perms;
-	allow $1 initrc_t:process transition;
-	type_transition $1 initrc_exec_t:process init_t;
-	dontaudit $1 init_t:process { noatsecure siginh rlimitinh };
+	files_list_etc($1)
+	domain_auto_trans($1,initrc_exec_t,initrc_t)
 
 	allow $1 initrc_t:fd use;
 	allow initrc_t $1:fd use;
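Review bot: init_domtrans_script's replacement of the hand-written transition with `domain_auto_trans($1,initrc_exec_t,initrc_t)` changes behaviour, not just style: the removed `type_transition` named init_t as the target and the removed dontaudit targeted init_t, while the removed allow rule permitted only the initrc_t transition, so the old interface was internally inconsistent. That fix is buried in a hunk that otherwise only inlines requires, and the commit description does not mention it; a one-line comment above the call, `# transition target is initrc_t (the former type_transition named init_t)`, or a sentence in the commit description, would keep the reason visible. The added `files_list_etc($1)` is likewise an extra grant that the bare `# init_domtrans_script(domain)` header does not describe. The define's body continues past the end of this hunk.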
@@ -295,30 +246,17 @@ define(`init_domtrans_script',`
 	allow initrc_t $1:process sigchld;
 ')
 
-define(`init_domtrans_script_depend',`
-	type initrc_t, initrc_exec_t;
-
-	class file rx_file_perms;
-	class process { transition noatsecure siginh rlimitinh sigchld };
-	class fd use;
-	class fifo_file rw_file_perms;
-')
-
 ########################################
 #
 # init_exec_script(domain)
 #
 define(`init_exec_script',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type initrc_exec_t;
+	')
 
+	files_list_etc($1)
 	can_exec($1,initrc_exec_t)
-
-')
-
-define(`init_exec_script_depend',`
-	type initrc_exec_t;
-
-	class file { getattr read execute execute_no_trans };
 ')
 
 ########################################
@@ -332,8 +270,15 @@ define(`init_exec_script_depend',`
 ## </interface>
 #
 define(`init_read_script_process_state',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type initrc_t;
+		class dir r_dir_perms;
+		class file r_file_perms;
+		class lnk_file r_file_perms;
+		class process { getattr ptrace };
+	')
 
+	#FIXME: search proc dir
 	allow $1 initrc_t:dir r_dir_perms;
 	allow $1 initrc_t:{ file lnk_file } r_file_perms;
 	allow $1 initrc_t:process getattr;
@@ -345,78 +290,57 @@ define(`init_read_script_process_state',`
 	dontaudit $1 initrc_t:process ptrace;
 ')
 
-define(`init_read_script_process_state_depend',`
-	type initrc_t;
-
-	class dir r_dir_perms;
-	class file r_file_perms;
-	class lnk_file r_file_perms;
-	class process { getattr ptrace };
-')
-
 ########################################
 #
 # init_use_script_fd(domain)
 #
 define(`init_use_script_fd',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type initrc_t;
+		class fd use;
+	')
 
 	allow $1 initrc_t:fd use;
 ')
 
-define(`init_use_script_fd_depend',`
-	type initrc_t;
-
-	class fd use;
-')
-
 ########################################
 #
 # init_dontaudit_use_script_fd(domain)
 #
 define(`init_dontaudit_use_script_fd',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type initrc_t;
+		class fd use;
+	')
 
 	dontaudit $1 initrc_t:fd use;
 ')
 
-define(`init_dontaudit_use_script_fd_depend',`
-	type initrc_t;
-
-	class fd use;
-')
-
 ########################################
 #
 # init_get_script_process_group(domain)
 #
 define(`init_get_script_process_group',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type initrc_t;
+		class process getpgid;
+	')
 
 	allow $1 initrc_t:process getpgid;
 ')
 
-define(`init_get_script_process_group_depend',`
-	type initrc_t;
-
-	class process getpgid;
-')
-
 ########################################
 #
 # init_use_script_pty(domain)
 #
 define(`init_use_script_pty',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type initrc_devpts_t;
+		class chr_file rw_term_perms;
+	')
 
 	term_list_ptys($1)
-	allow $1 initrc_devpts_t:chr_file { getattr read write ioctl };
-')
-
-define(`init_use_script_pty_depend',`
-	type initrc_devpts_t;
-
-	class chr_file { getattr read write ioctl };
+	allow $1 initrc_devpts_t:chr_file rw_term_perms;
 ')
 
 ########################################
@@ -424,17 +348,14 @@ define(`init_use_script_pty_depend',`
 # init_dontaudit_use_script_pty(domain)
 #
 define(`init_dontaudit_use_script_pty',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type initrc_devpts_t;
+		class chr_file { read write ioctl };
+	')
 
 	dontaudit $1 initrc_devpts_t:chr_file { read write ioctl };
 ')
 
-define(`init_dontaudit_use_script_pty_depend',`
-	type initrc_devpts_t;
-
-	class chr_file { read write ioctl };
-')
-
 ########################################
 ## <interface name="init_rw_script_tmp_files">
 ##	<description>
@@ -446,82 +367,67 @@ define(`init_dontaudit_use_script_pty_depend',`
 ## </interface>
 #
 define(`init_rw_script_tmp_files',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type initrc_var_run_t;
+		class file rw_file_perms;
+	')
 
-	# FIXME: read tmp_t
+	# FIXME: read tmp_t dir
 	allow $1 initrc_tmp_t:file rw_file_perms;
 ')
 
-define(`init_rw_script_tmp_files_depend',`
-	type initrc_var_run_t;
-
-	class file rw_file_perms;
-')
-
 ########################################
 #
 # init_read_script_pid(domain)
 #
 define(`init_read_script_pid',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type initrc_var_run_t;
+		class file r_file_perms;
+	')
 
 	files_list_pids($1)
 	allow $1 initrc_var_run_t:file r_file_perms;
 ')
 
-define(`init_read_script_pid_depend',`
-	type initrc_var_run_t;
-
-	class file r_file_perms;
-')
-
 ########################################
 #
 # init_dontaudit_write_script_pid(domain)
 #
 define(`init_dontaudit_write_script_pid',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type initrc_var_run_t;
+		class file { write lock };
+	')
 
 	dontaudit $1 initrc_var_run_t:file { write lock };
 ')
 
-define(`init_dontaudit_write_script_pid_depend',`
-	type initrc_var_run_t;
-
-	class file { write lock };
-')
-
 ########################################
 #
 # init_rw_script_pid(domain)
 #
 define(`init_rw_script_pid',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type initrc_var_run_t;
+		class file rw_file_perms;
+	')
 
 	files_list_pids($1)
 	allow $1 initrc_var_run_t:file rw_file_perms;
 ')
 
-define(`init_rw_script_pid_depend',`
-	type initrc_var_run_t;
-
-	class file rw_file_perms;
-')
-
 ########################################
 #
 # init_dontaudit_rw_script_pid(domain)
 #
 define(`init_dontaudit_rw_script_pid',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type initrc_var_run_t;
+		class file rw_file_perms;
+	')
 
 	dontaudit $1 initrc_var_run_t:file { getattr read write append };
 ')
 
-define(`init_dontaudit_rw_script_pid_depend',`
-	type initrc_var_run_t;
-
-	class file rw_file_perms;
-')
-
 ## </module>
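Review bot: The gen_require block of init_rw_script_tmp_files declares `type initrc_var_run_t;` while the only rule in its body is `allow $1 initrc_tmp_t:file rw_file_perms;`, so the type the interface actually grants access to is never required and initrc_var_run_t is required for nothing; the require line should read `type initrc_tmp_t;`. The same mismatch was in the removed _depend macro, so it is carried over rather than introduced, but the inline rewrite is the right place to fix it. In the same hunk, init_dontaudit_rw_script_pid requires `class file rw_file_perms;` but its dontaudit names `{ getattr read write append }`; the require block should list the same permission set the rule uses so the two cannot drift apart.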
diff --git a/refpolicy/policy/modules/system/iptables.if b/refpolicy/policy/modules/system/iptables.if
index 6e6d6ce..b46ea3c 100644
--- a/refpolicy/policy/modules/system/iptables.if
+++ b/refpolicy/policy/modules/system/iptables.if
@@ -12,12 +12,15 @@
 ## </interface>
 #
 define(`iptables_domtrans',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type iptables_t, iptables_exec_t;
+		class process sigchld;
+		class fd use;
+		class fifo_file rw_file_perms;
+	')
 
-	allow $1 iptables_exec_t:file rx_file_perms;
-	allow $1 iptables_t:process transition;
-	type_transition $1 iptables_exec_t:process iptables_t;
-	dontaudit $1 iptables_t:process { noatsecure siginh rlimitinh };
+	corecmd_search_sbin($1)
+	domain_auto_trans($1,iptables_exec_t,iptables_t)
 
 	allow $1 iptables_t:fd use;
 	allow iptables_t $1:fd use;
@@ -25,15 +28,6 @@ define(`iptables_domtrans',`
 	allow iptables_t $1:process sigchld;
 ')
 
-define(`iptables_domtrans_depend',`
-	type iptables_t, iptables_exec_t;
-
-	class file rx_file_perms;
-	class process { transition noatsecure siginh rlimitinh sigchld };
-	class fd use;
-	class fifo_file rw_file_perms;
-')
-
 ########################################
 ## <interface name="iptables_run">
 ##	<description>
@@ -52,17 +46,14 @@ define(`iptables_domtrans_depend',`
 ## </interface>
 #
 define(`iptables_run',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type iptables_t;
+		class chr_file rw_term_perms;
+	')
 
 	iptables_domtrans($1)
 	role $2 types iptables_t;
-	allow iptables_t $3:chr_file { getattr read write ioctl };
-')
-
-define(`iptables_run_depend',`
-	type iptables_t;
-
-	class chr_file { getattr read write ioctl };
+	allow iptables_t $3:chr_file rw_term_perms;
 ')
 
 ########################################
@@ -76,16 +67,12 @@ define(`iptables_run_depend',`
 ## </interface>
 #
 define(`iptables_exec',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type iptables_exec_t;
+	')
 
+	corecmd_search_sbin($1)
 	can_exec($1,iptables_exec_t)
-
-')
-
-define(`iptables_exec_depend',`
-	type iptables_t, iptables_exec_t;
-
-	class file { getattr read execute execute_no_trans };
 ')
 
 ## </module>
diff --git a/refpolicy/policy/modules/system/libraries.if b/refpolicy/policy/modules/system/libraries.if
index 97207ff..2f7514e 100644
--- a/refpolicy/policy/modules/system/libraries.if
+++ b/refpolicy/policy/modules/system/libraries.if
@@ -12,8 +12,14 @@
 ## </interface>
 #
 define(`libs_domtrans_ldconfig',`
-	gen_require(`$0'_depend)
-
+	gen_require(`
+		type ldconfig_t, ldconfig_exec_t;
+		class process sigchld;
+		class fd use;
+		class fifo_file rw_file_perms;
+	')
+
+	corecmd_search_sbin($1)
 	domain_auto_trans($1,ldconfig_exec_t,ldconfig_t)
 
 	allow $1 ldconfig_t:fd use;
@@ -22,15 +28,6 @@ define(`libs_domtrans_ldconfig',`
 	allow ldconfig_t $1:process sigchld;
 ')
 
-define(`libs_domtrans_ldconfig_depend',`
-	type ldconfig_t, ldconfig_exec_t;
-
-	class file rx_file_perms;
-	class process { transition noatsecure siginh rlimitinh sigchld };
-	class fd use;
-	class fifo_file rw_file_perms;
-')
-
 ########################################
 ## <interface name="libs_run_ldconfig">
 ##	<description>
@@ -48,17 +45,14 @@ define(`libs_domtrans_ldconfig_depend',`
 ## </interface>
 #
 define(`libs_run_ldconfig',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type ldconfig_t;
+		class chr_file rw_term_perms;
+	')
 
 	libs_domtrans_ldconfig($1)
 	role $2 types ldconfig_t;
-	allow ldconfig_t $3:chr_file { getattr read write ioctl };
-')
-
-define(`libs_run_ldconfig_depend',`
-	type ldconfig_t;
-
-	class chr_file { getattr read write ioctl };
+	allow ldconfig_t $3:chr_file rw_term_perms;
 ')
 
 ########################################
@@ -73,9 +67,14 @@ define(`libs_run_ldconfig_depend',`
 ## </interface>
 #
 define(`libs_use_ld_so',`
-	gen_require(`$0'_depend)
-
-	files_read_generic_etc_files_directory($1)
+	gen_require(`
+		type lib_t, ld_so_t, ld_so_cache_t;
+		class dir r_dir_perms;
+		class lnk_file r_file_perms;
+		class file rx_file_perms;
+	')
+
+	files_list_etc($1)
 	allow $1 lib_t:dir r_dir_perms;
 	allow $1 lib_t:lnk_file r_file_perms;
 	allow $1 ld_so_t:lnk_file r_file_perms;
@@ -83,14 +82,6 @@ define(`libs_use_ld_so',`
 	allow $1 ld_so_cache_t:file r_file_perms;
 ')
 
-define(`libs_use_ld_so_depend',`
-	type lib_t, ld_so_t, ld_so_cache_t;
-
-	class dir r_dir_perms;
-	class lnk_file r_file_perms;
-	class file rx_file_perms;
-')
-
 ########################################
 ## <interface name="libs_legacy_use_ld_so">
 ##	<description>
@@ -103,19 +94,16 @@ define(`libs_use_ld_so_depend',`
 ## </interface>
 #
 define(`libs_legacy_use_ld_so',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type ld_so_t, ld_so_cache_t;
+		class file { execute execmod };
+	')
 
 	libs_use_ld_so($1)
 	allow $1 ld_so_t:file execmod;
 	allow $1 ld_so_cache_t:file execute;
 ')
 
-define(`libs_legacy_use_ld_so_depend',`
-	type ld_so_t, ld_so_cache_t;
-
-	class file { execute execmod };
-')
-
 ########################################
 ## <interface name="libs_exec_ld_so">
 ##	<description>
@@ -132,20 +120,16 @@ define(`libs_legacy_use_ld_so_depend',`
 ## </interface>
 #
 define(`libs_exec_ld_so',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type lib_t, ld_so_t;
+		class dir r_dir_perms;
+		class lnk_file r_file_perms;
+	')
 
 	allow $1 lib_t:dir r_dir_perms;
 	allow $1 lib_t:lnk_file r_file_perms;
 	allow $1 ld_so_t:lnk_file r_file_perms;
-	allow $1 ld_so_t:file { r_file_perms execute execute_no_trans };
-')
-
-define(`libs_exec_ld_so_depend',`
-	type lib_t, ld_so_t;
-
-	class dir r_dir_perms;
-	class lnk_file r_file_perms;
-	class file { r_file_perms execute execute_no_trans };
+	can_exec($1,ld_so_t)
 ')
 
 ########################################
@@ -160,16 +144,32 @@ define(`libs_exec_ld_so_depend',`
 ## </interface>
 #
 define(`libs_rw_ld_so_cache',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type ld_so_cache_t;
+		class file rw_file_perms;
+	')
 
-	files_read_generic_etc_files_directory($1)
+	files_list_etc($1)
 	allow $1 ld_so_cache_t:file rw_file_perms;
 ')
 
-define(`libs_rw_ld_so_cache_depend',`
-	type ld_so_cache_t;
+########################################
+## <interface name="libs_search_lib">
+##	<description>
+##		Search lib directories.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+## </interface>
+#
+define(`libs_search_lib',`
+	gen_require(`
+		type lib_t;
+		class dir search;
+	')
 
-	class file rw_file_perms;
+	allow $1 lib_t:dir search;
 ')
 
 ########################################
@@ -184,20 +184,18 @@ define(`libs_rw_ld_so_cache_depend',`
 ## </interface>
 #
 define(`libs_read_lib',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type lib_t;
+		class dir r_dir_perms;
+		class lnk_file r_file_perms;
+		class file r_file_perms;
+	')
 
+	files_search_usr($1)
 	allow $1 lib_t:dir r_dir_perms;
 	allow $1 lib_t:{ file lnk_file } r_file_perms;
 ')
 
-define(`libs_read_lib_depend',`
-	type lib_t;
-
-	class dir r_dir_perms;
-	class lnk_file r_file_perms;
-	class file r_file_perms;
-')
-
 ########################################
 ## <interface name="libs_exec_lib_files">
 ##	<description>
@@ -209,19 +207,16 @@ define(`libs_read_lib_depend',`
 ## </interface>
 #
 define(`libs_exec_lib_files',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type lib_t;
+		class dir r_dir_perms;
+		class lnk_file r_file_perms;
+	')
 
+	files_search_usr($1)
 	allow $1 lib_t:dir r_dir_perms;
 	allow $1 lib_t:lnk_file r_file_perms;
-	allow $1 lib_t:file { getattr read execute execute_no_trans };
-')
-
-define(`libs_exec_lib_files_depend',`
-	type lib_t;
-
-	class dir r_dir_perms;
-	class lnk_file r_file_perms;
-	class file { getattr read execute execute_no_trans };
+	can_exec($1,lib_t)
 ')
 
 ########################################
@@ -235,7 +230,12 @@ define(`libs_exec_lib_files_depend',`
 ## </interface>
 #
 define(`libs_use_shared_libs',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type lib_t, shlib_t, texrel_shlib_t;
+		class dir r_dir_perms;
+		class lnk_file r_file_perms;
+		class file rx_dir_perms;
+	')
 
 	files_search_usr($1)
 	allow $1 lib_t:dir r_dir_perms;
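Review bot: libs_use_shared_libs requires `class file rx_dir_perms;`, but the rule it guards, `allow $1 { shlib_t texrel_shlib_t }:file rx_file_perms;` (visible in the next hunk), uses rx_file_perms, and every other require block in this diff pairs the file class with a file-permission macro (for example `class file rx_file_perms;` in libs_use_ld_so). The require line looks like a copy-over of the old _depend typo and should be `class file rx_file_perms;`. The body of libs_use_shared_libs continues past the end of this hunk.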
@@ -244,14 +244,6 @@ define(`libs_use_shared_libs',`
 	allow $1 { shlib_t texrel_shlib_t }:file rx_file_perms;
 ')
 
-define(`libs_use_shared_libs_depend',`
-	type lib_t, shlib_t, texrel_shlib_t;
-
-	class dir r_dir_perms;
-	class lnk_file r_file_perms;
-	class file rx_dir_perms;
-')
-
 ########################################
 ## <interface name="libs_legacy_use_shared_libs">
 ##	<description>
@@ -264,16 +256,13 @@ define(`libs_use_shared_libs_depend',`
 ## </interface>
 #
 define(`libs_legacy_use_shared_libs',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type shlib_t, texrel_shlib_t;
+		class file execmod;
+	')
 
 	libs_use_shared_libs($1)
 	allow $1 { shlib_t texrel_shlib_t }:file execmod;
 ')
 
-define(`libs_legacy_use_shared_libs_depend',`
-	type shlib_t, texrel_shlib_t;
-
-	class file execmod;
-')
-
 ## </module>
diff --git a/refpolicy/policy/modules/system/locallogin.if b/refpolicy/policy/modules/system/locallogin.if
index 32f8bdd..ef30cb7 100644
--- a/refpolicy/policy/modules/system/locallogin.if
+++ b/refpolicy/policy/modules/system/locallogin.if
@@ -12,15 +12,13 @@
 ## </interface>
 #
 define(`locallogin_domtrans',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type local_login_t;
+	')
 
 	auth_domtrans_login_program($1,local_login_t)
 ')
 
-define(`locallogin_domtrans_depend',`
-	type local_login_t;
-')
-
 ########################################
 ## <interface name="locallogin_use_fd">
 ##     <description>
@@ -31,20 +29,13 @@ define(`locallogin_domtrans_depend',`
 ##     </parameter>
 ## </interface>
 #
-########################################
-#
-# locallogin_use_fd(domain)
-#
 define(`locallogin_use_fd',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type local_login_t;
+		class fd use;
+	')
 
 	allow $1 local_login_t:fd use;
 ')
 
-define(`locallogin_use_fd_depend',`
-	type local_login_t;
-
-	class fd use;
-')
-
 ## </module>
diff --git a/refpolicy/policy/modules/system/logging.if b/refpolicy/policy/modules/system/logging.if
index 39e0762..e7e4c4e 100644
--- a/refpolicy/policy/modules/system/logging.if
+++ b/refpolicy/policy/modules/system/logging.if
@@ -6,22 +6,23 @@
 # logging_log_file(domain)
 #
 define(`logging_log_file',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		attribute logfile;
+	')
 
 	files_file_type($1)
 	typeattribute $1 logfile;
 ')
 
-define(`logging_log_file_depend',`
-	attribute logfile;
-')
-
 ########################################
 #
 # logging_create_log(domain,privatetype,[class(es)])
 #
 define(`logging_create_log',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type var_log_t;
+		class dir rw_dir_perms;
+	')
 
 	allow $1 var_log_t:dir rw_dir_perms;
 
@@ -32,18 +33,18 @@ define(`logging_create_log',`
 	')
 ')
 
-define(`logging_create_log_depend',`
-	type var_log_t;
-
-	class dir rw_dir_perms;
-')
-
 #######################################
 #
 # logging_send_syslog_msg(domain)
 #
 define(`logging_send_syslog_msg',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type syslogd_t, devlog_t;
+		class lnk_file read;
+		class sock_file rw_file_perms;
+		class unix_dgram_socket { create_socket_perms sendto };
+		class unix_stream_socket { create_socket_perms connectto };
+	')
 
 	allow $1 devlog_t:lnk_file read;
 	allow $1 devlog_t:sock_file rw_file_perms;
@@ -58,14 +59,6 @@ define(`logging_send_syslog_msg',`
 	term_use_console($1)
 ')
 
-define(`logging_send_syslog_msg_depend',`
-	type syslogd_t, devlog_t;
-
-	class sock_file rw_file_perms;
-	class unix_dgram_socket { create_socket_perms sendto };
-	class unix_stream_socket { create_socket_perms connectto };
-')
-
 ########################################
 ## <interface name="logging_search_logs">
 ##	<description>
@@ -79,131 +72,108 @@ define(`logging_send_syslog_msg_depend',`
 ## </interface>
 #
 define(`logging_search_logs',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type var_log_t;
+		class dir search;
+	')
 
 	files_search_var($1)
 	allow $1 var_log_t:dir search;
 ')
 
-define(`logging_search_logs_depend',`
-	type var_log_t;
-
-	class dir search;
-')
-
 #######################################
 #
 # logging_dontaudit_getattr_all_logs(domain)
 #
 define(`logging_dontaudit_getattr_all_logs',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		attribute logfile;
+		class file getattr;
+	')
 
 	dontaudit $1 logfile:file getattr;
 ')
 
-define(`logging_dontaudit_getattr_all_logs_depend',`
-	attribute logfile;
-
-	class file getattr;
-')
-
 #######################################
 #
 # logging_append_all_logs(domain)
 #
 define(`logging_append_all_logs',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		attribute logfile;
+		type var_log_t;
+		class dir r_dir_perms;
+		class file { getattr append };
+	')
 
 	files_search_var($1)
 	allow $1 var_log_t:dir r_dir_perms;
 	allow $1 logfile:file { getattr append };
 ')
 
-define(`logging_append_all_logs_depend',`
-	attribute logfile;
-
-	type var_log_t;
-
-	class dir r_dir_perms;
-	class file { getattr append };
-')
-
 #######################################
 #
 # logging_read_all_logs(domain)
 #
 define(`logging_read_all_logs',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		attribute logfile;
+		type var_log_t;
+		class dir r_dir_perms;
+		class file r_file_perms;
+	')
 
 	files_search_var($1)
 	allow $1 var_log_t:dir r_dir_perms;
 	allow $1 logfile:file r_file_perms;
 ')
 
-define(`logging_read_all_logs_depend',`
-	attribute logfile;
-
-	type var_log_t;
-
-	class dir r_dir_perms;
-	class file r_file_perms;
-')
-
 #######################################
 #
 # logging_read_generic_logs(domain)
 #
 define(`logging_read_generic_logs',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type var_log_t;
+		class dir r_dir_perms;
+		class file r_file_perms;
+	')
 
 	files_search_var($1)
 	allow $1 var_log_t:dir r_dir_perms;
 	allow $1 var_log_t:file r_file_perms;
 ')
 
-define(`logging_read_generic_logs_depend',`
-	type var_log_t;
-
-	class dir r_dir_perms;
-	class file r_file_perms;
-')
-
 #######################################
 #
 # logging_write_generic_logs(domain)
 #
 define(`logging_write_generic_logs',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type var_log_t;
+		class dir r_dir_perms;
+		class file { getattr write };
+	')
 
 	files_search_var($1)
 	allow $1 var_log_t:dir r_dir_perms;
 	allow $1 var_log_t:file { getattr write };
 ')
 
-define(`logging_write_generic_logs_depend',`
-	type var_log_t;
-
-	class dir r_dir_perms;
-	class file { getattr write };
-')
-
 #######################################
 #
 # logging_rw_generic_logs(domain)
 #
 define(`logging_rw_generic_logs',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type var_log_t;
+		class dir r_dir_perms;
+		class file rw_file_perms;
+	')
 
 	files_search_var($1)
 	allow $1 var_log_t:dir r_dir_perms;
 	allow $1 var_log_t:file rw_file_perms;
 ')
 
-define(`logging_rw_generic_logs_depend',`
-	type var_log_t;
-
-	class dir r_dir_perms;
-	class file rw_file_perms;
-')
-
 ## </module>
diff --git a/refpolicy/policy/modules/system/lvm.if b/refpolicy/policy/modules/system/lvm.if
index c16b4bd..fb0c163 100644
--- a/refpolicy/policy/modules/system/lvm.if
+++ b/refpolicy/policy/modules/system/lvm.if
@@ -12,8 +12,14 @@
 ## </interface>
 #
 define(`lvm_domtrans',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type lvm_t, lvm_exec_t;
+		class process sigchld;
+		class fd use;
+		class fifo_file rw_file_perms;
+	')
 
+	corecmd_search_sbin($1)
 	domain_auto_trans($1, lvm_exec_t, lvm_t)
 
 	allow $1 lvm_t:fd use;
@@ -22,15 +28,6 @@ define(`lvm_domtrans',`
 	allow lvm_t $1:process sigchld;
 ')
 
-define(`lvm_domtrans_depend',`
-	type lvm_t, lvm_exec_t;
-
-	class file { getattr read execute };
-	class process { transition noatsecure siginh rlimitinh sigchld };
-	class fd use;
-	class fifo_file rw_file_perms;
-')
-
 ########################################
 ## <interface name="lvm_run">
 ##	<description>
@@ -48,17 +45,14 @@ define(`lvm_domtrans_depend',`
 ## </interface>
 #
 define(`lvm_run',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type lvm_t;
+		class chr_file rw_term_perms;
+	')
 
 	lvm_domtrans($1)
 	role $2 types lvm_t;
-	allow lvm_t $3:chr_file { getattr read write ioctl };
-')
-
-define(`lvm_run_depend',`
-	type lvm_t;
-
-	class chr_file { getattr read write ioctl };
+	allow lvm_t $3:chr_file rw_term_perms;
 ')
 
 ########################################
@@ -72,17 +66,15 @@ define(`lvm_run_depend',`
 ## </interface>
 #
 define(`lvm_read_config',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type lvm_t, lvm_exec_t;
+		class dir r_dir_perms;
+		class file r_file_perms;
+	')
 
+	files_search_etc($1)
 	allow $1 lvm_etc_t:dir r_dir_perms;
 	allow $1 lvm_etc_t:file r_file_perms;
 ')
 
-define(`lvm_read_config_depend',`
-	type lvm_t, lvm_exec_t;
-
-	class dir r_dir_perms;
-	class file r_file_perms;
-')
-
 ## </module>
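Review bot: lvm_read_config requires `type lvm_t, lvm_exec_t;` but both of its rules are on lvm_etc_t (`allow $1 lvm_etc_t:dir r_dir_perms;` and the matching file rule), so the type the interface uses is not declared in the require block and the two it does declare are unused there. The require line should be `type lvm_etc_t;`. This was already wrong in the removed lvm_read_config_depend macro, so the rewrite preserves the mistake rather than fixing it.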
diff --git a/refpolicy/policy/modules/system/miscfiles.if b/refpolicy/policy/modules/system/miscfiles.if
index 31c9495..d8d8c60 100644
--- a/refpolicy/policy/modules/system/miscfiles.if
+++ b/refpolicy/policy/modules/system/miscfiles.if
@@ -7,77 +7,69 @@
 ##             Allow process to create files and dirs in /var/cache/man
 ##             and /var/catman/
 ##     </description>
-##      <securitydesc>
-##              ...
-##      </securitydesc>
 ##     <parameter name="domain">
 ##             Type type of the process performing this action.
 ##     </parameter>
 ## </interface>
 #
 define(`miscfiles_rw_man_cache',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type catman_t;
+		class dir create_dir_perms;
+		class file create_file_perms;
+	')
 
-	# FIXME: search var_t dir
+	files_search_var($1)
 	allow $1 catman_t:dir create_dir_perms;
 	allow $1 catman_t:file create_file_perms;
 ')
 
-define(`miscfiles_rw_man_cache_depend',`
-	type catman_t;
-
-	class dir create_dir_perms;
-	class file create_file_perms;
-')
-
 ########################################
 ## <interface name="miscfiles_read_fonts">
 ##     <description>
 ##             Allow process to read fonts files
 ##     </description>
-##      <securitydesc>
-##              ...
-##      </securitydesc>
 ##     <parameter name="domain">
 ##             Type type of the process performing this action.
 ##     </parameter>
 ## </interface>
 #
 define(`miscfiles_read_fonts',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type fonts_t;
+		class dir r_dir_perms;
+		class file r_file_perms;
+	')
+
+	files_search_usr($1)
+	libs_search_lib($1)
 
-	# FIXME: search usr_t dir
-	# FIXME: search lib_t dir
 	# cjp: fonts can be in either of the above dirs
 	allow $1 fonts_t:dir r_dir_perms;
 	allow $1 fonts_t:file r_file_perms;
 ')
 
-define(`miscfiles_read_fonts_depend',`
-	type fonts_t;
-
-	class dir r_dir_perms;
-	class file r_file_perms;
-')
-
 ########################################
 ## <interface name="miscfiles_read_localization">
 ##     <description>
 ##             Allow process to read localization info
 ##     </description>
-##      <securitydesc>
-##              ...
-##      </securitydesc>
 ##     <parameter name="domain">
 ##             Type type of the process performing this action.
 ##     </parameter>
 ## </interface>
 #
 define(`miscfiles_read_localization',`
-	gen_require(`$0'_depend)
-
+	gen_require(`
+		type locale_t;
+		class dir r_dir_perms;
+		class lnk_file r_file_perms;
+		class file r_file_perms;
+	')
+
+	files_search_etc($1)
 	# FIXME: $1 read etc_t:lnk_file here
-	# FIXME: $1 search usr_t:dir here
+	files_search_usr($1)
 	allow $1 locale_t:dir r_dir_perms;
 	allow $1 locale_t:lnk_file r_file_perms;
 	allow $1 locale_t:file r_file_perms;
@@ -86,68 +78,48 @@ define(`miscfiles_read_localization',`
 	libs_read_lib($1)
 ')
 
-define(`miscfiles_read_localization_depend',`
-	type locale_t;
-
-	class dir r_dir_perms;
-	class lnk_file r_file_perms;
-	class file r_file_perms;
-')
-
 ########################################
 ## <interface name="miscfiles_legacy_read_localization">
 ##     <description>
 ##             Allow process to read legacy time localization info
 ##     </description>
-##      <securitydesc>
-##              ...
-##      </securitydesc>
 ##     <parameter name="domain">
 ##             Type type of the process performing this action.
 ##     </parameter>
 ## </interface>
 #
 define(`miscfiles_legacy_read_localization',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type locale_t;
+		class file execute;
+	')
 
 	miscfiles_read_localization($1)
 	allow $1 locale_t:file execute;
 ')
 
-define(`miscfiles_read_localization_depend',`
-	type locale_t;
-
-	class file execute;
-')
-
 ########################################
 ## <interface name="miscfiles_read_man_pages">
 ##     <description>
 ##             Allow process to read manpages
 ##     </description>
-##      <securitydesc>
-##              ...
-##      </securitydesc>
 ##     <parameter name="domain">
 ##             Type type of the process performing this action.
 ##     </parameter>
 ## </interface>
 #
 define(`miscfiles_read_man_pages',`
-	gen_require(`$0'_depend)
-
-	# FIXME: search usr_t dir
+	gen_require(`
+		type man_t;
+		class dir r_dir_perms;
+		class file r_file_perms;
+		class lnk_file r_file_perms;
+	')
+
+	files_search_usr($1)
 	allow $1 man_t:dir r_dir_perms;
 	allow $1 man_t:file r_file_perms;
 	allow $1 man_t:lnk_file r_file_perms;
 ')
 
-define(`miscfiles_read_man_pages_depend',`
-	type man_t;
-
-	class dir r_dir_perms;
-	class file r_file_perms;
-	class lnk_file r_file_perms;
-')
-
 ## </module>
diff --git a/refpolicy/policy/modules/system/modutils.if b/refpolicy/policy/modules/system/modutils.if
index 32d2e84..c4cefed 100644
--- a/refpolicy/policy/modules/system/modutils.if
+++ b/refpolicy/policy/modules/system/modutils.if
@@ -12,19 +12,15 @@
 ## </interface>
 #
 define(`modutils_read_kernel_module_dependencies',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type modules_dep_t;
+		class file r_file_perms;
+	')
 
 	bootloader_list_kernel_modules($1)
 	allow $1 modules_dep_t:file r_file_perms;
 ')
 
-define(`modutils_read_kernel_module_dependencies_depend',`
-	type modules_dep_t;
-
-	class file { getattr create read write setattr unlink };
-	class dir { search read write add_name remove_name };
-')
-
 ########################################
 ## <interface name="modutils_read_module_conf">
 ##	<description>
@@ -37,22 +33,23 @@ define(`modutils_read_kernel_module_dependencies_depend',`
 ## </interface>
 #
 define(`modutils_read_module_conf',`
-	gen_require(`$0'_depend)
-
-	allow $1 modules_conf_t:file r_file_perms;
-')
+	gen_require(`
+		type modules_conf_t;
+		class file r_file_perms;
+	')
 
-define(`modutils_read_module_conf_depend',`
-	type modules_conf_t;
+	# This file type can be in /etc or
+	# /lib(64)?/modules
+	files_search_etc($1)
+	bootloader_search_boot_dir($1)
 
-	class file r_file_perms;
+	allow $1 modules_conf_t:file r_file_perms;
 ')
 
 ########################################
 ## <interface name="modutils_domtrans_insmod">
 ##	<description>
-##		Execute insmod in the insmod domain.  Has a
-##		sigchld backchannel.
+##		Execute insmod in the insmod domain.
 ##	</description>
 ##	<parameter name="domain">
 ##		The type of the process performing this action.
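Review bot: The new comment in modutils_read_module_conf says the config type "can be in /etc or /lib(64)?/modules", but the directory search that follows `files_search_etc($1)` is `bootloader_search_boot_dir($1)`, which by its name covers the boot directory rather than the modules directory. If the second location really is the kernel modules tree, the interface this file already uses for it, `bootloader_list_kernel_modules($1)` (called in modutils_read_kernel_module_dependencies above), or a search-only variant of it, would match the comment; otherwise the comment should be corrected to name the directory that is actually searched.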
@@ -60,8 +57,14 @@ define(`modutils_read_module_conf_depend',`
 ## </interface>
 #
 define(`modutils_domtrans_insmod',`
-	gen_require(`$0'_depend)
-
+	gen_require(`
+		type insmod_t, insmod_exec_t;
+		class process sigchld;
+		class fd use;
+		class fifo_file rw_file_perms;
+	')
+
+	corecmd_search_sbin($1)
 	domain_auto_trans($1, insmod_exec_t, insmod_t)
 
 	allow $1 insmod_t:fd use;
@@ -70,15 +73,6 @@ define(`modutils_domtrans_insmod',`
 	allow insmod_t $1:process sigchld;
 ')
 
-define(`modutils_domtrans_insmod_depend',`
-	type insmod_t;
-
-	class file { getattr read execute };
-	class process { transition noatsecure siginh rlimitinh sigchld };
-	class fd use;
-	class fifo_file rw_file_perms;
-')
-
 ########################################
 ## <interface name="modutils_run_insmod">
 ##	<description>
@@ -99,17 +93,14 @@ define(`modutils_domtrans_insmod_depend',`
 ## </interface>
 #
 define(`modutils_run_insmod',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type insmod_t;
+		class chr_file rw_term_perms;
+	')
 
 	modutils_domtrans_insmod($1)
 	role $2 types insmod_t;
-	allow insmod_t $3:chr_file { getattr read write ioctl };
-')
-
-define(`modutils_run_insmod_depend',`
-	type insmod_t;
-
-	class chr_file { getattr read write ioctl };
+	allow insmod_t $3:chr_file rw_term_perms;
 ')
 
 ########################################
@@ -117,17 +108,14 @@ define(`modutils_run_insmod_depend',`
 # modutils_exec_insmod(domain)
 #
 define(`modutils_exec_insmod',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type insmod_t;
+	')
 
+	corecmd_search_sbin($1)
 	can_exec($1, insmod_exec_t)
 ')
 
-define(`modutils_exec_insmod_depend',`
-	type insmod_t;
-
-	class file { getattr read execute execute_no_trans };
-')
-
 ########################################
 ## <interface name="modutils_domtrans_depmod">
 ##	<description>
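Review bot: modutils_exec_insmod requires `type insmod_t;` but its only rule is `can_exec($1, insmod_exec_t)`, so the type that is executed is not in the require block while the domain type that is listed is unused. The require line should be `type insmod_exec_t;`. The same pattern appears in modutils_exec_depmod (requires depmod_t, executes depmod_exec_t) and modutils_exec_update_mods (requires update_modules_t, executes update_modules_exec_t) later in this file; the old _depend macros had the same mismatch, so this is carried over rather than new.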
@@ -139,8 +127,14 @@ define(`modutils_exec_insmod_depend',`
 ## </interface>
 #
 define(`modutils_domtrans_depmod',`
-	gen_require(`$0'_depend)
-
+	gen_require(`
+		type depmod_t, depmod_exec_t;
+		class process sigchld;
+		class fd use;
+		class fifo_file rw_file_perms;
+	')
+
+	corecmd_search_sbin($1)
 	domain_auto_trans($1, depmod_exec_t, depmod_t)
 
 	allow $1 depmod_t:fd use;
@@ -149,15 +143,6 @@ define(`modutils_domtrans_depmod',`
 	allow depmod_t $1:process sigchld;
 ')
 
-define(`modutils_domtrans_depmod_depend',`
-	type depmod_t;
-
-	class file { getattr read execute };
-	class process { transition noatsecure siginh rlimitinh sigchld };
-	class fd use;
-	class fifo_file rw_file_perms;
-')
-
 ########################################
 ## <interface name="modutils_run_depmod">
 ##	<description>
@@ -175,17 +160,14 @@ define(`modutils_domtrans_depmod_depend',`
 ## </interface>
 #
 define(`modutils_run_depmod',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type depmod_t;
+		class chr_file rw_term_perms;
+	')
 
 	modutils_domtrans_depmod($1)
 	role $2 types insmod_t;
-	allow insmod_t $3:chr_file { getattr read write ioctl };
-')
-
-define(`modutils_run_depmod_depend',`
-	type depmod_t;
-
-	class chr_file { getattr read write ioctl };
+	allow insmod_t $3:chr_file rw_term_perms;
 ')
 
 ########################################
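Review bot: modutils_run_depmod transitions into depmod via modutils_domtrans_depmod and requires `type depmod_t;`, but the role authorization and the terminal rule name the wrong domain: `role $2 types insmod_t;` and `allow insmod_t $3:chr_file rw_term_perms;`. As written the caller's role is never authorized for depmod_t, so the transition cannot complete for that role, and the terminal access is granted to insmod_t instead of the depmod domain. Both lines should use depmod_t: `role $2 types depmod_t;` and `allow depmod_t $3:chr_file rw_term_perms;`. The insmod_t lines were already present before this commit, but the rewrite touched the allow line without correcting the type.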
@@ -193,17 +175,14 @@ define(`modutils_run_depmod_depend',`
 # modutils_exec_depmod(domain)
 #
 define(`modutils_exec_depmod',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type depmod_t;
+	')
 
+	corecmd_search_sbin($1)
 	can_exec($1, depmod_exec_t)
 ')
 
-define(`modutils_exec_depmod_depend',`
-	type depmod_t;
-
-	class file { getattr read execute execute_no_trans };
-')
-
 ########################################
 ## <interface name="modutils_domtrans_update_mods">
 ##	<description>
@@ -215,8 +194,14 @@ define(`modutils_exec_depmod_depend',`
 ## </interface>
 #
 define(`modutils_domtrans_update_mods',`
-	gen_require(`$0'_depend)
-
+	gen_require(`
+		type update_modules_t, update_modules_exec_t;
+		class process signal;
+		class fd use;
+		class fifo_file rw_file_perms;
+	')
+
+	corecmd_search_sbin($1)
 	domain_auto_trans($1, update_modules_exec_t, update_modules_t)
 
 	allow $1 update_modules_t:fd use;
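Review bot: The require block of modutils_domtrans_update_mods declares `class process signal;`, but the process rule in this interface is `allow update_modules_t $1:process sigchld;` (visible at the start of the next hunk), so the permission that is required is not the one used and the one used is not required. The other domtrans interfaces in this commit (insmod, depmod, iptables, ldconfig, lvm, mount) all declare `class process sigchld;`; this one should match: `class process sigchld;`. The old _depend macro carried the same `signal` entry. The body of this define continues past the end of the hunk.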
@@ -225,15 +210,6 @@ define(`modutils_domtrans_update_mods',`
 	allow update_modules_t $1:process sigchld;
 ')
 
-define(`modutils_domtrans_update_mods_depend',`
-	type update_modules_t;
-
-	class file { getattr read execute };
-	class process { transition noatsecure siginh rlimitinh signal };
-	class fd use;
-	class fifo_file rw_file_perms;
-')
-
 ########################################
 ## <interface name="modutils_run_update_mods">
 ##	<description>
@@ -251,17 +227,14 @@ define(`modutils_domtrans_update_mods_depend',`
 ## </interface>
 #
 define(`modutils_run_update_mods',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type update_modules_t;
+		class chr_file rw_term_perms;
+	')
 
 	modutils_domtrans_update_mods($1)
 	role $2 types update_modules_t;
-	allow update_modules_t $3:chr_file rw_file_perms;
-')
-
-define(`modutils_run_update_mods_depend',`
-	type update_modules_t;
-
-	class chr_file rw_file_perms;
+	allow update_modules_t $3:chr_file rw_term_perms;
 ')
 
 ########################################
@@ -269,15 +242,12 @@ define(`modutils_run_update_mods_depend',`
 # modutils_exec_update_mods(domain)
 #
 define(`modutils_exec_update_mods',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type update_modules_t;
+	')
 
+	corecmd_search_sbin($1)
 	can_exec($1, update_modules_exec_t)
 ')
 
-define(`modutils_exec_update_mods_depend',`
-	type update_modules_t;
-
-	class file { getattr read execute execute_no_trans };
-')
-
 ## </module>
diff --git a/refpolicy/policy/modules/system/mount.if b/refpolicy/policy/modules/system/mount.if
index 31712a2..ac8cd49 100644
--- a/refpolicy/policy/modules/system/mount.if
+++ b/refpolicy/policy/modules/system/mount.if
@@ -12,12 +12,14 @@
 ## </interface>
 #
 define(`mount_domtrans',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type mount_t, mount_exec_t;
+		class process sigchld;
+		class fd use;
+		class fifo_file rw_file_perms;
+	')
 
-	allow $1 mount_exec_t:file rx_file_perms;
-	allow $1 mount_t:process transition;
-	type_transition $1 mount_exec_t:process mount_t;
-	dontaudit $1 mount_t:process { noatsecure siginh rlimitinh };
+	domain_auto_trans($1,mount_exec_t,mount_t)
 
 	allow $1 mount_t:fd use;
 	allow mount_t $1:fd use;
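Review bot: mount_domtrans is rewritten onto domain_auto_trans exactly like iptables_domtrans, libs_domtrans_ldconfig, lvm_domtrans and the modutils domtrans interfaces in this commit, but it is the only one of them that does not also add a search permission on the directory holding the executable (the others gained `corecmd_search_sbin($1)`). If that omission is deliberate because the caller is expected to already reach the directory, a one-line comment saying so would stop the next reviewer from "fixing" it; otherwise the same `corecmd_search_sbin($1)` call, or the bin-directory equivalent if mount_exec_t is not under an sbin path, should precede `domain_auto_trans($1,mount_exec_t,mount_t)`. The body of mount_domtrans continues past the end of this hunk.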
@@ -25,15 +27,6 @@ define(`mount_domtrans',`
 	allow mount_t $1:process sigchld;
 ')
 
-define(`mount_domtrans_depend',`
-	type mount_t, mount_exec_t;
-
-	class file rx_file_perms;
-	class process { transition noatsecure siginh rlimitinh sigchld };
-	class fd use;
-	class fifo_file rw_file_perms;
-')
-
 ########################################
 ## <interface name="mount_run">
 ##	<description>
@@ -53,19 +46,16 @@ define(`mount_domtrans_depend',`
 ## </interface>
 #
 define(`mount_run',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type mount_t;
+		class chr_file rw_file_perms;
+	')
 
 	mount_domtrans($1)
 	role $2 types mount_t;
 	allow mount_t $3:chr_file rw_file_perms;
 ')
 
-define(`mount_run_depend',`
-	type mount_t;
-
-	class chr_file rw_file_perms;
-')
-
 ########################################
 ## <interface name="mount_use_fd">
 ##     <description>
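Review bot: `mount_run` keeps `rw_file_perms` on the `$3:chr_file` terminal rule and in its gen_require, while every other `*_run_*` interface touched by this commit — `modutils_run_update_mods`, `seutil_run_checkpol`, `seutil_run_loadpol`, `seutil_run_newrole`, `sysnet_run_ifconfig` and the rest — was switched to `rw_term_perms`. A terminal device should get the terminal permission set rather than the generic file set, so either this is an oversight or mount needs a comment saying why it differs. Suggested: `class chr_file rw_term_perms;` in the require block and `allow mount_t $3:chr_file rw_term_perms;` in the body.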
@@ -77,17 +67,14 @@ define(`mount_run_depend',`
 ## </interface>
 #
 define(`mount_use_fd',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type mount_t;
+		class fd use;
+	')
 
 	allow $1 mount_t:fd use; 
 ')
 
-define(`mount_use_fd_depend',`
-	type mount_t;
-
-	class fd use;
-')
-
 ########################################
 ## <interface name="mount_send_nfs_client_request">
 ##     <description>
@@ -100,15 +87,12 @@ define(`mount_use_fd_depend',`
 ## </interface>
 #
 define(`mount_send_nfs_client_request',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type mount_t;
+		class udp_socket rw_socket_perms;
+	')
 
 	allow $1 mount_t:udp_socket rw_socket_perms;
 ')
 
-define(`mount_send_nfs_client_request_depend',`
-	type mount_t;
-
-	class udp_socket rw_socket_perms;
-')
-
 ## </module>
diff --git a/refpolicy/policy/modules/system/selinuxutil.if b/refpolicy/policy/modules/system/selinuxutil.if
index c201b4f..6183f14 100644
--- a/refpolicy/policy/modules/system/selinuxutil.if
+++ b/refpolicy/policy/modules/system/selinuxutil.if
@@ -12,12 +12,16 @@
 ## </interface>
 #
 define(`seutil_domtrans_checkpol',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type checkpolicy_t, checkpolicy_exec_t;
+		class process sigchld;
+		class fd use;
+		class fifo_file rw_file_perms;
+	')
 
-	allow $1 checkpolicy_exec_t:file rx_file_perms;
-	allow $1 checkpolicy_t:process transition;
-	type_transition $1 checkpolicy_exec_t:process checkpolicy_t;
-	dontaudit $1 checkpolicy_t:process { noatsecure siginh rlimitinh };
+	files_search_usr($1)
+	corecmd_search_bin($1)
+	domain_auto_trans($1,checkpolicy_exec_t,checkpolicy_t)
 
 	allow $1 checkpolicy_t:fd use;
 	allow checkpolicy_t $1:fd use;
@@ -25,15 +29,6 @@ define(`seutil_domtrans_checkpol',`
 	allow checkpolicy_t $1:process sigchld;
 ')
 
-define(`seutil_domtrans_checkpol_depend',`
-	type checkpolicy_t, checkpolicy_exec_t;
-
-	class file rx_file_perms
-	class process { transition noatsecure siginh rlimitinh sigchld sigchld };
-	class fd use;
-	class fifo_file rw_file_perms;
-')
-
 ########################################
 ## <interface name="seutil_run_checkpol">
 ##	<description>
@@ -54,17 +49,14 @@ define(`seutil_domtrans_checkpol_depend',`
 ## </interface>
 #
 define(`seutil_run_checkpol',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type checkpolicy_t;
+		class chr_file rw_term_perms;
+	')
 
 	seutil_domtrans_checkpol($1)
 	role $2 types checkpolicy_t;
-	allow checkpolicy_t $3:chr_file { getattr read write ioctl };
-')
-
-define(`seutil_run_checkpol_depend',`
-	type checkpolicy_t;
-
-	class chr_file { getattr read write ioctl };
+	allow checkpolicy_t $3:chr_file rw_term_perms;
 ')
 
 #######################################
@@ -72,17 +64,15 @@ define(`seutil_run_checkpol_depend',`
 # seutil_exec_checkpol(domain)
 #
 define(`seutil_exec_checkpol',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type checkpolicy_exec_t;
+	')
 
+	files_search_usr($1)
+	corecmd_search_bin($1)
 	can_exec($1,checkpolicy_exec_t)
 ')
 
-define(`seutil_exec_checkpol_depend',`
-	type checkpolicy_exec_t;
-
-	class file { rx_file_perms execute_no_trans };
-')
-
 #######################################
 ## <interface name="seutil_domtrans_loadpol">
 ##	<description>
@@ -94,12 +84,15 @@ define(`seutil_exec_checkpol_depend',`
 ## </interface>
 #
 define(`seutil_domtrans_loadpol',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type load_policy_t, load_policy_exec_t;
+		class process sigchld;
+		class fd use;
+		class fifo_file rw_file_perms;
+	')
 
-	allow $1 load_policy_exec_t:file rx_file_perms;
-	allow $1 load_policy_t:process transition;
-	type_transition $1 load_policy_exec_t:process load_policy_t;
-	dontaudit $1 load_policy_t:process { noatsecure siginh rlimitinh };
+	corecmd_search_sbin($1)
+	domain_auto_trans($1,load_policy_exec_t,load_policy_t)
 
 	allow $1 load_policy_t:fd use;
 	allow load_policy_t $1:fd use;
@@ -107,15 +100,6 @@ define(`seutil_domtrans_loadpol',`
 	allow load_policy_t $1:process sigchld;
 ')
 
-define(`seutil_domtrans_loadpol_depend',`
-	type load_policy_t, load_policy_exec_t;
-
-	class file rx_file_perms;
-	class process { transition noatsecure siginh rlimitinh sigchld };
-	class fd use;
-	class fifo_file rw_file_perms;
-')
-
 ########################################
 ## <interface name="seutil_run_loadpol">
 ##	<description>
@@ -136,17 +120,14 @@ define(`seutil_domtrans_loadpol_depend',`
 ## </interface>
 #
 define(`seutil_run_loadpol',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type load_policy_t;
+		class chr_file rw_term_perms;
+	')
 
 	seutil_domtrans_loadpol($1)
 	role $2 types load_policy_t;
-	allow load_policy_t $3:chr_file { getattr read write ioctl };
-')
-
-define(`seutil_run_loadpol_depend',`
-	type load_policy_t;
-
-	class chr_file { getattr read write ioctl };
+	allow load_policy_t $3:chr_file rw_term_perms;
 ')
 
 #######################################
@@ -154,33 +135,28 @@ define(`seutil_run_loadpol_depend',`
 # seutil_exec_loadpol(domain)
 #
 define(`seutil_exec_loadpol',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type load_policy_exec_t;
+	')
 
+	corecmd_search_sbin($1)
 	can_exec($1,load_policy_exec_t)
 ')
 
-define(`seutil_exec_loadpol_depend',`
-	type load_policy_exec_t;
-
-	class file { rx_file_perms execute_no_trans };
-')
-
 #######################################
 #
 # seutil_read_loadpol(domain)
 #
 define(`seutil_read_loadpol',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type load_policy_exec_t;
+		class file r_file_perms
+	')
 
+	corecmd_search_sbin($1)
 	allow $1 load_policy_exec_t:file r_file_perms;
 ')
 
-define(`seutil_read_loadpol_depend',`
-	type load_policy_exec_t;
-
-	class file r_file_perms
-')
-
 #######################################
 ## <interface name="seutil_domtrans_newrole">
 ##	<description>
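Review bot: In `seutil_read_loadpol` the new require line `class file r_file_perms` has no terminating semicolon, unlike every other entry in the gen_require blocks this commit writes. The removed `_depend` macro carried the same omission, so the hunk preserves a syntax slip rather than introducing it, but now that the requirement is inline this is the only place to correct it. Change it to `class file r_file_perms;`.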
@@ -192,12 +168,16 @@ define(`seutil_read_loadpol_depend',`
 ## </interface>
 #
 define(`seutil_domtrans_newrole',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type newrole_t, newrole_exec_t;
+		class process sigchld;
+		class fd use;
+		class fifo_file rw_file_perms;
+	')
 
-	allow $1 newrole_exec_t:file rx_file_perms;
-	allow $1 newrole_t:process transition;
-	type_transition $1 newrole_exec_t:process newrole_t;
-	dontaudit $1 newrole_t:process { noatsecure siginh rlimitinh };
+	files_search_usr($1)
+	corecmd_search_bin($1)
+	domain_auto_trans($1,newrole_exec_t,newrole_t)
 
 	allow $1 newrole_t:fd use;
 	allow newrole_t $1:fd use;
@@ -205,15 +185,6 @@ define(`seutil_domtrans_newrole',`
 	allow newrole_t $1:process sigchld;
 ')
 
-define(`seutil_domtrans_newrole_depend',`
-	type newrole_t, newrole_exec_t;
-
-	class file rx_file_perms;
-	class process { transition noatsecure siginh rlimitinh sigchld };
-	class fd use;
-	class fifo_file rw_file_perms;
-')
-
 ########################################
 ## <interface name="seutil_run_newrole">
 ##	<description>
@@ -233,17 +204,14 @@ define(`seutil_domtrans_newrole_depend',`
 ## </interface>
 #
 define(`seutil_run_newrole',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type newrole_t;
+		class chr_file rw_term_perms;
+	')
 
 	seutil_domtrans_newrole($1)
 	role $2 types newrole_t;
-	allow newrole_t $3:chr_file { getattr read write ioctl };
-')
-
-define(`seutil_run_newrole_depend',`
-	type newrole_t;
-
-	class chr_file { getattr read write ioctl };
+	allow newrole_t $3:chr_file rw_term_perms;
 ')
 
 #######################################
@@ -251,17 +219,15 @@ define(`seutil_run_newrole_depend',`
 # seutil_exec_newrole(domain)
 #
 define(`seutil_exec_newrole',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type newrole_t, newrole_exec_t;
+	')
 
+	files_search_usr($1)
+	corecmd_search_bin($1)
 	can_exec($1,newrole_exec_t)
 ')
 
-define(`seutil_exec_newrole_depend',`
-	type newrole_t, newrole_exec_t;
-
-	class file { rx_file_perms execute_no_trans };
-')
-
 ########################################
 ## <interface name="seutil_dontaudit_newrole_signal">
 ##	<description>
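Review bot: The gen_require of `seutil_exec_newrole` lists `type newrole_t, newrole_exec_t;`, but the body (`files_search_usr`, `corecmd_search_bin`, `can_exec($1,newrole_exec_t)`) only references `newrole_exec_t`; the sibling `seutil_exec_checkpol` and `seutil_exec_loadpol` in this same commit require only the exec type. `seutil_exec_restorecon` has the same surplus `restorecon_t` requirement. Trim both to the exec type, e.g. `type newrole_exec_t;`, so each require block states exactly what the interface depends on.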
@@ -274,49 +240,40 @@ define(`seutil_exec_newrole_depend',`
 ## </interface>
 #
 define(`seutil_dontaudit_newrole_signal',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type newrole_t;
+		class process signal;
+	')
 
 	dontaudit $1 newrole_t:process signal;
 ')
 
-define(`seutil_dontaudit_newrole_signal_depend',`
-	type newrole_t;
-
-	class process signal;
-')
-
 #######################################
 #
 # seutil_newrole_sigchld(domain)
 #
 define(`seutil_newrole_sigchld',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type newrole_t;
+		class process sigchld;
+	')
 
 	allow $1 newrole_t:process sigchld;
 ')
 
-define(`seutil_newrole_sigchld_depend',`
-	type newrole_t;
-
-	class process sigchld;
-')
-
 #######################################
 #
 # seutil_use_newrole_fd(domain)
 #
 define(`seutil_use_newrole_fd',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type newrole_t;
+		class fd use;
+	')
 
 	allow $1 newrole_t:fd use;
 ')
 
-define(`seutil_use_newrole_fd_depend',`
-	type newrole_t;
-
-	class fd use;
-')
-
 #######################################
 ## <interface name="seutil_domtrans_restorecon">
 ##	<description>
@@ -328,12 +285,15 @@ define(`seutil_use_newrole_fd_depend',`
 ## </interface>
 #
 define(`seutil_domtrans_restorecon',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type restorecon_t, restorecon_exec_t;
+		class process sigchld;
+		class fd use;
+		class fifo_file rw_file_perms;
+	')
 
-	allow $1 restorecon_exec_t:file rx_file_perms;
-	allow $1 restorecon_t:process transition;
-	type_transition $1 restorecon_exec_t:process restorecon_t;
-	dontaudit $1 restorecon_t:process { noatsecure siginh rlimitinh };
+	corecmd_search_sbin($1)
+	domain_auto_trans($1,restorecon_exec_t,restorecon_t)
 
 	allow $1 restorecon_t:fd use;
 	allow restorecon_t $1:fd use;
@@ -341,15 +301,6 @@ define(`seutil_domtrans_restorecon',`
 	allow restorecon_t $1:process sigchld;
 ')
 
-define(`seutil_domtrans_restorecon_depend',`
-	type restorecon_t, restorecon_exec_t;
-
-	class file rx_file_perms;
-	class process { transition noatsecure siginh rlimitinh sigchld };
-	class fd use;
-	class fifo_file rw_file_perms;
-')
-
 ########################################
 ## <interface name="seutil_run_restorecon">
 ##	<description>
@@ -369,17 +320,14 @@ define(`seutil_domtrans_restorecon_depend',`
 ## </interface>
 #
 define(`seutil_run_restorecon',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type restorecon_t;
+		class chr_file rw_term_perms;
+	')
 
 	seutil_domtrans_restorecon($1)
 	role $2 types restorecon_t;
-	allow restorecon_t $3:chr_file { getattr read write ioctl };
-')
-
-define(`seutil_run_restorecon_depend',`
-	type restorecon_t;
-
-	class chr_file { getattr read write ioctl };
+	allow restorecon_t $3:chr_file rw_term_perms;
 ')
 
 #######################################
@@ -387,14 +335,12 @@ define(`seutil_run_restorecon_depend',`
 # seutil_exec_restorecon(domain)
 #
 define(`seutil_exec_restorecon',`
-gen_require(`$0'_depend)
-	can_exec($1,restorecon_exec_t)
-')
-
-define(`seutil_exec_restorecon_depend',`
-	type restorecon_t, restorecon_exec_t;
+	gen_require(`
+		type restorecon_t, restorecon_exec_t;
+	')
 
-	class file { rx_file_perms execute_no_trans };
+	corecmd_search_sbin($1)
+	can_exec($1,restorecon_exec_t)
 ')
 
 ########################################
@@ -408,12 +354,16 @@ define(`seutil_exec_restorecon_depend',`
 ## </interface>
 #
 define(`seutil_domtrans_runinit',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type run_init_t, run_init_exec_t;
+		class process sigchld;
+		class fd use;
+		class fifo_file rw_file_perms;
+	')
 
-	allow $1 run_init_exec_t:file rx_file_perms;
-	allow $1 run_init_t:process transition;
-	type_transition $1 run_init_exec_t:process run_init_t;
-	dontaudit $1 run_init_t:process { noatsecure siginh rlimitinh };
+	files_search_usr($1)
+	corecmd_search_sbin($1)
+	domain_auto_trans($1,run_init_exec_t,run_init_t)
 
 	allow $1 run_init_t:fd use;
 	allow run_init_t $1:fd use;
@@ -421,15 +371,6 @@ define(`seutil_domtrans_runinit',`
 	allow run_init_t $1:process sigchld;
 ')
 
-define(`seutil_domtrans_runinit_depend',`
-	type run_init_t, run_init_exec_t;
-
-	class file rx_file_perms;
-	class process { transition noatsecure siginh rlimitinh sigchld };
-	class fd use;
-	class fifo_file rw_file_perms;
-')
-
 ########################################
 ## <interface name="seutil_run_runinit">
 ##	<description>
@@ -449,17 +390,14 @@ define(`seutil_domtrans_runinit_depend',`
 ## </interface>
 #
 define(`seutil_run_runinit',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type run_init_t;
+		class chr_file rw_term_perms;
+	')
 
 	seutil_domtrans_runinit($1)
 	role $2 types run_init_t;
-	allow run_init_t $3:chr_file { getattr read write ioctl };
-')
-
-define(`seutil_run_runinit_depend',`
-	type run_init_t;
-
-	class chr_file { getattr read write ioctl };
+	allow run_init_t $3:chr_file rw_term_perms;
 ')
 
 ########################################
@@ -467,17 +405,14 @@ define(`seutil_run_runinit_depend',`
 # seutil_use_runinit_fd(domain)
 #
 define(`seutil_use_runinit_fd',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type run_init_t;
+		class fd use;
+	')
 
 	allow $1 run_init_t:fd use;
 ')
 
-define(`seutil_use_runinit_fd_depend',`
-	type run_init_t;
-
-	class fd use;
-')
-
 ########################################
 ## <interface name="seutil_domtrans_setfiles">
 ##	<description>
@@ -489,12 +424,16 @@ define(`seutil_use_runinit_fd_depend',`
 ## </interface>
 #
 define(`seutil_domtrans_setfiles',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type setfiles_t, setfiles_exec_t;
+		class process sigchld;
+		class fd use;
+		class fifo_file rw_file_perms;
+	')
 
-	allow $1 setfiles_exec_t:file rx_file_perms;
-	allow $1 setfiles_t:process transition;
-	type_transition $1 setfiles_exec_t:process setfiles_t;
-	dontaudit $1 setfiles_t:process { noatsecure siginh rlimitinh };
+	files_search_usr($1)
+	corecmd_search_sbin($1)
+	domain_auto_trans($1,setfiles_exec_t,setfiles_t)
 
 	allow $1 setfiles_t:fd use;
 	allow setfiles_t $1:fd use;
@@ -502,15 +441,6 @@ define(`seutil_domtrans_setfiles',`
 	allow setfiles_t $1:process sigchld;
 ')
 
-define(`seutil_domtrans_setfiles_depend',`
-	type setfiles_t, setfiles_exec_t;
-
-	class file rx_file_perms;
-	class process { transition noatsecure siginh rlimitinh sigchld };
-	class fd use;
-	class fifo_file rw_file_perms;
-')
-
 ########################################
 ## <interface name="seutil_run_setfiles">
 ##	<description>
@@ -530,17 +460,14 @@ define(`seutil_domtrans_setfiles_depend',`
 ## </interface>
 #
 define(`seutil_run_setfiles',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type setfiles_t;
+		class chr_file rw_term_perms;
+	')
 
 	seutil_domtrans_setfiles($1)
 	role $2 types setfiles_t;
-	allow setfiles_t $3:chr_file { getattr read write ioctl };
-')
-
-define(`seutil_run_setfiles_depend',`
-	type setfiles_t;
-
-	class chr_file { getattr read write ioctl };
+	allow setfiles_t $3:chr_file rw_term_perms;
 ')
 
 #######################################
@@ -548,112 +475,101 @@ define(`seutil_run_setfiles_depend',`
 # seutil_exec_setfiles(domain)
 #
 define(`seutil_exec_setfiles',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type setfiles_exec_t;
+	')
 
+	files_search_usr($1)
+	corecmd_search_sbin($1)
 	can_exec($1,setfiles_exec_t)
 ')
 
-define(`seutil_exec_setfiles_depend',`
-	type setfiles_exec_t;
-
-	class file { rx_file_perms execute_no_trans };
-')
-
 ########################################
 #
 # seutil_read_config(domain)
 #
 define(`seutil_read_config',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type selinux_config_t;
+		class dir r_dir_perms;
+		class file r_file_perms;
+	')
 
+	files_search_etc($1)
 	allow $1 selinux_config_t:dir r_dir_perms;
 	allow $1 selinux_config_t:file r_file_perms;
 ')
 
-define(`seutil_read_config_depend',`
-	type selinux_config_t;
-
-	class dir r_dir_perms;
-	class file r_file_perms;
-')
-
 ########################################
 #
 # seutil_read_default_contexts(domain)
 #
 define(`seutil_read_default_contexts',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type selinux_config_t, default_context_t;
+		class dir r_dir_perms;
+		class file r_file_perms;
+	')
 
+	files_search_etc($1)
 	allow $1 selinux_config_t:dir search;
 	allow $1 default_context_t:dir r_dir_perms;
 	allow $1 default_context_t:file r_file_perms;
 ')
 
-define(`seutil_read_default_contexts_depend',`
-	type selinux_config_t, default_context_t;
-
-	class dir r_dir_perms;
-	class file r_file_perms;
-')
-
 ########################################
 #
 # seutil_read_file_contexts(domain)
 #
 define(`seutil_read_file_contexts',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type selinux_config_t, file_context_t;
+		class dir r_dir_perms;
+		class file r_file_perms;
+	')
 
+	files_search_etc($1)
 	allow $1 selinux_config_t:dir search;
 	allow $1 file_context_t:dir r_dir_perms;
 	allow $1 file_context_t:file r_file_perms;
 ')
 
-define(`seutil_read_file_contexts_depend',`
-	type selinux_config_t, file_context_t;
-
-	class dir r_dir_perms;
-	class file r_file_perms;
-')
-
 ########################################
 #
 # seutil_read_binary_pol(domain)
 #
 define(`seutil_read_binary_pol',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type selinux_config_t, policy_config_t;
+		class dir r_dir_perms;
+		class file r_file_perms;
+	')
 
+	files_search_etc($1)
+	allow $1 selinux_config_t:dir search;
 	allow $1 policy_config_t:dir r_dir_perms;
 	allow $1 policy_config_t:file r_file_perms;
 ')
 
-define(`seutil_read_binary_pol_depend',`
-	type policy_config_t;
-
-	class dir r_dir_perms;
-	class file r_file_perms;
-')
-
 ########################################
 #
-# seutil_write_binary_pol(domain)
+# seutil_create_binary_pol(domain)
 #
-define(`seutil_write_binary_pol',`
-	gen_require(`$0'_depend)
+define(`seutil_create_binary_pol',`
+	gen_require(`
+		attribute can_write_binary_policy;
+		type selinux_config_t, policy_config_t;
+		class dir ra_dir_perms;
+		class file { getattr create write };
+	')
 
-	allow $1 policy_config_t:dir rw_dir_perms;
-	allow $1 policy_config_t:file { getattr create write unlink };
+	files_search_etc($1)
+	allow $1 selinux_config_t:dir search;
+	allow $1 policy_config_t:dir ra_dir_perms;
+	allow $1 policy_config_t:file { getattr create write };
 	typeattribute $1 can_write_binary_policy;
 ')
 
-define(`seutil_write_binary_pol_depend',`
-	attribute can_write_binary_policy;
-
-	type policy_config_t;
-
-	class dir rw_dir_perms;
-	class file { getattr create write unlink };
-')
-
 ########################################
 ## <interface name="seutil_relabelto_binary_pol">
 ##	<description>
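Review bot: Renaming `seutil_write_binary_pol` to `seutil_create_binary_pol` changes a public interface name with no compatibility definition left behind, so any module still calling the old name will be left unexpanded by m4 and fail later in the build unless it is updated in the same commit, which is not visible from this hunk. The new body also drops `unlink` from the file rule and narrows the directory rule from `rw_dir_perms` to `ra_dir_perms`, a deliberate least-privilege tightening that deserves to be stated next to the new name so nobody "restores" it later. Consider a short comment above the macro such as `# Renamed from seutil_write_binary_pol; create/write only — callers that must replace or remove the policy file should use seutil_manage_binary_pol.`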
@@ -665,80 +581,67 @@ define(`seutil_write_binary_pol_depend',`
 ## </interface>
 #
 define(`seutil_relabelto_binary_pol',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		attribute can_relabelto_binary_policy;
+		type policy_config_t;
+		class file relabelto;
+	')
 
 	allow $1 policy_config_t:file relabelto;
 	typeattribute $1 can_relabelto_binary_policy;
 ')
 
-define(`seutil_relabelto_binary_pol_depend',`
-	attribute can_relabelto_binary_policy;
-
-	type policy_config_t;
-
-	class file relabelto;
-')
-
 ########################################
 #
 # seutil_manage_binary_pol(domain)
 #
 define(`seutil_manage_binary_pol',`
-	gen_require(`$0'_depend)
-
-	# FIXME: search etc_t:dir
+	gen_require(`
+		attribute can_write_binary_policy;
+		type selinux_config_t, policy_config_t;
+		class dir rw_dir_perms;
+		class file create_file_perms;
+	')
+
+	files_search_etc($1)
 	allow $1 selinux_config_t:dir search;
-	allow $1 policy_config_t:dir r_dir_perms;
+	allow $1 policy_config_t:dir rw_dir_perms;
 	allow $1 policy_config_t:file create_file_perms;
 	typeattribute $1 can_write_binary_policy;
 ')
 
-define(`seutil_manage_binary_pol_depend',`
-	attribute can_write_binary_policy;
-
-	type selinux_config_t, policy_config_t;
-	class dir create_dir_perms;
-	class file create_file_perms;
-')
-
 ########################################
 #
 # seutil_read_src_pol(domain)
 #
 define(`seutil_read_src_pol',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type selinux_config_t, policy_src_t;
+		class dir r_dir_perms;
+		class file r_file_perms;
+	')
 
-	# FIXME: search etc_t:dir
+	files_search_etc($1)
 	allow $1 selinux_config_t:dir search;
 	allow $1 policy_src_t:dir r_dir_perms;
 	allow $1 policy_src_t:file r_file_perms;
 ')
 
-define(`seutil_read_src_pol_depend',`
-	type selinux_config_t, policy_src_t;
-
-	class dir r_dir_perms;
-	class file r_file_perms;
-')
-
 ########################################
 #
 # seutil_manage_src_pol(domain)
 #
 define(`seutil_manage_src_pol',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type selinux_config_t, policy_src_t;
+		class dir create_dir_perms;
+		class file create_file_perms;
+	')
 
-	# FIXME: search etc_t:dir
+	files_search_etc($1)
 	allow $1 selinux_config_t:dir search;
 	allow $1 policy_src_t:dir create_dir_perms;
 	allow $1 policy_src_t:file create_file_perms;
 ')
 
-define(`seutil_manage_src_pol_depend',`
-	type selinux_config_t, policy_src_t;
-
-	class dir create_dir_perms;
-	class file create_file_perms;
-')
-
 ## </module>
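Review bot: `seutil_relabelto_binary_pol` is the only interface in this hunk that does not gain `files_search_etc($1)` and `allow $1 selinux_config_t:dir search;` when its gen_require is inlined, while `seutil_manage_binary_pol`, `seutil_read_src_pol` and `seutil_manage_src_pol` all do. If callers reach the policy file by path rather than through an inherited descriptor, the `relabelto` rule alone does not let them get there. If the omission is intentional, a one-line comment in the macro would save the next reviewer the same question.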
diff --git a/refpolicy/policy/modules/system/sysnetwork.if b/refpolicy/policy/modules/system/sysnetwork.if
index e3f1109..08ee021 100644
--- a/refpolicy/policy/modules/system/sysnetwork.if
+++ b/refpolicy/policy/modules/system/sysnetwork.if
@@ -12,8 +12,14 @@
 ## </interface>
 #
 define(`sysnet_domtrans_dhcpc',`
-	gen_require(`$0'_depend)
-
+	gen_require(`
+		type dhcpc_t, dhcpc_exec_t;
+		class process sigchld;
+		class fd use;
+		class fifo_file rw_file_perms;
+	')
+
+	corecmd_search_sbin($1)
 	domain_auto_trans($1, dhcpc_exec_t, dhcpc_t)
 
 	allow $1 dhcpc_t:fd use;
@@ -22,15 +28,6 @@ define(`sysnet_domtrans_dhcpc',`
 	allow dhcpc_t $1:process sigchld;
 ')
 
-define(`sysnet_domtrans_dhcpc_depend',`
-	type dhcpc_t, dhcpc_exec_t;
-
-	class file { getattr read execute };
-	class process { transition noatsecure siginh rlimitinh sigchld };
-	class fd use;
-	class fifo_file rw_file_perms;
-')
-
 #######################################
 ## <interface name="sysnet_domtrans_ifconfig">
 ##	<description>
@@ -42,8 +39,14 @@ define(`sysnet_domtrans_dhcpc_depend',`
 ## </interface>
 #
 define(`sysnet_domtrans_ifconfig',`
-	gen_require(`$0'_depend)
-
+	gen_require(`
+		type ifconfig_t, ifconfig_exec_t;
+		class process sigchld;
+		class fd use;
+		class fifo_file rw_file_perms;
+	')
+
+	corecmd_search_sbin($1)
 	domain_auto_trans($1, ifconfig_exec_t, ifconfig_t)
 
 	allow $1 ifconfig_t:fd use;
@@ -52,15 +55,6 @@ define(`sysnet_domtrans_ifconfig',`
 	allow ifconfig_t $1:process sigchld;
 ')
 
-define(`sysnet_domtrans_ifconfig_depend',`
-	type ifconfig_t, ifconfig_exec_t;
-
-	class file { getattr read execute };
-	class process { transition noatsecure siginh rlimitinh sigchld };
-	class fd use;
-	class fifo_file rw_file_perms;
-')
-
 ########################################
 ## <interface name="sysnet_run_ifconfig">
 ##	<description>
@@ -80,17 +74,15 @@ define(`sysnet_domtrans_ifconfig_depend',`
 ## </interface>
 #
 define(`sysnet_run_ifconfig',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type ifconfig_t;
+		class chr_file rw_term_perms;
+	')
 
+	corecmd_search_sbin($1)
 	sysnet_domtrans_ifconfig($1)
 	role $2 types ifconfig_t;
-	allow ifconfig_t $3:chr_file { getattr read write ioctl };
-')
-
-define(`sysnet_run_ifconfig_depend',`
-	type ifconfig_t;
-
-	class chr_file { getattr read write ioctl };
+	allow ifconfig_t $3:chr_file rw_term_perms;
 ')
 
 #######################################
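Review bot: The added `corecmd_search_sbin($1)` in `sysnet_run_ifconfig` duplicates the call that `sysnet_domtrans_ifconfig($1)` on the next line already makes, since this commit adds the same call to the domtrans interface (see the `sysnet_domtrans_ifconfig` hunk). Duplicate rules are harmless to the compiled policy, but they blur which interface owns the search permission, and none of the other `*_run_*` interfaces in this commit repeat it. Drop the line from `sysnet_run_ifconfig` and let the domtrans interface carry it.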
@@ -104,16 +96,13 @@ define(`sysnet_run_ifconfig_depend',`
 ## </interface>
 #
 define(`sysnet_read_config',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type net_conf_t;
+		class file r_file_perms;
+	')
 
 	files_search_etc($1)
 	allow $1 net_conf_t:file r_file_perms;
 ')
 
-define(`sysnet_read_config_depend',`
-	type net_conf_t;
-
-	class file r_file_perms;
-')
-
 ## </module>
diff --git a/refpolicy/policy/modules/system/udev.if b/refpolicy/policy/modules/system/udev.if
index af6a47a..c1eccd0 100644
--- a/refpolicy/policy/modules/system/udev.if
+++ b/refpolicy/policy/modules/system/udev.if
@@ -12,7 +12,12 @@
 ## </interface>
 #
 define(`udev_domtrans',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type udev_t, udev_exec_t;
+		class process sigchld;
+		class fd use;
+		class fifo_file rw_file_perms;
+	')
 
 	domain_auto_trans($1, udev_exec_t, udev_t)
 
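Review bot: `udev_domtrans` is the one `*_domtrans*` interface in this commit that does not call `corecmd_search_sbin($1)` ahead of `domain_auto_trans`; `sysnet_domtrans_dhcpc`, `sysnet_domtrans_ifconfig`, `seutil_domtrans_loadpol` and others all gain it. If `udev_exec_t` is installed under an sbin directory, the caller will need that search permission to reach the binary, and if udev deliberately differs a comment saying so would make the asymmetry intentional rather than accidental. The rest of `udev_domtrans` continues outside the hunk.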
@@ -22,15 +27,6 @@ define(`udev_domtrans',`
 	allow udev_t $1:process sigchld;
 ')
 
-define(`udev_domtrans_depend',`
-	type udev_t, udev_exec_t;
-
-	class file { getattr read execute };
-	class process { transition noatsecure siginh rlimitinh sigchld };
-	class fd use;
-	class fifo_file rw_file_perms;
-')
-
 ########################################
 ## <interface name="udev_read_db">
 ##     <description>
@@ -42,17 +38,15 @@ define(`udev_domtrans_depend',`
 ## </interface>
 #
 define(`udev_read_db',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type udev_tdb_t;
+		class file r_file_perms;
+	')
 
+	dev_list_all_dev_nodes($1)
 	allow $1 udev_tdb_t:file r_file_perms;
 ')
 
-define(`udev_read_db_depend',`
-	type udev_tdb_t;
-
-	class file r_file_perms;
-')
-
 ########################################
 ## <interface name="udev_rw_db">
 ##     <description>
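Review bot: `udev_read_db` pairs a read of `udev_tdb_t` files with `dev_list_all_dev_nodes($1)`, which by its name grants directory listing over every device-node type rather than the search needed to reach the udev database; `udev_rw_db` in the next hunk does the same. If the database sits directly under the device directory, a search-only rule on that directory type is the least-privilege way to get there and keeps these interfaces from doubling as a way to enumerate all device nodes. If listing really is required, a one-line comment stating why would help the next reviewer.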
@@ -64,15 +58,13 @@ define(`udev_read_db_depend',`
 ## </interface>
 #
 define(`udev_rw_db',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type udev_tdb_t;
+		class file rw_file_perms;
+	')
 
+	dev_list_all_dev_nodes($1)
 	allow $1 udev_tdb_t:file rw_file_perms;
 ')
 
-define(`udev_rw_db_depend',`
-	type udev_tdb_t;
-
-	class file rw_file_perms;
-')
-
 ## </module>

