[selinux-policy: 402/3172] remove remaining _depend macros to prep for switchover to interface declaration macro
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 19:39:32 UTC 2010
commit cbc9d6951a2aad3816c4263ab7c51cb821b54686
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Wed Jun 22 16:07:14 2005 +0000
remove remaining _depend macros to prep for switchover to interface declaration macro
refpolicy/policy/modules/kernel/bootloader.if | 247 +++-----
refpolicy/policy/modules/kernel/devices.if | 612 +++++++-----------
refpolicy/policy/modules/kernel/filesystem.if | 846 +++++++++----------------
refpolicy/policy/modules/kernel/kernel.if | 586 +++++++-----------
refpolicy/policy/modules/kernel/selinux.if | 157 ++---
refpolicy/policy/modules/system/authlogin.if | 26 +-
refpolicy/policy/modules/system/files.if | 788 +++++++++--------------
refpolicy/policy/modules/system/userdomain.if | 8 +-
8 files changed, 1240 insertions(+), 2030 deletions(-)
---
diff --git a/refpolicy/policy/modules/kernel/bootloader.if b/refpolicy/policy/modules/kernel/bootloader.if
index 5a64873..ee0b515 100644
--- a/refpolicy/policy/modules/kernel/bootloader.if
+++ b/refpolicy/policy/modules/kernel/bootloader.if
@@ -12,7 +12,12 @@
## </interface>
#
define(`bootloader_domtrans',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type bootloader_t;
+ class process sigchld;
+ class fd use;
+ class fifo_file rw_file_perms;
+ ')
domain_auto_trans($1, bootloader_exec_t, bootloader_t)
@@ -22,15 +27,6 @@ define(`bootloader_domtrans',`
allow bootloader_t $1:process sigchld;
')
-define(`bootloader_domtrans_depend',`
- type bootloader_t;
-
- class file { getattr read execute };
- class process { transition noatsecure siginh rlimitinh sigchld };
- class fd use;
- class fifo_file rw_file_perms;
-')
-
########################################
## <interface name="bootloader_run">
## <description>
@@ -49,7 +45,10 @@ define(`bootloader_domtrans_depend',`
## </interface>
#
define(`bootloader_run',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type bootloader_t;
+ class chr_file rw_file_perms;
+ ')
bootloader_domtrans($1)
@@ -57,11 +56,6 @@ define(`bootloader_run',`
allow bootloader_t $3:chr_file rw_file_perms;
')
-define(`bootloader_run_depend',`
- type bootloader_t;
- class chr_file rw_file_perms;
-')
-
########################################
## <interface name="bootloader_search_boot_dir">
## <description>
@@ -73,17 +67,14 @@ define(`bootloader_run_depend',`
## </interface>
#
define(`bootloader_search_boot_dir',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type boot_t;
+ class dir search;
+ ')
allow $1 boot_t:dir search;
')
-define(`bootloader_search_boot_dir_depend',`
- type boot_t;
-
- class dir search;
-')
-
########################################
## <interface name="bootloader_dontaudit_search_boot">
## <description>
@@ -95,17 +86,14 @@ define(`bootloader_search_boot_dir_depend',`
## </interface>
#
define(`bootloader_dontaudit_search_boot',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type boot_t;
+ class dir search;
+ ')
dontaudit $1 boot_t:dir search;
')
-define(`bootloader_dontaudit_search_boot_depend',`
- type boot_t;
-
- class dir search;
-')
-
########################################
## <interface name="bootloader_rw_boot_symlinks">
## <description>
@@ -118,19 +106,16 @@ define(`bootloader_dontaudit_search_boot_depend',`
## </interface>
#
define(`bootloader_rw_boot_symlinks',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type boot_t;
+ class dir r_dir_perms;
+ class lnk_file rw_file_perms;
+ ')
allow $1 boot_t:dir r_dir_perms;
allow $1 boot_t:lnk_file rw_file_perms;
')
-define(`bootloader_rw_boot_symlinks_depend',`
- type boot_t;
-
- class dir r_dir_perms;
- class lnk_file rw_file_perms;
-')
-
########################################
## <interface name="bootloader_create_kernel">
## <description>
@@ -142,21 +127,18 @@ define(`bootloader_rw_boot_symlinks_depend',`
## </interface>
#
define(`bootloader_create_kernel',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type boot_t;
+ class dir ra_dir_perms;
+ class file { getattr read write create };
+ class lnk_file { getattr read create unlink };
+ ')
allow $1 boot_t:dir ra_dir_perms;
allow $1 boot_t:file { getattr read write create };
allow $1 boot_t:lnk_file { getattr read create unlink };
')
-define(`bootloader_create_kernel_depend',`
- type boot_t;
-
- class dir ra_dir_perms;
- class file { getattr read write create };
- class lnk_file { getattr read create unlink };
-')
-
########################################
## <interface name="bootloader_create_kernel_symbol_table">
## <description>
@@ -168,19 +150,16 @@ define(`bootloader_create_kernel_depend',`
## </interface>
#
define(`bootloader_create_kernel_symbol_table',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type boot_t, system_map_t;
+ class dir ra_dir_perms;
+ class file { rw_file_perms create };
+ ')
allow $1 boot_t:dir ra_dir_perms;
allow $1 system_map_t:file { rw_file_perms create };
')
-define(`bootloader_create_kernel_symbol_table_depend',`
- type boot_t, system_map_t;
-
- class dir ra_dir_perms;
- class file { rw_file_perms create };
-')
-
########################################
## <interface name="bootloader_read_kernel_symbol_table">
## <description>
@@ -192,19 +171,16 @@ define(`bootloader_create_kernel_symbol_table_depend',`
## </interface>
#
define(`bootloader_read_kernel_symbol_table',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type boot_t, system_map_t;
+ class dir r_dir_perms;
+ class file r_file_perms;
+ ')
allow $1 boot_t:dir r_dir_perms;
allow $1 system_map_t:file r_file_perms;
')
-define(`bootloader_read_kernel_symbol_table_depend',`
- type boot_t, system_map_t;
-
- class dir r_dir_perms;
- class file r_file_perms;
-')
-
########################################
## <interface name="bootloader_delete_kernel">
## <description>
@@ -216,19 +192,16 @@ define(`bootloader_read_kernel_symbol_table_depend',`
## </interface>
#
define(`bootloader_delete_kernel',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type boot_t;
+ class dir { r_dir_perms write remove_name };
+ class file { getattr unlink };
+ ')
allow $1 boot_t:dir { r_dir_perms write remove_name };
allow $1 boot_t:file { getattr unlink };
')
-define(`bootloader_delete_kernel_depend',`
- type boot_t;
-
- class dir { r_dir_perms write remove_name };
- class file { getattr unlink };
-')
-
########################################
## <interface name="bootloader_delete_kernel_symbol_table">
## <description>
@@ -240,19 +213,16 @@ define(`bootloader_delete_kernel_depend',`
## </interface>
#
define(`bootloader_delete_kernel_symbol_table',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type boot_t, system_map_t;
+ class dir { r_dir_perms write remove_name };
+ class file { getattr unlink };
+ ')
allow $1 boot_t:dir { r_dir_perms write remove_name };
allow $1 system_map_t:file { getattr unlink };
')
-define(`bootloader_delete_kernel_symbol_table_depend',`
- type boot_t, system_map_t;
-
- class dir { r_dir_perms write remove_name };
- class file { getattr unlink };
-')
-
########################################
## <interface name="bootloader_read_config">
## <description>
@@ -264,17 +234,14 @@ define(`bootloader_delete_kernel_symbol_table_depend',`
## </interface>
#
define(`bootloader_read_config',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type bootloader_etc_t;
+ class file r_file_perms;
+ ')
allow $1 bootloader_etc_t:file r_file_perms;
')
-define(`bootloader_read_config_depend',`
- type bootloader_etc_t;
-
- class file r_file_perms;
-')
-
########################################
## <interface name="bootloader_rw_config">
## <description>
@@ -287,17 +254,14 @@ define(`bootloader_read_config_depend',`
## </interface>
#
define(`bootloader_rw_config',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type bootloader_etc_t;
+ class file rw_file_perms;
+ ')
allow $1 bootloader_etc_t:file rw_file_perms;
')
-define(`bootloader_rw_config_depend',`
- type bootloader_etc_t;
-
- class file rw_file_perms;
-')
-
########################################
## <interface name="bootloader_rw_tmp_file">
## <description>
@@ -310,18 +274,15 @@ define(`bootloader_rw_config_depend',`
## </interface>
#
define(`bootloader_rw_tmp_file',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type bootloader_tmp_t;
+ class file rw_file_perms;
+ ')
- # FIXME: read tmp_t
+ # FIXME: read tmp_t dir
allow $1 bootloader_tmp_t:file rw_file_perms;
')
-define(`bootloader_rw_tmp_file_depend',`
- type bootloader_tmp_t;
-
- class file rw_file_perms;
-')
-
########################################
## <interface name="bootloader_create_runtime_file">
## <description>
@@ -334,20 +295,17 @@ define(`bootloader_rw_tmp_file_depend',`
## </interface>
#
define(`bootloader_create_runtime_file',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type boot_t, boot_runtime_t;
+ class dir rw_dir_perms;
+ class file { rw_file_perms create unlink };
+ ')
allow $1 boot_t:dir rw_dir_perms;
allow $1 boot_runtime_t:file { rw_file_perms create unlink };
type_transition $1 boot_t:file boot_runtime_t;
')
-define(`bootloader_create_runtime_file_depend',`
- type boot_t, boot_runtime_t;
-
- class dir rw_dir_perms;
- class file { rw_file_perms create unlink };
-')
-
########################################
## <interface name="bootloader_list_kernel_modules">
## <description>
@@ -359,17 +317,14 @@ define(`bootloader_create_runtime_file_depend',`
## </interface>
#
define(`bootloader_list_kernel_modules',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type modules_object_t;
+ class dir r_dir_perms;
+ ')
allow $1 modules_object_t:dir r_dir_perms;
')
-define(`bootloader_list_kernel_modules_depend',`
- type modules_object_t;
-
- class dir r_dir_perms;
-')
-
########################################
## <interface name="bootloader_read_kernel_modules">
## <description>
@@ -381,21 +336,18 @@ define(`bootloader_list_kernel_modules_depend',`
## </interface>
#
define(`bootloader_read_kernel_modules',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type modules_object_t;
+ class dir r_dir_perms;
+ class lnk_file r_file_perms;
+ class file r_file_perms;
+ ')
allow $1 modules_object_t:dir r_dir_perms;
allow $1 modules_object_t:lnk_file r_file_perms;
allow $1 modules_object_t:file r_file_perms;
')
-define(`bootloader_read_kernel_modules_depend',`
- type modules_object_t;
-
- class dir r_dir_perms;
- class lnk_file r_file_perms;
- class file r_file_perms;
-')
-
########################################
## <interface name="bootloader_write_kernel_modules">
## <description>
@@ -407,7 +359,12 @@ define(`bootloader_read_kernel_modules_depend',`
## </interface>
#
define(`bootloader_write_kernel_modules',`
- gen_require(`$0'_depend)
+ gen_require(`
+ attribute rw_kern_modules;
+ type modules_object_t;
+ class dir r_dir_perms;
+ class file { write append };
+ ')
allow $1 modules_object_t:dir r_dir_perms;
allow $1 modules_object_t:file { write append };
@@ -415,15 +372,6 @@ define(`bootloader_write_kernel_modules',`
typeattribute $1 rw_kern_modules;
')
-define(`bootloader_write_kernel_modules_depend',`
- attribute rw_kern_modules;
-
- type modules_object_t;
-
- class dir r_dir_perms;
- class file { write append };
-')
-
########################################
## <interface name="bootloader_manage_kernel_modules">
## <description>
@@ -436,7 +384,12 @@ define(`bootloader_write_kernel_modules_depend',`
## </interface>
#
define(`bootloader_manage_kernel_modules',`
- gen_require(`$0'_depend)
+ gen_require(`
+ attribute rw_kern_modules;
+ type modules_object_t;
+ class file { getattr create read write setattr unlink };
+ class dir rw_dir_perms;
+ ')
allow $1 modules_object_t:file { rw_file_perms create setattr unlink };
allow $1 modules_object_t:dir rw_dir_perms;
@@ -444,23 +397,17 @@ define(`bootloader_manage_kernel_modules',`
typeattribute $1 rw_kern_modules;
')
-define(`bootloader_manage_kernel_modules_depend',`
- attribute rw_kern_modules;
-
- type modules_object_t;
-
- class file { getattr create read write setattr unlink };
- class dir rw_dir_perms;
-')
-
########################################
#
# bootloader_create_private_module_dir_entry(domain,privatetype,[class(es)])
#
define(`bootloader_create_private_module_dir_entry',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type modules_object_t;
+ class dir rw_dir_perms;
+ ')
- allow $1 modules_object_t:dir { getattr search read write add_name remove_name };
+ allow $1 modules_object_t:dir rw_dir_perms;
# if a class is specified use it, else use file as default
ifelse(`$3',`',`
@@ -470,10 +417,4 @@ define(`bootloader_create_private_module_dir_entry',`
')
')
-define(`bootloader_create_private_module_dir_entry_depend',`
- type modules_object_t;
-
- class dir { getattr search read write add_name remove_name };
-')
-
## </module>
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index 4611ab9..326c70c 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -93,19 +93,16 @@ define(`dev_relabel_all_dev_nodes',`
## </interface>
#
define(`dev_list_all_dev_nodes',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type device_t;
+ class dir r_dir_perms;
+ class lnk_file { getattr read };
+ ')
allow $1 device_t:dir r_dir_perms;
allow $1 device_t:lnk_file { getattr read };
')
-define(`dev_list_all_dev_nodes_depend',`
- type device_t;
-
- class dir r_dir_perms;
- class lnk_file { getattr read };
-')
-
########################################
## <interface name="dev_dontaudit_list_all_dev_nodes">
## <summary>
@@ -117,17 +114,14 @@ define(`dev_list_all_dev_nodes_depend',`
## </interface>
#
define(`dev_dontaudit_list_all_dev_nodes',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type device_t;
+ class dir r_dir_perms;
+ ')
dontaudit $1 device_t:dir r_dir_perms;
')
-define(`dev_dontaudit_list_all_dev_nodes_depend',`
- type device_t;
-
- class dir r_dir_perms;
-')
-
########################################
## <interface name="dev_create_dir">
## <summary>
@@ -139,17 +133,14 @@ define(`dev_dontaudit_list_all_dev_nodes_depend',`
## </interface>
#
define(`dev_create_dir',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type device_t;
+ class dir { ra_dir_perms create };
+ ')
allow $1 device_t:dir { ra_dir_perms create };
')
-define(`dev_create_dir_depend',`
- type device_t;
-
- class dir { ra_dir_perms create };
-')
-
########################################
## <interface name="dev_relabel_dev_dirs">
## <summary>
@@ -161,17 +152,14 @@ define(`dev_create_dir_depend',`
## </interface>
#
define(`dev_relabel_dev_dirs',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type device_t;
+ class dir { r_dir_perms relabelfrom relabelto };
+ ')
allow $1 device_t:dir { r_dir_perms relabelfrom relabelto };
')
-define(`dev_relabel_dev_dirs_depend',`
- type device_t;
-
- class dir { r_dir_perms relabelfrom relabelto };
-')
-
########################################
## <interface name="dev_dontaudit_getattr_generic_pipe">
## <summary>
@@ -183,17 +171,14 @@ define(`dev_relabel_dev_dirs_depend',`
## </interface>
#
define(`dev_dontaudit_getattr_generic_pipe',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type device_t;
+ class fifo_file getattr;
+ ')
dontaudit $1 device_t:fifo_file getattr;
')
-define(`dev_dontaudit_getattr_generic_pipe_depend',`
- type device_t;
-
- class fifo_file getattr;
-')
-
########################################
## <interface name="dev_getattr_generic_blk_file">
## <summary>
@@ -205,19 +190,16 @@ define(`dev_dontaudit_getattr_generic_pipe_depend',`
## </interface>
#
define(`dev_getattr_generic_blk_file',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type device_t;
+ class dir r_dir_perms;
+ class blk_file getattr;
+ ')
allow $1 device_t:dir r_dir_perms;
allow $1 device_t:blk_file getattr;
')
-define(`ddev_getattr_generic_blk_file_depend',`
- type device_t;
-
- class dir r_dir_perms;
- class blk_file getattr;
-')
-
########################################
## <interface name="dev_dontaudit_getattr_generic_blk_file">
## <summary>
@@ -229,17 +211,14 @@ define(`ddev_getattr_generic_blk_file_depend',`
## </interface>
#
define(`dev_dontaudit_getattr_generic_blk_file',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type device_t;
+ class blk_file getattr;
+ ')
dontaudit $1 device_t:blk_file getattr;
')
-define(`dev_dontaudit_getattr_generic_blk_file_depend',`
- type device_t;
-
- class blk_file getattr;
-')
-
########################################
## <interface name="dev_dontaudit_setattr_generic_blk_file">
## <summary>
@@ -271,18 +250,15 @@ define(`dev_dontaudit_setattr_generic_blk_file',`
## </interface>
#
define(`dev_manage_generic_blk_file',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type device_t;
+ class blk_file create_file_perms;
+ ')
allow $1 device_t:dir rw_dir_perms;
allow $1 device_t:blk_file create_file_perms;
')
-define(`dev_manage_generic_blk_file_depend',`
- type device_t;
-
- class blk_file create_file_perms;
-')
-
########################################
## <interface name="dev_create_generic_chr_file">
## <summary>
@@ -294,7 +270,12 @@ define(`dev_manage_generic_blk_file_depend',`
## </interface>
#
define(`dev_create_generic_chr_file',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type device_t;
+ class dir ra_dir_perms;
+ class chr_file create;
+ class capability mknod;
+ ')
allow $1 device_t:dir ra_dir_perms;
allow $1 device_t:chr_file create;
@@ -302,14 +283,6 @@ define(`dev_create_generic_chr_file',`
allow $1 self:capability mknod;
')
-define(`dev_create_generic_chr_file_depend',`
- type device_t;
-
- class dir ra_dir_perms;
- class chr_file create;
- class capability mknod;
-')
-
########################################
## <interface name="dev_getattr_generic_chr_file">
## <summary>
@@ -321,19 +294,16 @@ define(`dev_create_generic_chr_file_depend',`
