root/docs/macro_conversion_guide

Revision 1954, 27.4 kB (checked in by pebenito, 2 years ago)

update mcg for dead selopt rules

1 #
2 # This is the guide for converting old macros to local policy
3 # and new interfaces.
4 #
5 # $1, $2, etc. are replaced with the first, second, etc.
6 # parameters to the old macro.
7 #
8
9 ########################################
10 #
11 # Attributes
12 #
13 # $1 is the type this attribute is on
14
15 #
16 # auth: complete
17 #
18 auth_read_shadow($1)
19
20 #
21 # auth_chkpwd: complete
22 #
23 auth_domtrans_chk_passwd($1)
24
25 #
26 # auth_write: complete
27 #
28 # handled by appropriate interfaces
29
30 #
31 # daemon: complete
32 #
33 optional_policy(`nscd',`
34         nscd_socket_use($1)
35 ')
36
37 #
38 # domain: complete
39 #
40 domain_type($1)
41
42 #
43 # etc_writer: complete
44 #
45 # handled by appropriate interfaces
46
47 #
48 # exec_type: complete
49 #
50 corecmd_executable_file($1)
51
52 #
53 # file_type: complete
54 #
55 files_type($1)
56
57 #
58 # fs_domain: complete
59 #
60 # handled by appropriate interfaces
61
62 #
63 # mlsfileread: complete
64 #
65 mls_file_read_up($1)
66
67 #
68 # mlsfileupgrade: complete
69 #
70 mls_file_upgrade($1)
71
72 #
73 # mlsfilewrite: complete
74 #
75 mls_file_write_down($1)
76
77 #
78 # mlsprocsetsl: complete
79 #
80 mls_process_set_level($1)
81
82 #
83 # mlsprocwrite: complete
84 #
85 mls_process_write_down($1)
86
87 #
88 # mlstrustedobject: complete
89 #
90 mls_trusted_object($1)
91
92 #
93 # mta_delivery_agent:
94 #
95 mta_mailserver_delivery($1)
96 # for piping mail to a command
97 kernel_read_system_state($1)
98 corecmd_exec_shell($1)
99 files_read_etc_runtime_files($1)
100 mta_append_spool($1)
101 ifdef(`TODO',`
102 optional_policy(`arpwatch',`
103         # why is mail delivered to a directory of type arpwatch_data_t?
104         allow mta_delivery_agent arpwatch_data_t:dir search;
105 ')
106 ') dnl end TODO
107
108 #
#
# mta_user_agent:
#
# NOT marked complete.  The bare "allow mta_user_agent ..." rules below
# still name the old attribute (mta_user_agent) and the old privmail
# attribute, which this guide elsewhere replaces with mta_send_mail()
# (see the privmail entry); under the interface model these rules need
# *_use_fds / *_sigchld / fifo interfaces from the owning module
# (presumably mta and userdom -- TODO confirm which cover them).
mta_mailserver_user_agent($1)
domain_use_interactive_fds($1)
userdom_sigchld_all_users($1)
userdom_use_all_user_fd($1)
userdom_use_sysadm_terms($1)
# Old attribute-based rules, not yet converted (see note above).
allow mta_user_agent privmail:fd use;
allow mta_user_agent privmail:process sigchld;
allow mta_user_agent privmail:fifo_file { read write };
# NOTE(review): read+write on every sysadm_t fifo is a broad grant for a
# mail user agent; confirm the narrowest interface that still lets a
# sysadm-piped mail command work.
allow mta_user_agent sysadm_t:fifo_file { read write };
optional_policy(`arpwatch',`
        # why is mail delivered to a directory of type arpwatch_data_t?
        # (the comment says arpwatch_data_t but the rule grants
        # arpwatch_tmp_t -- one of the two is stale)
        allow mta_user_agent arpwatch_tmp_t:file rw_file_perms;
        ifdef(`hide_broken_symptoms', `
                dontaudit mta_user_agent arpwatch_t:packet_socket { read write };
        ')
')
optional_policy(`
        cron_sigchld($1)
        cron_read_system_job_tmp_files($1)
')
optional_policy(`
        logrotate_read_tmp_files($1)
')
134
135 #
136 # nscd_client_domain: complete
137 #
138 optional_policy(`
139         nscd_socket_use($1)
140 ')
141
142 #
143 # privfd: complete
144 #
145 domain_interactive_fd($1)
146
147 #
148 # privlog: complete
149 #
150 logging_send_syslog_msg($1)
151
152 #
153 # privmail: complete
154 #
155 optional_policy(`mta',`
156         mta_send_mail($1)
157 ')
158
159 #
160 # privmem: complete
161 #
162 # handled by appropriate interfaces
163
#
# privmodule: complete
#
# Transition into the insmod domain, i.e. the ability to load kernel
# modules.  A domain that can do this can run code in the kernel, so a
# compromise of $1 is a compromise of the whole system; grant sparingly.
modutils_domtrans_insmod($1)

#
# privowner: complete
#
# Judging from the interface names, the four domain_*_change_exempt
# interfaces below exempt $1 from the constraints on changing the
# SELinux user / role / system identity of objects and processes --
# the holes the old priv* attributes opened in the constraints file.
# They should stay limited to the domains that legitimately relabel
# identities (presumably login, newrole and object-manager style
# domains -- confirm per caller).
domain_obj_id_change_exempt($1)

#
# privrole: complete
#
domain_role_change_exempt($1)

#
# privuser: complete
#
domain_subj_id_change_exempt($1)

#
# priv_system_role: complete
#
domain_system_change_exempt($1)
188
189 #
190 # secure_file_type: complete
191 #
192 files_security_file($1)
193
194 #
195 # sysadmfile: complete
196 #
197 files_type($1)
198
199 #
200 # sysctl_kernel_writer: complete
201 #
202 # handled by appropriate interfaces
203
204 #
205 # userspace_objmgr: complete
206 #
207 allow $1 self:process getattr;
208 # Receive notifications of policy reloads and enforcing status changes.
209 allow $1 self:netlink_selinux_socket { create bind read };
210 selinux_get_fs_mount($1)
211 selinux_validate_context($1)
212 selinux_compute_access_vector($1)
213 selinux_compute_create_context($1)
214 selinux_compute_relabel_context($1)
215 selinux_compute_user_contexts($1)
216 seutil_read_config($1)
217 seutil_read_default_contexts($1)
218
219 #
220 # web_client_domain:
221 #
222 optional_policy(`squid',`
223         squid_use($1)
224 ')
225
226 ########################################
227 #
228 # Access macros
229 #
230
231 #
232 # access_terminal():
233 #
234 allow $1 $2_tty_device_t:chr_file { read write getattr ioctl };
235 allow $1 devtty_t:chr_file { read write getattr ioctl };
236 allow $1 devpts_t:dir { read search getattr };
237 allow $1 $2_devpts_t:chr_file { read write getattr ioctl };
238
#
# anonymous_domain():
#
# Read access to public content is unconditional; write access sits
# behind a per-domain tunable that defaults to false, so an anonymous
# (presumably unauthenticated, network-facing) service cannot modify
# public files unless an administrator turns on allow_<name>_anon_write.
gen_tunable(allow_$1_anon_write,false)
miscfiles_read_public_files($1_t)
tunable_policy(`allow_$1_anon_write',`
miscfiles_manage_public_files($1_t)
')
247
#
# append_log_domain():
#
# NOT marked complete.  Preserves the append-only contract of the old
# macro: the ra_* permission sets are the read/append subsets (no write
# or unlink -- confirm against the permission-set definitions), unlike
# the create_file_perms that log_domain() grants, so a compromised $1_t
# cannot truncate or delete the log it produces.  The var_log_t rules
# name the type directly where log_domain() uses
# logging_log_filetrans(); check what that interface grants on the
# directory before switching, or the append-only property is lost.
type $1_log_t;
logging_log_file($1_log_t)
allow $1_t var_log_t:dir ra_dir_perms;
allow $1_t $1_log_t:file  { create ra_file_perms };
type_transition $1_t var_log_t:file $1_log_t;
256
257 #
258 # append_logdir_domain():
259 #
260 type $1_log_t;
261 logging_log_file($1_log_t)
262 allow $1_t var_log_t:dir ra_dir_perms;
263 allow $1_t $1_log_t:dir { setattr ra_dir_perms };
264 allow $1_t $1_log_t:file  { create ra_file_perms };
265 type_transition $1_t var_log_t:file $1_log_t;
266
#
# application_domain():
#
# Bare application domain: domain type and entrypoint, dynamic linking
# and syslog.  Nothing here lets any role reach the domain yet -- see
# the note at the end.
type $1_t;
type $1_exec_t;
domain_type($1_t)
domain_entry_file($1_t,$1_exec_t)
libs_use_ld_so($1_t)
libs_use_shared_libs($1_t)
logging_send_syslog_msg($1_t)
# a "run" interface needs to be
# added, and have sysadm_t use it
# in an optional_policy block,
# and have unconfined_t use it
# in an optional_policy block inside
# the targeted_policy ifdef
283
284 #
285 # base_can_network($1,$2):
286 #
287 allow $1 self:$2_socket connected_socket_perms;
288 corenet_$2_sendrecv_generic_if($1)
289 corenet_raw_sendrecv_generic_if($1)
290 corenet_$2_sendrecv_all_nodes($1)
291 corenet_raw_sendrecv_all_nodes($1)
292 corenet_$2_sendrecv_all_ports($1)
293 corenet_non_ipsec_sendrecv($1)
294 corenet_$2_bind_all_nodes($1)
295 sysnet_read_config($1)
296
297 #
298 # base_can_network($1,$2,$3):
299 #
300 # remove _port_t from $3:
301 allow $1 self:$2_socket connected_socket_perms;
302 corenet_$2_sendrecv_generic_if($1)
303 corenet_raw_sendrecv_generic_if($1)
304 corenet_$2_sendrecv_all_nodes($1)
305 corenet_raw_sendrecv_all_nodes($1)
306 corenet_$2_sendrecv_$3_port($1)
307 corenet_non_ipsec_sendrecv($1)
308 corenet_$2_bind_all_nodes($1)
309 sysnet_read_config($1)
310
311 #
312 # base_file_read_access(): complete
313 #
314 kernel_read_kernel_sysctls($1)
315 corecmd_list_bin($1)
316 corecmd_read_bin_symlink($1)
317 corecmd_read_bin_file($1)
318 corecmd_read_bin_pipe($1)
319 corecmd_read_bin_socket($1)
320 corecmd_list_sbin($1)
321 corecmd_read_sbin_symlink($1)
322 corecmd_read_sbin_file($1)
323 corecmd_read_sbin_pipe($1)
324 corecmd_read_sbin_socket($1)
325 files_list_home($1)
326 files_read_usr_files($1)
327 seutil_read_config($1)
328 tunable_policy(`read_default_t',`
329         files_list_default($1)
330         files_read_default_files($1)
331         files_read_default_symlinks($1)
332         files_read_default_sockets($1)
333         files_read_default_pipes($1)
334 ')
335
336 #
337 # base_pty_perms():
338 #
339 allow $1_t ptmx_t:chr_file rw_file_perms;
340 allow $1_t devpts_t:filesystem getattr;
341 allow $1_t devpts_t:dir { getattr read search };
342 dontaudit $1_t bsdpty_device_t:chr_file { getattr read write };
343
344 #
345 # can_create($1,$2,$3): complete
346 #
347 # for each object class in $3:
348 # if dir:
349 allow $1 $2:dir create_dir_perms;
350 # else if lnk_file:
351 allow $1 $2:lnk_file create_lnk_perms;
352 # else:
353 allow $1 $2:$3 create_file_perms;
354
355 #
356 # can_create_other_pty(): complete
357 #
358 allow $1_t $2_devpts_t:chr_file { rw_file_perms setattr };
359 term_create_pty($1_t,$2_devpts_t)
360
361 #
362 # can_create_pty(): complete
363 #
364 # $2 may require more conversion
365 type $1_devpts_t $2;
366 term_pty($1_devpts_t)
367 allow $1_t $1_devpts_t:chr_file { rw_file_perms setattr };
368 term_create_pty($1_t,$1_devpts_t)
369
370 #
371 # can_exec_any(): complete
372 #
373 corecmd_exec_all_executables($1)
374 files_exec_etc_files($1)
375 libs_use_ld_so($1)
376 libs_use_shared_libs($1)
377 libs_exec_ld_so($1)
378 libs_exec_lib_files($1)
379
380 #
381 # can_getcon(): complete
382 #
383 allow $1 self:process getattr;
384 kernel_read_system_state($1)
385
386 #
387 # can_getsecurity(): complete
388 #
389 selinux_get_fs_mount($1)
390 selinux_validate_context($1)
391 selinux_compute_access_vector($1)
392 selinux_compute_create_context($1)
393 selinux_compute_relabel_context($1)
394 selinux_compute_user_contexts($1)
395
396 #
397 # can_kerberos(): complete
398 #
399 optional_policy(`kerberos',`
400         kerberos_use($1)
401 ')
402
403 #
404 # can_ldap(): complete
405 #
406 sysnet_use_ldap($1)
407
#
# can_loadpol(): complete
#
# Replaces the running policy.  A domain holding this can rewrite every
# rule described in this guide, so it belongs only to the
# policy-management domain.  get_fs_mount is the libselinux
# initialization requirement the can_set* entries below also mention.
selinux_get_fs_mount($1)
selinux_load_policy($1)
413
#
# can_network($1):
#
# NOT marked complete.  This is the broad form: TCP and UDP on every
# node and every port (the *_all_ports interfaces), plus raw sockets
# and non-IPsec traffic.  When converting a domain that only talks to
# one service, prefer the port-specific corenet_*_sendrecv_<port>_port()
# calls shown in the can_network_client($1,$2) / can_network_server($1,$2)
# entries, which omit *_all_ports.
allow $1 self:tcp_socket create_stream_socket_perms;
allow $1 self:udp_socket create_socket_perms;
corenet_tcp_sendrecv_generic_if($1)
corenet_udp_sendrecv_generic_if($1)
corenet_raw_sendrecv_generic_if($1)
corenet_tcp_sendrecv_all_nodes($1)
corenet_udp_sendrecv_all_nodes($1)
corenet_raw_sendrecv_all_nodes($1)
corenet_tcp_sendrecv_all_ports($1)
corenet_udp_sendrecv_all_ports($1)
corenet_non_ipsec_sendrecv($1)
corenet_tcp_bind_all_nodes($1)
corenet_udp_bind_all_nodes($1)
sysnet_read_config($1)
optional_policy(`mount',`
        mount_send_nfs_client_request($1)
')
434
#
# can_network($1,$2):
#
# NOT marked complete.  NOTE(review): this entry keeps the
# *_sendrecv_all_ports lines and then adds the port-specific
# *_sendrecv_$2_port lines, which makes the latter redundant -- the
# domain still reaches every port.  The can_network_client($1,$2) and
# can_network_server($1,$2) entries drop *_all_ports; confirm whether
# the old two-argument can_network really granted all ports before
# carrying that over.
allow $1 self:tcp_socket create_stream_socket_perms;
allow $1 self:udp_socket create_socket_perms;
corenet_tcp_sendrecv_generic_if($1)
corenet_udp_sendrecv_generic_if($1)
corenet_raw_sendrecv_generic_if($1)
corenet_tcp_sendrecv_all_nodes($1)
corenet_udp_sendrecv_all_nodes($1)
corenet_raw_sendrecv_all_nodes($1)
corenet_tcp_sendrecv_all_ports($1)
corenet_udp_sendrecv_all_ports($1)
corenet_non_ipsec_sendrecv($1)
corenet_tcp_bind_all_nodes($1)
corenet_udp_bind_all_nodes($1)
sysnet_read_config($1)
# (remove _port_t from $2):
corenet_tcp_sendrecv_$2_port($1)
corenet_udp_sendrecv_$2_port($1)
optional_policy(`mount',`
        mount_send_nfs_client_request($1)
')
458
459 #
460 # can_network_client($1):
461 #
462 allow $1 self:tcp_socket create_socket_perms;
463 allow $1 self:udp_socket create_socket_perms;
464 corenet_tcp_sendrecv_generic_if($1)
465 corenet_udp_sendrecv_generic_if($1)
466 corenet_raw_sendrecv_generic_if($1)
467 corenet_tcp_sendrecv_all_nodes($1)
468 corenet_udp_sendrecv_all_nodes($1)
469 corenet_raw_sendrecv_all_nodes($1)
470 corenet_tcp_sendrecv_all_ports($1)
471 corenet_udp_sendrecv_all_ports($1)
472 corenet_non_ipsec_sendrecv($1)
473 corenet_tcp_bind_all_nodes($1)
474 corenet_udp_bind_all_nodes($1)
475 sysnet_read_config($1)
476
477 #
478 # can_network_client($1,$2): complete
479 #
480 # remove _port_t from $2
481 allow $1 self:tcp_socket create_socket_perms;
482 allow $1 self:udp_socket create_socket_perms;
483 corenet_tcp_sendrecv_generic_if($1)
484 corenet_udp_sendrecv_generic_if($1)
485 corenet_raw_sendrecv_generic_if($1)
486 corenet_tcp_sendrecv_all_nodes($1)
487 corenet_udp_sendrecv_all_nodes($1)
488 corenet_raw_sendrecv_all_nodes($1)
489 corenet_tcp_sendrecv_$2_port($1)
490 corenet_udp_sendrecv_$2_port($1)
491 corenet_non_ipsec_sendrecv($1)
492 corenet_tcp_bind_all_nodes($1)
493 corenet_udp_bind_all_nodes($1)
494 sysnet_read_config($1)
495
496 #
497 # can_network_client_tcp($1): complete
498 #
499 allow $1 self:tcp_socket create_socket_perms;
500 corenet_tcp_sendrecv_generic_if($1)
501 corenet_raw_sendrecv_generic_if($1)
502 corenet_tcp_sendrecv_all_nodes($1)
503 corenet_raw_sendrecv_all_nodes($1)
504 corenet_tcp_sendrecv_all_ports($1)
505 corenet_non_ipsec_sendrecv($1)
506 corenet_tcp_bind_all_nodes($1)
507 sysnet_read_config($1)
508
509 #
510 # can_network_client_tcp($1,$2): complete
511 #
512 # remove _port_t from $2
513 allow $1 self:tcp_socket create_socket_perms;
514 corenet_tcp_sendrecv_generic_if($1)
515 corenet_raw_sendrecv_generic_if($1)
516 corenet_tcp_sendrecv_all_nodes($1)
517 corenet_raw_sendrecv_all_nodes($1)
518 corenet_tcp_sendrecv_$2_port($1)
519 corenet_non_ipsec_sendrecv($1)
520 corenet_tcp_bind_all_nodes($1)
521 sysnet_read_config($1)
522
523 #
524 # can_network_server($1): complete
525 #
526 allow $1 self:tcp_socket create_stream_socket_perms;
527 allow $1 self:udp_socket create_socket_perms;
528 corenet_tcp_sendrecv_generic_if($1)
529 corenet_udp_sendrecv_generic_if($1)
530 corenet_raw_sendrecv_generic_if($1)
531 corenet_tcp_sendrecv_all_nodes($1)
532 corenet_udp_sendrecv_all_nodes($1)
533 corenet_raw_sendrecv_all_nodes($1)
534 corenet_tcp_sendrecv_all_ports($1)
535 corenet_udp_sendrecv_all_ports($1)
536 corenet_non_ipsec_sendrecv($1)
537 corenet_tcp_bind_all_nodes($1)
538 corenet_udp_bind_all_nodes($1)
539 sysnet_read_config($1)
540
541 #
542 # can_network_server($1,$2): complete
543 #
544 # remove _port_t from $2
545 allow $1 self:tcp_socket create_stream_socket_perms;
546 allow $1 self:udp_socket create_socket_perms;
547 corenet_tcp_sendrecv_generic_if($1)
548 corenet_udp_sendrecv_generic_if($1)
549 corenet_raw_sendrecv_generic_if($1)
550 corenet_tcp_sendrecv_all_nodes($1)
551 corenet_udp_sendrecv_all_nodes($1)
552 corenet_raw_sendrecv_all_nodes($1)
553 corenet_tcp_sendrecv_$2_port($1)
554 corenet_udp_sendrecv_$2_port($1)
555 corenet_non_ipsec_sendrecv($1)
556 corenet_tcp_bind_all_nodes($1)
557 corenet_udp_bind_all_nodes($1)
558 sysnet_read_config($1)
559
560 #
561 # can_network_server_tcp($1): complete
562 #
563 allow $1 self:tcp_socket create_stream_socket_perms;
564 corenet_tcp_sendrecv_generic_if($1)
565 corenet_raw_sendrecv_generic_if($1)
566 corenet_tcp_sendrecv_all_nodes($1)
567 corenet_raw_sendrecv_all_nodes($1)
568 corenet_tcp_sendrecv_all_ports($1)
569 corenet_non_ipsec_sendrecv($1)
570 corenet_tcp_bind_all_nodes($1)
571 sysnet_read_config($1)
572
573 #
574 # can_network_server_tcp($1,$2): complete
575 #
576 # remove _port_t from $2:
577 allow $1 self:tcp_socket create_stream_socket_perms;
578 corenet_tcp_sendrecv_generic_if($1)
579 corenet_raw_sendrecv_generic_if($1)
580 corenet_tcp_sendrecv_all_nodes($1)
581 corenet_raw_sendrecv_all_nodes($1)
582 corenet_tcp_sendrecv_$2_port($1)
583 corenet_non_ipsec_sendrecv($1)
584 corenet_tcp_bind_all_nodes($1)
585 sysnet_read_config($1)
586
587 #
588 # can_network_tcp($1): complete
589 #
590 allow $1 self:tcp_socket create_stream_socket_perms;
591 corenet_tcp_sendrecv_generic_if($1)
592 corenet_raw_sendrecv_generic_if($1)
593 corenet_tcp_sendrecv_all_nodes($1)
594 corenet_raw_sendrecv_all_nodes($1)
595 corenet_tcp_sendrecv_all_ports($1)
596 corenet_non_ipsec_sendrecv($1)
597 corenet_tcp_bind_all_nodes($1)
598 sysnet_read_config($1)
599
600 #
601 # can_network_tcp($1,$2): complete
602 #
603 # remove _port_t from $2:
604 allow $1 self:tcp_socket create_stream_socket_perms;
605 corenet_tcp_sendrecv_generic_if($1)
606 corenet_raw_sendrecv_generic_if($1)
607 corenet_tcp_sendrecv_all_nodes($1)
608 corenet_raw_sendrecv_all_nodes($1)
609 corenet_tcp_sendrecv_$2_port($1)
610 corenet_non_ipsec_sendrecv($1)
611 corenet_tcp_bind_all_nodes($1)
612 sysnet_read_config($1)
613
614 #
615 # can_network_udp($1): complete
616 #
617 allow $1 self:udp_socket create_socket_perms;
618 corenet_udp_sendrecv_generic_if($1)
619 corenet_raw_sendrecv_generic_if($1)
620 corenet_udp_sendrecv_all_nodes($1)
621 corenet_raw_sendrecv_all_nodes($1)
622 corenet_udp_sendrecv_all_ports($1)
623 corenet_non_ipsec_sendrecv($1)
624 corenet_udp_bind_all_nodes($1)
625 sysnet_read_config($1)
626
627 #
628 # can_network_udp($1,$2): complete
629 #
630 # remove _port_t from $2
631 allow $1 self:udp_socket create_socket_perms;
632 corenet_udp_sendrecv_generic_if($1)
633 corenet_raw_sendrecv_generic_if($1)
634 corenet_udp_sendrecv_all_nodes($1)
635 corenet_raw_sendrecv_all_nodes($1)
636 corenet_udp_sendrecv_$2_port($1)
637 corenet_non_ipsec_sendrecv($1)
638 corenet_udp_bind_all_nodes($1)
639 sysnet_read_config($1)
640
641 #
642 # can_ps():
643 #
644 allow $1 $2:dir { search getattr read };
645 allow $1 $2:{ file lnk_file } { read getattr };
646 allow $1 $2:process getattr;
647
#
# can_ptrace():
#
# $1 gets ptrace over $2 (read and modify $2's memory and registers, so
# $1 effectively inherits whatever $2 holds); $2 may signal sigchld
# back.  Keep this to debugger-style domains -- it is the most powerful
# inter-domain permission in this guide.
allow $1 $2:process ptrace;
allow $2 $1:process sigchld;
653
654 #
655 # can_portmap():
656 #
657 sysnet_use_portmap($1)
658
659 #
660 # can_resolve(): complete
661 #
662 sysnet_dns_name_resolve($1)
663
664 #
665 # can_setbool(): complete
666 #
667 selinux_get_fs_mount($1)
668 selinux_set_boolean($1)
669
670 #
671 # can_setcon(): complete
672 #
673 # get mount point is due to libselinux init
674 #
675 allow $1 self:process setcurrent;
676 domain_dyntrans_type($1)
677 selinux_get_fs_mount($1)
678
#
# can_setenforce(): complete
#
# get mount point is due to libselinux init
#
# Lets $1 switch the kernel between enforcing and permissive mode --
# effectively disabling every other rule in this guide -- so it belongs
# only to the administrative domain meant to do that.
selinux_get_fs_mount($1)
selinux_set_enforce_mode($1)
686
687 #
688 # can_setexec(): complete
689 #
690 # get mount point is due to libselinux init
691 #
692 allow $1 self:process setexec;
693 selinux_get_fs_mount($1)
694
695 #
696 # can_setfscreate(): complete
697 #
698 # get mount point is due to libselinux init
699 #
700 allow $1 self:process setfscreate;
701 selinux_get_fs_mount($1)
702
703 #
704 # can_setsecparam(): complete
705 #
706 # get mount point is due to libselinux init
707 #
708 selinux_get_fs_mount($1)
709 kernel_setsecparam($1)
710
711 #
712 # can_sysctl(): complete
713 #
714 kernel_rw_all_sysctls($1)
715
716 #
717 # can_tcp_connect():
718 #
719 # can_tcp_connect() is deprecated and should be removed
720
721 #
722 # can_udp_send():
723 #
724 # can_udp_send() is deprecated and should be removed
725
726 #
727 # can_unix_connect():
728 #
729 allow $1 $2:unix_stream_socket connectto;
730
731 #
732 # can_unix_send():
733 #
734 allow $1 $2:unix_dgram_socket sendto;
735
736 #
737 # can_winbind(): complete
738 #
739 optional_policy(`samba',`
740         samba_connect_winbind($1)
741 ')
742
743 #
744 # can_ypbind(): complete
745 #
746 optional_policy(`nis',`
747         nis_use_ypbind($1)
748 ')
749
750 #
751 # create_append_log_file():
752 #
753 allow $1 $2:dir { read getattr search add_name write };
754 allow $1 $2:file { create ioctl getattr setattr append link };
755
756 #
757 # create_dir_file():
758 #
759 allow $1 $2:dir create_dir_perms;
760 allow $1 $2:file create_file_perms;
761 allow $1 $2:lnk_file create_lnk_perms;
762
763 #
764 # create_dir_notdevfile():
765 #
766 allow $1 $2:dir create_dir_perms;
767 allow $1 $2:{ file sock_file fifo_file } create_file_perms;
768 allow $1 $2:lnk_file create_lnk_perms;
769
770 #
771 # daemon_base_domain():
772 #
773 type $1_t;
774 type $1_exec_t;
775 init_daemon_domain($1_t,$1_exec_t)
776 dontaudit $1_t self:capability sys_tty_config;
777 allow $1_t self:process signal_perms;
778 kernel_list_proc($1_t)
779 kernel_read_proc_symlinks($1_t)
780 kernel_read_kernel_sysctls($1_t)
781 dev_read_sysfs($1_t)
782 domain_use_interactive_fds($1_t)
783 fs_search_auto_mountpoints($1_t)
784 term_dontaudit_use_console($1_t)
785 init_use_fds($1_t)
786 init_use_script_ptys($1_t)
787 libs_use_ld_so($1_t)
788 libs_use_shared_libs($1_t)
789 logging_send_syslog_msg($1_t)
790 userdom_dontaudit_use_unpriv_user_fds($1_t)
791 ifdef(`targeted_policy',`
792         term_dontaudit_use_unallocated_ttys($1_t)
793         term_dontaudit_use_generic_ptys($1_t)
794         files_dontaudit_read_root_files($1_t)
795 ')
796 optional_policy(`
797         seutil_sigchld_newrole($1_t)
798 ')
799 optional_policy(`
800         udev_read_db($1_t)
801 ')
802
803 #
804 # daemon_domain():
805 #
806 type $1_t;
807 type $1_exec_t;
808 init_daemon_domain($1_t,$1_exec_t)
809 type $1_var_run_t;
810 files_pid_file($1_var_run_t)
811 dontaudit $1_t self:capability sys_tty_config;
812 allow $1_t self:process signal_perms;
813 allow $1_t $1_var_run_t:file create_file_perms;
814 allow $1_t $1_var_run_t:dir rw_dir_perms;
815 files_pid_filetrans($1_t,$1_var_run_t,file)
816 kernel_read_kernel_sysctls($1_t)
817 kernel_list_proc($1_t)
818 kernel_read_proc_symlinks($1_t)
819 dev_read_sysfs($1_t)
820 domain_use_interactive_fds($1_t)
821 fs_getattr_all_fs($1_t)
822 fs_search_auto_mountpoints($1_t)
823 term_dontaudit_use_console($1_t)
824 init_use_fds($1_t)
825 init_use_script_ptys($1_t)
826 libs_use_ld_so($1_t)
827 libs_use_shared_libs($1_t)
828 logging_send_syslog_msg($1_t)
829 miscfiles_read_localization($1_t)
830 userdom_dontaudit_use_unpriv_user_fds($1_t)
831 userdom_dontaudit_search_sysadm_home_dirs($1_t)
832 ifdef(`targeted_policy',`
833         term_dontaudit_use_unallocated_ttys($1_t)
834         term_dontaudit_use_generic_ptys($1_t)
835         files_dontaudit_read_root_files($1_t)
836 ')
837 optional_policy(`
838         seutil_sigchld_newrole($1_t)
839 ')
840 optional_policy(`
841         udev_read_db($1_t)
842 ')
843
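#
# daemon_sub_domain():
#
# $1 is the parent domain's full type name (it is passed straight to
# domain_auto_trans below); $2 is the prefix of the new child domain.
# $3 may need more work
type $2_t; #, daemon $3;
domain_type($2_t)
type $2_exec_t;
domain_entry_file($2_t,$2_exec_t)
role system_r types $2_t;
allow $2_t self:process signal_perms;
domain_auto_trans($1, $2_exec_t, $2_t)
# The next five calls applied to "$1_t" in the earlier revision, which
# is neither the parent ($1 is already a full type here) nor the child.
# They are the child's baseline (cf. daemon_base_domain), so they go to
# $2_t.
logging_send_syslog_msg($2_t)
libs_use_ld_so($2_t)
libs_use_shared_libs($2_t)
kernel_list_proc($2_t)
kernel_read_proc_symlinks($2_t)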
860
861 #
862 # etc_domain(): complete
863 #
864 type $1_etc_t;
865 files_config_file($1_etc_t)
866 allow $1_t $1_etc_t:file { getattr read };
867 files_search_etc($1_t)
868
869 #
870 # etcdir_domain(): complete
871 #
872 type $1_etc_t;
873 files_config_file($1_etc_t)
874 allow $1_t $1_etc_t:file r_file_perms;
875 allow $1_t $1_etc_t:dir r_dir_perms;
876 allow $1_t $1_etc_t:lnk_file { getattr read };
877 files_search_etc($1_t)
878
879 #
880 # file_type_auto_trans($1,$2,$3): complete
881 #
882 allow $1 $2:dir rw_dir_perms;
883 allow $1 $3:dir create_dir_perms;
884 allow $1 $3:file create_file_perms;
885 allow $1 $3:lnk_file create_lnk_perms;
886 allow $1 $3:sock_file create_file_perms;
887 allow $1 $3:fifo_file create_file_perms;
888 type_transition $1 $2:{ file lnk_file sock_file fifo_file } $3;
889
890 #
891 # file_type_auto_trans($1,$2,$3,$4): complete
892 #
893 allow $1 $2:dir rw_dir_perms;
894 # for each i in $4:
895 can_create_internal($1,$3,$i)
896 type_transition $1 $2:$i $3;
897
898 #
#
# general_domain_access(): complete
#
# Self-access for an ordinary domain.  The process complement below
# deliberately withholds the permissions that let a domain escape or
# weaken its own confinement: ptrace (see can_ptrace), setcurrent /
# setexec / setfscreate (choosing its own or created objects' contexts;
# see can_setcon, can_setexec, can_setfscreate), setrlimit, and
# execmem / execstack / execheap (writable+executable memory; see
# legacy_domain for the domains that genuinely need it).
allow $1 self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow $1 self:fd use;
allow $1 self:fifo_file rw_file_perms;
allow $1 self:unix_dgram_socket create_socket_perms;
allow $1 self:unix_stream_socket create_stream_socket_perms;
allow $1 self:unix_dgram_socket sendto;
allow $1 self:unix_stream_socket connectto;
# SysV IPC with itself only (self), not with other domains.
allow $1 self:shm create_shm_perms;
allow $1 self:sem create_sem_perms;
allow $1 self:msgq create_msgq_perms;
allow $1 self:msg { send receive };
fs_search_auto_mountpoints($1)
userdom_use_unpriv_users_fds($1)
optional_policy(`nis',`
        nis_use_ypbind($1)
')
917
918 #
919 # general_proc_read_access(): complete
920 #
921 kernel_read_system_state($1)
922 kernel_read_network_state($1)
923 kernel_read_software_raid_state($1)
924 kernel_getattr_core_if($1)
925 kernel_getattr_message_if($1)
926 kernel_read_kernel_sysctls($1)
927
928 #
929 # home_domain($1,$2)
930 #
931 type $1_$2_home_t alias $1_$2_rw_t;
932 files_poly_member($1_$2_home_t)
933 userdom_user_home_content($1,$1_$2_home_t)
934 allow $1_t $1_$2_home_t:dir manage_dir_perms;
935 allow $1_t $1_$2_home_t:file manage_file_perms;
936 allow $1_t $1_$2_home_t:lnk_file create_lnk_perms;
937 allow $1_t $1_$2_home_t:{ dir file lnk_file } { relabelfrom relabelto };
938 userdom_search_user_home_dirs($1,$1_$2_t)
939 allow $1_$2_t $1_$2_home_t:dir manage_dir_perms;
940 allow $1_$2_t $1_$2_home_t:file manage_file_perms;
941 allow $1_$2_t $1_$2_home_t:lnk_file create_lnk_perms;
942 fs_search_auto_mountpoints($1_$2_t)
943 tunable_policy(`use_nfs_home_dirs',`
944 fs_manage_nfs_dirs($1_$2_t)
945 fs_manage_nfs_files($1_$2_t)
946 fs_manage_nfs_symlinks($1_$2_t)
947 ')
948 tunable_policy(`use_samba_home_dirs',`
949 fs_manage_cifs_dirs($1_$2_t)
950 fs_manage_cifs_files($1_$2_t)
951 fs_manage_cifs_symlinks($1_$2_t)
952 ')
953
954 #
955 # in_user_role():
956 #
957 # this is replaced by run interfaces
958
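#
# init_service_domain(): complete
#
# Uses init_domain() where daemon_base_domain / daemon_domain use
# init_daemon_domain(); it also omits the init fd/pty and automount
# access those entries grant.
type $1_t;
type $1_exec_t;
init_domain($1_t,$1_exec_t)
dontaudit $1_t self:capability sys_tty_config;
# The subject was missing in the earlier revision ("allow self:process
# ..."), which does not parse; this is the same self-signal rule
# daemon_base_domain carries.
allow $1_t self:process signal_perms;
kernel_list_proc($1_t)
kernel_read_proc_symlinks($1_t)
dev_read_sysfs($1_t)
term_dontaudit_use_console($1_t)
libs_use_ld_so($1_t)
libs_use_shared_libs($1_t)
logging_send_syslog_msg($1_t)
userdom_dontaudit_use_unpriv_user_fds($1_t)
ifdef(`targeted_policy',`
        # Interface names spelled as in the daemon_base_domain and
        # daemon_domain entries (plural *_ttys / *_ptys).
        term_dontaudit_use_unallocated_ttys($1_t)
        term_dontaudit_use_generic_ptys($1_t)
        files_dontaudit_read_root_files($1_t)
')
optional_policy(`udev',`
        udev_read_db($1_t)
')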
983
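#
# inetd_child_domain():
#
# NOT marked complete.  "inetd_(udp_|tcp_)?service_domain" is a
# pattern, not an interface name: pick the udp, tcp or generic variant
# according to how the old macro was invoked.
type $1_t;
type $1_exec_t;
inetd_(udp_|tcp_)?service_domain($1_t,$1_exec_t)
role system_r types $1_t;
type $1_tmp_t;
files_tmp_file($1_tmp_t)
type $1_var_run_t;
files_pid_file($1_var_run_t)
allow $1_t self:process signal_perms;
allow $1_t self:fifo_file rw_file_perms;
allow $1_t self:tcp_socket connected_stream_socket_perms;
# for identd
# cjp: this should probably only be inetd_child rules?
# NOTE(review): setuid/setgid, home-dir search and kerberos are in the
# old macro for identd's benefit, but it handed them to every inetd
# child.  When converting a specific service, drop this "for identd"
# group unless the service actually changes uid/gid.
allow $1_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow $1_t self:capability { setuid setgid };
files_search_home($1_t)
optional_policy(`kerberos',`
        kerberos_use($1_t)
')
#end for identd
allow $1_t $1_tmp_t:dir create_dir_perms;
allow $1_t $1_tmp_t:file create_file_perms;
files_tmp_filetrans($1_t, $1_tmp_t, { file dir })
allow $1_t $1_var_run_t:file create_file_perms;
allow $1_t $1_var_run_t:dir rw_dir_perms;
# Object class argument added: every other *_filetrans call in this
# guide passes one (daemon_domain and var_run_domain use "file").
files_pid_filetrans($1_t,$1_var_run_t,file)
kernel_read_kernel_sysctls($1_t)
kernel_read_system_state($1_t)
kernel_read_network_state($1_t)
# This is the can_network_server($1) set: every node and every port.
# Narrow to the service's own port (corenet_*_sendrecv_<port>_port)
# when the converted service has one.
corenet_tcp_sendrecv_generic_if($1_t)
corenet_udp_sendrecv_generic_if($1_t)
corenet_raw_sendrecv_generic_if($1_t)
corenet_tcp_sendrecv_all_nodes($1_t)
corenet_udp_sendrecv_all_nodes($1_t)
corenet_raw_sendrecv_all_nodes($1_t)
corenet_tcp_sendrecv_all_ports($1_t)
corenet_udp_sendrecv_all_ports($1_t)
corenet_non_ipsec_sendrecv($1_t)
corenet_tcp_bind_all_nodes($1_t)
corenet_udp_bind_all_nodes($1_t)
dev_read_urand($1_t)
fs_getattr_xattr_fs($1_t)
files_read_etc_files($1_t)
libs_use_ld_so($1_t)
libs_use_shared_libs($1_t)
logging_send_syslog_msg($1_t)
miscfiles_read_localization($1_t)
sysnet_read_config($1_t)
optional_policy(`nis',`
        nis_use_ypbind($1_t)
')
optional_policy(`nscd',`
        nscd_socket_use($1_t)
')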
1041
1042 #
#
# legacy_domain(): complete
#
# Grants writable+executable memory (execmem) and an executable stack
# (execstack) -- exactly the permissions general_domain_access()
# withholds.  Apply only to domains that actually fail without it
# (presumably non-PIC / text-relocated libraries, which is what the
# libs_legacy_* names suggest); it removes the W^X protection that
# would otherwise limit memory-corruption exploits inside the domain.
allow $1_t self:process { execmem execstack };
libs_legacy_use_shared_libs($1_t)
libs_legacy_use_ld_so($1_t)
1048
1049 #
1050 # lock_domain(): complete
1051 #
1052 type $1_lock_t;
1053 files_lock_file($1_lock_t)
1054 allow $1_t $1_lock_t:file create_file_perms;
1055 files_lock_filetrans($1_t,$1_lock_t,file)
1056
1057 #
1058 # log_domain(): complete
1059 #
1060 type $1_log_t;
1061 logging_log_file($1_log_t)
1062 allow $1_t $1_log_t:file create_file_perms;
1063 logging_log_filetrans($1_t,$1_log_t,file)
1064
1065 #
1066 # logdir_domain(): complete
1067 #
1068 type $1_log_t;
1069 logging_log_file($1_log_t)
1070 allow $1_t $1_log_t:file create_file_perms;
1071 allow $1_t $1_log_t:dir rw_dir_perms;
1072 logging_log_filetrans($1_t,$1_log_t,{ file dir })
1073
#
# network_home_dir():
#
# NOT marked complete: create_dir_file() is itself an old macro (its
# conversion is listed earlier in this guide) and must be expanded to
# the interface form.  Note the grant is wide -- execute on files in $2
# (can_exec) plus create/unlink/rename on sockets and fifos -- for a
# home directory that, by name, is reachable over the network.
create_dir_file($1, $2)
can_exec($1, $2)
allow $1 $2:{ sock_file fifo_file } { create ioctl read getattr lock write setattr append link unlink rename };
1080
1081 #
1082 # polyinstantiater(): complete
1083 #
1084 files_polyinstantiate_all($1)
1085
#
# pty_slave_label():
#
# NOT marked complete.  The type declaration still lists the old
# attributes (file_type and sysadmfile are converted to files_type
# elsewhere in this guide; ptyfile is handled by term_pty) and the
# filesystem associate rule by hand.  can_create_pty() above shows the
# converted form -- term_pty($1_devpts_t) plus term_create_pty() --
# which should be used here as well.  $2 (extra attributes) needs the
# same review noted in can_create_pty().
type $1_devpts_t, file_type, sysadmfile, ptyfile $2;
allow $1_devpts_t devpts_t:filesystem associate;
type_transition $1_t devpts_t:chr_file $1_devpts_t;
allow $1_t $1_devpts_t:chr_file { setattr rw_file_perms };
1093
1094 #
1095 # r_dir_file(): complete
1096 #
1097 allow $1 $2:dir r_dir_perms;
1098 allow $1 $2:file r_file_perms;
1099 allow $1 $2:lnk_file { getattr read };
1100
1101 #
1102 # ra_dir_create_file(): complete
1103 #
1104 allow $1 $2:dir ra_dir_perms;
1105 allow $1 $2:file { create ra_file_perms };
1106 allow $1 $2:lnk_file { create read getattr };
1107
1108 #
1109 # ra_dir_file(): complete
1110 #
1111 allow $1 $2:dir ra_dir_perms;
1112 allow $1 $2:file ra_file_perms;
1113 allow $1 $2:lnk_file { getattr read };
1114
1115 #
1116 # read_locale(): complete
1117 #
1118 miscfiles_read_localization($1)
1119
1120 #
1121 # read_sysctl($1): complete
1122 #
1123 kernel_read_kernel_sysctls($1)
1124
1125 #
1126 # read_sysctl($1,full): complete
1127 #
1128 kernel_read_all_sysctls($1)
1129
1130 #
1131 # rhgb_domain():
1132 #
1133 #
1134
1135 #
1136 # rw_dir_create_file(): complete
1137 #
1138 allow $1 $2:dir rw_dir_perms;
1139 allow $1 $2:file create_file_perms;
1140 allow $1 $2:lnk_file create_lnk_perms;
1141
1142 #
1143 # rw_dir_file(): complete
1144 #
1145 # cjp: rw_dir_perms here doesnt make sense
1146 allow $1 $2:dir rw_dir_perms;
1147 allow $1 $2:file rw_file_perms;
1148 allow $1 $2:lnk_file { getattr read };
1149
1150 #
1151 # system_crond_entry():
1152 #
1153 optional_policy(`cron',`
1154         cron_system_entry($2,$1)
1155 ')
1156
1157 #
1158 # system_domain(): complete
1159 #
1160 type $1_t;
1161 type $1_exec_t;
1162 init_system_domain($1_t,$1_exec_t)
1163 files_list_etc($1_t)
1164 libs_use_ld_so($1_t)
1165 libs_use_shared_libs($1_t)
1166 logging_send_syslog_msg($1_t)
1167
1168 #
1169 # tmp_domain($1): complete
1170 #
1171 type $1_tmp_t;
1172 files_tmp_file($1_tmp_t)
1173 allow $1_t $1_tmp_t:dir create_dir_perms;
1174 allow $1_t $1_tmp_t:file create_file_perms;
1175 files_tmp_filetrans($1_t, $1_tmp_t, { file dir })
1176
1177 #
1178 # tmp_domain($1,$2,$3): complete
1179 #
1180 # $2 may need more handling
1181 #
1182 type $1_tmp_t $2;
1183 files_tmp_file($1_tmp_t)
1184 allow $1_t $1_tmp_t:$3 manage_obj_perms;
1185 files_tmp_filetrans($1_t, $1_tmp_t, $3)
1186
1187 #
1188 # tmpfs_domain(): complete
1189 #
1190 type $1_tmpfs_t;
1191 files_tmpfs_file($1_tmpfs_t)
1192 allow $1_t $1_tmpfs_t:dir rw_dir_perms;
1193 allow $1_t $1_tmpfs_t:file manage_file_perms;
1194 allow $1_t $1_tmpfs_t:lnk_file create_lnk_perms;
1195 allow $1_t $1_tmpfs_t:sock_file manage_file_perms;
1196 allow $1_t $1_tmpfs_t:fifo_file manage_file_perms;
1197 fs_tmpfs_filetrans($1_t,$1_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
1198
1199 #
1200 # unconfined_domain(): complete
1201 #
1202 unconfined_domain_template($1)
1203
#
# uses_authbind():
#
# NOT marked complete.  authbind_t gets read/write on $1's TCP and UDP
# sockets (presumably so it can bind a port on $1's behalf) plus fd use
# and sigchld back to $1.  The authbind_exec_t / authbind_t types are
# referenced directly; the converted form would be a domtrans interface
# provided by an authbind module.
domain_auto_trans($1, authbind_exec_t, authbind_t)
allow authbind_t $1:process sigchld;
allow authbind_t $1:fd use;
allow authbind_t $1:{ tcp_socket udp_socket } rw_socket_perms;
1211
1212 #
1213 # uses_shlib(): complete
1214 #
1215 libs_use_ld_so($1)
1216 libs_use_shared_libs($1)
1217
1218 #
1219 # var_lib_domain(): complete
1220 #
1221 type $1_var_lib_t;
1222 files_type($1_var_lib_t)
1223 allow $1_t $1_var_lib_t:file create_file_perms;
1224 allow $1_t $1_var_lib_t:dir rw_dir_perms;
1225 files_var_lib_filetrans($1_t,$1_var_lib_t,file)
1226
1227 #
1228 # var_run_domain($1): complete
1229 #
1230 type $1_var_run_t;
1231 files_pid_file($1_var_run_t)
1232 allow $1_t $1_var_run_t:file create_file_perms;
1233 allow $1_t $1_var_run_t:dir rw_dir_perms;
1234 files_pid_filetrans($1_t,$1_var_run_t,file)
1235
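#
# var_run_domain($1,$2): complete
#
# Like var_run_domain($1) but for the object classes listed in $2.
type $1_var_run_t;
files_pid_file($1_var_run_t)
files_pid_filetrans($1_t,$1_var_run_t,$2)
# for each object class in $2:
# The subject is the domain type $1_t, as in the filetrans above and in
# var_run_domain($1); the earlier revision wrote the bare prefix $1.
# if dir:
allow $1_t $1_var_run_t:dir create_dir_perms;
# else if lnk_file:
allow $1_t $1_var_run_t:lnk_file create_lnk_perms;
# else:
allow $1_t $1_var_run_t:$2 create_file_perms;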
1249
1250 #
1251 # x_client_domain($1,$2): complete
1252 #
1253 type $1_tmpfs_t;
1254 files_tmpfs_file($1_tmpfs_t)
1255 allow $1_t $1_tmpfs_t:dir rw_dir_perms;
1256 allow $1_t $1_tmpfs_t:file manage_file_perms;
1257 allow $1_t $1_tmpfs_t:lnk_file create_lnk_perms;
1258 allow $1_t $1_tmpfs_t:sock_file manage_file_perms;
1259 allow $1_t $1_tmpfs_t:fifo_file manage_file_perms;
1260 fs_tmpfs_filetrans($1_t,$1_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
1261 optional_policy(`xserver',`
1262 xserver_user_client_template($2,$1_t,$1_tmpfs_t)
1263 ')