## </interface>
#
define(`dev_getattr_generic_chr_file',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type device_t;
+ class dir r_dir_perms;
+ class chr_file getattr;
+ ')
allow $1 device_t:dir r_dir_perms;
allow $1 device_t:chr_file getattr;
')
-define(`dev_getattr_generic_chr_file_depend',`
- type device_t;
-
- class dir r_dir_perms;
- class chr_file getattr;
-')
-
########################################
## <interface name="dev_dontaudit_getattr_generic_chr_file">
## <summary>
@@ -345,17 +315,14 @@ define(`dev_getattr_generic_chr_file_depend',`
## </interface>
#
define(`dev_dontaudit_getattr_generic_chr_file',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type device_t;
+ class chr_file getattr;
+ ')
dontaudit $1 device_t:chr_file getattr;
')
-define(`dev_dontaudit_getattr_generic_chr_file_depend',`
- type device_t;
-
- class chr_file getattr;
-')
-
########################################
## <interface name="dev_dontaudit_setattr_generic_chr_file">
## <summary>
@@ -428,7 +395,15 @@ define(`dev_manage_generic_symlinks',`
## </interface>
#
define(`dev_manage_dev_nodes',`
- gen_require(`$0'_depend)
+ gen_require(`
+ attribute device_node, memory_raw_read, memory_raw_write;
+ type device_t;
+ class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto };
+ class sock_file { create ioctl read getattr lock write setattr append link unlink rename };
+ class lnk_file { create read getattr setattr link unlink rename };
+ class chr_file { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto };
+ class blk_file { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto };
+ ')
allow $1 device_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto };
allow $1 device_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
@@ -447,18 +422,6 @@ define(`dev_manage_dev_nodes',`
typeattribute $1 memory_raw_write;
')
-define(`dev_manage_dev_nodes_depend',`
- attribute device_node, memory_raw_read, memory_raw_write;
-
- type device_t;
-
- class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto };
- class sock_file { create ioctl read getattr lock write setattr append link unlink rename };
- class lnk_file { create read getattr setattr link unlink rename };
- class chr_file { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto };
- class blk_file { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto };
-')
-
########################################
## <interface name="dev_dontaudit_rw_generic_dev_nodes">
## <summary>
@@ -470,18 +433,15 @@ define(`dev_manage_dev_nodes_depend',`
## </interface>
#
define(`dev_dontaudit_rw_generic_dev_nodes',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type device_t;
+ class chr_file { getattr read write ioctl };
+ class blk_file { getattr read write ioctl };
+ ')
dontaudit $1 device_t:{ chr_file blk_file } { getattr read write ioctl };
')
-define(`dev_dontaudit_rw_generic_dev_nodes_depend',`
- type device_t;
-
- class chr_file { getattr read write ioctl };
- class blk_file { getattr read write ioctl };
-')
-
########################################
## <interface name="dev_manage_generic_blk_file">
## <summary>
@@ -493,19 +453,16 @@ define(`dev_dontaudit_rw_generic_dev_nodes_depend',`
## </interface>
#
define(`dev_manage_generic_blk_file',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type device_t;
+ class dir rw_dir_perms;
+ class blk_file create_file_perms;
+ ')
allow $1 device_t:dir rw_dir_perms;
allow $1 device_t:blk_file create_file_perms;
')
-define(`dev_manage_generic_blk_file_depend',`
- type device_t;
-
- class dir rw_dir_perms;
- class blk_file create_file_perms;
-')
-
########################################
## <interface name="dev_manage_generic_chr_file">
## <summary>
@@ -517,19 +474,16 @@ define(`dev_manage_generic_blk_file_depend',`
## </interface>
#
define(`dev_manage_generic_chr_file',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type device_t;
+ class dir rw_dir_perms;
+ class chr_file create_file_perms;
+ ')
allow $1 device_t:dir rw_dir_perms;
allow $1 device_t:chr_file create_file_perms;
')
-define(`dev_manage_generic_chr_file_depend',`
- type device_t;
-
- class dir rw_dir_perms;
- class chr_file create_file_perms;
-')
-
########################################
## <interface name="dev_create_dev_node">
## <summary>
@@ -549,7 +503,10 @@ define(`dev_manage_generic_chr_file_depend',`
## </interface>
#
define(`dev_create_dev_node',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type device_t;
+ class dir rw_dir_perms;
+ ')
allow $1 device_t:dir rw_dir_perms;
type_transition $1 device_t:$3 $2;
@@ -559,12 +516,6 @@ define(`dev_create_dev_node',`
')
')
-define(`dev_create_dev_node_depend',`
- type device_t;
-
- class dir rw_dir_perms;
-')
-
########################################
## <interface name="dev_getattr_all_blk_files">
## <summary>
@@ -576,19 +527,16 @@ define(`dev_create_dev_node_depend',`
## </interface>
#
define(`dev_getattr_all_blk_files',`
- gen_require(`$0'_depend)
+ gen_require(`
+ attribute device_node;
+ class blk_file getattr;
+ class dir r_dir_perms;
+ ')
allow $1 device_t:dir r_dir_perms;
allow $1 device_node:blk_file getattr;
')
-define(`dev_getattr_all_blk_files_depend',`
- attribute device_node;
-
- class blk_file getattr;
- class dir r_dir_perms;
-')
-
########################################
## <interface name="dev_dontaudit_getattr_all_blk_files">
## <summary>
@@ -600,17 +548,14 @@ define(`dev_getattr_all_blk_files_depend',`
## </interface>
#
define(`dev_dontaudit_getattr_all_blk_files',`
- gen_require(`$0'_depend)
+ gen_require(`
+ attribute device_node;
+ class blk_file getattr;
+ ')
allow $1 device_node:blk_file getattr;
')
-define(`dev_dontaudit_getattr_all_blk_files_depend',`
- attribute device_node;
-
- class blk_file getattr;
-')
-
########################################
## <interface name="dev_getattr_all_chr_files">
## <summary>
@@ -622,19 +567,16 @@ define(`dev_dontaudit_getattr_all_blk_files_depend',`
## </interface>
#
define(`dev_getattr_all_chr_files',`
- gen_require(`$0'_depend)
+ gen_require(`
+ attribute device_node;
+ class chr_file getattr;
+ class dir r_dir_perms;
+ ')
allow $1 device_t:dir r_dir_perms;
allow $1 device_node:chr_file getattr;
')
-define(`dev_getattr_all_chr_files_depend',`
- attribute device_node;
-
- class chr_file getattr;
- class dir r_dir_perms;
-')
-
########################################
## <interface name="dev_dontaudit_getattr_all_chr_files">
## <summary>
@@ -646,17 +588,14 @@ define(`dev_getattr_all_chr_files_depend',`
## </interface>
#
define(`dev_dontaudit_getattr_all_chr_files',`
- gen_require(`$0'_depend)
+ gen_require(`
+ attribute device_node;
+ class chr_file getattr;
+ ')
dontaudit $1 device_node:chr_file getattr;
')
-define(`dev_dontaudit_getattr_all_chr_files_depend',`
- attribute device_node;
-
- class chr_file getattr;
-')
-
########################################
## <interface name="dev_setattr_all_blk_files">
## <summary>
@@ -668,19 +607,16 @@ define(`dev_dontaudit_getattr_all_chr_files_depend',`
## </interface>
#
define(`dev_setattr_all_blk_files',`
- gen_require(`$0'_depend)
+ gen_require(`
+ attribute device_node;
+ class dir r_dir_perms;
+ class blk_file setattr;
+ ')
allow $1 device_t:dir r_dir_perms;
allow $1 device_node:blk_file setattr;
')
-define(`dev_setattr_all_blk_files_depend',`
- attribute device_node;
-
- class dir r_dir_perms;
- class blk_file setattr;
-')
-
########################################
## <interface name="dev_setattr_all_chr_files">
## <summary>
@@ -692,19 +628,16 @@ define(`dev_setattr_all_blk_files_depend',`
## </interface>
#
define(`dev_setattr_all_chr_files',`
- gen_require(`$0'_depend)
+ gen_require(`
+ attribute device_node;
+ class dir r_dir_perms;
+ class chr_file setattr;
+ ')
allow $1 device_t:dir r_dir_perms;
allow $1 device_node:chr_file setattr;
')
-define(`dev_setattr_all_chr_files_depend',`
- attribute device_node;
-
- class dir r_dir_perms;
- class chr_file setattr;
-')
-
########################################
## <interface name="dev_manage_all_blk_files">
## <summary>
@@ -716,7 +649,11 @@ define(`dev_setattr_all_chr_files_depend',`
## </interface>
#
define(`dev_manage_all_blk_files',`
- gen_require(`$0'_depend)
+ gen_require(`
+ attribute device_node;
+ class dir rw_dir_perms;
+ class blk_file create_file_perms;
+ ')
allow $1 device_t:dir rw_dir_perms;
allow $1 device_node:blk_file create_file_perms;
@@ -728,13 +665,6 @@ define(`dev_manage_all_blk_files',`
storage_write_scsi_generic($1)
')
-define(`dev_manage_all_blk_files_depend',`
- attribute device_node;
-
- class dir rw_dir_perms;
- class blk_file create_file_perms;
-')
-
########################################
## <interface name="dev_manage_all_chr_files">
## <summary>
@@ -746,7 +676,11 @@ define(`dev_manage_all_blk_files_depend',`
## </interface>
#
define(`dev_manage_all_chr_files',`
- gen_require(`$0'_depend)
+ gen_require(`
+ attribute device_node, memory_raw_read, memory_raw_write;
+ class dir rw_dir_perms;
+ class chr_file create_file_perms;
+ ')
allow $1 device_t:dir rw_dir_perms;
allow $1 device_node:chr_file create_file_perms;
@@ -754,13 +688,6 @@ define(`dev_manage_all_chr_files',`
typeattribute $1 memory_raw_read, memory_raw_write;
')
-define(`dev_manage_all_chr_files_depend',`
- attribute device_node, memory_raw_read, memory_raw_write;
-
- class dir rw_dir_perms;
- class chr_file create_file_perms;
-')
-
########################################
## <interface name="dev_read_raw_memory">
## <summary>
@@ -772,7 +699,13 @@ define(`dev_manage_all_chr_files_depend',`
## </interface>
#
define(`dev_read_raw_memory',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type device_t, memory_device_t;
+ attribute memory_raw_read;
+ class dir r_dir_perms;
+ class chr_file r_file_perms;
+ class capability sys_rawio;
+ ')
allow $1 device_t:dir r_dir_perms;
allow $1 memory_device_t:chr_file r_file_perms;
@@ -781,14 +714,6 @@ define(`dev_read_raw_memory',`
typeattribute $1 memory_raw_read;
')
-define(`dev_read_raw_memory_depend',`
- type device_t, memory_device_t;
- attribute memory_raw_read;
- class dir r_dir_perms;
- class chr_file r_file_perms;
- class capability sys_rawio;
-')
-
########################################
## <interface name="dev_write_raw_memory">
## <summary>
@@ -800,7 +725,13 @@ define(`dev_read_raw_memory_depend',`
## </interface>
#
define(`dev_write_raw_memory',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type device_t, memory_device_t;
+ attribute memory_raw_write;
+ class dir r_dir_perms;
+ class chr_file write;
+ class capability sys_rawio;
+ ')
allow $1 device_t:dir r_dir_perms;
allow $1 memory_device_t:chr_file write;
@@ -809,14 +740,6 @@ define(`dev_write_raw_memory',`
typeattribute $1 memory_raw_write;
')
-define(`dev_write_raw_memory_depend',`
- type device_t, memory_device_t;
- attribute memory_raw_write;
- class dir r_dir_perms;
- class chr_file write;
- class capability sys_rawio;
-')
-
########################################
## <interface name="dev_rx_raw_memory">
## <summary>
@@ -828,18 +751,15 @@ define(`dev_write_raw_memory_depend',`
## </interface>
#
define(`dev_rx_raw_memory',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type device_t, memory_device_t;
+ class chr_file execute;
+ ')
dev_read_raw_memory($1)
allow $1 memory_device_t:chr_file execute;
')
-define(`dev_rx_raw_memory_depend',`
- type device_t, memory_device_t;
-
- class chr_file execute;
-')
-
########################################
## <interface name="dev_wx_raw_memory">
## <summary>
@@ -851,18 +771,15 @@ define(`dev_rx_raw_memory_depend',`
## </interface>
#
define(`dev_wx_raw_memory',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type device_t, memory_device_t;
+ class chr_file execute;
+ ')
dev_write_raw_memory($1)
allow $1 memory_device_t:chr_file execute;
')
-define(`dev_wx_raw_memory_depend',`
- type device_t, memory_device_t;
-
- class chr_file execute;
-')
-
########################################
## <interface name="dev_read_rand">
## <summary>
@@ -874,19 +791,16 @@ define(`dev_wx_raw_memory_depend',`
## </interface>
#
define(`dev_read_rand',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type device_t, random_device_t;
+ class dir r_dir_perms;
+ class chr_file r_file_perms;
+ ')
allow $1 device_t:dir r_dir_perms;
allow $1 random_device_t:chr_file r_file_perms;
')
-define(`dev_read_rand_depend',`
- type device_t, random_device_t;
-
- class dir r_dir_perms;
- class chr_file r_file_perms;
-')
-
########################################
## <interface name="dev_read_urand">
## <summary>
@@ -898,19 +812,16 @@ define(`dev_read_rand_depend',`
## </interface>
#
define(`dev_read_urand',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type device_t, urandom_device_t;
+ class dir r_dir_perms;
+ class chr_file r_file_perms;
+ ')
allow $1 device_t:dir r_dir_perms;
allow $1 urandom_device_t:chr_file r_file_perms;
')
-define(`dev_read_urand_depend',`
- type device_t, urandom_device_t;
-
- class dir r_dir_perms;
- class chr_file r_file_perms;
-')
-
########################################
## <interface name="dev_write_rand">
## <summary>
@@ -924,19 +835,16 @@ define(`dev_read_urand_depend',`
## </interface>
#
define(`dev_write_rand',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type device_t, random_device_t;
+ class dir r_dir_perms;
+ class chr_file { getattr write ioctl };
+ ')
allow $1 device_t:dir r_dir_perms;
allow $1 random_device_t:chr_file { getattr write ioctl };
')
-define(`dev_write_rand_depend',`
- type device_t, random_device_t;
-
- class dir r_dir_perms;
- class chr_file { getattr write ioctl };
-')
-
########################################
## <interface name="dev_write_urand">
## <summary>
@@ -949,19 +857,16 @@ define(`dev_write_rand_depend',`
## </interface>
#
define(`dev_write_urand',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type device_t, urandom_device_t;
+ class dir r_dir_perms;
+ class chr_file { getattr write ioctl };
+ ')
allow $1 device_t:dir r_dir_perms;
allow $1 urandom_device_t:chr_file { getattr write ioctl };
')
-define(`dev_write_urand_depend',`
- type device_t, urandom_device_t;
-
- class dir r_dir_perms;
- class chr_file { getattr write ioctl };
-')
-
########################################
## <interface name="dev_rw_null_dev">
## <summary>
@@ -973,19 +878,16 @@ define(`dev_write_urand_depend',`
## </interface>
#
define(`dev_rw_null_dev',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type device_t, null_device_t;
+ class device_t:dir r_dir_perms;
+ class chr_file rw_file_perms;
+ ')
allow $1 device_t:dir r_dir_perms;
allow $1 null_device_t:chr_file rw_file_perms;
')
-define(`dev_rw_null_dev_depend',`
- type device_t, null_device_t;
-
- class device_t:dir r_dir_perms;
- class chr_file rw_file_perms;
-')
-
########################################
## <interface name="dev_rw_zero_dev">
## <summary>
@@ -997,19 +899,16 @@ define(`dev_rw_null_dev_depend',`
## </interface>
#
define(`dev_rw_zero_dev',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type device_t, zero_device_t;
+ class device_t:dir r_dir_perms;
+ class chr_file r_file_perms;
+ ')
allow $1 device_t:dir r_dir_perms;
allow $1 zero_device_t:chr_file rw_file_perms;
')
-define(`dev_rw_zero_dev_depend',`
- type device_t, zero_device_t;
-
- class device_t:dir r_dir_perms;
- class chr_file r_file_perms;
-')
-
########################################
## <interface name="dev_rwx_zero_dev">
## <summary>
@@ -1021,18 +920,15 @@ define(`dev_rw_zero_dev_depend',`
## </interface>
#
define(`dev_rwx_zero_dev',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type zero_device_t;
+ class chr_file execute;
+ ')
dev_rw_zero_dev($1)
allow $1 zero_device_t:chr_file execute;
')
-define(`dev_rwx_zero_dev_depend',`
- type zero_device_t;
-
- class chr_file execute;
-')
-
########################################
## <interface name="dev_read_realtime_clock">
## <summary>
@@ -1044,18 +940,16 @@ define(`dev_rwx_zero_dev_depend',`
## </interface>
#
define(`dev_read_realtime_clock',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type device_t, clock_device_t;
+ class dir r_dir_perms;
+ class chr_file r_file_perms;
+ ')
allow $1 device_t:dir r_dir_perms;
allow $1 clock_device_t:chr_file r_file_perms;
')
-define(`dev_read_realtime_clock_depend',`
-type device_t, clock_device_t;
-class dir r_dir_perms;
-class chr_file r_file_perms;
-')
-
########################################
## <interface name="dev_write_realtime_clock">
## <summary>
@@ -1067,19 +961,16 @@ class chr_file r_file_perms;
## </interface>
#
define(`dev_write_realtime_clock',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type device_t, clock_device_t;
+ class dir r_dir_perms;
+ class chr_file { setattr lock write append ioctl };
+ ')
allow $1 device_t:dir r_dir_perms;
allow $1 clock_device_t:chr_file { setattr lock write append ioctl };
')
-define(`dev_write_realtime_clock_depend',`
- type device_t, clock_device_t;
-
- class dir r_dir_perms;
- class chr_file { setattr lock write append ioctl };
-')
-
########################################
## <interface name="dev_rw_realtime_clock">
## <summary>
@@ -1232,19 +1123,16 @@ define(`dev_write_snd_mixer_dev',`
## </interface>
#
define(`dev_rw_agp_dev',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type device_t, agp_device_t;
+ class dir r_dir_perms;
+ class chr_file rw_file_perms;
+ ')
allow $1 device_t:dir r_dir_perms;
allow $1 agp_device_t:chr_file rw_file_perms;
')
-define(`dev_rw_agp_dev_depend',`
- type device_t, agp_device_t;
-
- class dir r_dir_perms;
- class chr_file rw_file_perms;
-')
-
########################################
## <interface name="dev_getattr_agp_dev">
## <summary>
@@ -1256,19 +1144,16 @@ define(`dev_rw_agp_dev_depend',`
## </interface>
#
define(`dev_getattr_agp_dev',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type device_t, dri_device_t;
+ class dir r_dir_perms;
+ class chr_file getattr;
+ ')
allow $1 device_t:dir r_dir_perms;
allow $1 dri_device_t:chr_file getattr;
')
-define(`dev_getattr_agp_dev_depend',`
- type device_t, dri_device_t;
-
- class dir r_dir_perms;
- class chr_file getattr;
-')
-
########################################
## <interface name="dev_rw_dri_dev">
## <summary>
@@ -1280,19 +1165,16 @@ define(`dev_getattr_agp_dev_depend',`
## </interface>
#
define(`dev_rw_dri_dev',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type device_t, dri_device_t;
+ class dir r_dir_perms;
+ class chr_file rw_file_perms;
+ ')
allow $1 device_t:dir r_dir_perms;
allow $1 dri_device_t:chr_file rw_file_perms;
')
-define(`dev_rw_dri_dev_depend',`
- type device_t, dri_device_t;
-
- class dir r_dir_perms;
- class chr_file rw_file_perms;
-')
-
########################################
## <interface name="dev_dontaudit_rw_dri_dev">
## <summary>
@@ -1304,17 +1186,14 @@ define(`dev_rw_dri_dev_depend',`
## </interface>
#
define(`dev_dontaudit_rw_dri_dev',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type dri_device_t;
+ class chr_file { getattr read write ioctl };
+ ')
dontaudit $1 dri_device_t:chr_file { getattr read write ioctl };
')
-define(`dev_dontaudit_rw_dri_dev_depend',`
- type dri_device_t;
-
- class chr_file { getattr read write ioctl };
-')
-
########################################
## <interface name="dev_read_mtrr">
## <summary>
@@ -1326,19 +1205,16 @@ define(`dev_dontaudit_rw_dri_dev_depend',`
## </interface>
#
define(`dev_read_mtrr',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type device_t, mtrr_device_t;
+ class dir r_dir_perms;
+ class chr_file r_file_perms;
+ ')
allow $1 device_t:dir r_dir_perms;
allow $1 mtrr_device_t:chr_file r_file_perms;
')
-define(`dev_read_mtrr_depend',`
- type device_t, mtrr_device_t;
-
- class dir r_dir_perms;
- class chr_file r_file_perms;
-')
-
########################################
## <interface name="dev_write_mtrr">
## <summary>
@@ -1350,19 +1226,16 @@ define(`dev_read_mtrr_depend',`
## </interface>
#
define(`dev_write_mtrr',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type device_t, mtrr_device_t;
+ class dir r_dir_perms;
+ class chr_file { getattr write ioctl };
+ ')
allow $1 device_t:dir r_dir_perms;
allow $1 mtrr_device_t:chr_file { getattr write ioctl };
')
-define(`dev_write_mtrr_depend',`
- type device_t, mtrr_device_t;
-
- class dir r_dir_perms;
- class chr_file { getattr write ioctl };
-')
-
########################################
## <interface name="dev_getattr_framebuffer">
## <summary>
@@ -1458,19 +1331,16 @@ define(`dev_write_framebuffer',`
## </interface>
#
define(`dev_read_lvm_control',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type device_t, lvm_control_t;
+ class dir r_dir_perms;
+ class chr_file r_file_perms;
+ ')
allow $1 device_t:dir r_dir_perms;
allow $1 lvm_control_t:chr_file r_file_perms;
')
-define(`dev_read_lvm_control_depend',`
- type device_t, lvm_control_t;
-
- class dir r_dir_perms;
- class chr_file r_file_perms;
-')
-
########################################
## <interface name="dev_rw_lvm_control">
## <summary>
@@ -1482,19 +1352,16 @@ define(`dev_read_lvm_control_depend',`
## </interface>
#
define(`dev_rw_lvm_control',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type device_t, lvm_control_t;
+ class dir r_dir_perms;
+ class chr_file rw_file_perms;
+ ')
allow $1 device_t:dir r_dir_perms;
allow $1 lvm_control_t:chr_file rw_file_perms;
')
-define(`dev_rw_lvm_control_depend',`
- type device_t, lvm_control_t;
-
- class dir r_dir_perms;
- class chr_file rw_file_perms;
-')
-
########################################
## <interface name="dev_delete_lvm_control">
## <summary>
@@ -1506,19 +1373,16 @@ define(`dev_rw_lvm_control_depend',`
## </interface>
#
define(`dev_delete_lvm_control',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type device_t, lvm_control_t;
+ class dir { getattr search read write remove_name };
+ class chr_file unlink;
+ ')
allow $1 device_t:dir { getattr search read write remove_name };
allow $1 lvm_control_t:chr_file unlink;
')
-define(`dev_delete_lvm_control_depend',`
- type device_t, lvm_control_t;
-
- class dir { getattr search read write remove_name };
- class chr_file unlink;
-')
-
########################################
## <interface name="dev_getattr_misc">
## <summary>
@@ -1717,19 +1581,16 @@ define(`dev_read_mouse',`
## </interface>
#
define(`dev_read_input',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type device_t, event_device_t;
+ class dir r_dir_perms;
+ class chr_file r_file_perms;
+ ')
allow $1 device_t:dir r_dir_perms;
allow $1 event_device_t:chr_file r_file_perms;
')
-define(`dev_read_input_depend',`
- type device_t, event_device_t;
-
- class dir r_dir_perms;
- class chr_file r_file_perms;
-')
-
########################################
## <interface name="dev_read_cpuid">
## <summary>
@@ -1741,19 +1602,16 @@ define(`dev_read_input_depend',`
## </interface>
#
define(`dev_read_cpuid',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type device_t, cpu_device_t;
+ class dir r_dir_perms;
+ class chr_file r_file_perms;
+ ')
allow $1 device_t:dir r_dir_perms;
allow $1 cpu_device_t:chr_file r_file_perms;
')
-define(`dev_read_cpuid_depend',`
- type device_t, cpu_device_t;
-
- class dir r_dir_perms;
- class chr_file r_file_perms;
-')
-
########################################
## <interface name="dev_rw_cpu_microcode">
## <summary>
diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if
index 4528dc4..8bdc175 100644
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@@ -12,15 +12,13 @@
## </interface>
#
define(`fs_make_fs',`
- gen_require(`$0'_depend)
+ gen_require(`
+ attribute fs_type;
+ ')
typeattribute $1 fs_type;
')
-define(`fs_make_fs_depend',`
- attribute fs_type;
-')
-
########################################
## <interface name="fs_make_noxattr_fs">
## <description>
@@ -34,17 +32,15 @@ define(`fs_make_fs_depend',`
## </interface>
#
define(`fs_make_noxattr_fs',`
- gen_require(`$0'_depend)
+ gen_require(`
+ attribute noxattrfs;
+ ')
fs_make_fs($1)
typeattribute $1 noxattrfs;
')
-define(`fs_make_noxattr_fs_depend',`
- attribute noxattrfs;
-')
-
########################################
## <interface name="fs_associate">
## <description>
@@ -59,17 +55,14 @@ define(`fs_make_noxattr_fs_depend',`
## </interface>
#
define(`fs_associate',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type fs_t;
+ class filesystem associate;
+ ')
allow $1 fs_t:filesystem associate;
')
-define(`fs_associate_depend',`
- type fs_t;
-
- class filesystem associate;
-')
-
########################################
## <interface name="fs_associate_noxattr">
## <description>
@@ -85,17 +78,14 @@ define(`fs_associate_depend',`
## </interface>
#
define(`fs_associate_noxattr',`
- gen_require(`$0'_depend)
+ gen_require(`
+ attribute noxattrfs;
+ class filesystem associate;
+ ')
allow $1 noxattrfs:filesystem associate;
')
-define(`fs_associate_noxattr_depend',`
- attribute noxattrfs;
-
- class filesystem associate;
-')
-
########################################
## <interface name="fs_mount_xattr_fs">
## <description>
@@ -109,17 +99,14 @@ define(`fs_associate_noxattr_depend',`
## </interface>
#
define(`fs_mount_xattr_fs',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type fs_t;
+ class filesystem mount;
+ ')
allow $1 fs_t:filesystem mount;
')
-define(`fs_mount_xattr_fs_depend',`
- type fs_t;
-
- class filesystem mount;
-')
-
########################################
## <interface name="fs_remount_xattr_fs">
## <description>
@@ -134,17 +121,14 @@ define(`fs_mount_xattr_fs_depend',`
## </interface>
#
define(`fs_remount_xattr_fs',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type fs_t;
+ class filesystem remount;
+ ')
allow $1 fs_t:filesystem remount;
')
-define(`fs_remount_xattr_fs_depend',`
- type fs_t;
-
- class filesystem remount;
-')
-
########################################
## <interface name="fs_unmount_xattr_fs">
## <description>
@@ -158,17 +142,14 @@ define(`fs_remount_xattr_fs_depend',`
## </interface>
#
define(`fs_unmount_xattr_fs',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type fs_t;
+ class filesystem unmount;
+ ')
allow $1 fs_t:filesystem mount;
')
-define(`fs_unmount_xattr_fs_depend',`
- type fs_t;
-
- class filesystem unmount;
-')
-
########################################
## <interface name="fs_getattr_xattr_fs">
## <description>
@@ -183,17 +164,14 @@ define(`fs_unmount_xattr_fs_depend',`
## </interface>
#
define(`fs_getattr_xattr_fs',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type fs_t;
+ class filesystem getattr;
+ ')
allow $1 fs_t:filesystem getattr;
')
-define(`fs_getattr_xattr_fs_depend',`
- type fs_t;
-
- class filesystem getattr;
-')
-
########################################
## <interface name="fs_dontaudit_getattr_xattr_fs">
## <description>
@@ -208,17 +186,14 @@ define(`fs_getattr_xattr_fs_depend',`
## </interface>
#
define(`fs_dontaudit_getattr_xattr_fs',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type fs_t;
+ class filesystem getattr;
+ ')
dontaudit $1 fs_t:filesystem getattr;
')
-define(`fs_dontaudit_getattr_xattr_fs_depend',`
- type fs_t;
-
- class filesystem getattr;
-')
-
########################################
## <interface name="fs_relabelfrom_xattr_fs">
## <description>
@@ -232,17 +207,14 @@ define(`fs_dontaudit_getattr_xattr_fs_depend',`
## </interface>
#
define(`fs_relabelfrom_xattr_fs',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type fs_t;
+ class filesystem relabelfrom;
+ ')
allow $1 fs_t:filesystem relabelfrom;
')
-define(`fs_relabelfrom_xattr_fs_depend',`
- type fs_t;
-
- class filesystem relabelfrom;
-')
-
########################################
## <interface name="fs_mount_autofs">
## <description>
@@ -254,16 +226,14 @@ define(`fs_relabelfrom_xattr_fs_depend',`
## </interface>
#
define(`fs_mount_autofs',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type autofs_t;
+ class filesystem mount;
+ ')
allow $1 autofs_t:filesystem mount;
')
-define(`fs_mount_autofs_depend',`
- type autofs_t;
- class filesystem mount;
-')
-
########################################
## <interface name="fs_remount_autofs">
@@ -277,17 +247,14 @@ define(`fs_mount_autofs_depend',`
## </interface>
#
define(`fs_remount_autofs',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type autofs_t;
+ class filesystem remount;
+ ')
allow $1 autofs_t:filesystem remount;
')
-define(`fs_remount_autofs_depend',`
- type autofs_t;
-
- class filesystem remount;
-')
-
########################################
## <interface name="fs_unmount_autofs">
## <description>
@@ -299,17 +266,14 @@ define(`fs_remount_autofs_depend',`
## </interface>
#
define(`fs_unmount_autofs',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type autofs_t;
+ class filesystem unmount;
+ ')
allow $1 autofs_t:filesystem mount;
')
-define(`fs_unmount_autofs_depend',`
- type autofs_t;
-
- class filesystem unmount;
-')
-
########################################
## <interface name="fs_getattr_autofs">
## <description>
@@ -323,17 +287,14 @@ define(`fs_unmount_autofs_depend',`
## </interface>
#
define(`fs_getattr_autofs',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type autofs_t;
+ class filesystem getattr;
+ ')
allow $1 autofs_t:filesystem getattr;
')
-define(`fs_getattr_autofs_depend',`
- type autofs_t;
-
- class filesystem getattr;
-')
-
########################################
## <interface name="fs_register_binary_executable_type">
## <description>
@@ -352,19 +313,16 @@ define(`fs_getattr_autofs_depend',`
## </interface>
#
define(`fs_register_binary_executable_type',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type binfmt_misc_fs_t;
+ class dir { getattr search };
+ class file { getattr ioctl write };
+ ')
allow $1 binfmt_misc_fs_t:dir { getattr search };
allow $1 binfmt_misc_fs_t:file { getattr ioctl write };
')
-define(`fs_register_binary_executable_type_depend',`
- type binfmt_misc_fs_t;
-
- class dir { getattr search };
- class file { getattr ioctl write };
-')
-
########################################
## <interface name="fs_mount_cifs">
## <description>
@@ -376,17 +334,14 @@ define(`fs_register_binary_executable_type_depend',`
## </interface>
#
define(`fs_mount_cifs',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type cifs_t;
+ class filesystem mount;
+ ')
allow $1 cifs_t:filesystem mount;
')
-define(`fs_mount_cifs_depend',`
- type cifs_t;
-
- class filesystem mount;
-')
-
########################################
## <interface name="fs_remount_cifs">
## <description>
@@ -522,19 +477,15 @@ define(`fs_read_cifs_symlinks',`
## </interface>
#
define(`fs_execute_cifs_files',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type cifs_t;
+ class dir r_dir_perms;
+ ')
allow $1 cifs_t:dir r_dir_perms;
can_exec($1, cifs_t)
')
-define(`fs_execute_cifs_files_depend',`
- type cifs_t;
-
- class dir r_dir_perms;
- class file { getattr read execute execute_no_trans };
-')
-
########################################
## <interface name="fs_dontaudit_rw_cifs_files">
## <description>
@@ -567,17 +518,14 @@ define(`fs_read_cifs_files',`
## </interface>
#
define(`fs_manage_cifs_dirs',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type cifs_t;
+ class dir create_dir_perms;
+ ')
allow $1 cifs_t:dir create_file_perms;
')
-define(`fs_manage_cifs_dirs_depend',`
- type cifs_t;
-
- class dir create_file_perms;
-')
-
########################################
## <interface name="fs_manage_cifs_files">
## <description>
@@ -590,19 +538,16 @@ define(`fs_manage_cifs_dirs_depend',`
## </interface>
#
define(`fs_manage_cifs_files',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type cifs_t;
+ class dir rw_dir_perms;
+ class file create_file_perms;
+ ')
allow $1 cifs_t:dir rw_dir_perms;
allow $1 cifs_t:file create_file_perms;
')
-define(`fs_manage_cifs_files_depend',`
- type cifs_t;
-
- class dir rw_dir_perms;
- class file create_file_perms;
-')
-
########################################
## <interface name="fs_manage_cifs_symlinks">
## <description>
@@ -615,19 +560,16 @@ define(`fs_manage_cifs_files_depend',`
## </interface>
#
define(`fs_manage_cifs_symlinks',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type cifs_t;
+ class dir rw_dir_perms;
+ class lnk_file create_lnk_perms;
+ ')
allow $1 cifs_t:dir rw_dir_perms;
allow $1 cifs_t:lnk_file create_lnk_perms;
')
-define(`fs_manage_cifs_symlinks_depend',`
- type cifs_t;
-
- class dir rw_dir_perms;
- class lnk_file create_lnk_perms;
-')
-
########################################
## <interface name="fs_manage_cifs_named_pipes">
## <description>
@@ -640,19 +582,16 @@ define(`fs_manage_cifs_symlinks_depend',`
## </interface>
#
define(`fs_manage_cifs_named_pipes',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type cifs_t;
+ class dir rw_dir_perms;
+ class fifo_file create_file_perms;
+ ')
allow $1 cifs_t:dir rw_dir_perms;
allow $1 cifs_t:fifo_file create_file_perms;
')
-define(`fs_manage_cifs_named_pipes_depend',`
- type cifs_t;
-
- class dir rw_dir_perms;
- class fifo_file create_file_perms;
-')
-
########################################
## <interface name="fs_manage_cifs_named_sockets">
## <description>
@@ -665,19 +604,16 @@ define(`fs_manage_cifs_named_pipes_depend',`
## </interface>
#
define(`fs_manage_cifs_named_sockets',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type cifs_t;
+ class dir rw_dir_perms;
+ class sock_file create_file_perms;
+ ')
allow $1 cifs_t:dir rw_file_perms;
allow $1 cifs_t:sock_file create_file_perms;
')
-define(`fs_manage_cifs_named_sockets_depend',`
- type cifs_t;
-
- class dir rw_dir_perms;
- class sock_file create_file_perms;
-')
-
########################################
## <interface name="fs_mount_dos_fs">
## <description>
@@ -690,17 +626,14 @@ define(`fs_manage_cifs_named_sockets_depend',`
## </interface>
#
define(`fs_mount_dos_fs',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type dosfs_t;
+ class filesystem mount;
+ ')
allow $1 dosfs_t:filesystem mount;
')
-define(`fs_mount_dos_fs_depend',`
- type dosfs_t;
-
- class filesystem mount;
-')
-
########################################
## <interface name="fs_remount_dos_fs">
## <description>
@@ -714,17 +647,14 @@ define(`fs_mount_dos_fs_depend',`
## </interface>
#
define(`fs_remount_dos_fs',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type dosfs_t;
+ class filesystem remount;
+ ')
allow $1 dosfs_t:filesystem remount;
')
-define(`fs_remount_dos_fs_depend',`
- type dosfs_t;
-
- class filesystem remount;
-')
-
########################################
## <interface name="fs_unmount_dos_fs">
## <description>
@@ -737,17 +667,14 @@ define(`fs_remount_dos_fs_depend',`
## </interface>
#
define(`fs_unmount_dos_fs',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type dosfs_t;
+ class filesystem unmount;
+ ')
allow $1 dosfs_t:filesystem mount;
')
-define(`fs_unmount_dos_fs_depend',`
- type dosfs_t;
-
- class filesystem unmount;
-')
-
########################################
## <interface name="fs_getattr_dos_fs">
## <description>
@@ -761,17 +688,14 @@ define(`fs_unmount_dos_fs_depend',`
## </interface>
#
define(`fs_getattr_dos_fs',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type dosfs_t;
+ class filesystem getattr;
+ ')
allow $1 dosfs_t:filesystem getattr;
')
-define(`fs_getattr_dos_fs_depend',`
- type dosfs_t;
-
- class filesystem getattr;
-')
-
########################################
## <interface name="fs_relabelfrom_dos_fs">
## <description>
@@ -784,17 +708,14 @@ define(`fs_getattr_dos_fs_depend',`
## </interface>
#
define(`fs_relabelfrom_dos_fs',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type dosfs_t;
+ class filesystem relabelfrom;
+ ')
allow $1 dosfs_t:filesystem relabelfrom;
')
-define(`fs_relabelfrom_dos_fs_depend',`
- type dosfs_t;
-
- class filesystem relabelfrom;
-')
-
########################################
## <interface name="fs_mount_iso9660_fs">
## <description>
@@ -807,17 +728,14 @@ define(`fs_relabelfrom_dos_fs_depend',`
## </interface>
#
define(`fs_mount_iso9660_fs',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type iso9660_t;
+ class filesystem mount;
+ ')
allow $1 iso9660_t:filesystem mount;
')
-define(`fs_mount_iso9660_fs_depend',`
- type iso9660_t;
-
- class filesystem mount;
-')
-
########################################
## <interface name="fs_remount_iso9660_fs">
## <description>
@@ -831,17 +749,14 @@ define(`fs_mount_iso9660_fs_depend',`
## </interface>
#
define(`fs_remount_iso9660_fs',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type iso9660_t;
+ class filesystem remount;
+ ')
allow $1 iso9660_t:filesystem remount;
')
-define(`fs_remount_iso9660_fs_depend',`
- type iso9660_t;
-
- class filesystem remount;
-')
-
########################################
## <interface name="fs_unmount_iso9660_fs">
## <description>
@@ -854,17 +769,14 @@ define(`fs_remount_iso9660_fs_depend',`
## </interface>
#
define(`fs_unmount_iso9660_fs',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type iso9660_t;
+ class filesystem unmount;
+ ')
allow $1 iso9660_t:filesystem mount;
')
-define(`fs_unmount_iso9660_fs_depend',`
- type iso9660_t;
-
- class filesystem unmount;
-')
-
########################################
## <interface name="fs_mount_iso9660_fs">
## <description>
@@ -878,17 +790,14 @@ define(`fs_unmount_iso9660_fs_depend',`
## </interface>
#
define(`fs_getattr_iso9660_fs',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type iso9660_t;
+ class filesystem getattr;
+ ')
allow $1 iso9660_t:filesystem getattr;
')
-define(`fs_getattr_iso9660_fs_depend',`
- type iso9660_t;
-
- class filesystem getattr;
-')
-
########################################
## <interface name="fs_mount_nfs">
## <description>
@@ -900,17 +809,14 @@ define(`fs_getattr_iso9660_fs_depend',`
## </interface>
#
define(`fs_mount_nfs',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type nfs_t;
+ class filesystem mount;
+ ')
allow $1 nfs_t:filesystem mount;
')
-define(`fs_mount_nfs_depend',`
- type nfs_t;
-
- class filesystem mount;
-')
-
########################################
## <interface name="fs_remount_nfs">
## <description>
@@ -923,17 +829,14 @@ define(`fs_mount_nfs_depend',`
## </interface>
#
define(`fs_remount_nfs',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type nfs_t;
+ class filesystem remount;
+ ')
allow $1 nfs_t:filesystem remount;
')
-define(`fs_remount_nfs_depend',`
- type nfs_t;
-
- class filesystem remount;
-')
-
########################################
## <interface name="fs_mount_nfs">
## <description>
@@ -945,17 +848,14 @@ define(`fs_remount_nfs_depend',`
## </interface>
#
define(`fs_unmount_nfs',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type nfs_t;
+ class filesystem unmount;
+ ')
allow $1 nfs_t:filesystem mount;
')
-define(`fs_unmount_nfs_depend',`
- type nfs_t;
-
- class filesystem unmount;
-')
-
########################################
## <interface name="fs_getattr_nfs">
## <description>
@@ -968,17 +868,14 @@ define(`fs_unmount_nfs_depend',`
## </interface>
#
define(`fs_getattr_nfs',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type nfs_t;
+ class filesystem getattr;
+ ')
allow $1 nfs_t:filesystem getattr;
')
-define(`fs_getattr_nfs_depend',`
- type nfs_t;
-
- class filesystem getattr;
-')
-
########################################
## <interface name="fs_read_nfs_files">
## <description>
@@ -1073,17 +970,14 @@ define(`fs_read_nfs_symlinks',`
## </interface>
#
define(`fs_manage_nfs_dirs',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type nfs_t;
+ class dir create_dir_perms;
+ ')
allow $1 nfs_t:dir create_dir_perms;
')
-define(`fs_manage_nfs_dirs_depend',`
- type nfs_t;
-
- class dir create_dir_perms;
-')
-
########################################
## <interface name="fs_manage_nfs_files">
## <description>
@@ -1096,19 +990,16 @@ define(`fs_manage_nfs_dirs_depend',`
## </interface>
#
define(`fs_manage_nfs_files',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type nfs_t;
+ class dir rw_dir_perms;
+ class file create_file_perms;
+ ')
allow $1 nfs_t:dir rw_dir_perms;
allow $1 nfs_t:file create_file_perms;
')
-define(`fs_manage_nfs_files_depend',`
- type nfs_t;
-
- class dir rw_dir_perms;
- class file create_file_perms;
-')
-
#########################################
## <interface name="fs_manage_nfs_symlinks">
## <description>
@@ -1143,19 +1034,16 @@ define(`fs_manage_nfs_symlinks',`
## </interface>
#
define(`fs_manage_nfs_named_pipes',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type nfs_t;
+ class dir rw_dir_perms;
+ class fifo_file create_file_perms;
+ ')
allow $1 nfs_t:dir rw_dir_perms;
allow $1 nfs_t:fifo_file create_file_perms;
')
-define(`fs_manage_nfs_named_pipes_depend',`
- type nfs_t;
-
- class dir rw_dir_perms;
- class fifo_file create_file_perms;
-')
-
#########################################
## <interface name="fs_manage_nfs_named_sockets">
## <description>
@@ -1168,19 +1056,16 @@ define(`fs_manage_nfs_named_pipes_depend',`
## </interface>
#
define(`fs_manage_nfs_named_sockets',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type nfs_t;
+ class dir rw_dir_perms;
+ class sock_file create_file_perms;
+ ')
allow $1 nfs_t:dir rw_dir_perms;
allow $1 nfs_t:sock_file create_file_perms;
')
-define(`fs_manage_nfs_named_sockets_depend',`
- type nfs_t;
-
- class dir rw_dir_perms;
- class sock_file create_file_perms;
-')
-
########################################
## <interface name="fs_mount_nfsd_fs">
## <description>
@@ -1192,17 +1077,14 @@ define(`fs_manage_nfs_named_sockets_depend',`
## </interface>
#
define(`fs_mount_nfsd_fs',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type nfsd_fs_t;
+ class filesystem mount;
+ ')
allow $1 nfsd_fs_t:filesystem mount;
')
-define(`fs_mount_nfsd_fs_depend',`
- type nfsd_fs_t;
-
- class filesystem mount;
-')
-
########################################
## <interface name="fs_remount_nfsd_fs">
## <description>
@@ -1215,17 +1097,14 @@ define(`fs_mount_nfsd_fs_depend',`
## </interface>
#
define(`fs_remount_nfsd_fs',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type nfsd_fs_t;
+ class filesystem remount;
+ ')
allow $1 nfsd_fs_t:filesystem remount;
')
-define(`fs_remount_nfsd_fs_depend',`
- type nfsd_fs_t;
-
- class filesystem remount;
-')
-
########################################
## <interface name="fs_unmount_nfsd_fs">
## <description>
@@ -1237,17 +1116,14 @@ define(`fs_remount_nfsd_fs_depend',`
## </interface>
#
define(`fs_unmount_nfsd_fs',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type nfsd_fs_t;
+ class filesystem unmount;
+ ')
allow $1 nfsd_fs_t:filesystem mount;
')
-define(`fs_unmount_nfsd_fs_depend',`
- type nfsd_fs_t;
-
- class filesystem unmount;
-')
-
########################################
## <interface name="fs_getattr_nfsd_fs">
## <description>
@@ -1261,17 +1137,14 @@ define(`fs_unmount_nfsd_fs_depend',`
## </interface>
#
define(`fs_getattr_nfsd_fs',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type nfsd_fs_t;
+ class filesystem getattr;
+ ')
allow $1 nfsd_fs_t:filesystem getattr;
')
-define(`fs_getattr_nfsd_fs_depend',`
- type nfsd_fs_t;
-
- class filesystem getattr;
-')
-
########################################
## <interface name="fs_mount_ramfs">
## <description>
@@ -1283,17 +1156,14 @@ define(`fs_getattr_nfsd_fs_depend',`
## </interface>
#
define(`fs_mount_ramfs',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type ramfs_t;
+ class filesystem mount;
+ ')
allow $1 ramfs_t:filesystem mount;
')
-define(`fs_mount_ramfs_depend',`
- type ramfs_t;
-
- class filesystem mount;
-')
-
########################################
## <interface name="fs_remount_ramfs">
## <description>
@@ -1306,17 +1176,14 @@ define(`fs_mount_ramfs_depend',`
## </interface>
#
define(`fs_remount_ramfs',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type ramfs_t;
+ class filesystem remount;
+ ')
allow $1 ramfs_t:filesystem remount;
')
-define(`fs_remount_ramfs_depend',`
- type ramfs_t;
-
- class filesystem remount;
-')
-
########################################
## <interface name="fs_unmount_ramfs">
## <description>
@@ -1328,17 +1195,14 @@ define(`fs_remount_ramfs_depend',`
## </interface>
#
define(`fs_unmount_ramfs',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type ramfs_t;
+ class filesystem unmount;
+ ')
allow $1 ramfs_t:filesystem mount;
')
-define(`fs_unmount_ramfs_depend',`
- type ramfs_t;
-
- class filesystem unmount;
-')
-
########################################
## <interface name="fs_getattr_ramfs">
## <description>
@@ -1351,17 +1215,14 @@ define(`fs_unmount_ramfs_depend',`
## </interface>
#
define(`fs_getattr_ramfs',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type ramfs_t;
+ class filesystem getattr;
+ ')
allow $1 ramfs_t:filesystem getattr;
')
-define(`fs_getattr_ramfs_depend',`
- type ramfs_t;
-
- class filesystem getattr;
-')
-
########################################
## <interface name="fs_mount_romfs">
## <description>
@@ -1373,17 +1234,14 @@ define(`fs_getattr_ramfs_depend',`
## </interface>
#
define(`fs_mount_romfs',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type romfs_t;
+ class filesystem mount;
+ ')
allow $1 romfs_t:filesystem mount;
')
-define(`fs_mount_romfs_depend',`
- type romfs_t;
-
- class filesystem mount;
-')
-
########################################
## <interface name="fs_remount_romfs">
## <description>
@@ -1396,17 +1254,14 @@ define(`fs_mount_romfs_depend',`
## </interface>
#
define(`fs_remount_romfs',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type romfs_t;
+ class filesystem remount;
+ ')
allow $1 romfs_t:filesystem remount;
')
-define(`fs_remount_romfs_depend',`
- type romfs_t;
-
- class filesystem remount;
-')
-
########################################
## <interface name="fs_unmount_romfs">
## <description>
@@ -1418,17 +1273,14 @@ define(`fs_remount_romfs_depend',`
## </interface>
#
define(`fs_unmount_romfs',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type romfs_t;
+ class filesystem unmount;
+ ')
allow $1 romfs_t:filesystem mount;
')
-define(`fs_unmount_romfs_depend',`
- type romfs_t;
-
- class filesystem unmount;
-')
-
########################################
## <interface name="fs_getattr_romfs">
## <description>
@@ -1442,17 +1294,14 @@ define(`fs_unmount_romfs_depend',`
## </interface>
#
define(`fs_getattr_romfs',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type romfs_t;
+ class filesystem getattr;
+ ')
allow $1 romfs_t:filesystem getattr;
')
-define(`fs_getattr_romfs_depend',`
- type romfs_t;
-
- class filesystem getattr;
-')
-
########################################
## <interface name="fs_mount_rpc_pipefs">
## <description>
@@ -1464,17 +1313,14 @@ define(`fs_getattr_romfs_depend',`
## </interface>
#
define(`fs_mount_rpc_pipefs',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type rpc_pipefs_t;
+ class filesystem mount;
+ ')
allow $1 rpc_pipefs_t:filesystem mount;
')
-define(`fs_mount_rpc_pipefs_depend',`
- type rpc_pipefs_t;
-
- class filesystem mount;
-')
-
########################################
## <interface name="fs_remount_rpc_pipefs">
## <description>
@@ -1487,17 +1333,14 @@ define(`fs_mount_rpc_pipefs_depend',`
## </interface>
#
define(`fs_remount_rpc_pipefs',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type rpc_pipefs_t;
+ class filesystem remount;
+ ')
allow $1 rpc_pipefs_t:filesystem remount;
')
-define(`fs_remount_rpc_pipefs_depend',`
- type rpc_pipefs_t;
-
- class filesystem remount;
-')
-
########################################
## <interface name="fs_unmount_rpc_pipefs">
## <description>
@@ -1509,17 +1352,14 @@ define(`fs_remount_rpc_pipefs_depend',`
## </interface>
#
define(`fs_unmount_rpc_pipefs',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type rpc_pipefs_t;
+ class filesystem unmount;
+ ')
allow $1 rpc_pipefs_t:filesystem mount;
')
-define(`fs_unmount_rpc_pipefs_depend',`
- type rpc_pipefs_t;
-
- class filesystem unmount;
-')
-
########################################
## <interface name="fs_getattr_rpc_pipefs">
## <description>
@@ -1533,17 +1373,14 @@ define(`fs_unmount_rpc_pipefs_depend',`
## </interface>
#
define(`fs_getattr_rpc_pipefs',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type rpc_pipefs_t;
+ class filesystem getattr;
+ ')
allow $1 rpc_pipefs_t:filesystem getattr;
')
-define(`fs_getattr_rpc_pipefs_depend',`
- type rpc_pipefs_t;
-
- class filesystem getattr;
-')
-
########################################
## <interface name="fs_mount_tmpfs">
## <description>
@@ -1555,17 +1392,14 @@ define(`fs_getattr_rpc_pipefs_depend',`
## </interface>
#
define(`fs_mount_tmpfs',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type tmpfs_t;
+ class filesystem mount;
+ ')
allow $1 tmpfs_t:filesystem mount;
')
-define(`fs_mount_tmpfs_depend',`
- type tmpfs_t;
-
- class filesystem mount;
-')
-
########################################
## <interface name="fs_remount_tmpfs">
## <description>
@@ -1577,17 +1411,14 @@ define(`fs_mount_tmpfs_depend',`
## </interface>
#
define(`fs_remount_tmpfs',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type tmpfs_t;
+ class filesystem remount;
+ ')
allow $1 tmpfs_t:filesystem remount;
')
-define(`fs_remount_tmpfs_depend',`
- type tmpfs_t;
-
- class filesystem remount;
-')
-
########################################
## <interface name="fs_unmount_tmpfs">
## <description>
@@ -1599,17 +1430,14 @@ define(`fs_remount_tmpfs_depend',`
## </interface>
#
define(`fs_unmount_tmpfs',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type tmpfs_t;
+ class filesystem unmount;
+ ')
allow $1 tmpfs_t:filesystem mount;
')
-define(`fs_unmount_tmpfs_depend',`
- type tmpfs_t;
-
- class filesystem unmount;
-')
-
########################################
## <interface name="fs_getattr_tmpfs">
## <description>
@@ -1623,17 +1451,14 @@ define(`fs_unmount_tmpfs_depend',`
## </interface>
#
define(`fs_getattr_tmpfs',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type tmpfs_t;
+ class filesystem getattr;
+ ')
allow $1 tmpfs_t:filesystem getattr;
')
-define(`fs_getattr_tmpfs_depend',`
- type tmpfs_t;
-
- class filesystem getattr;
-')
-
########################################
## <interface name="fs_associate_tmpfs">
## <description>
@@ -1645,23 +1470,24 @@ define(`fs_getattr_tmpfs_depend',`
## </interface>
#
define(`fs_associate_tmpfs',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type tmpfs_t;
+ class filesystem associate;
+ ')
allow $1 tmpfs_t:filesystem associate;
')
-define(`fs_associate_tmpfs_depend',`
- type tmpfs_t;
-
- class filesystem associate;
-')
-
########################################
#
# fs_create_tmpfs_data(domain,derivedtype,[class])
#
define(`fs_create_tmpfs_data',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type tmpfs_t;
+ class filesystem associate;
+ class dir rw_dir_perms;
+ ')
allow $2 tmpfs_t:filesystem associate;
allow $1 tmpfs_t:dir rw_dir_perms;
@@ -1673,13 +1499,6 @@ define(`fs_create_tmpfs_data',`
')
')
-define(`fs_create_tmpfs_data_depend',`
- type tmpfs_t;
-
- class filesystem associate;
- class dir rw_dir_perms;
-')
-
########################################
## <interface name="fs_use_tmpfs_character_devices">
## <description>
@@ -1691,19 +1510,16 @@ define(`fs_create_tmpfs_data_depend',`
## </interface>
#
define(`fs_use_tmpfs_character_devices',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type tmpfs_t;
+ class dir r_dir_perms;
+ class chr_file rw_file_perms;
+ ')
allow $1 tmpfs_t:dir r_dir_perms;
allow $1 tmpfs_t:chr_file rw_file_perms;
')
-define(`fs_use_tmpfs_character_devices_depend',`
- type tmpfs_t;
-
- class dir r_dir_perms;
- class chr_file rw_file_perms;
-')
-
########################################
## <interface name="fs_relabel_tmpfs_character_devices">
## <description>
@@ -1715,19 +1531,16 @@ define(`fs_use_tmpfs_character_devices_depend',`
## </interface>
#
define(`fs_relabel_tmpfs_character_devices',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type tmpfs_t;
+ class dir r_dir_perms;
+ class chr_file { getattr relabelfrom relabelto };
+ ')
allow $1 tmpfs_t:dir r_dir_perms;
allow $1 tmpfs_t:chr_file { getattr relabelfrom relabelto };
')
-define(`fs_relabel_tmpfs_character_devices_depend',`
- type tmpfs_t;
-
- class dir r_dir_perms;
- class chr_file { getattr relabelfrom relabelto };
-')
-
########################################
## <interface name="fs_use_tmpfs_block_devices">
## <description>
@@ -1739,19 +1552,16 @@ define(`fs_relabel_tmpfs_character_devices_depend',`
## </interface>
#
define(`fs_use_tmpfs_block_devices',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type tmpfs_t;
+ class dir r_dir_perms;
+ class blk_file rw_file_perms;
+ ')
allow $1 tmpfs_t:dir r_dir_perms;
allow $1 tmpfs_t:blk_file rw_file_perms;
')
-define(`fs_use_tmpfs_block_devices_depend',`
- type tmpfs_t;
-
- class dir r_dir_perms;
- class blk_file rw_file_perms;
-')
-
########################################
## <interface name="fs_relabel_tmpfs_block_devices">
## <description>
@@ -1763,19 +1573,16 @@ define(`fs_use_tmpfs_block_devices_depend',`
## </interface>
#
define(`fs_relabel_tmpfs_block_devices',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type tmpfs_t;
+ class dir r_dir_perms;
+ class blk_file { getattr relabelfrom relabelto };
+ ')
allow $1 tmpfs_t:dir r_dir_perms;
allow $1 tmpfs_t:blk_file { getattr relabelfrom relabelto };
')
-define(`fs_use_tmpfs_block_devices_depend',`
- type tmpfs_t;
-
- class dir r_dir_perms;
- class blk_file { getattr relabelfrom relabelto };
-')
-
########################################
## <interface name="fs_manage_tmpfs_character_devices">
## <description>
@@ -1788,19 +1595,16 @@ define(`fs_use_tmpfs_block_devices_depend',`
## </interface>
#
define(`fs_manage_tmpfs_character_devices',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type tmpfs_t;
+ class dir rw_dir_perms;
+ class chr_file create_file_perms;
+ ')
allow $1 tmpfs_t:dir rw_dir_perms;
allow $1 tmpfs_t:chr_file create_file_perms;
')
-define(`fs_manage_tmpfs_character_devices_depend',`
- type tmpfs_t;
-
- class dir rw_dir_perms;
- class chr_file create_file_perms;
-')
-
########################################
## <interface name="fs_manage_tmpfs_block_devices">
## <description>
@@ -1813,19 +1617,16 @@ define(`fs_manage_tmpfs_character_devices_depend',`
## </interface>
#
define(`fs_manage_tmpfs_block_devices',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type tmpfs_t;
+ class dir rw_dir_perms;
+ class blk_file create_file_perms;
+ ')
allow $1 tmpfs_t:dir rw_dir_perms;
allow $1 tmpfs_t:blk_file create_file_perms;
')
-define(`fs_manage_tmpfs_block_devices_depend',`
- type tmpfs_t;
-
- class dir rw_dir_perms;
- class blk_file create_file_perms;
-')
-
########################################
## <interface name="fs_mount_all_fs">
## <description>
@@ -1837,17 +1638,14 @@ define(`fs_manage_tmpfs_block_devices_depend',`
## </interface>
#
define(`fs_mount_all_fs',`
- gen_require(`$0'_depend)
+ gen_require(`
+ attribute fs_type;
+ class filesystem mount;
+ ')
allow $1 fs_type:filesystem mount;
')
-define(`fs_mount_all_fs_depend',`
- attribute fs_type;
-
- class filesystem mount;
-')
-
########################################
## <interface name="fs_remount_all_fs">
## <description>
@@ -1860,17 +1658,14 @@ define(`fs_mount_all_fs_depend',`
## </interface>
#
define(`fs_remount_all_fs',`
- gen_require(`$0'_depend)
+ gen_require(`
+ attribute fs_type;
+ class filesystem remount;
+ ')
allow $1 fs_type:filesystem remount;
')
-define(`fs_remount_all_fs_depend',`
- attribute fs_type;
-
- class filesystem remount;
-')
-
########################################
## <interface name="fs_unmount_all_fs">
## <description>
@@ -1882,17 +1677,14 @@ define(`fs_remount_all_fs_depend',`
## </interface>
#
define(`fs_unmount_all_fs',`
- gen_require(`$0'_depend)
+ gen_require(`
+ attribute fs_type;
+ class filesystem unmount;
+ ')
allow $1 fs_type:filesystem unmount;
')
-define(`fs_mount_all_fs_depend',`
- attribute fs_type;
-
- class filesystem unmount;
-')
-
########################################
## <interface name="fs_getattr_all_fs">
## <description>
@@ -1906,17 +1698,14 @@ define(`fs_mount_all_fs_depend',`
## </interface>
#
define(`fs_getattr_all_fs',`
- gen_require(`$0'_depend)
+ gen_require(`
+ attribute fs_type;
+ class filesystem getattr;
+ ')
allow $1 fs_type:filesystem getattr;
')
-define(`fs_getattr_all_fs_depend',`
- attribute fs_type;
-
- class filesystem getattr;
-')
-
########################################
## <interface name="fs_get_all_fs_quotas">
## <description>
@@ -1928,17 +1717,14 @@ define(`fs_getattr_all_fs_depend',`
## </interface>
#
define(`fs_get_all_fs_quotas',`
- gen_require(`$0'_depend)
+ gen_require(`
+ attribute fs_type;
+ class filesystem quotaget;
+ ')
allow $1 fs_type:filesystem quotaget;
')
-define(`fs_get_all_fs_quotas_depend',`
- attribute fs_type;
-
- class filesystem quotaget;
-')
-
########################################
## <interface name="fs_set_all_quotas">
## <description>
@@ -1950,23 +1736,27 @@ define(`fs_get_all_fs_quotas_depend',`
## </interface>
#
define(`fs_set_all_quotas',`
- gen_require(`$0'_depend)
+ gen_require(`
+ attribute fs_type;
+ class filesystem quotamod;
+ ')
allow $1 fs_type:filesystem quotamod;
')
-define(`fs_set_all_quotas_depend',`
- attribute fs_type;
-
- class filesystem quotamod;
-')
-
########################################
#
# fs_getattr_all_files(type)
#
define(`fs_getattr_all_files',`
- gen_require(`$0'_depend)
+ gen_require(`
+ attribute fs_type;
+ class dir { search getattr };
+ class file getattr;
+ class lnk_file getattr;
+ class fifo_file getattr;
+ class sock_file getattr;
+ ')
allow $1 fs_type:dir { search getattr };
allow $1 fs_type:file getattr;
@@ -1975,14 +1765,4 @@ define(`fs_getattr_all_files',`
allow $1 fs_type:sock_file getattr;
')
-define(`fs_getattr_all_files_depend',`
- attribute fs_type;
-
- class dir { search getattr };
- class file getattr;
- class lnk_file getattr;
- class fifo_file getattr;
- class sock_file getattr;
-')
-
## </module>
diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if
index df67d3e..e9183db 100644
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@@ -46,17 +46,14 @@ define(`kernel_userland_entry',`
## </interface>
#
define(`kernel_rootfs_mountpoint',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type kernel_t;
+ class dir mounton;
+ ')
allow kernel_t $1:dir mounton;
')
-define(`kernel_rootfs_mountpoint_depend',`
- type kernel_t;
-
- class dir mounton;
-')
-
########################################
## <interface name="kernel_sigchld">
## <description>
@@ -107,17 +104,14 @@ define(`kernel_share_state',`
## </interface>
#
define(`kernel_use_fd',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type kernel_t;
+ class fd use;
+ ')
allow $1 kernel_t:fd use;
')
-define(`kernel_use_fd_depend',`
- type kernel_t;
-
- class fd use;
-')
-
########################################
## <interface name="kernel_dontaudit_use_fd">
## <description>
@@ -130,17 +124,14 @@ define(`kernel_use_fd_depend',`
## </interface>
#
define(`kernel_dontaudit_use_fd',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type kernel_t;
+ class fd use;
+ ')
dontaudit $1 kernel_t:fd use;
')
-define(`kernel_dontaudit_use_fd_depend',`
- type kernel_t;
-
- class fd use;
-')
-
########################################
## <interface name="kernel_load_module">
## <description>
@@ -152,18 +143,15 @@ define(`kernel_dontaudit_use_fd_depend',`
## </interface>
#
define(`kernel_load_module',`
- gen_require(`$0'_depend)
+ gen_require(`
+ attribute can_load_kernmodule;
+ class capability sys_module;
+ ')
allow $1 self:capability sys_module;
typeattribute $1 can_load_kernmodule;
')
-define(`kernel_load_module_depend',`
- attribute can_load_kernmodule;
-
- class capability sys_module;
-')
-
########################################
## <interface name="kernel_read_ring_buffer">
## <description>
@@ -175,17 +163,14 @@ define(`kernel_load_module_depend',`
## </interface>
#
define(`kernel_read_ring_buffer',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type kernel_t;
+ class system syslog_read;
+ ')
allow $1 kernel_t:system syslog_read;
')
-define(`kernel_read_ring_buffer_depend',`
- type kernel_t;
-
- class system syslog_read;
-')
-
########################################
## <interface name="kernel_dontaudit_read_ring_buffer">
## <description>
@@ -197,17 +182,14 @@ define(`kernel_read_ring_buffer_depend',`
## </interface>
#
define(`kernel_dontaudit_read_ring_buffer',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type kernel_t;
+ class system syslog_read;
+ ')
dontaudit $1 kernel_t:system syslog_read;
')
-define(`kernel_dontaudit_read_ring_buffer_depend',`
- type kernel_t;
-
- class system syslog_read;
-')
-
########################################
## <interface name="kernel_change_ring_buffer_level">
## <description>
@@ -219,17 +201,14 @@ define(`kernel_dontaudit_read_ring_buffer_depend',`
## </interface>
#
define(`kernel_change_ring_buffer_level',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type kernel_t;
+ class system syslog_console;
+ ')
allow $1 kernel_t:system syslog_console;
')
-define(`kernel_change_ring_buffer_level_depend',`
- type kernel_t;
-
- class system syslog_console;
-')
-
########################################
## <interface name="kernel_clear_ring_buffer">
## <description>
@@ -241,17 +220,14 @@ define(`kernel_change_ring_buffer_level_depend',`
## </interface>
#
define(`kernel_clear_ring_buffer',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type kernel_t;
+ class system syslog_mod;
+ ')
allow $1 kernel_t:system syslog_mod;
')
-define(`kernel_clear_ring_buffer_depend',`
- type kernel_t;
-
- class system syslog_mod;
-')
-
########################################
## <interface name="kernel_get_sysvipc_info">
## <description>
@@ -263,17 +239,14 @@ define(`kernel_clear_ring_buffer_depend',`
## </interface>
#
define(`kernel_get_sysvipc_info',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type kernel_t;
+ class system ipc_info;
+ ')
allow $1 kernel_t:system ipc_info;
')
-define(`kernel_get_sysvipc_info_depend',`
- type kernel_t;
-
- class system ipc_info;
-')
-
########################################
## <interface name="kernel_read_system_state">
## <description>
@@ -285,21 +258,18 @@ define(`kernel_get_sysvipc_info_depend',`
## </interface>
#
define(`kernel_read_system_state',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type proc_t;
+ class dir r_dir_perms;
+ class lnk_file { getattr read };
+ class file r_file_perms;
+ ')
allow $1 proc_t:dir r_dir_perms;
allow $1 proc_t:lnk_file { getattr read };
allow $1 proc_t:file r_file_perms;
')
-define(`kernel_read_system_state_depend',`
- type proc_t;
-
- class dir r_dir_perms;
- class lnk_file { getattr read };
- class file r_file_perms;
-')
-
########################################
## <interface name="kernel_dontaudit_read_system_state">
## <description>
@@ -312,17 +282,14 @@ define(`kernel_read_system_state_depend',`
## </interface>
#
define(`kernel_dontaudit_read_system_state',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type proc_t;
+ class file read;
+ ')
allow $1 proc_t:file read;
')
-define(`kernel_dontaudit_read_system_state_depend',`
- type proc_t;
-
- class file read;
-')
-
#######################################
## <interface name="kernel_read_software_raid_state">
## <description>
@@ -334,19 +301,16 @@ define(`kernel_dontaudit_read_system_state_depend',`
## </interface>
#
define(`kernel_read_software_raid_state',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type proc_t, proc_mdstat_t;
+ class dir r_dir_perms;
+ class file r_file_perms;
+ ')
allow $1 proc_t:dir r_dir_perms;
allow $1 proc_mdstat_t:file r_file_perms;
')
-define(`kernel_read_software_raid_state_depend',`
- type proc_t, proc_mdstat_t;
-
- class dir r_dir_perms;
- class file r_file_perms;
-')
-
########################################
## <interface name="kernel_getattr_core">
## <description>
@@ -358,19 +322,16 @@ define(`kernel_read_software_raid_state_depend',`
## </interface>
#
define(`kernel_getattr_core',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type proc_t, proc_kcore_t;
+ class dir { search getattr read };
+ class file getattr;
+ ')
allow $1 proc_t:dir r_dir_perms;
allow $1 proc_kcore_t:file getattr;
')
-define(`kernel_getattr_core_depend',`
- type proc_t, proc_kcore_t;
-
- class dir { search getattr read };
- class file getattr;
-')
-
########################################
## <interface name="kernel_dontaudit_getattr_core">
## <description>
@@ -383,17 +344,14 @@ define(`kernel_getattr_core_depend',`
## </interface>
#
define(`kernel_dontaudit_getattr_core',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type proc_kcore_t;
+ class file getattr;
+ ')
dontaudit $1 proc_kcore_t:file getattr;
')
-define(`kernel_dontaudit_getattr_core_depend',`
- type proc_kcore_t;
-
- class file getattr;
-')
-
########################################
## <interface name="kernel_read_messages">
## <description>
@@ -406,22 +364,18 @@ define(`kernel_dontaudit_getattr_core_depend',`
## </interface>
#
define(`kernel_read_messages',`
- gen_require(`$0'_depend)
+ gen_require(`
+ attribute can_receive_kernel_messages;
+ type proc_kmsg_t, proc_t;
+ class dir search;
+ class file r_file_perms;
+ ')
allow $1 proc_t:dir search;
allow $1 proc_kmsg_t:file r_file_perms;
typeattribute $1 can_receive_kernel_messages;
')
-define(`kernel_read_messages_depend',`
- attribute can_receive_kernel_messages;
-
- type proc_kmsg_t, proc_t;
-
- class dir search;
- class file r_file_perms;
-')
-
########################################
## <interface name="kernel_getattr_message_if">
## <description>
@@ -434,19 +388,16 @@ define(`kernel_read_messages_depend',`
## </interface>
#
define(`kernel_getattr_message_if',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type proc_kmsg_t, proc_t;
+ class dir search;
+ class file getattr;
+ ')
allow $1 proc_t:dir search;
allow $1 proc_kmsg_t:file getattr;
')
-define(`kernel_getattr_message_if_depend',`
- type proc_kmsg_t, proc_t;
-
- class dir search;
- class file getattr;
-')
-
########################################
## <interface name="kernel_dontaudit_getattr_message_if">
## <description>
@@ -459,17 +410,14 @@ define(`kernel_getattr_message_if_depend',`
## </interface>
#
define(`kernel_dontaudit_getattr_message_if',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type proc_kmsg_t, proc_t;
+ class file getattr;
+ ')
dontaudit $1 proc_kmsg_t:file getattr;
')
-define(`kernel_dontaudit_getattr_message_if_depend',`
- type proc_kmsg_t, proc_t;
-
- class file getattr;
-')
-
########################################
## <interface name="kernel_read_network_state">
## <description>
@@ -482,20 +430,17 @@ define(`kernel_dontaudit_getattr_message_if_depend',`
##
#
define(`kernel_read_network_state',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type proc_t, proc_net_t;
+ class dir r_dir_perms;
+ class file r_file_perms;
+ ')
allow $1 proc_t:dir search;
allow $1 proc_net_t:dir r_dir_perms;
allow $1 proc_net_t:file r_file_perms;
')
-define(`kernel_read_network_state_depend',`
- type proc_t, proc_net_t;
-
- class dir r_dir_perms;
- class file r_file_perms;
-')
-
########################################
## <interface name="kernel_dontaudit_search_sysctl_dir">
## <description>
@@ -508,17 +453,14 @@ define(`kernel_read_network_state_depend',`
##
#
define(`kernel_dontaudit_search_sysctl_dir',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type sysctl_t;
+ class dir search;
+ ')
dontaudit $1 sysctl_t:dir search;
')
-define(`kernel_dontaudit_search_sysctl_dir_depend',`
- type sysctl_t;
-
- class dir search;
-')
-
########################################
## <interface name="kernel_read_device_sysctl">
## <description>
@@ -530,7 +472,11 @@ define(`kernel_dontaudit_search_sysctl_dir_depend',`
## </interface>
#
define(`kernel_read_device_sysctl',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type proc_t, sysctl_t, sysctl_dev_t;
+ class dir r_dir_perms;
+ class file r_file_perms;
+ ')
allow $1 proc_t:dir search;
allow $1 sysctl_t:dir r_dir_perms;
@@ -538,13 +484,6 @@ define(`kernel_read_device_sysctl',`
allow $1 sysctl_dev_t:file r_file_perms;
')
-define(`kernel_read_device_sysctl_depend',`
- type proc_t, sysctl_t, sysctl_dev_t;
-
- class dir r_dir_perms;
- class file r_file_perms;
-')
-
########################################
## <interface name="kernel_rw_device_sysctl">
## <description>
@@ -556,20 +495,17 @@ define(`kernel_read_device_sysctl_depend',`
## </interface>
#
define(`kernel_rw_device_sysctl',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type proc_t, sysctl_t, sysctl_dev_t;
+ class dir r_dir_perms;
+ class file rw_file_perms;
+ ')
allow $1 proc_t:dir search;
allow $1 sysctl_t:dir r_dir_perms;
allow $1 sysctl_dev_t:file rw_file_perms;
')
-define(`kernel_rw_device_sysctl_depend',`
- type proc_t, sysctl_t, sysctl_dev_t;
-
- class dir r_dir_perms;
- class file rw_file_perms;
-')
-
########################################
## <interface name="kernel_read_vm_sysctl">
## <description>
@@ -582,20 +518,17 @@ define(`kernel_rw_device_sysctl_depend',`
##
#
define(`kernel_read_vm_sysctl',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type proc_t, sysctl_t, sysctl_vm_t;
+ class dir r_dir_perms;
+ class file r_file_perms;
+ ')
allow $1 proc_t:dir search;
allow $1 sysctl_t:dir r_dir_perms;
allow $1 sysctl_vm_t:file r_file_perms;
')
-define(`kernel_read_vm_sysctl_depend',`
- type proc_t, sysctl_t, sysctl_vm_t;
-
- class dir r_dir_perms;
- class file r_file_perms;
-')
-
########################################
## <interface name="kernel_rw_vm_sysctl">
## <description>
@@ -607,20 +540,17 @@ define(`kernel_read_vm_sysctl_depend',`
## </interface>
#
define(`kernel_rw_vm_sysctl',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type proc_t, sysctl_t, sysctl_vm_t;
+ class dir r_dir_perms;
+ class file rw_file_perms;
+ ')
allow $1 proc_t:dir search;
allow $1 sysctl_t:dir r_dir_perms;
allow $1 sysctl_vm_t:file rw_file_perms;
')
-define(`kernel_rw_vm_sysctl_depend',`
- type proc_t, sysctl_t, sysctl_vm_t;
-
- class dir r_dir_perms;
- class file rw_file_perms;
-')
-
########################################
## <interface name="kernel_dontaudit_search_network_sysctl_dir">
## <description>
@@ -632,17 +562,14 @@ define(`kernel_rw_vm_sysctl_depend',`
## </interface>
#
define(`kernel_dontaudit_search_network_sysctl_dir',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type sysctl_net_t;
+ class dir search;
+ ')
dontaudit $1 sysctl_net_t:dir search;
')
-define(`kernel_dontaudit_search_network_sysctl_dir_depend',`
- type sysctl_net_t;
-
- class dir search;
-')
-
########################################
## <interface name="kernel_read_net_sysctl">
## <description>
@@ -655,7 +582,11 @@ define(`kernel_dontaudit_search_network_sysctl_dir_depend',`
##
#
define(`kernel_read_net_sysctl',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type proc_t, sysctl_t, sysctl_net_t;
+ class dir r_dir_perms;
+ class file f_file_perms;
+ ')
allow $1 proc_t:dir search;
allow $1 sysctl_t:dir r_dir_perms;
@@ -663,13 +594,6 @@ define(`kernel_read_net_sysctl',`
allow $1 sysctl_net_t:file r_file_perms;
')
-define(`kernel_read_net_sysctl_depend',`
- type proc_t, sysctl_t, sysctl_net_t;
-
- class dir r_dir_perms;
- class file f_file_perms;
-')
-
########################################
## <interface name="kernel_rw_net_sysctl">
## <description>
@@ -681,7 +605,11 @@ define(`kernel_read_net_sysctl_depend',`
## </interface>
#
define(`kernel_rw_net_sysctl',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type proc_t, sysctl_t, sysctl_net_t;
+ class dir r_dir_perms;
+ class file rw_file_perms;
+ ')
allow $1 proc_t:dir search;
allow $1 sysctl_t:dir r_dir_perms;
@@ -689,13 +617,6 @@ define(`kernel_rw_net_sysctl',`
allow $1 sysctl_net_t:file rw_file_perms;
')
-define(`kernel_rw_net_sysctl_depend',`
- type proc_t, sysctl_t, sysctl_net_t;
-
- class dir r_dir_perms;
- class file rw_file_perms;
-')
-
########################################
## <interface name="kernel_read_unix_sysctl">
## <description>
@@ -708,7 +629,11 @@ define(`kernel_rw_net_sysctl_depend',`
## </interface>
#
define(`kernel_read_unix_sysctl',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type proc_t, sysctl_t, sysctl_net_t, sysctl_net_unix_t;
+ class dir r_dir_perms;
+ class file r_file_perms;
+ ')
allow $1 proc_t:dir search;
allow $1 sysctl_t:dir r_dir_perms;
@@ -716,13 +641,6 @@ define(`kernel_read_unix_sysctl',`
allow $1 sysctl_net_unix_t:file r_file_perms;
')
-define(`kernel_read_unix_sysctl_depend',`
- type proc_t, sysctl_t, sysctl_net_t, sysctl_net_unix_t;
-
- class dir r_dir_perms;
- class file r_file_perms;
-')
-
########################################
## <interface name="kernel_rw_unix_sysctl">
## <description>
@@ -735,7 +653,11 @@ define(`kernel_read_unix_sysctl_depend',`
## </interface>
#
define(`kernel_rw_unix_sysctl',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type proc_t, sysctl_t, sysctl_net_t, sysctl_net_unix_t;
+ class dir r_dir_perms;
+ class file rw_file_perms;
+ ')
allow $1 proc_t:dir search;
allow $1 sysctl_t:dir r_dir_perms;
@@ -743,13 +665,6 @@ define(`kernel_rw_unix_sysctl',`
allow $1 sysctl_net_unix_t:file rw_file_perms;
')
-define(`kernel_rw_net_sysctl_depend',`
- type proc_t, sysctl_t, sysctl_net_t, sysctl_net_unix_t;
-
- class dir r_dir_perms;
- class file rw_file_perms;
-')
-
########################################
## <interface name="kernel_read_hotplug_sysctl">
## <description>
@@ -761,7 +676,11 @@ define(`kernel_rw_net_sysctl_depend',`
## </interface>
#
define(`kernel_read_hotplug_sysctl',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type proc_t, sysctl_t, sysctl_kernel_t, sysctl_hotplug_t;
+ class dir r_dir_perms;
+ class file r_file_perms;
+ ')
allow $1 proc_t:dir search;
allow $1 sysctl_t:dir r_dir_perms;
@@ -769,13 +688,6 @@ define(`kernel_read_hotplug_sysctl',`
allow $1 sysctl_hotplug_t:file r_file_perms;
')
-define(`kernel_read_hotplug_sysctl_depend',`
- type proc_t, sysctl_t, sysctl_kernel_t, sysctl_hotplug_t;
-
- class dir r_dir_perms;
- class file r_file_perms;
-')
-
########################################
## <interface name="kernel_rw_hotplug_sysctl">
## <description>
@@ -787,7 +699,11 @@ define(`kernel_read_hotplug_sysctl_depend',`
## </interface>
#
define(`kernel_rw_hotplug_sysctl',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type proc_t, sysctl_t, sysctl_kernel_t, sysctl_hotplug_t;
+ class dir r_dir_perms;
+ class file rw_file_perms;
+ ')
allow $1 proc_t:dir search;
allow $1 sysctl_t:dir r_dir_perms;
@@ -795,13 +711,6 @@ define(`kernel_rw_hotplug_sysctl',`
allow $1 sysctl_hotplug_t:file rw_file_perms;
')
-define(`kernel_rw_hotplug_sysctl_depend',`
- type proc_t, sysctl_t, sysctl_kernel_t, sysctl_hotplug_t;
-
- class dir r_dir_perms;
- class file rw_file_perms;
-')
-
########################################
## <interface name="kernel_read_modprobe_sysctl">
## <description>
@@ -813,7 +722,11 @@ define(`kernel_rw_hotplug_sysctl_depend',`
## </interface>
#
define(`kernel_read_modprobe_sysctl',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type proc_t, sysctl_t, sysctl_kernel_t, sysctl_modprobe_t;
+ class dir r_dir_perms;
+ class file r_file_perms;
+ ')
allow $1 proc_t:dir search;
allow $1 sysctl_t:dir r_dir_perms;
@@ -821,13 +734,6 @@ define(`kernel_read_modprobe_sysctl',`
allow $1 sysctl_modprobe_t:file r_file_perms;
')
-define(`kernel_read_modprobe_sysctl_depend',`
- type proc_t, sysctl_t, sysctl_kernel_t, sysctl_modprobe_t;
-
- class dir r_dir_perms;
- class file r_file_perms;
-')
-
########################################
## <interface name="kernel_rw_modprobe_sysctl">
## <description>
@@ -839,7 +745,11 @@ define(`kernel_read_modprobe_sysctl_depend',`
## </interface>
#
define(`kernel_rw_modprobe_sysctl',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type proc_t, sysctl_t, sysctl_kernel_t, sysctl_modprobe_t;
+ class dir r_dir_perms;
+ class file rw_file_perms;
+ ')
allow $1 proc_t:dir search;
allow $1 sysctl_t:dir r_dir_perms;
@@ -847,13 +757,6 @@ define(`kernel_rw_modprobe_sysctl',`
allow $1 sysctl_modprobe_t:file rw_file_perms;
')
-define(`kernel_rw_modprobe_sysctl_depend',`
- type proc_t, sysctl_t, sysctl_kernel_t, sysctl_modprobe_t;
-
- class dir r_dir_perms;
- class file rw_file_perms;
-')
-
########################################
## <interface name="kernel_read_kernel_sysctl">
## <description>
@@ -865,7 +768,11 @@ define(`kernel_rw_modprobe_sysctl_depend',`
## </interface>
#
define(`kernel_read_kernel_sysctl',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type proc_t, sysctl_t, sysctl_kernel_t;
+ class dir r_dir_perms;
+ class file r_file_perms;
+ ')
allow $1 proc_t:dir search;
allow $1 sysctl_t:dir r_dir_perms;
@@ -873,13 +780,6 @@ define(`kernel_read_kernel_sysctl',`
allow $1 sysctl_kernel_t:file r_file_perms;
')
-define(`kernel_read_kernel_sysctl_depend',`
- type proc_t, sysctl_t, sysctl_kernel_t;
-
- class dir r_dir_perms;
- class file r_file_perms;
-')
-
########################################
## <interface name="kernel_rw_kernel_sysctl">
## <description>
@@ -891,7 +791,11 @@ define(`kernel_read_kernel_sysctl_depend',`
## </interface>
#
define(`kernel_rw_kernel_sysctl',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type proc_t, sysctl_t, sysctl_kernel_t;
+ class dir r_dir_perms;
+ class file rw_file_perms;
+ ')
allow $1 proc_t:dir search;
allow $1 sysctl_t:dir r_dir_perms;
@@ -899,13 +803,6 @@ define(`kernel_rw_kernel_sysctl',`
allow $1 sysctl_kernel_t:file rw_file_perms;
')
-define(`kernel_rw_kernel_sysctl_depend',`
- type proc_t, sysctl_t, sysctl_kernel_t;
-
- class dir r_dir_perms;
- class file rw_file_perms;
-')
-
########################################
## <interface name="kernel_read_fs_sysctl">
## <description>
@@ -917,7 +814,11 @@ define(`kernel_rw_kernel_sysctl_depend',`
## </interface>
#
define(`kernel_read_fs_sysctl',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type proc_t, sysctl_t, sysctl_fs_t;
+ class dir r_dir_perms;
+ class file r_file_perms;
+ ')
allow $1 proc_t:dir search;
allow $1 sysctl_t:dir r_dir_perms;
@@ -925,13 +826,6 @@ define(`kernel_read_fs_sysctl',`
allow $1 sysctl_fs_t:file r_file_perms;
')
-define(`kernel_read_fs_sysctl_depend',`
- type proc_t, sysctl_t, sysctl_fs_t;
-
- class dir r_dir_perms;
- class file r_file_perms;
-')
-
########################################
## <interface name="kernel_rw_fs_sysctl">
## <description>
@@ -943,7 +837,11 @@ define(`kernel_read_fs_sysctl_depend',`
## </interface>
#
define(`kernel_rw_fs_sysctl',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type proc_t, sysctl_t, sysctl_fs_t;
+ class dir r_dir_perms;
+ class file rw_file_perms;
+ ')
allow $1 proc_t:dir search;
allow $1 sysctl_t:dir r_dir_perms;
@@ -951,13 +849,6 @@ define(`kernel_rw_fs_sysctl',`
allow $1 sysctl_fs_t:file rw_file_perms;
')
-define(`kernel_rw_fs_sysctl_depend',`
- type proc_t, sysctl_t, sysctl_fs_t;
-
- class dir r_dir_perms;
- class file rw_file_perms;
-')
-
########################################
## <interface name="kernel_read_irq_sysctl">
## <description>
@@ -969,20 +860,17 @@ define(`kernel_rw_fs_sysctl_depend',`
## </interface>
#
define(`kernel_read_irq_sysctl',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type proc_t, sysctl_irq_t;
+ class dir r_dir_perms;
+ class file r_file_perms;
+ ')
allow $1 proc_t:dir search;
allow $1 sysctl_irq_t:dir r_dir_perms;
allow $1 sysctl_irq_t:file r_file_perms;
')
-define(`kernel_read_irq_sysctl_depend',`
- type proc_t, sysctl_irq_t;
-
- class dir r_dir_perms;
- class file r_file_perms;
-')
-
########################################
## <interface name="kernel_rw_irq_sysctl">
## <description>
@@ -995,26 +883,27 @@ define(`kernel_read_irq_sysctl_depend',`
##
#
define(`kernel_rw_irq_sysctl',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type proc_t, sysctl_irq_t;
+ class dir r_dir_perms;
+ class file rw_file_perms;
+ ')
allow $1 proc_t:dir search;
allow $1 sysctl_irq_t:dir r_dir_perms;
allow $1 sysctl_irq_t:file rw_file_perms;
')
-define(`kernel_rw_irq_sysctl_depend',`
- type proc_t, sysctl_irq_t;
-
- class dir r_dir_perms;
- class file rw_file_perms;
-')
-
########################################
#
# kernel_read_rpc_sysctl(domain)
#
define(`kernel_read_rpc_sysctl',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type proc_t, proc_net_t, sysctl_rpc_t;
+ class dir r_dir_perms;
+ class file r_file_perms;
+ ')
allow $1 proc_t:dir search;
allow $1 proc_net_t:dir search;
@@ -1022,19 +911,16 @@ define(`kernel_read_rpc_sysctl',`
allow $1 sysctl_rpc_t:file r_file_perms;
')
-define(`kernel_read_rpc_sysctl_depend',`
- type proc_t, proc_net_t, sysctl_rpc_t;
-
- class dir r_dir_perms;
- class file r_file_perms;
-')
-
########################################
#
# kernel_rw_rpc_sysctl(domain)
#
define(`kernel_rw_rpc_sysctl',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type proc_t, proc_net_t, sysctl_rpc_t;
+ class dir r_dir_perms;
+ class file rw_file_perms;
+ ')
allow $1 proc_t:dir search;
allow $1 proc_net_t:dir search;
@@ -1042,13 +928,6 @@ define(`kernel_rw_rpc_sysctl',`
allow $1 sysctl_rpc_t:file rw_file_perms;
')
-define(`kernel_rw_rpc_sysctl_depend',`
- type proc_t, proc_net_t, sysctl_rpc_t;
-
- class dir r_dir_perms;
- class file rw_file_perms;
-')
-
########################################
## <interface name="kernel_read_all_sysctl">
## <description>
@@ -1106,17 +985,14 @@ define(`kernel_rw_all_sysctl',`
## </interface>
#
define(`kernel_kill_unlabeled',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type unlabeled_t;
+ class process sigkill;
+ ')
allow $1 unlabeled_t:process sigkill;
')
-define(`kernel_kill_unlabeled_depend',`
- type unlabeled_t;
-
- class process sigkill;
-')
-
########################################
## <interface name="kernel_signal_unlabeled">
## <description>
@@ -1128,17 +1004,14 @@ define(`kernel_kill_unlabeled_depend',`
## </interface>
#
define(`kernel_signal_unlabeled',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type unlabeled_t;
+ class process signal;
+ ')
allow $1 unlabeled_t:process signal;
')
-define(`kernel_signal_unlabeled_depend',`
- type unlabeled_t;
-
- class process signal;
-')
-
########################################
## <interface name="kernel_signull_unlabeled">
## <description>
@@ -1150,17 +1023,14 @@ define(`kernel_signal_unlabeled_depend',`
## </interface>
#
define(`kernel_signull_unlabeled',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type unlabeled_t;
+ class process signull;
+ ')
allow $1 unlabeled_t:process signull;
')
-define(`kernel_signull_unlabeled_depend',`
- type unlabeled_t;
-
- class process signull;
-')
-
########################################
## <interface name="kernel_sigstop_unlabeled">
## <description>
@@ -1172,17 +1042,14 @@ define(`kernel_signull_unlabeled_depend',`
## </interface>
#
define(`kernel_sigstop_unlabeled',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type unlabeled_t;
+ class process sigstop;
+ ')
allow $1 unlabeled_t:process sigstop;
')
-define(`kernel_sigstop_unlabeled_depend',`
- type unlabeled_t;
-
- class process sigstop;
-')
-
########################################
## <interface name="kernel_sigchld_unlabeled">
## <description>
@@ -1194,17 +1061,14 @@ define(`kernel_sigstop_unlabeled_depend',`
## </interface>
#
define(`kernel_sigchld_unlabeled',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type unlabeled_t;
+ class process sigchld;
+ ')
allow $1 unlabeled_t:process sigchld;
')
-define(`kernel_sigchld_unlabeled_depend',`
- type unlabeled_t;
-
- class process sigchld;
-')
-
########################################
## <interface name="kernel_dontaudit_getattr_unlabeled_blk_dev">
## <description>
@@ -1217,17 +1081,14 @@ define(`kernel_sigchld_unlabeled_depend',`
## </interface>
#
define(`kernel_dontaudit_getattr_unlabeled_blk_dev',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type unlabeled_t;
+ class process getattr;
+ ')
allow $1 unlabeled_t:blk_file getattr;
')
-define(`kernel_dontaudit_getattr_unlabeled_blk_dev_depend',`
- type unlabeled_t;
-
- class process getattr;
-')
-
########################################
## <interface name="kernel_relabel_unlabeled">
## <description>
@@ -1239,21 +1100,18 @@ define(`kernel_dontaudit_getattr_unlabeled_blk_dev_depend',`
## </interface>
#
define(`kernel_relabel_unlabeled',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type unlabeled_t;
+ class dir { getattr relabelfrom };
+ class file { getattr relabelfrom };
+ class lnk_file { getattr relabelfrom };
+ class fifo_file { getattr relabelfrom };
+ class sock_file { getattr relabelfrom };
+ class chr_file { getattr relabelfrom };
+ class blk_file { getattr relabelfrom };
+ ')
allow $1 unlabeled_t:dir_file_class_set { getattr relabelfrom };
')
-define(`kernel_relabel_unlabeled_depend',`
- type unlabeled_t;
-
- class dir { getattr relabelfrom };
- class file { getattr relabelfrom };
- class lnk_file { getattr relabelfrom };
- class fifo_file { getattr relabelfrom };
- class sock_file { getattr relabelfrom };
- class chr_file { getattr relabelfrom };
- class blk_file { getattr relabelfrom };
-')
-
## </module>
diff --git a/refpolicy/policy/modules/kernel/selinux.if b/refpolicy/policy/modules/kernel/selinux.if
index 307e28a..9ca08fd 100644
--- a/refpolicy/policy/modules/kernel/selinux.if
+++ b/refpolicy/policy/modules/kernel/selinux.if
@@ -31,19 +31,16 @@ define(`selinux_get_fs_mount',`
## </interface>
#
define(`selinux_get_enforce_mode',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type security_t;
+ class dir { read search getattr };
+ class file { getattr read };
+ ')
allow $1 security_t:dir { read search getattr };
allow $1 security_t:file { getattr read };
')
-define(`selinux_get_enforce_mode_depend',`
- type security_t;
-
- class dir { read search getattr };
- class file { getattr read };
-')
-
########################################
## <interface name="selinux_set_enforce_mode">
## <description>
@@ -56,7 +53,13 @@ define(`selinux_get_enforce_mode_depend',`
## </interface>
#
define(`selinux_set_enforce_mode',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type security_t;
+ attribute can_setenforce;
+ class dir { read search getattr };
+ class file { getattr read write };
+ class security setenforce;
+ ')
allow $1 security_t:dir { read search getattr };
allow $1 security_t:file { getattr read write };
@@ -65,16 +68,6 @@ define(`selinux_set_enforce_mode',`
typeattribute $1 can_setenforce;
')
-define(`selinux_set_enforce_mode_depend',`
- type security_t;
-
- attribute can_setenforce;
-
- class dir { read search getattr };
- class file { getattr read write };
- class security setenforce;
-')
-
########################################
## <interface name="selinux_load_policy">
## <description>
@@ -86,7 +79,13 @@ define(`selinux_set_enforce_mode_depend',`
## </interface>
#
define(`selinux_load_policy',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type security_t;
+ attribute can_load_policy;
+ class dir { read search getattr };
+ class file { getattr read write };
+ class security load_policy;
+ ')
allow $1 security_t:dir { read search getattr };
allow $1 security_t:file { getattr read write };
@@ -95,16 +94,6 @@ define(`selinux_load_policy',`
typeattribute $1 can_load_policy;
')
-define(`selinux_load_policy_depend',`
- type security_t;
-
- attribute can_load_policy;
-
- class dir { read search getattr };
- class file { getattr read write };
- class security load_policy;
-')
-
########################################
## <interface name="selinux_set_boolean">
## <description>
@@ -120,7 +109,12 @@ define(`selinux_load_policy_depend',`
## </interface>
#
define(`selinux_set_boolean',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type security_t;
+ class dir { read search getattr };
+ class file { getattr read write };
+ class security setbool;
+ ')
ifelse(`$2',`',`
allow $1 security_t:dir { getattr search read };
@@ -135,14 +129,6 @@ define(`selinux_set_boolean',`
auditallow $1 security_t:security setbool;
')
-define(`selinux_set_boolean_depend',`
- type security_t;
-
- class dir { read search getattr };
- class file { getattr read write };
- class security setbool;
-')
-
########################################
## <interface name="selinux_set_parameters">
## <description>
@@ -154,7 +140,13 @@ define(`selinux_set_boolean_depend',`
## </interface>
#
define(`selinux_set_parameters',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type security_t;
+ attribute can_setsecparam;
+ class dir { read search getattr };
+ class file { getattr read write };
+ class security setsecparam;
+ ')
allow $1 security_t:dir { read search getattr };
allow $1 security_t:file { getattr read write };
@@ -163,16 +155,6 @@ define(`selinux_set_parameters',`
typeattribute $1 can_setsecparam;
')
-define(`selinux_set_parameters_depend',`
- type security_t;
-
- attribute can_setsecparam;
-
- class dir { read search getattr };
- class file { getattr read write };
- class security setsecparam;
-')
-
########################################
## <interface name="selinux_validate_context">
## <description>
@@ -184,21 +166,18 @@ define(`selinux_set_parameters_depend',`
## </interface>
#
define(`selinux_validate_context',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type security_t;
+ class dir { read search getattr };
+ class file { getattr read write };
+ class security check_context;
+ ')
allow $1 security_t:dir { read search getattr };
allow $1 security_t:file { getattr read write };
allow $1 security_t:security check_context;
')
-define(`selinux_validate_context_depend',`
- type security_t;
-
- class dir { read search getattr };
- class file { getattr read write };
- class security check_context;
-')
-
########################################
## <interface name="selinux_compute_access_vector">
## <description>
@@ -210,21 +189,18 @@ define(`selinux_validate_context_depend',`
## </interface>
#
define(`selinux_compute_access_vector',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type security_t;
+ class dir { read search getattr };
+ class file { getattr read write };
+ class security compute_av;
+ ')
allow $1 security_t:dir { read search getattr };
allow $1 security_t:file { getattr read write };
allow $1 security_t:security compute_av;
')
-define(`selinux_compute_access_vector_depend',`
- type security_t;
-
- class dir { read search getattr };
- class file { getattr read write };
- class security compute_av;
-')
-
########################################
## <interface name="selinux_compute_create_context">
## <description>
@@ -236,21 +212,18 @@ define(`selinux_compute_access_vector_depend',`
## </interface>
#
define(`selinux_compute_create_context',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type security_t;
+ class dir { read search getattr };
+ class file { getattr read write };
+ class security compute_create;
+ ')
allow $1 security_t:dir { read search getattr };
allow $1 security_t:file { getattr read write };
allow $1 security_t:security compute_create;
')
-define(`selinux_compute_create_context_depend',`
- type security_t;
-
- class dir { read search getattr };
- class file { getattr read write };
- class security compute_create;
-')
-
########################################
## <interface name="selinux_compute_relabel_context">
## <description>
@@ -262,21 +235,18 @@ define(`selinux_compute_create_context_depend',`
## </interface>
#
define(`selinux_compute_relabel_context',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type security_t;
+ class dir { read search getattr };
+ class file { getattr read write };
+ class security compute_relabel;
+ ')
allow $1 security_t:dir { read search getattr };
allow $1 security_t:file { getattr read write };
allow $1 security_t:security compute_relabel;
')
-define(`selinux_compute_relabel_context_depend',`
- type security_t;
-
- class dir { read search getattr };
- class file { getattr read write };
- class security compute_relabel;
-')
-
########################################
## <interface name="selinux_compute_user_contexts">
## <description>
@@ -288,19 +258,16 @@ define(`selinux_compute_relabel_context_depend',`
## </interface>
#
define(`selinux_compute_user_contexts',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type security_t;
+ class dir { read search getattr };
+ class file { getattr read write };
+ class security compute_user;
+ ')
allow $1 security_t:dir { read search getattr };
allow $1 security_t:file { getattr read write };
allow $1 security_t:security compute_user;
')
-define(`selinux_compute_user_contexts_depend',`
- type security_t;
-
- class dir { read search getattr };
- class file { getattr read write };
- class security compute_user;
-')
-
## </module>
diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if
index 740a2b1..26f39f5 100644
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@@ -8,7 +8,17 @@
# authlogin_per_userdomain_template(userdomain_prefix)
#
define(`authlogin_per_userdomain_template',`
- gen_require(`$0'_depend)
+ gen_require(`
+ attribute can_read_shadow_passwords;
+ type chkpwd_exec_t, system_chkpwd_t, shadow_t;
+ class file rx_file_perms;
+ class process { getattr transition sigchld };
+ class capability setuid;
+ class unix_stream_socket { create read getattr write setattr append bind connect getopt setopt shutdown };
+ class unix_dgram_socket { create read getattr write setattr append bind connect getopt setopt shutdown };
+ class fd use;
+ class fifo_file rw_file_perms;
+ ')
type $1_chkpwd_t, can_read_shadow_passwords; # , nscd_client_domain;
domain_type($1_chkpwd_t)
@@ -78,20 +88,6 @@ define(`authlogin_per_userdomain_template',`
') dnl end authlogin_per_userdomain_template
-define(`authlogin_per_userdomain_template_depend',`
- attribute can_read_shadow_passwords;
-
- type chkpwd_exec_t, system_chkpwd_t, shadow_t;
-
- class file rx_file_perms;
- class process { getattr transition sigchld };
- class capability setuid;
- class unix_stream_socket { create read getattr write setattr append bind connect getopt setopt shutdown };
- class unix_dgram_socket { create read getattr write setattr append bind connect getopt setopt shutdown };
- class fd use;
- class fifo_file rw_file_perms;
-')
-
########################################
## <interface name="auth_login_entry_type">
## <description>
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index e91e72c..e99eb53 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@@ -21,77 +21,67 @@
# files_file_type(type)
#
define(`files_file_type',`
- gen_require(`$0'_depend)
+ gen_require(`
+ attribute file_type;
+ ')
fs_associate($1)
fs_associate_noxattr($1)
typeattribute $1 file_type;
')
-define(`files_file_type_depend',`
- attribute file_type;
-')
-
########################################
#
# files_lock_file(type)
#
define(`files_lock_file',`
- gen_require(`$0'_depend)
+ gen_require(`
+ attribute lockfile;
+ ')
files_file_type($1)
typeattribute $1 lockfile;
')
-define(`files_lock_file_depend',`
- attribute lockfile;
-')
-
########################################
#
# files_mountpoint(type)
#
define(`files_mountpoint',`
- gen_require(`$0'_depend)
+ gen_require(`
+ attribute mountpoint;
+ ')
files_file_type($1)
typeattribute $1 mountpoint;
')
-define(`files_mountpoint_depend',`
- attribute mountpoint;
-')
-
########################################
#
# files_pid_file(type)
#
define(`files_pid_file',`
- gen_require(`$0'_depend)
+ gen_require(`
+ attribute pidfile;
+ ')
files_file_type($1)
typeattribute $1 pidfile;
')
-define(`files_pid_file_depend',`
- attribute pidfile;
-')
-
########################################
#
# files_tmp_file(type)
#
define(`files_tmp_file',`
- gen_require(`$0'_depend)
+ gen_require(`
+ attribute tmpfile;
+ ')
files_file_type($1)
typeattribute $1 tmpfile;
')
-define(`files_tmp_file_depend',`
- attribute tmpfile;
-')
-
########################################
## <interface name="files_tmpfs_file">
## <description>
@@ -104,23 +94,28 @@ define(`files_tmp_file_depend',`
## </interface>
#
define(`files_tmpfs_file',`
- gen_require(`$0'_depend)
+ gen_require(`
+ attribute tmpfsfile;
+ ')
files_file_type($1)
fs_associate_tmpfs($1)
typeattribute $1 tmpfsfile;
')
-define(`files_tmpfs_file_depend',`
- attribute tmpfsfile;
-')
-
########################################
#
# files_getattr_all_files(domain)
define(`files_getattr_all_files',`
- gen_require(`$0'_depend)
+ gen_require(`
+ attribute file_type;
+ class dir { search getattr };
+ class file getattr;
+ class lnk_file getattr;
+ class fifo_file getattr;
+ class sock_file getattr;
+ ')
allow $1 file_type:dir { search getattr };
allow $1 file_type:file getattr;
@@ -129,16 +124,6 @@ define(`files_getattr_all_files',`
allow $1 file_type:sock_file getattr;
')
-define(`files_getattr_all_files_depend',`
- attribute file_type;
-
- class dir { search getattr };
- class file getattr;
- class lnk_file getattr;
- class fifo_file getattr;
- class sock_file getattr;
-')
-
########################################
## <interface name="files_relabel_all_files">
## <description>
@@ -155,7 +140,16 @@ define(`files_getattr_all_files_depend',`
## </interface>
#
define(`files_relabel_all_files',`
- gen_require(`$0'_depend)
+ gen_require(`
+ attribute file_type;
+ class dir { r_dir_perms relabelfrom relabelto };
+ class file { relabelfrom relabelto };
+ class lnk_file { relabelfrom relabelto };
+ class fifo_file { relabelfrom relabelto };
+ class sock_file { relabelfrom relabelto };
+ class blk_file relabelfrom;
+ class chr_file relabelfrom;
+ ')
allow $1 { file_type $2 }:dir { r_dir_perms relabelfrom relabelto };
allow $1 { file_type $2 }:file { getattr relabelfrom relabelto };
@@ -169,18 +163,6 @@ define(`files_relabel_all_files',`
seutil_relabelto_binary_pol($1)
')
-define(`files_relabel_all_files_depend',`
- attribute file_type;
-
- class dir { r_dir_perms relabelfrom relabelto };
- class file { relabelfrom relabelto };
- class lnk_file { relabelfrom relabelto };
- class fifo_file { relabelfrom relabelto };
- class sock_file { relabelfrom relabelto };
- class blk_file relabelfrom;
- class chr_file relabelfrom;
-')
-
########################################
## <interface name="files_manage_all_files">
## <description>
@@ -197,7 +179,14 @@ define(`files_relabel_all_files_depend',`
## </interface>
#
define(`files_manage_all_files',`
- gen_require(`$0'_depend)
+ gen_require(`
+ attribute file_type;
+ class dir create_dir_perms;
+ class file create_file_perms;
+ class lnk_file create_lnk_perms;
+ class fifo_file create_file_perms;
+ class sock_file create_file_perms;
+ ')
allow $1 { file_type $2 }:dir create_dir_perms;
allow $1 { file_type $2 }:file create_file_perms;
@@ -210,146 +199,112 @@ define(`files_manage_all_files',`
bootloader_manage_kernel_modules($1)
')
-define(`files_manage_all_files_depend',`
- attribute file_type;
-
- class dir create_dir_perms;
- class file create_file_perms;
- class lnk_file create_lnk_perms;
- class fifo_file create_file_perms;
- class sock_file create_file_perms;
-')
-
########################################
#
# files_search_all_dirs(domain)
#
define(`files_search_all_dirs',`
- gen_require(`$0'_depend)
+ gen_require(`
+ attribute file_type;
+ class dir search;
+ ')
allow $1 file_type:dir search;
')
-define(`files_search_all_dirs_depend',`
- attribute file_type;
-
- class dir search;
-')
-
########################################
#
# files_list_all_dirs(domain)
#
define(`files_list_all_dirs',`
- gen_require(`$0'_depend)
+ gen_require(`
+ attribute file_type;
+ class dir r_dir_perms;
+ ')
allow $1 file_type:dir r_dir_perms;
')
-define(`files_list_all_dirs_depend',`
- attribute file_type;
-
- class dir r_dir_perms;
-')
-
########################################
#
# files_dontaudit_search_all_dirs(domain)
#
define(`files_dontaudit_search_all_dirs',`
- gen_require(`$0'_depend)
+ gen_require(`
+ attribute file_type;
+ class dir search;
+ ')
dontaudit $1 file_type:dir search;
')
-define(`files_dontaudit_search_all_dirs_depend',`
- attribute file_type;
-
- class dir search;
-')
-
#######################################
#
# files_relabelto_all_file_type_fs(domain)
#
define(`files_relabelto_all_file_type_fs',`
- gen_require(`$0'_depend)
+ gen_require(`
+ attribute file_type;
+ filesystem relabelto;
+ ')
allow $1 file_type:filesystem relabelto;
')
-define(`files_relabelto_all_file_type_fs_depend',`
- attribute file_type;
-
- filesystem relabelto;
-')
-
#######################################
#
# files_mount_all_file_type_fs(domain)
#
define(`files_mount_all_file_type_fs',`
- gen_require(`$0'_depend)
+ gen_require(`
+ attribute file_type;
+ filesystem mount;
+ ')
allow $1 file_type:filesystem mount;
')
-define(`files_mount_all_file_type_fs_depend',`
- attribute file_type;
-
- filesystem mount;
-')
-
#######################################
#
# files_unmount_all_file_type_fs(domain)
#
define(`files_unmount_all_file_type_fs',`
- gen_require(`$0'_depend)
+ gen_require(`
+ attribute file_type;
+ filesystem mount;
+ ')
allow $1 file_type:filesystem mount;
')
-define(`files_unmount_all_file_type_fs_depend',`
- attribute file_type;
-
- filesystem mount;
-')
-
########################################
#
# files_mounton_all_mountpoints(domain)
#
define(`files_mounton_all_mountpoints',`
- gen_require(`$0'_depend)
+ gen_require(`
+ attribute mountpoint;
+ class dir { getattr search mounton };
+ ')
allow $1 mountpoint:dir { getattr search mounton };
')
-define(`files_mounton_all_mountpoints_depend',`
- attribute mountpoint;
-
- class dir { getattr search mounton };
-')
-
########################################
#
# files_list_root(domain)
#
define(`files_list_root',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type root_t;
+ class dir r_dir_perms;
+ class lnk_file r_file_perms;
+ ')
allow $1 root_t:dir r_dir_perms;
allow $1 root_t:lnk_file r_file_perms;
')
-define(`files_list_root_depend',`
- type root_t;
-
- class dir r_dir_perms;
- class lnk_file r_file_perms;
-')
-
########################################
## <interface name="files_create_root">
## <description>
@@ -372,7 +327,16 @@ define(`files_list_root_depend',`
## </interface>
#
define(`files_create_root',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type root_t;
+ class dir create_dir_perms;
+ class file create_file_perms;
+ class lnk_file create_lnk_perms;
+ class fifo_file create_file_perms;
+ class sock_file create_file_perms;
+ class blk_file create_file_perms;
+ class chr_file create_file_perms;
+ ')
allow $1 root_t:dir rw_dir_perms;
@@ -391,98 +355,71 @@ define(`files_create_root',`
')
')
-define(`files_create_root_depend',`
- type root_t;
-
- class dir create_dir_perms;
- class file create_file_perms;
- class lnk_file create_lnk_perms;
- class fifo_file create_file_perms;
- class sock_file create_file_perms;
- class blk_file create_file_perms;
- class chr_file create_file_perms;
-')
-
########################################
#
# files_dontaudit_read_root_file(domain)
#
define(`files_dontaudit_read_root_file',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type root_t;
+ class file read;
+ ')
dontaudit $1 root_t:file read;
')
-define(`files_dontaudit_read_root_file_depend',`
- type root_t;
-
- class file read;
-')
-
########################################
#
# files_dontaudit_rw_root_file(domain)
#
define(`files_dontaudit_rw_root_file',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type root_t;
+ class file { read write };
+ ')
dontaudit $1 root_t:file { read write };
')
-define(`files_dontaudit_rw_root_file_depend',`
- type root_t;
-
- class file { read write };
-')
-
########################################
#
# files_dontaudit_rw_root_chr_dev(domain)
#
define(`files_dontaudit_rw_root_chr_dev',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type root_t;
+ class chr_file { read write };
+ ')
dontaudit $1 root_t:chr_file { read write };
')
-define(`files_dontaudit_rw_root_chr_dev_depend',`
- type root_t;
-
- class chr_file { read write };
-')
-
########################################
#
# files_delete_root_dir_entry(domain)
#
define(`files_delete_root_dir_entry',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type root_t;
+ class dir rw_dir_perms;
+ ')
allow $1 root_t:dir rw_dir_perms;
')
-define(`files_delete_root_dir_entry_depend',`
- type root_t;
-
- class dir rw_dir_perms;
-')
-
########################################
#
# files_unmount_rootfs(domain)
#
define(`files_unmount_rootfs',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type root_t;
+ class filesystem unmount;
+ ')
allow $1 root_t:filesystem unmount;
')
-define(`files_unmount_rootfs_depend',`
- type root_t;
-
- class filesystem unmount;
-')
-
########################################
#
# files_search_etc(domain)
@@ -514,61 +451,52 @@ define(`files_list_etc',`
# files_read_generic_etc_files(domain)
#
define(`files_read_generic_etc_files',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type etc_t;
+ class dir r_dir_perms;
+ class file r_file_perms;
+ class lnk_file r_file_perms;
+ ')
allow $1 etc_t:dir r_dir_perms;
allow $1 etc_t:file r_file_perms;
allow $1 etc_t:lnk_file r_file_perms;
')
-define(`files_read_generic_etc_files_depend',`
- type etc_t;
-
- class dir r_dir_perms;
- class file r_file_perms;
- class lnk_file r_file_perms;
-')
-
########################################
#
# files_rw_generic_etc_files(domain)
#
define(`files_rw_generic_etc_files',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type etc_t;
+ class dir r_dir_perms;
+ class file rw_file_perms;
+ class lnk_file r_file_perms;
+ ')
allow $1 etc_t:dir r_dir_perms;
allow $1 etc_t:file rw_file_perms;
allow $1 etc_t:lnk_file r_file_perms;
')
-define(`files_rw_generic_etc_files_depend',`
- type etc_t;
-
- class dir r_dir_perms;
- class file rw_file_perms;
- class lnk_file r_file_perms;
-')
-
########################################
#
# files_manage_generic_etc_files(domain)
#
define(`files_manage_generic_etc_files',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type etc_t;
+ class dir rw_dir_perms;
+ class file create_file_perms;
+ class lnk_file r_file_perms;
+ ')
allow $1 etc_t:dir rw_dir_perms;
allow $1 etc_t:file create_file_perms;
allow $1 etc_t:lnk_file r_file_perms;
')
-define(`files_manage_generic_etc_files_depend',`
- type etc_t;
-
- class dir rw_dir_perms;
- class file create_file_perms;
- class lnk_file r_file_perms;
-')
-
########################################
## <interface name="files_delete_generic_etc_files">
## <description>
@@ -580,25 +508,26 @@ define(`files_manage_generic_etc_files_depend',`
## </interface>
#
define(`files_delete_generic_etc_files',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type etc_t;
+ class dir rw_dir_perms;
+ class file unlink;
+ ')
allow $1 etc_t:dir rw_dir_perms;
allow $1 etc_t:file unlink;
')
-define(`files_delete_generic_etc_files_depend',`
- type etc_t;
-
- class dir rw_dir_perms;
- class file unlink;
-')
-
########################################
#
# files_exec_generic_etc_files(domain)
#
define(`files_exec_generic_etc_files',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type etc_t;
+ class dir r_dir_perms;
+ class lnk_file r_file_perms;
+ ')
allow $1 etc_t:dir r_dir_perms;
allow $1 etc_t:lnk_file r_file_perms;
@@ -606,14 +535,6 @@ define(`files_exec_generic_etc_files',`
')
-define(`files_exec_generic_etc_files_depend',`
- type etc_t;
-
- class dir r_dir_perms;
- class lnk_file r_file_perms;
- class file { getattr read execute execute_no_trans };
-')
-
########################################
#
# files_create_boot_flag(domain)
@@ -621,63 +542,57 @@ define(`files_exec_generic_etc_files_depend',`
# /halt, /.autofsck, etc
#
define(`files_create_boot_flag',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type root_t, etc_runtime_t;
+ class dir rw_dir_perms;
+ class file { create read write setattr unlink};
+ ')
allow $1 root_t:dir rw_dir_perms;
allow $1 etc_runtime_t:file { create read write setattr unlink };
type_transition $1 root_t:file etc_runtime_t;
')
-define(`files_create_boot_flag_depend',`
- type root_t, etc_runtime_t;
-
- class dir rw_dir_perms;
- class file { create read write setattr unlink};
-')
-
########################################
#
# files_manage_etc_runtime_files(type)
#
define(`files_manage_etc_runtime_files',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type etc_t, etc_runtime_t;
+ class dir rw_dir_perms;
+ class file create_file_perms;
+ ')
allow $1 etc_t:dir rw_dir_perms;
allow $1 etc_runtime_t:file create_file_perms;
type_transition $1 etc_t:file etc_runtime_t;
')
-define(`files_manage_etc_runtime_files_depend',`
- type etc_t, etc_runtime_t;
-
- class dir rw_dir_perms;
- class file create_file_perms;
-')
-
########################################
#
# files_read_etc_runtime_files(domain)
#
define(`files_read_etc_runtime_files',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type etc_t, etc_runtime_t;
+ class dir r_dir_perms;
+ class file r_file_perms;
+ ')
allow $1 etc_t:dir r_dir_perms;
allow $1 etc_runtime_t:file r_file_perms;
')
-define(`files_read_etc_runtime_files_depend',`
- type etc_t, etc_runtime_t;
-
- class dir r_dir_perms;
- class file r_file_perms;
-')
-
########################################
#
# files_create_etc_config(domain,privatetype,[class(es)])
#
define(`files_create_etc_config',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type etc_t;
+ class dir rw_dir_perms;
+ ')
allow $1 etc_t:dir rw_dir_perms;
ifelse(`$3',`',`
@@ -687,60 +602,45 @@ define(`files_create_etc_config',`
')
')
-define(`files_create_etc_config_depend',`
-type etc_t;
-
-class dir rw_dir_perms;
-')
-
########################################
#
# files_rw_isid_type_dir(domain)
#
define(`files_rw_isid_type_dir',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type file_t;
+ class dir rw_dir_perms;
+ ')
allow $1 file_t:dir rw_dir_perms;
')
-define(`files_rw_isid_type_dir_depend',`
- type file_t;
-
- class dir rw_dir_perms;
-')
-
########################################
#
# files_dontaudit_getattr_isid_type_dir(domain)
#
define(`files_dontaudit_getattr_isid_type_dir',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type file_t;
+ class dir search;
+ ')
dontaudit $1 file_t:dir search;
')
-define(`files_dontaudit_getattr_isid_type_dir_depend',`
- type file_t;
-
- class dir search;
-')
-
########################################
#
# files_dontaudit_search_isid_type_dir(domain)
#
define(`files_dontaudit_search_isid_type_dir',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type file_t;
+ class dir search;
+ ')
dontaudit $1 file_t:dir search;
')
-define(`files_dontaudit_search_isid_type_dir_depend',`
- type file_t;
-
- class dir search;
-')
-
########################################
## <interface name="files_list_home">
## <description>
@@ -752,39 +652,36 @@ define(`files_dontaudit_search_isid_type_dir_depend',`
## </interface>
#
define(`files_list_home',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type home_root_t;
+ class dir r_dir_perms;
+ ')
allow $1 home_root_t:dir r_dir_perms;
')
-define(`files_list_home_depend',`
- type home_root_t;
-
- class dir r_dir_perms;
-')
-
########################################
#
# files_list_mnt(domain)
#
define(`files_list_mnt',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type mnt_t;
+ class dir r_dir_perms;
+ ')
allow $1 mnt_t:dir r_dir_perms;
')
-define(`files_read_etc_runtime_files_depend',`
- type mnt_t;
-
- class dir r_dir_perms;
-')
-
########################################
#
# files_create_tmp_files(domain,private_type,[object class(es)])
#
define(`files_create_tmp_files',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type tmp_t;
+ class dir rw_dir_perms;
+ ')
allow $1 tmp_t:dir rw_dir_perms;
@@ -795,18 +692,19 @@ define(`files_create_tmp_files',`
')
')
-define(`files_create_tmp_files_depend',`
- type tmp_t;
-
- class dir rw_dir_perms;
-')
-
########################################
#
# files_delete_all_tmp_files(domain)
#
define(`files_delete_all_tmp_files',`
- gen_require(`$0'_depend)
+ gen_require(`
+ attribute tmpfile;
+ class dir { getattr search read write add_name remove_name rmdir };
+ class file { getattr unlink };
+ class lnk_file { getattr unlink };
+ class fifo_file { getattr unlink };
+ class sock_file { getattr unlink };
+ ')
allow $1 tmpfile:dir { getattr search read write add_name remove_name rmdir };
allow $1 tmpfile:file { getattr unlink };
@@ -815,51 +713,35 @@ define(`files_delete_all_tmp_files',`
allow $1 tmpfile:sock_file { getattr unlink };
')
-define(`files_delete_all_tmp_files_depend',`
- attribute tmpfile;
-
- class dir { getattr search read write add_name remove_name rmdir };
- class file { getattr unlink };
- class lnk_file { getattr unlink };
- class fifo_file { getattr unlink };
- class sock_file { getattr unlink };
-')
-
########################################
#
# files_search_usr(domain)
#
define(`files_search_usr',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type usr_t;
+ class dir search;
+ ')
allow $1 usr_t:dir search;
')
-define(`files_search_usr_depend',`
- type usr_t;
-
- class dir search;
-')
-
########################################
#
# files_read_usr_files(domain)
#
define(`files_read_usr_files',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type usr_t;
+ class dir r_dir_perms;
+ class file r_file_perms;
+ class lnk_file r_file_perms;
+ ')
allow $1 usr_t:dir r_dir_perms;
allow $1 usr_t:{ file lnk_file } r_file_perms;
')
-define(`files_read_usr_files_depend',`
- type usr_t;
-
- class dir r_dir_perms;
- class file r_file_perms;
- class lnk_file r_file_perms;
-')
-
########################################
## <interface name="files_exec_usr_files">
## <description>
@@ -871,7 +753,11 @@ define(`files_read_usr_files_depend',`
## </interface>
#
define(`files_exec_usr_files',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type usr_t, src_t;
+ class dir r_dir_perms;
+ class lnk_file r_file_perms;
+ ')
allow $1 usr_t:dir search;
allow $1 src_t:dir r_dir_perms;
@@ -880,66 +766,49 @@ define(`files_exec_usr_files',`
')
-define(`files_read_usr_src_depend',`
- type usr_t, src_t;
-
- class dir r_dir_perms;
- class file { getattr read execute execute_no_trans };
- class lnk_file r_file_perms;
-')
-
########################################
#
# files_read_usr_src(domain)
#
define(`files_read_usr_src',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type usr_t, src_t;
+ class dir r_dir_perms;
+ class file r_file_perms;
+ class lnk_file r_file_perms;
+ ')
allow $1 usr_t:dir search;
allow $1 src_t:dir r_dir_perms;
allow $1 src_t:{ file lnk_file } r_file_perms;
')
-define(`files_read_usr_src_depend',`
- type usr_t, src_t;
-
- class dir r_dir_perms;
- class file r_file_perms;
- class lnk_file r_file_perms;
-')
-
########################################
#
# files_search_var(domain)
#
define(`files_search_var',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type var_t;
+ class dir search;
+ ')
allow $1 var_t:dir search;
')
-define(`files_search_var_depend',`
- type var_t;
-
- class dir search;
-')
-
########################################
#
# files_dontaudit_search_var(domain)
#
define(`files_dontaudit_search_var',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type var_t;
+ class dir search;
+ ')
dontaudit $1 var_t:dir search;
')
-define(`files_dontaudit_search_var_depend',`
- type var_t;
-
- class dir search;
-')
-
########################################
## <interface name="files_search_var_lib">
## <description>
@@ -964,80 +833,71 @@ define(`files_search_var_lib',`
# files_manage_urandom_seed(domain)
#
define(`files_manage_urandom_seed',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type var_t, var_lib_t;
+ class dir rw_file_perms;
+ class file { getattr create read write setattr unlink };
+ ')
allow $1 var_t:dir search;
allow $1 var_lib_t:dir rw_dir_perms;
allow $1 var_lib_t:file { getattr create read write setattr unlink };
')
-define(`files_manage_urandom_seed_depend',`
- type var_t, var_lib_t;
-
- class dir rw_file_perms;
- class file { getattr create read write setattr unlink };
-')
-
########################################
#
# files_getattr_generic_lock_files(domain)
#
define(`files_getattr_generic_lock_files',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type var_lock_t;
+ class dir r_dir_perms;
+ class file getattr;
+ ')
allow $1 var_lock_t:dir r_dir_perms;
allow $1 var_lock_t:file getattr;
')
-define(`files_getattr_generic_lock_files_depend',`
- type var_lock_t;
-
- class dir r_dir_perms;
- class file getattr;
-')
-
########################################
#
# files_manage_generic_lock_files(domain)
#
define(`files_manage_generic_lock_files',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type var_lock_t;
+ class dir { getattr search create read write setattr add_name remove_name rmdir };
+ class file { getattr create read write setattr unlink };
+ ')
allow $1 var_lock_t:dir { getattr search create read write setattr add_name remove_name rmdir };
allow $1 var_lock_t:file { getattr create read write setattr unlink };
')
-define(`files_manage_generic_lock_files_depend',`
- type var_lock_t;
-
- class dir { getattr search create read write setattr add_name remove_name rmdir };
- class file { getattr create read write setattr unlink };
-')
-
########################################
#
# files_delete_all_lock_files(domain)
#
define(`files_delete_all_lock_files',`
- gen_require(`$0'_depend)
+ gen_require(`
+ attribute lockfile;
+ class dir rw_dir_perms;
+ class file { getattr unlink };
+ ')
allow $1 lockfile:dir rw_dir_perms;
allow $1 lockfile:file { getattr unlink };
')
-define(`files_delete_all_lock_files_depend',`
- attribute lockfile;
-
- class dir rw_dir_perms;
- class file { getattr unlink };
-')
-
########################################
#
# files_create_lock_file(domain,private_type,[object class(es)])
#
define(`files_create_lock_file',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type var_t, var_lock_t;
+ class dir rw_dir_perms;
+ ')
allow $1 var_t:dir search;
allow $1 var_lock_t:dir rw_dir_perms;
@@ -1049,68 +909,56 @@ define(`files_create_lock_file',`
')
')
-define(`files_create_lock_file_depend',`
- type var_t, var_lock_t;
-
- class dir rw_dir_perms;
-')
-
########################################
#
# files_search_pids(domain)
#
define(`files_search_pids',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type var_t, var_run_t;
+ class dir search;
+ ')
allow $1 var_t:dir search;
allow $1 var_run_t:dir search;
')
-define(`files_search_pids_depend',`
- type var_t, var_run_t;
-
- class dir search;
-')
-
########################################
#
# files_dontaudit_search_pids(domain)
#
define(`files_dontaudit_search_pids',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type var_run_t;
+ class dir search;
+ ')
allow $1 var_run_t:dir search;
')
-define(`files_dontaudit_search_pids_depend',`
- type var_run_t;
-
- class dir search;
-')
-
########################################
#
# files_list_pids(domain)
#
define(`files_list_pids',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type var_t, var_run_t;
+ class dir r_dir_perms;
+ ')
allow $1 var_t:dir search;
allow $1 var_run_t:dir r_dir_perms;
')
-define(`files_list_pids_depend',`
- type var_t, var_run_t;
-
- class dir r_dir_perms;
-')
-
########################################
#
# files_create_pid(domain,pidfile,[object class(es)])
#
define(`files_create_pid',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type var_t, var_run_t;
+ class dir rw_dir_perms;
+ ')
allow $1 var_t:dir search;
allow $1 var_run_t:dir rw_dir_perms;
@@ -1122,31 +970,22 @@ define(`files_create_pid',`
')
')
-define(`files_create_pid_depend',`
- type var_t, var_run_t;
-
- class dir rw_dir_perms;
-')
-
########################################
#
# files_rw_generic_pids(domain)
#
define(`files_rw_generic_pids',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type var_t, var_run_t;
+ class dir r_dir_perms;
+ class file rw_file_perms;
+ ')
allow $1 var_t:dir search;
allow $1 var_run_t:dir r_dir_perms;
allow $1 var_run_t:file rw_file_perms;
')
-define(`files_rw_generic_pids_depend',`
- type var_t, var_run_t;
-
- class dir r_dir_perms;
- class file rw_file_perms;
-')
-
########################################
## <interface name="files_dontaudit_write_all_pids">
## <description>
@@ -1157,19 +996,15 @@ define(`files_rw_generic_pids_depend',`
## </parameter>
## </interface>
#
-
define(`files_dontaudit_write_all_pids',`
- gen_require(`$0'_depend)
+ gen_require(`
+ attribute pidfile;
+ class file write;
+ ')
dontaudit $1 pidfile:file write;
')
-define(`files_dontaudit_write_all_pids_depend',`
- attribute pidfile;
-
- class file write;
-')
-
########################################
## <interface name="files_dontaudit_ioctl_all_pids">
## <description>
@@ -1180,45 +1015,45 @@ define(`files_dontaudit_write_all_pids_depend',`
## </parameter>
## </interface>
#
-
define(`files_dontaudit_ioctl_all_pids',`
- gen_require(`$0'_depend)
+ gen_require(`
+ attribute pidfile;
+ class file ioctl;
+ ')
dontaudit $1 pidfile:file ioctl;
')
-define(`files_dontaudit_ioctl_all_pids_depend',`
- attribute pidfile;
-
- class file ioctl;
-')
-
########################################
#
# files_read_all_pids(domain)
#
define(`files_read_all_pids',`
- gen_require(`$0'_depend)
+ gen_require(`
+ attribute pidfile;
+ type var_t;
+ class dir r_dir_perms;
+ class file r_file_perms;
+ ')
allow $1 var_t:dir search;
allow $1 pidfile:dir r_dir_perms;
allow $1 pidfile:file r_file_perms;
')
-define(`files_read_all_pids_depend',`
- attribute pidfile;
-
- type var_t;
- class dir r_dir_perms;
- class file r_file_perms;
-')
-
########################################
#
# files_delete_all_pids(domain)
#
define(`files_delete_all_pids',`
- gen_require(`$0'_depend)
+ gen_require(`
+ attribute pidfile;
+ type var_t, var_run_t;
+ class dir rw_dir_perms;
+ class file { getattr unlink };
+ class lnk_file { getattr unlink };
+ class sock_file { getattr unlink };
+ ')
allow $1 var_t:dir search;
allow $1 var_run_t:{ sock_file lnk_file } { getattr unlink };
@@ -1228,87 +1063,64 @@ define(`files_delete_all_pids',`
allow $1 pidfile:sock_file { getattr unlink };
')
-define(`files_delete_all_pids_depend',`
- attribute pidfile;
-
- type var_t, var_run_t;
-
- class dir rw_dir_perms;
- class file { getattr unlink };
- class lnk_file { getattr unlink };
- class sock_file { getattr unlink };
-')
-
########################################
#
# files_search_spool(domain)
#
define(`files_search_spool',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type var_t, var_spool_t;
+ class dir search;
+ ')
allow $1 var_t:dir search;
allow $1 var_spool_t:dir search;
')
-define(`files_search_spool_depend',`
- type var_t, var_spool_t;
-
- class dir search;
-')
-
########################################
#
# files_list_spool(domain)
#
define(`files_list_spool',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type var_t, var_spool_t;
+ class dir r_dir_perms;
+ ')
allow $1 var_t:dir search;
allow $1 var_spool_t:dir r_dir_perms;
')
-define(`files_list_spool_depend',`
- type var_t, var_spool_t;
-
- class dir r_dir_perms;
-')
-
########################################
#
# files_read_spools(domain)
#
define(`files_read_spools',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type var_t, var_spool_t;
+ class dir r_dir_perms;
+ class file r_file_perms;
+ ')
allow $1 var_t:dir search;
allow $1 var_spool_t:dir r_dir_perms;
allow $1 var_spool_t:file r_file_perms;
')
-define(`files_read_spools_depend',`
- type var_t, var_spool_t;
-
- class dir r_dir_perms;
- class file r_file_perms;
-')
-
########################################
#
# files_manage_spools(domain)
#
define(`files_manage_spools',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type var_t, var_spool_t;
+ class dir rw_dir_perms;
+ class file create_file_perms;
+ ')
allow $1 var_t:dir search;
allow $1 var_spool_t:dir rw_dir_perms;
allow $1 var_spool_t:file create_file_perms;
')
-define(`files_manage_spools_depend',`
- type var_t, var_spool_t;
-
- class dir rw_dir_perms;
- class file create_file_perms;
-')
-
## </module>
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index f129a43..7b17ad9 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -859,15 +859,13 @@ define(`userdom_spec_domtrans_unpriv_users',`
## </interface>
#
define(`userdom_shell_domtrans_sysadm',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type sysadm_t;
+ ')
corecmd_domtrans_shell($1,sysadm_t)
')
-define(`userdom_shell_domtrans_sysadm_depend',`
- type sysadm_t;
-')
-
########################################
## <interface name="userdom_use_sysadm_tty">
## <description>
More information about the scm-commits
mailing list