root/policy/modules/kernel/files.if

Revision fca4a96bae6865d14e577ca89a03b4967f831cf0, 101.0 kB (checked in by Chris PeBenito <cpebenito@tresys.com>, 7 months ago)

Improve documentation on files_read_etc_files().

1 ## <summary>
2 ## Basic filesystem types and interfaces.
3 ## </summary>
4 ## <desc>
5 ## <p>
6 ## This module contains basic filesystem types and interfaces. This
7 ## includes:
8 ## <ul>
9 ##      <li>The concept of different file types including basic
10 ##      files, mount points, tmp files, etc.</li>
11 ##      <li>Access to groups of files and all files.</li>
12 ##      <li>Types and interfaces for the basic filesystem layout
13 ##      (/, /etc, /tmp, /usr, etc.).</li>
14 ## </ul>
15 ## </p>
16 ## </desc>
17 ## <required val="true">
18 ##      Contains the concept of a file.
19 ##      Contains the file initial SID.
20 ## </required>
21
22 ########################################
23 ## <summary>
24 ##      Make the specified type usable for files
25 ##      in a filesystem.
26 ## </summary>
27 ## <param name="type">
28 ##      <summary>
29 ##      Type to be used for files.
30 ##      </summary>
31 ## </param>
32 #
interface(`files_type',`
        gen_require(`
                attribute file_type;
                attribute non_security_file_type;
        ')

        # Tag the supplied type as a file type and as a non-security
        # file type, so interfaces keyed on either attribute cover it.
        typeattribute $1 file_type;
        typeattribute $1 non_security_file_type;
')
40
41 ########################################
42 ## <summary>
43 ##      Make the specified type usable for
44 ##      lock files.
45 ## </summary>
46 ## <param name="type">
47 ##      <summary>
48 ##      Type to be used for lock files.
49 ##      </summary>
50 ## </param>
51 #
interface(`files_lock_file',`
        gen_require(`
                attribute lockfile;
        ')

        # A lock file type is a regular file type (files_type) that is
        # additionally grouped under the lockfile attribute.
        typeattribute $1 lockfile;
        files_type($1)
')
60
61 ########################################
62 ## <summary>
63 ##      Make the specified type usable for
64 ##      filesystem mount points.
65 ## </summary>
66 ## <param name="type">
67 ##      <summary>
68 ##      Type to be used for mount points.
69 ##      </summary>
70 ## </param>
71 #
interface(`files_mountpoint',`
        gen_require(`
                attribute mountpoint;
        ')

        # Mount point types go through files_type, so they also carry
        # the non-security file attribute.
        typeattribute $1 mountpoint;
        files_type($1)
')
80
81 ########################################
82 ## <summary>
83 ##      Make the specified type usable for
84 ##      runtime process ID files.
85 ## </summary>
86 ## <param name="type">
87 ##      <summary>
88 ##      Type to be used for PID files.
89 ##      </summary>
90 ## </param>
91 #
interface(`files_pid_file',`
        gen_require(`
                attribute pidfile;
        ')

        # Register the type as a file type, then group it with the
        # other PID file types through the pidfile attribute.
        typeattribute $1 pidfile;
        files_type($1)
')
100
101 ########################################
102 ## <summary>
103 ##      Make the specified type a
104 ##      configuration file.
105 ## </summary>
106 ## <param name="file_type">
107 ##      <summary>
108 ##      Type to be used as a configuration file.
109 ##      </summary>
110 ## </param>
111 #
interface(`files_config_file',`
        gen_require(`
                attribute configfile;
        ')

        # Every type tagged here becomes reachable through the
        # configfile-wide interfaces in this file.
        typeattribute $1 configfile;
        files_type($1)
')
119
120 ########################################
121 ## <summary>
122 ##      Make the specified type a
123 ##      polyinstantiated directory.
124 ## </summary>
125 ## <param name="file_type">
126 ##      <summary>
127 ##      Type of the file to be used as a
128 ##      polyinstantiated directory.
129 ##      </summary>
130 ## </param>
131 #
interface(`files_poly',`
        gen_require(`
                attribute polydir;
        ')

        # Mark the type as a polyinstantiated directory on top of the
        # normal file type attributes.
        typeattribute $1 polydir;
        files_type($1)
')
140
141 ########################################
142 ## <summary>
143 ##      Make the specified type a parent
144 ##      of a polyinstantiated directory.
145 ## </summary>
146 ## <param name="file_type">
147 ##      <summary>
148 ##      Type of the file to be used as a
149 ##      parent directory.
150 ##      </summary>
151 ## </param>
152 #
interface(`files_poly_parent',`
        gen_require(`
                attribute polyparent;
        ')

        # Mark the type as the parent of a polyinstantiated directory
        # on top of the normal file type attributes.
        typeattribute $1 polyparent;
        files_type($1)
')
161
162 ########################################
163 ## <summary>
164 ##      Make the specified type a
165 ##      polyinstantiation member directory.
166 ## </summary>
167 ## <param name="file_type">
168 ##      <summary>
169 ##      Type of the file to be used as a
170 ##      member directory.
171 ##      </summary>
172 ## </param>
173 #
interface(`files_poly_member',`
        gen_require(`
                attribute polymember;
        ')

        # Mark the type as a polyinstantiation member directory on top
        # of the normal file type attributes.
        typeattribute $1 polymember;
        files_type($1)
')
182
183 ########################################
184 ## <summary>
185 ##      Make the domain use the specified
186 ##      type of polyinstantiated directory.
187 ## </summary>
188 ## <param name="domain">
189 ##      <summary>
190 ##      Domain using the polyinstantiated
191 ##      directory.
192 ##      </summary>
193 ## </param>
194 ## <param name="file_type">
195 ##      <summary>
196 ##      Type of the file to be used as a
197 ##      member directory.
198 ##      </summary>
199 ## </param>
200 #
interface(`files_poly_member_tmp',`
        gen_require(`
                type tmp_t;
        ')

        # type_member rule: for the domain given first, a
        # polyinstantiated member of a tmp_t directory is labeled
        # with the type given second.
        type_member $1 tmp_t:dir $2;
')
208
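########################################
## <summary>
##      Make the specified type a file that
##      should not be dontaudited from
##      browsing from user domains.
## </summary>
## <param name="file_type">
##      <summary>
##      Type to be marked as a security file.
##      </summary>
## </param>
#
interface(`files_security_file',`
        gen_require(`
                attribute file_type, security_file_type;
        ')

        # Unlike files_type, this assigns security_file_type rather
        # than non_security_file_type. The non_security interfaces in
        # this file therefore skip the type, provided files_type is
        # not also applied to it.
        typeattribute $1 file_type, security_file_type;
')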
229
230 ########################################
231 ## <summary>
232 ##      Make the specified type usable for
233 ##      security file filesystem mount points.
234 ## </summary>
235 ## <param name="type">
236 ##      <summary>
237 ##      Type to be used for mount points.
238 ##      </summary>
239 ## </param>
240 #
interface(`files_security_mountpoint',`
        gen_require(`
                attribute mountpoint;
        ')

        # Same as files_mountpoint, except the type is registered via
        # files_security_file and so stays out of the non-security set.
        typeattribute $1 mountpoint;
        files_security_file($1)
')
249
250 ########################################
251 ## <summary>
252 ##      Make the specified type a file
253 ##      used for temporary files.
254 ## </summary>
255 ## <param name="file_type">
256 ##      <summary>
257 ##      Type of the file to be used as a
258 ##      temporary file.
259 ##      </summary>
260 ## </param>
261 #
interface(`files_tmp_file',`
        # NOTE(review): tmp_t is required here but no statement below
        # references it; confirm whether the requirement is still needed.
        gen_require(`
                attribute tmpfile;
                type tmp_t;
        ')

        # files_poly_member already applies files_type to its argument,
        # so the explicit files_type call is redundant but harmless.
        files_type($1)
        files_poly_member($1)
        typeattribute $1 tmpfile;
')
272
273 ########################################
274 ## <summary>
275 ##      Transform the type into a file, for use on a
276 ##      virtual memory filesystem (tmpfs).
277 ## </summary>
278 ## <param name="type">
279 ##      <summary>
280 ##      The type to be transformed.
281 ##      </summary>
282 ## </param>
283 #
interface(`files_tmpfs_file',`
        gen_require(`
                attribute tmpfsfile;
        ')

        # Register the type as a file type and group it under the
        # tmpfsfile attribute.
        typeattribute $1 tmpfsfile;
        files_type($1)
')
292
293 ########################################
294 ## <summary>
295 ##      Get the attributes of all directories.
296 ## </summary>
297 ## <param name="domain">
298 ##      <summary>
299 ##      Domain allowed access.
300 ##      </summary>
301 ## </param>
302 #
interface(`files_getattr_all_dirs',`
        gen_require(`
                attribute file_type;
        ')

        # file_type is passed as both the containing directory type and
        # the target type, so the grant spans every labeled file type.
        # The pattern macro itself is defined outside this file.
        getattr_dirs_pattern($1, file_type, file_type)
')
310
311 ########################################
312 ## <summary>
313 ##      Do not audit attempts to get the attributes
314 ##      of all directories.
315 ## </summary>
316 ## <param name="domain">
317 ##      <summary>
318 ##      Domain to not audit.
319 ##      </summary>
320 ## </param>
321 #
interface(`files_dontaudit_getattr_all_dirs',`
        gen_require(`
                attribute file_type;
        ')

        # Grants nothing: a dontaudit rule only keeps the getattr
        # denial out of the audit log.
        dontaudit $1 file_type:dir getattr;
')
329
330 ########################################
331 ## <summary>
332 ##      List all non-security directories.
333 ## </summary>
334 ## <param name="domain">
335 ##      <summary>
336 ##      Domain allowed access.
337 ##      </summary>
338 ## </param>
339 #
interface(`files_list_non_security',`
        gen_require(`
                attribute non_security_file_type;
        ')

        # Scope is limited to types carrying non_security_file_type, so
        # types registered through files_security_file are not listed.
        list_dirs_pattern($1, non_security_file_type, non_security_file_type)
')
347
348 ########################################
349 ## <summary>
350 ##      Do not audit attempts to list all
351 ##      non-security directories.
352 ## </summary>
353 ## <param name="domain">
354 ##      <summary>
355 ##      Domain to not audit.
356 ##      </summary>
357 ## </param>
358 #
interface(`files_dontaudit_list_non_security',`
        gen_require(`
                attribute non_security_file_type;
        ')

        # Silences audit records for denied directory listing on
        # non-security types; the denial itself is unchanged.
        dontaudit $1 non_security_file_type:dir list_dir_perms;
')
366
367 ########################################
368 ## <summary>
369 ##      Mount a filesystem on all non-security
370 ##      directories and files.
371 ## </summary>
372 ## <param name="domain">
373 ##      <summary>
374 ##      Domain allowed access.
375 ##      </summary>
376 ## </param>
377 #
interface(`files_mounton_non_security',`
        gen_require(`
                attribute non_security_file_type;
        ')

        # mounton covers both directories and regular files, since a
        # filesystem can be mounted over either kind of object.
        allow $1 non_security_file_type:{ dir file } mounton;
')
386
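########################################
## <summary>
##      Write to all non-security directories.
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
#
interface(`files_write_non_security_dirs',`
        gen_require(`
                attribute non_security_file_type;
        ')

        # Only the write permission on the dir class is granted, and
        # only for types carrying non_security_file_type.
        allow $1 non_security_file_type:dir write;
')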
404
405 ########################################
406 ## <summary>
407 ##      Allow attempts to manage non-security directories
408 ## </summary>
409 ## <param name="domain">
410 ##      <summary>
411 ##      Domain to allow
412 ##      </summary>
413 ## </param>
414 #
interface(`files_manage_non_security_dirs',`
        gen_require(`
                attribute non_security_file_type;
        ')

        # manage_dir_perms is a permission set defined outside this
        # file; the grant applies to every non-security directory type.
        allow $1 non_security_file_type:dir manage_dir_perms;
')
422
423 ########################################
424 ## <summary>
425 ##      Get the attributes of all files.
426 ## </summary>
427 ## <param name="domain">
428 ##      <summary>
429 ##      Domain allowed access.
430 ##      </summary>
431 ## </param>
432 #
interface(`files_getattr_all_files',`
        gen_require(`
                attribute file_type;
        ')

        # Two object classes are covered: regular files first, then
        # symbolic links.
        getattr_files_pattern($1, file_type, file_type)
        getattr_lnk_files_pattern($1, file_type, file_type)
')
441
442 ########################################
443 ## <summary>
444 ##      Do not audit attempts to get the attributes
445 ##      of all files.
446 ## </summary>
447 ## <param name="domain">
448 ##      <summary>
449 ##      Domain to not audit.
450 ##      </summary>
451 ## </param>
452 #
interface(`files_dontaudit_getattr_all_files',`
        gen_require(`
                attribute file_type;
        ')

        # Suppresses the audit record only. Because file_type spans
        # every file type, this hides a wide range of denials; rebuild
        # with dontaudit rules disabled (semodule -DB) when a denial
        # has to be seen.
        dontaudit $1 file_type:file getattr;
')
460
461 ########################################
462 ## <summary>
463 ##      Do not audit attempts to get the attributes
464 ##      of non security files.
465 ## </summary>
466 ## <param name="domain">
467 ##      <summary>
468 ##      Domain to not audit.
469 ##      </summary>
470 ## </param>
471 #
interface(`files_dontaudit_getattr_non_security_files',`
        gen_require(`
                attribute non_security_file_type;
        ')

        # Denied getattr on security file types is still audited,
        # since only non_security_file_type is named here.
        dontaudit $1 non_security_file_type:file getattr;
')
479
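########################################
## <summary>
##      Read all files.
## </summary>
## <desc>
##      <p>
##      Allow the specified domain to list every directory and
##      read every file whose type has the file_type attribute.
##      </p>
##      <p>
##      Where auth_read_shadow() is available, it is also called
##      for the domain, so this interface should be reserved for
##      highly privileged domains.
##      </p>
## </desc>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
#
interface(`files_read_all_files',`
        gen_require(`
                attribute file_type;
        ')

        allow $1 file_type:dir list_dir_perms;
        read_files_pattern($1, file_type, file_type)

        # Applied only when the providing module is part of the policy.
        # This widens the grant beyond the file_type attribute, so
        # review every caller of this interface with that in mind.
        optional_policy(`
                auth_read_shadow($1)
        ')
')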
502
503 ########################################
504 ## <summary>
505 ##      Allow shared library text relocations in all files.
506 ## </summary>
507 ## <desc>
508 ##      <p>
509 ##      Allow shared library text relocations in all files.
510 ##      </p>
511 ##      <p>
512 ##      This is added to support WINE policy.
513 ##      </p>
514 ## </desc>
515 ## <param name="domain">
516 ##      <summary>
517 ##      Domain allowed access.
518 ##      </summary>
519 ## </param>
520 #
interface(`files_execmod_all_files',`
        gen_require(`
                attribute file_type;
        ')

        # execmod permits executing a file mapping that has been
        # modified in memory (text relocations). Granting it on every
        # file type is broad; keep callers to the domains that need it.
        allow $1 file_type:file execmod;
')
528
529 ########################################
530 ## <summary>
531 ##      Read all non-security files.
532 ## </summary>
533 ## <param name="domain">
534 ##      <summary>
535 ##      Domain allowed access.
536 ##      </summary>
537 ## </param>
538 ## <rolecap/>
539 #
interface(`files_read_non_security_files',`
        gen_require(`
                attribute non_security_file_type;
        ')

        # Regular files and symbolic links of non-security types only;
        # types registered via files_security_file are left out.
        read_files_pattern($1, non_security_file_type, non_security_file_type)
        read_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
')
548
549 ########################################
550 ## <summary>
551 ##      Read all directories on the filesystem, except
552 ##      the listed exceptions.
553 ## </summary>
554 ## <param name="domain">
555 ##      <summary>
556 ##      The type of the domain performing this action.
557 ##      </summary>
558 ## </param>
559 ## <param name="exception_types" optional="true">
560 ##      <summary>
561 ##      The types to be excluded.  Each type or attribute
562 ##      must be negated by the caller.
563 ##      </summary>
564 ## </param>
565 #
interface(`files_read_all_dirs_except',`
        gen_require(`
                attribute file_type;
        ')

        # The exception list is spliced verbatim into the type set.
        # Entries must arrive already negated (leading minus); an
        # entry without one is added to the set instead of excluded.
        allow $1 { file_type $2 }:dir list_dir_perms;
')
573
574 ########################################
575 ## <summary>
576 ##      Read all files on the filesystem, except
577 ##      the listed exceptions.
578 ## </summary>
579 ## <param name="domain">
580 ##      <summary>
581 ##      The type of the domain performing this action.
582 ##      </summary>
583 ## </param>
584 ## <param name="exception_types" optional="true">
585 ##      <summary>
586 ##      The types to be excluded.  Each type or attribute
587 ##      must be negated by the caller.
588 ##      </summary>
589 ## </param>
590 #
interface(`files_read_all_files_except',`
        gen_require(`
                attribute file_type;
        ')

        # The same set (all file types plus the negated exceptions) is
        # used for the directory argument and the file argument. An
        # empty exception list leaves the full file_type set in place.
        read_files_pattern($1, { file_type $2 }, { file_type $2 })
')
598
599 ########################################
600 ## <summary>
601 ##      Read all symbolic links on the filesystem, except
602 ##      the listed exceptions.
603 ## </summary>
604 ## <param name="domain">
605 ##      <summary>
606 ##      The type of the domain performing this action.
607 ##      </summary>
608 ## </param>
609 ## <param name="exception_types" optional="true">
610 ##      <summary>
611 ##      The types to be excluded.  Each type or attribute
612 ##      must be negated by the caller.
613 ##      </summary>
614 ## </param>
615 #
interface(`files_read_all_symlinks_except',`
        gen_require(`
                attribute file_type;
        ')

        # Symbolic link counterpart of files_read_all_files_except:
        # the negated exception list narrows both type arguments.
        read_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
')
623
624 ########################################
625 ## <summary>
626 ##      Get the attributes of all symbolic links.
627 ## </summary>
628 ## <param name="domain">
629 ##      <summary>
630 ##      Domain allowed access.
631 ##      </summary>
632 ## </param>
633 #
interface(`files_getattr_all_symlinks',`
        gen_require(`
                attribute file_type;
        ')

        # Covers symbolic links of every file type, using file_type
        # for both the directory and the link argument.
        getattr_lnk_files_pattern($1, file_type, file_type)
')
641
642 ########################################
643 ## <summary>
644 ##      Do not audit attempts to get the attributes
645 ##      of all symbolic links.
646 ## </summary>
647 ## <param name="domain">
648 ##      <summary>
649 ##      Domain to not audit.
650 ##      </summary>
651 ## </param>
652 #
interface(`files_dontaudit_getattr_all_symlinks',`
        gen_require(`
                attribute file_type;
        ')

        # No access is added; denied getattr on symbolic links simply
        # stops producing audit records.
        dontaudit $1 file_type:lnk_file getattr;
')
660
661 ########################################
662 ## <summary>
663 ##      Do not audit attempts to read all symbolic links.
664 ## </summary>
665 ## <param name="domain">
666 ##      <summary>
667 ##      Domain to not audit.
668 ##      </summary>
669 ## </param>
670 #
interface(`files_dontaudit_read_all_symlinks',`
        gen_require(`
                attribute file_type;
        ')

        # No access is added; denied reads of symbolic links simply
        # stop producing audit records.
        dontaudit $1 file_type:lnk_file read;
')
678
679 ########################################
680 ## <summary>
681 ##      Do not audit attempts to get the attributes
682 ##      of non security symbolic links.
683 ## </summary>
684 ## <param name="domain">
685 ##      <summary>
686 ##      Domain to not audit.
687 ##      </summary>
688 ## </param>
689 #
interface(`files_dontaudit_getattr_non_security_symlinks',`
        gen_require(`
                attribute non_security_file_type;
        ')

        # Limited to non-security types, so a denied getattr on a
        # security-typed symbolic link is still audited.
        dontaudit $1 non_security_file_type:lnk_file getattr;
')
697
698 ########################################
699 ## <summary>
700 ##      Do not audit attempts to get the attributes
701 ##      of non security block devices.
702 ## </summary>
703 ## <param name="domain">
704 ##      <summary>
705 ##      Domain to not audit.
706 ##      </summary>
707 ## </param>
708 #
interface(`files_dontaudit_getattr_non_security_blk_files',`
        gen_require(`
                attribute non_security_file_type;
        ')

        # Block device nodes labeled with a non-security file type:
        # the getattr denial stays, its audit record is dropped.
        dontaudit $1 non_security_file_type:blk_file getattr;
')
716
717 ########################################
718 ## <summary>
719 ##      Do not audit attempts to get the attributes
720 ##      of non security character devices.
721 ## </summary>
722 ## <param name="domain">
723 ##      <summary>
724 ##      Domain to not audit.
725 ##      </summary>
726 ## </param>
727 #
interface(`files_dontaudit_getattr_non_security_chr_files',`
        gen_require(`
                attribute non_security_file_type;
        ')

        # Character device nodes labeled with a non-security file type:
        # the getattr denial stays, its audit record is dropped.
        dontaudit $1 non_security_file_type:chr_file getattr;
')
735
736 ########################################
737 ## <summary>
738 ##      Read all symbolic links.
739 ## </summary>
740 ## <param name="domain">
741 ##      <summary>
742 ##      Domain allowed access.
743 ##      </summary>
744 ## </param>
745 ## <rolecap/>
746 #
interface(`files_read_all_symlinks',`
        gen_require(`
                attribute file_type;
        ')

        # Besides reading the links, the domain may list every
        # directory that has a file type.
        allow $1 file_type:dir list_dir_perms;
        read_lnk_files_pattern($1, file_type, file_type)
')
755
756 ########################################
757 ## <summary>
758 ##      Get the attributes of all named pipes.
759 ## </summary>
760 ## <param name="domain">
761 ##      <summary>
762 ##      Domain allowed access.
763 ##      </summary>
764 ## </param>
765 #
interface(`files_getattr_all_pipes',`
        gen_require(`
                attribute file_type;
        ')

        # Wider than the name suggests: the first rule lets the domain
        # list every directory with a file type, not just stat pipes.
        allow $1 file_type:dir list_dir_perms;
        getattr_fifo_files_pattern($1, file_type, file_type)
')
774
775 ########################################
776 ## <summary>
777 ##      Do not audit attempts to get the attributes
778 ##      of all named pipes.
779 ## </summary>
780 ## <param name="domain">
781 ##      <summary>
782 ##      Domain to not audit.
783 ##      </summary>
784 ## </param>
785 #
interface(`files_dontaudit_getattr_all_pipes',`
        gen_require(`
                attribute file_type;
        ')

        # Audit suppression only, for denied getattr on named pipes of
        # any file type.
        dontaudit $1 file_type:fifo_file getattr;
')
793
794 ########################################
795 ## <summary>
796 ##      Do not audit attempts to get the attributes
797 ##      of non security named pipes.
798 ## </summary>
799 ## <param name="domain">
800 ##      <summary>
801 ##      Domain to not audit.
802 ##      </summary>
803 ## </param>
804 #
interface(`files_dontaudit_getattr_non_security_pipes',`
        gen_require(`
                attribute non_security_file_type;
        ')

        # Audit suppression only, and only for named pipes labeled
        # with a non-security file type.
        dontaudit $1 non_security_file_type:fifo_file getattr;
')
812
813 ########################################
814 ## <summary>
815 ##      Get the attributes of all named sockets.
816 ## </summary>
817 ## <param name="domain">
818 ##      <summary>
819 ##      Domain allowed access.
820 ##      </summary>
821 ## </param>
822 #
interface(`files_getattr_all_sockets',`
        gen_require(`
                attribute file_type;
        ')

        # Wider than the name suggests: the first rule lets the domain
        # list every directory with a file type, not just stat sockets.
        allow $1 file_type:dir list_dir_perms;
        getattr_sock_files_pattern($1, file_type, file_type)
')
831
832 ########################################
833 ## <summary>
834 ##      Do not audit attempts to get the attributes
835 ##      of all named sockets.
836 ## </summary>
837 ## <param name="domain">
838 ##      <summary>
839 ##      Domain to not audit.
840 ##      </summary>
841 ## </param>
842 #
interface(`files_dontaudit_getattr_all_sockets',`
        gen_require(`
                attribute file_type;
        ')

        # Audit suppression only, for denied getattr on named sockets
        # of any file type.
        dontaudit $1 file_type:sock_file getattr;
')
850
851 ########################################
852 ## <summary>
853 ##      Do not audit attempts to get the attributes
854 ##      of non security named sockets.
855 ## </summary>
856 ## <param name="domain">
857 ##      <summary>
858 ##      Domain to not audit.
859 ##      </summary>
860 ## </param>
861 #
interface(`files_dontaudit_getattr_non_security_sockets',`
        gen_require(`
                attribute non_security_file_type;
        ')

        # Audit suppression only, and only for named sockets labeled
        # with a non-security file type.
        dontaudit $1 non_security_file_type:sock_file getattr;
')
869
870 ########################################
871 ## <summary>
872 ##      Read all block nodes with file types.
873 ## </summary>
874 ## <param name="domain">
875 ##      <summary>
876 ##      Domain allowed access.
877 ##      </summary>
878 ## </param>
879 #
interface(`files_read_all_blk_files',`
        gen_require(`
                attribute file_type;
        ')

        # Applies to block device nodes that carry a file type label
        # rather than a device type.
        read_blk_files_pattern($1, file_type, file_type)
')
887
888 ########################################
889 ## <summary>
890 ##      Read all character nodes with file types.
891 ## </summary>
892 ## <param name="domain">
893 ##      <summary>
894 ##      Domain allowed access.
895 ##      </summary>
896 ## </param>
897 #
interface(`files_read_all_chr_files',`
        gen_require(`
                attribute file_type;
        ')

        # Applies to character device nodes that carry a file type
        # label rather than a device type.
        read_chr_files_pattern($1, file_type, file_type)
')
905
906 ########################################
907 ## <summary>
908 ##      Relabel all files on the filesystem, except
909 ##      the listed exceptions.
910 ## </summary>
911 ## <param name="domain">
912 ##      <summary>
913 ##      The type of the domain performing this action.
914 ##      </summary>
915 ## </param>
916 ## <param name="exception_types" optional="true">
917 ##      <summary>
918 ##      The types to be excluded.  Each type or attribute
919 ##      must be negated by the caller.
920 ##      </summary>
921 ## </param>
922 ## <rolecap/>
923 #
interface(`files_relabel_all_files',`
        gen_require(`
                attribute file_type;
        ')

        # The exception list is spliced verbatim into every type set
        # below. Entries must arrive already negated (leading minus);
        # an entry without one is added to the set instead of excluded.
        allow $1 { file_type $2 }:dir list_dir_perms;
        relabel_dirs_pattern($1, { file_type $2 }, { file_type $2 })
        relabel_files_pattern($1, { file_type $2 }, { file_type $2 })
        relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
        relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
        relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 })

        # Device nodes get relabelfrom only, because no device node
        # should be labeled with a file type.
        relabelfrom_blk_files_pattern($1, { file_type $2 }, { file_type $2 })
        relabelfrom_chr_files_pattern($1, { file_type $2 }, { file_type $2 })

        # Needed to satisfy the policy assertions.
        # NOTE(review): this call is not filtered by the exception
        # list; check its definition before relying on an exclusion
        # of whatever type it covers.
        seutil_relabelto_bin_policy($1)
')
943
944 ########################################
945 ## <summary>
946 ##      rw all files on the filesystem, except
947 ##      the listed exceptions.
948 ## </summary>
949 ## <param name="domain">
950 ##      <summary>
951 ##      The type of the domain performing this action.
952 ##      </summary>
953 ## </param>
954 ## <param name="exception_types" optional="true">
955 ##      <summary>
956 ##      The types to be excluded.  Each type or attribute
957 ##      must be negated by the caller.
958 ##      </summary>
959 ## </param>
960 ## <rolecap/>
961 #
interface(`files_rw_all_files',`
        gen_require(`
                attribute file_type;
        ')

        # Read and write on regular files of every file type, minus
        # the negated exceptions. With an empty exception list the
        # full file_type set applies.
        rw_files_pattern($1, { file_type $2 }, { file_type $2 })
')
969
970 ########################################
971 ## <summary>
972 ##      Manage all files on the filesystem, except
973 ##      the listed exceptions.
974 ## </summary>
975 ## <param name="domain">
976 ##      <summary>
977 ##      The type of the domain performing this action.
978 ##      </summary>
979 ## </param>
980 ## <param name="exception_types" optional="true">
981 ##      <summary>
982 ##      The types to be excluded.  Each type or attribute
983 ##      must be negated by the caller.
984 ##      </summary>
985 ## </param>
986 ## <rolecap/>
987 #
interface(`files_manage_all_files',`
        gen_require(`
                attribute file_type;
        ')

        # One manage pattern per object class: directories, regular
        # files, symbolic links, named pipes and named sockets. The
        # negated exception list narrows every type set.
        manage_dirs_pattern($1, { file_type $2 }, { file_type $2 })
        manage_files_pattern($1, { file_type $2 }, { file_type $2 })
        manage_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
        manage_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
        manage_sock_files_pattern($1, { file_type $2 }, { file_type $2 })

        # Needed to satisfy the policy assertions.
        # NOTE(review): neither call is filtered by the exception
        # list; check their definitions before relying on an
        # exclusion of the types they cover.
        seutil_create_bin_policy($1)
        files_manage_kernel_modules($1)
')
1003
1004 ########################################
1005 ## <summary>
1006 ##      Search the contents of all directories on
1007 ##      extended attribute filesystems.
1008 ## </summary>
1009 ## <param name="domain">
1010 ##      <summary>
1011 ##      Domain allowed access.
1012 ##      </summary>
1013 ## </param>
1014 #
interface(`files_search_all',`
        gen_require(`
                attribute file_type;
        ')

        # Search only: the domain can traverse any directory with a
        # file type. Listing is granted separately by files_list_all.
        allow $1 file_type:dir search_dir_perms;
')
1022
1023 ########################################
1024 ## <summary>
1025 ##      List the contents of all directories on
1026 ##      extended attribute filesystems.
1027 ## </summary>
1028 ## <param name="domain">
1029 ##      <summary>
1030 ##      Domain allowed access.
1031 ##      </summary>
1032 ## </param>
1033 #
interface(`files_list_all',`
        gen_require(`
                attribute file_type;
        ')

        # Lets the domain list the contents of any directory that has
        # a file type, security file types included.
        allow $1 file_type:dir list_dir_perms;
')
1041
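########################################
## <summary>
##      Do not audit attempts to search the
##      contents of any directories on extended
##      attribute filesystems.
## </summary>
## <param name="domain">
##      <summary>
##      Domain to not audit.
##      </summary>
## </param>
#
interface(`files_dontaudit_search_all_dirs',`
        gen_require(`
                attribute file_type;
        ')

        # Grants nothing: denied directory searches are merely kept
        # out of the audit log.
        dontaudit $1 file_type:dir search_dir_perms;
')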
1061
1062 ########################################
1063 ## <summary>
1064 ##      Get the attributes of all filesystems
1065 ##      with the type of a file.
1066 ## </summary>
1067 ## <param name="domain">
1068 ##      <summary>
1069 ##      Domain allowed access.
1070 ##      </summary>
1071 ## </param>
1072 #
1073 # dwalsh: This interface is to allow quotacheck to work on a
1074 # filesystem mounted with the --context switch
1075 # https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=212957
1076 #
interface(`files_getattr_all_file_type_fs',`
        gen_require(`
                attribute file_type;
        ')

        # The target class is filesystem, not file: this applies to
        # filesystems that are themselves labeled with a file type.
        allow $1 file_type:filesystem getattr;
')
1084
1085 ########################################
1086 ## <summary>
1087 ##      Relabel a filesystem to the type of a file.
1088 ## </summary>
1089 ## <param name="domain">
1090 ##      <summary>
1091 ##      Domain allowed access.
1092 ##      </summary>
1093 ## </param>
1094 #
interface(`files_relabelto_all_file_type_fs',`
        gen_require(`
                attribute file_type;
        ')

        # One direction only: a filesystem may be relabeled to a file
        # type. relabelfrom is not granted here.
        allow $1 file_type:filesystem relabelto;
')
1102
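########################################
## <summary>
##      Relabel a filesystem to and from the type of a file.
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
#
interface(`files_relabel_all_file_type_fs',`
        gen_require(`
                attribute file_type;
        ')

        # Both directions are granted, unlike
        # files_relabelto_all_file_type_fs which grants relabelto only.
        allow $1 file_type:filesystem { relabelfrom relabelto };
')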
1120
1121 ########################################
1122 ## <summary>
1123 ##      Mount all filesystems with the type of a file.
1124 ## </summary>
1125 ## <param name="domain">
1126 ##      <summary>
1127 ##      Domain allowed access.
1128 ##      </summary>
1129 ## </param>
1130 #
interface(`files_mount_all_file_type_fs',`
        gen_require(`
                attribute file_type;
        ')

        # Permits mounting any filesystem that is labeled with a file
        # type.
        allow $1 file_type:filesystem mount;
')
1138
########################################
## <summary>
##      Unmount all filesystems with the type of a file.
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
#
interface(`files_unmount_all_file_type_fs',`
        gen_require(`
                attribute file_type;
        ')

        # Attribute-wide: applies to a filesystem labelled with any
        # type that has the file_type attribute.
        allow $1 file_type:filesystem unmount;
')
1156
########################################
## <summary>
##      Manage all configuration directories on the filesystem.
## </summary>
## <desc>
##      <p>
##      The access is keyed on the configfile attribute, not on
##      a path: it covers directories of every type that carries
##      that attribute.
##      </p>
## </desc>
## <param name="domain">
##      <summary>
##      The type of domain performing this action.
##      </summary>
## </param>
#
interface(`files_manage_config_dirs',`
        gen_require(`
                attribute configfile;
        ')

        manage_dirs_pattern($1, configfile, configfile)
')
1175
########################################
## <summary>
##      Relabel configuration directories.
## </summary>
## <desc>
##      <p>
##      Applies to directories of every type that carries the
##      configfile attribute. Relabeling changes which policy
##      rules apply to an object, so callers should be limited
##      to labeling tools.
##      </p>
## </desc>
## <param name="domain">
##      <summary>
##      Type of domain performing this action.
##      </summary>
## </param>
#
interface(`files_relabel_config_dirs',`
        gen_require(`
                attribute configfile;
        ')

        relabel_dirs_pattern($1, configfile, configfile)
')
1194
########################################
## <summary>
##      Read all configuration files.
## </summary>
## <desc>
##      <p>
##      The rules are keyed on the configfile attribute rather
##      than on the etc_t type, so this reaches every file and
##      symbolic link whose type carries that attribute. Use
##      files_read_etc_files() when only generic /etc content
##      is needed.
##      </p>
## </desc>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
#
interface(`files_read_config_files',`
        gen_require(`
                attribute configfile;
        ')

        allow $1 configfile:dir list_dir_perms;
        read_files_pattern($1, configfile, configfile)
        read_lnk_files_pattern($1, configfile, configfile)
')
1214
########################################
## <summary>
##      Manage all configuration files on the filesystem.
## </summary>
## <desc>
##      <p>
##      Covers regular files of every type that carries the
##      configfile attribute. Write access to configuration is
##      security sensitive; prefer a type-specific interface
##      when the caller only needs its own configuration.
##      </p>
## </desc>
## <param name="domain">
##      <summary>
##      The type of domain performing this action.
##      </summary>
## </param>
#
interface(`files_manage_config_files',`
        gen_require(`
                attribute configfile;
        ')

        manage_files_pattern($1, configfile, configfile)
')
1233
########################################
## <summary>
##      Relabel configuration files.
## </summary>
## <desc>
##      <p>
##      Applies to regular files of every type that carries the
##      configfile attribute.
##      </p>
## </desc>
## <param name="domain">
##      <summary>
##      Type of domain performing this action.
##      </summary>
## </param>
#
interface(`files_relabel_config_files',`
        gen_require(`
                attribute configfile;
        ')

        relabel_files_pattern($1, configfile, configfile)
')
1252
########################################
## <summary>
##      Mount a filesystem on all mount points.
## </summary>
## <desc>
##      <p>
##      Grants mounton for both directories and regular files
##      whose type carries the mountpoint attribute. Mounting
##      over a location hides its previous content, so this is
##      best limited to mount-handling domains.
##      </p>
## </desc>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
#
interface(`files_mounton_all_mountpoints',`
        gen_require(`
                attribute mountpoint;
        ')

        allow $1 mountpoint:dir { search_dir_perms mounton };
        # Regular files can be mount targets as well.
        allow $1 mountpoint:file { getattr mounton };
')
1271
########################################
## <summary>
##      Get the attributes of all mount points.
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
#
interface(`files_getattr_all_mountpoints',`
        gen_require(`
                attribute mountpoint;
        ')

        # Directories only; file mount points are not covered here.
        allow $1 mountpoint:dir getattr;
')
1289
########################################
## <summary>
##      Search all mount points.
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
#
interface(`files_search_all_mountpoints',`
        gen_require(`
                attribute mountpoint;
        ')

        # Path traversal through mount point directories; listing
        # their entries would need list_dir_perms instead.
        allow $1 mountpoint:dir search_dir_perms;
')
1307
########################################
## <summary>
##      List the contents of the root directory.
## </summary>
## <desc>
##      <p>
##      Besides listing directories labelled root_t, this also
##      allows reading symbolic links labelled root_t.
##      </p>
## </desc>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
#
interface(`files_list_root',`
        gen_require(`
                type root_t;
        ')

        allow $1 root_t:dir list_dir_perms;
        allow $1 root_t:lnk_file { read_lnk_file_perms ioctl lock };
')
1326
########################################
## <summary>
##      Do not audit attempts to read or write
##      the root directory.
## </summary>
## <desc>
##      <p>
##      The rule targets directories labelled root_t, not the
##      files inside them. It only silences the denial record;
##      no access is granted.
##      </p>
## </desc>
## <param name="domain">
##      <summary>
##      Domain to not audit.
##      </summary>
## </param>
#
interface(`files_dontaudit_rw_root_dir',`
        gen_require(`
                type root_t;
        ')

        dontaudit $1 root_t:dir rw_dir_perms;
')
1345
########################################
## <summary>
##      Create an object in the root directory, with a private
##      type using a type transition.
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
## <param name="private_type">
##      <summary>
##      The type of the object to be created.
##      </summary>
## </param>
## <param name="object_class">
##      <summary>
##      The object class of the object being created.
##      </summary>
## </param>
#
interface(`files_root_filetrans',`
        gen_require(`
                type root_t;
        ')

        # The second and third arguments (private type, object class)
        # are passed through unchanged to the transition pattern.
        filetrans_pattern($1, root_t, $2, $3)
')
1374
########################################
## <summary>
##      Do not audit attempts to read files in
##      the root directory.
## </summary>
## <param name="domain">
##      <summary>
##      Domain to not audit.
##      </summary>
## </param>
#
interface(`files_dontaudit_read_root_files',`
        gen_require(`
                type root_t;
        ')

        # Silences the denial record for getattr and read on regular
        # files labelled root_t; no access is granted.
        dontaudit $1 root_t:file { getattr read };
')
1393
########################################
## <summary>
##      Do not audit attempts to read or write
##      files in the root directory.
## </summary>
## <param name="domain">
##      <summary>
##      Domain to not audit.
##      </summary>
## </param>
#
interface(`files_dontaudit_rw_root_files',`
        gen_require(`
                type root_t;
        ')

        # Silences the denial record only; no access is granted.
        dontaudit $1 root_t:file { read write };
')
1412
########################################
## <summary>
##      Do not audit attempts to read or write
##      character device nodes in the root directory.
## </summary>
## <param name="domain">
##      <summary>
##      Domain to not audit.
##      </summary>
## </param>
#
interface(`files_dontaudit_rw_root_chr_files',`
        gen_require(`
                type root_t;
        ')

        # Silences the denial record only; no access is granted.
        dontaudit $1 root_t:chr_file { read write };
')
1431
########################################
## <summary>
##      Remove entries from the root directory.
## </summary>
## <desc>
##      <p>
##      The rule grants the whole rw_dir_perms set on root_t
##      directories. That set is defined outside this file and
##      appears to cover adding entries as well as removing
##      them, so the access is wider than the name suggests.
##      Deleting an object also needs permission on the
##      object itself, which is not granted here.
##      </p>
## </desc>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
#
interface(`files_delete_root_dir_entry',`
        gen_require(`
                type root_t;
        ')

        allow $1 root_t:dir rw_dir_perms;
')
1449
########################################
## <summary>
##      Unmount a rootfs filesystem.
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
#
interface(`files_unmount_rootfs',`
        gen_require(`
                type root_t;
        ')

        # Filesystem-class permission on a filesystem labelled root_t.
        allow $1 root_t:filesystem unmount;
')
1467
########################################
## <summary>
##      Get attributes of the /boot directory.
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
#
interface(`files_getattr_boot_dirs',`
        gen_require(`
                type boot_t;
        ')

        # Label-based: applies to every directory labelled boot_t.
        # getattr alone does not allow searching or listing it.
        allow $1 boot_t:dir getattr;
')
1485
########################################
## <summary>
##      Do not audit attempts to get attributes
##      of the /boot directory.
## </summary>
## <param name="domain">
##      <summary>
##      Domain to not audit.
##      </summary>
## </param>
#
interface(`files_dontaudit_getattr_boot_dirs',`
        gen_require(`
                type boot_t;
        ')

        # Silences the denial record only; no access is granted.
        dontaudit $1 boot_t:dir getattr;
')
1504
########################################
## <summary>
##      Search the /boot directory.
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
#
interface(`files_search_boot',`
        gen_require(`
                type boot_t;
        ')

        # Path traversal only; use files_list_boot to read the
        # directory entries.
        allow $1 boot_t:dir search_dir_perms;
')
1522
########################################
## <summary>
##      Do not audit attempts to search the /boot directory.
## </summary>
## <param name="domain">
##      <summary>
##      Domain to not audit.
##      </summary>
## </param>
#
interface(`files_dontaudit_search_boot',`
        gen_require(`
                type boot_t;
        ')

        # Silences the denial record only; no access is granted.
        dontaudit $1 boot_t:dir search_dir_perms;
')
1540
########################################
## <summary>
##      List the /boot directory.
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
#
interface(`files_list_boot',`
        gen_require(`
                type boot_t;
        ')

        # Directory listing only; reading the files found there
        # needs files_read_kernel_img or a similar interface.
        allow $1 boot_t:dir list_dir_perms;
')
1558
########################################
## <summary>
##      Create directories in /boot.
## </summary>
## <desc>
##      <p>
##      Grants create plus the rw_dir_perms set on directories
##      labelled boot_t, so the caller can also modify entries
##      of existing boot_t directories.
##      </p>
## </desc>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
#
interface(`files_create_boot_dirs',`
        gen_require(`
                type boot_t;
        ')

        allow $1 boot_t:dir { create rw_dir_perms };
')
1576
########################################
## <summary>
##      Create a private type object in /boot
##      with an automatic type transition.
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
## <param name="private_type">
##      <summary>
##      The type of the object to be created.
##      </summary>
## </param>
## <param name="object_class">
##      <summary>
##      The object class of the object being created.
##      </summary>
## </param>
#
interface(`files_boot_filetrans',`
        gen_require(`
                type boot_t;
        ')

        # The second and third arguments (private type, object class)
        # are passed through unchanged to the transition pattern.
        filetrans_pattern($1, boot_t, $2, $3)
')
1605
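########################################
## <summary>
##      Read files in the /boot directory.
## </summary>
## <desc>
##      <p>
##      Read-only access to regular files labelled boot_t.
##      Domains that must create, modify or delete these files
##      should call files_manage_boot_files() instead.
##      </p>
## </desc>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
## <rolecap/>
#
interface(`files_read_boot_files',`
        gen_require(`
                type boot_t;
        ')

        # Keep this read-only. Expanding manage_files_pattern here,
        # as files_manage_boot_files does, would also let every
        # caller of a read interface create, write and delete
        # boot_t files.
        read_files_pattern($1, boot_t, boot_t)
')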
1624
########################################
## <summary>
##      Create, read, write, and delete files
##      in the /boot directory.
## </summary>
## <desc>
##      <p>
##      Covers every regular file labelled boot_t. Write access
##      to boot content affects what the system runs at the
##      next start, so callers should be few and well defined.
##      </p>
## </desc>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
## <rolecap/>
#
interface(`files_manage_boot_files',`
        gen_require(`
                type boot_t;
        ')

        manage_files_pattern($1, boot_t, boot_t)
')
1644
########################################
## <summary>
##      Relabel from files in the /boot directory.
## </summary>
## <desc>
##      <p>
##      Only the relabelfrom half is granted here; the caller
##      needs a separate relabelto permission on the target
##      type for a relabel to succeed.
##      </p>
## </desc>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
#
interface(`files_relabelfrom_boot_files',`
        gen_require(`
                type boot_t;
        ')

        relabelfrom_files_pattern($1, boot_t, boot_t)
')
1662
########################################
## <summary>
##      Read and write symbolic links
##      in the /boot directory.
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
#
interface(`files_rw_boot_symlinks',`
        gen_require(`
                type boot_t;
        ')

        # Listing of boot_t directories is granted in addition to
        # the symlink access.
        allow $1 boot_t:dir list_dir_perms;
        rw_lnk_files_pattern($1, boot_t, boot_t)
')
1682
########################################
## <summary>
##      Create, read, write, and delete symbolic links
##      in the /boot directory.
## </summary>
## <desc>
##      <p>
##      Covers every symbolic link labelled boot_t. A domain
##      with this access can change what such links point to.
##      </p>
## </desc>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
#
interface(`files_manage_boot_symlinks',`
        gen_require(`
                type boot_t;
        ')

        manage_lnk_files_pattern($1, boot_t, boot_t)
')
1701
########################################
## <summary>
##      Read kernel files in the /boot directory.
## </summary>
## <desc>
##      <p>
##      The rules are label-based: they allow listing boot_t
##      directories and reading every regular file and symbolic
##      link labelled boot_t, not only kernel images.
##      </p>
## </desc>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
#
interface(`files_read_kernel_img',`
        gen_require(`
                type boot_t;
        ')

        allow $1 boot_t:dir list_dir_perms;
        read_files_pattern($1, boot_t, boot_t)
        read_lnk_files_pattern($1, boot_t, boot_t)
')
1721
########################################
## <summary>
##      Install a kernel into the /boot directory.
## </summary>
## <desc>
##      <p>
##      Grants create and read/write access on every regular
##      file labelled boot_t and full management of boot_t
##      symbolic links. Existing boot_t files can therefore
##      be modified, not only new ones created.
##      </p>
## </desc>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
## <rolecap/>
#
interface(`files_create_kernel_img',`
        gen_require(`
                type boot_t;
        ')

        # NOTE(review): there is no explicit boot_t:dir rule here;
        # the directory write access needed to add a file appears
        # to come from the symlink pattern below - confirm.
        allow $1 boot_t:file { create_file_perms rw_file_perms };
        manage_lnk_files_pattern($1, boot_t, boot_t)
')
1741
########################################
## <summary>
##      Delete a kernel from /boot.
## </summary>
## <desc>
##      <p>
##      Label-based: allows deleting any regular file labelled
##      boot_t, not only kernel images.
##      </p>
## </desc>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
## <rolecap/>
#
interface(`files_delete_kernel',`
        gen_require(`
                type boot_t;
        ')

        delete_files_pattern($1, boot_t, boot_t)
')
1760
########################################
## <summary>
##      Get the attributes of directories with the default file type.
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
#
interface(`files_getattr_default_dirs',`
        gen_require(`
                type default_t;
        ')

        # getattr only; no search or listing of default_t directories.
        allow $1 default_t:dir getattr;
')
1778
########################################
## <summary>
##      Do not audit attempts to get the attributes of
##      directories with the default file type.
## </summary>
## <param name="domain">
##      <summary>
##      Domain to not audit.
##      </summary>
## </param>
#
interface(`files_dontaudit_getattr_default_dirs',`
        gen_require(`
                type default_t;
        ')

        # Silences the denial record only; no access is granted.
        dontaudit $1 default_t:dir getattr;
')
1797
########################################
## <summary>
##      Search the contents of directories with the default file type.
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
#
interface(`files_search_default',`
        gen_require(`
                type default_t;
        ')

        # Path traversal only; use files_list_default to read entries.
        allow $1 default_t:dir search_dir_perms;
')
1815
########################################
## <summary>
##      List contents of directories with the default file type.
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
#
interface(`files_list_default',`
        gen_require(`
                type default_t;
        ')

        # Directory listing only; file content access is separate.
        allow $1 default_t:dir list_dir_perms;
')
1833
########################################
## <summary>
##      Do not audit attempts to list contents of
##      directories with the default file type.
## </summary>
## <param name="domain">
##      <summary>
##      Domain to not audit.
##      </summary>
## </param>
#
interface(`files_dontaudit_list_default',`
        gen_require(`
                type default_t;
        ')

        # Silences the denial record only; no access is granted.
        dontaudit $1 default_t:dir list_dir_perms;
')
1852
########################################
## <summary>
##      Create, read, write, and delete directories with
##      the default file type.
## </summary>
## <desc>
##      <p>
##      Objects presumably carry default_t because no more
##      specific file context matched them (confirm against
##      the file contexts), so the set of directories this
##      reaches is not known in advance. Labeling the data
##      with a dedicated type is usually the better fix.
##      </p>
## </desc>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
#
interface(`files_manage_default_dirs',`
        gen_require(`
                type default_t;
        ')

        manage_dirs_pattern($1, default_t, default_t)
')
1871
########################################
## <summary>
##      Mount a filesystem on a directory with the default file type.
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
#
interface(`files_mounton_default',`
        gen_require(`
                type default_t;
        ')

        # Directories only; mounting over a default_t regular file
        # is not covered by this rule.
        allow $1 default_t:dir { search_dir_perms mounton };
')
1889
########################################
## <summary>
##      Do not audit attempts to get the attributes of
##      files with the default file type.
## </summary>
## <param name="domain">
##      <summary>
##      Domain to not audit.
##      </summary>
## </param>
#
interface(`files_dontaudit_getattr_default_files',`
        gen_require(`
                type default_t;
        ')

        # Silences the denial record only; no access is granted.
        dontaudit $1 default_t:file getattr;
')
1908
########################################
## <summary>
##      Read files with the default file type.
## </summary>
## <desc>
##      <p>
##      Files presumably carry default_t because no more
##      specific file context matched them (confirm against
##      the file contexts), so what can be read through this
##      access is not known in advance. Only the file rule is
##      granted here; directory search is not included.
##      </p>
## </desc>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
#
interface(`files_read_default_files',`
        gen_require(`
                type default_t;
        ')

        allow $1 default_t:file read_file_perms;
')
1926
########################################
## <summary>
##      Do not audit attempts to read files
##      with the default file type.
## </summary>
## <param name="domain">
##      <summary>
##      Domain to not audit.
##      </summary>
## </param>
#
interface(`files_dontaudit_read_default_files',`
        gen_require(`
                type default_t;
        ')

        # Silences the denial record only; no access is granted.
        dontaudit $1 default_t:file read_file_perms;
')
1945
########################################
## <summary>
##      Create, read, write, and delete files with
##      the default file type.
## </summary>
## <desc>
##      <p>
##      Files presumably carry default_t because no more
##      specific file context matched them (confirm against
##      the file contexts), so this is write access to an
##      open-ended set of files. Prefer labeling the data
##      with a dedicated type.
##      </p>
## </desc>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
#
interface(`files_manage_default_files',`
        gen_require(`
                type default_t;
        ')

        manage_files_pattern($1, default_t, default_t)
')
1964
########################################
## <summary>
##      Read symbolic links with the default file type.
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
#
interface(`files_read_default_symlinks',`
        gen_require(`
                type default_t;
        ')

        # Covers the link object itself; access to the link target
        # is decided by the label of the target.
        allow $1 default_t:lnk_file read_lnk_file_perms;
')
1982
########################################
## <summary>
##      Read named sockets with the default file type.
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
#
interface(`files_read_default_sockets',`
        gen_require(`
                type default_t;
        ')

        # Rule is on the sock_file class, the filesystem node of a
        # named socket.
        allow $1 default_t:sock_file read_sock_file_perms;
')
2000
########################################
## <summary>
##      Read named pipes with the default file type.
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
#
interface(`files_read_default_pipes',`
        gen_require(`
                type default_t;
        ')

        # Rule is on the fifo_file class only.
        allow $1 default_t:fifo_file read_fifo_file_perms;
')
2018
########################################
## <summary>
##      Search the contents of /etc directories.
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
#
interface(`files_search_etc',`
        gen_require(`
                type etc_t;
        ')

        # Path traversal through etc_t directories only; no listing
        # and no file access.
        allow $1 etc_t:dir search_dir_perms;
')
2036
########################################
## <summary>
##      Set the attributes of the /etc directories.
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
#
interface(`files_setattr_etc_dirs',`
        gen_require(`
                type etc_t;
        ')

        # setattr applies to every directory labelled etc_t.
        allow $1 etc_t:dir setattr;
')
2054
########################################
## <summary>
##      List the contents of /etc directories.
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
#
interface(`files_list_etc',`
        gen_require(`
                type etc_t;
        ')

        # Directory listing only; reading the files needs
        # files_read_etc_files.
        allow $1 etc_t:dir list_dir_perms;
')
2072
########################################
## <summary>
##      Add and remove entries from /etc directories.
## </summary>
## <desc>
##      <p>
##      Grants the rw_dir_perms set on directories labelled
##      etc_t. Permission on the files being added or removed
##      is not part of this interface.
##      </p>
## </desc>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
#
interface(`files_rw_etc_dirs',`
        gen_require(`
                type etc_t;
        ')

        allow $1 etc_t:dir rw_dir_perms;
')
2090
########################################
## <summary>
##      Manage generic directories in /etc.
## </summary>
## <desc>
##      <p>
##      Covers directories labelled etc_t only; directories
##      under /etc that have a more specific type are not
##      affected by this rule.
##      </p>
## </desc>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
#
interface(`files_manage_etc_dirs',`
        gen_require(`
                type etc_t;
        ')

        manage_dirs_pattern($1, etc_t, etc_t)
')
2109
########################################
## <summary>
##      Read generic files in /etc.
## </summary>
## <desc>
##      <p>
##      Allow the specified domain to read generic
##      files in /etc. These files are typically
##      general system configuration files that do
##      not have more specific SELinux types.  Some
##      examples of these files are:
##      </p>
##      <ul>
##              <li>/etc/fstab</li>
##              <li>/etc/passwd</li>
##              <li>/etc/services</li>
##              <li>/etc/shells</li>
##      </ul>
##      <p>
##      This interface does not include access to /etc/shadow.
##      </p>
##      <p>
##      Generally, it is safe for many domains to have
##      this access.  However, since this interface provides
##      access to the /etc/passwd file, caution must be
##      exercised, as user account names can be leaked
##      through this access.
##      </p>
##      <p>
##      Related interfaces:
##      </p>
##      <ul>
##              <li>auth_read_shadow()</li>
##              <li>files_read_etc_runtime_files()</li>
##              <li>seutil_read_config()</li>
##      </ul>
## </desc>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
## <infoflow type="read" weight="10"/>
#
interface(`files_read_etc_files',`
        gen_require(`
                type etc_t;
        ')

        # Label-based: every regular file and symlink labelled etc_t
        # is readable, so a sensitive file left with the generic
        # etc_t label is exposed to all callers of this interface.
        allow $1 etc_t:dir list_dir_perms;
        read_files_pattern($1, etc_t, etc_t)
        read_lnk_files_pattern($1, etc_t, etc_t)
')
2163
########################################
## <summary>
##      Do not audit attempts to write generic files in /etc.
## </summary>
## <param name="domain">
##      <summary>
##      Domain to not audit.
##      </summary>
## </param>
#
interface(`files_dontaudit_write_etc_files',`
        gen_require(`
                type etc_t;
        ')

        # Silences the denial record only; no access is granted.
        # Denied writes to etc_t files by this domain will no
        # longer appear in the audit log.
        dontaudit $1 etc_t:file write;
')
2181
########################################
## <summary>
##      Read and write generic files in /etc.
## </summary>
## <desc>
##      <p>
##      Write access covers every regular file labelled etc_t,
##      which per files_read_etc_files() includes files such
##      as /etc/passwd and /etc/fstab. Creation and deletion
##      are not part of this interface.
##      </p>
## </desc>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
## <rolecap/>
#
interface(`files_rw_etc_files',`
        gen_require(`
                type etc_t;
        ')

        allow $1 etc_t:dir list_dir_perms;
        rw_files_pattern($1, etc_t, etc_t)
        read_lnk_files_pattern($1, etc_t, etc_t)
')
2202
########################################
## <summary>
##      Create, read, write, and delete generic
##      files in /etc.
## </summary>
## <desc>
##      <p>
##      Full management of every regular file labelled etc_t;
##      symbolic links are readable only. Where a domain just
##      maintains its own configuration, a private type with
##      files_etc_filetrans() keeps the grant narrower.
##      </p>
## </desc>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
## <rolecap/>
#
interface(`files_manage_etc_files',`
        gen_require(`
                type etc_t;
        ')

        manage_files_pattern($1, etc_t, etc_t)
        read_lnk_files_pattern($1, etc_t, etc_t)
')
2223
########################################
## <summary>
##      Delete system configuration files in /etc.
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
#
interface(`files_delete_etc_files',`
        gen_require(`
                type etc_t;
        ')

        # Applies to any regular file labelled etc_t.
        delete_files_pattern($1, etc_t, etc_t)
')
2241
########################################
## <summary>
##      Execute generic files in /etc.
## </summary>
## <desc>
##      <p>
##      Allows executing regular files labelled etc_t. No
##      domain transition is declared in this interface.
##      </p>
## </desc>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
#
interface(`files_exec_etc_files',`
        gen_require(`
                type etc_t;
        ')

        allow $1 etc_t:dir list_dir_perms;
        read_lnk_files_pattern($1, etc_t, etc_t)
        exec_files_pattern($1, etc_t, etc_t)
')
2261
########################################
## <summary>
##      Relabel from and to generic files in /etc.
## </summary>
## <desc>
##      <p>
##      Relabeling decides which rules apply to a file, so
##      this access is best kept to labeling tools.
##      </p>
## </desc>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
#
interface(`files_relabel_etc_files',`
        gen_require(`
                type etc_t;
        ')

        allow $1 etc_t:dir list_dir_perms;
        relabel_files_pattern($1, etc_t, etc_t)
')
2280
########################################
## <summary>
##      Read symbolic links in /etc.
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
#
interface(`files_read_etc_symlinks',`
        gen_require(`
                type etc_t;
        ')

        # Covers symlinks labelled etc_t; access to a link target
        # is decided by the label of the target.
        read_lnk_files_pattern($1, etc_t, etc_t)
')
2298
########################################
## <summary>
##      Create, read, write, and delete symbolic links in /etc.
## </summary>
## <desc>
##      <p>
##      A domain with this access can change what etc_t
##      symbolic links point to, which affects every domain
##      that follows those links.
##      </p>
## </desc>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
#
interface(`files_manage_etc_symlinks',`
        gen_require(`
                type etc_t;
        ')

        manage_lnk_files_pattern($1, etc_t, etc_t)
')
2316
2317 ########################################
2318 ## <summary>
2319 ##      Create objects in /etc with a private
2320 ##      type using a type_transition.
2321 ## </summary>
2322 ## <param name="domain">
2323 ##      <summary>
2324 ##      Domain allowed access.
2325 ##      </summary>
2326 ## </param>
2327 ## <param name="file_type">
2328 ##      <summary>
2329 ##      Private file type.
2330 ##      </summary>
2331 ## </param>
2332 ## <param name="class">
2333 ##      <summary>
2334 ##      Object classes to be created.
2335 ##      </summary>
2336 ## </param>
2337 #
2338 interface(`files_etc_filetrans',`
2339         gen_require(`
2340                 type etc_t;
2341         ')
2342
             # Objects of the class given as the third argument, created by the
             # caller domain in etc_t directories, get the private type given as the
             # second argument.
             # NOTE(review): filetrans_pattern is defined outside this view; it
             # presumably also grants the etc_t directory write access needed to add
             # entries, while access to the private type itself is granted elsewhere
             # - confirm.
2343         filetrans_pattern($1, etc_t, $2, $3)
2344 ')
2345
2346 ########################################
2347 ## <summary>
2348 ##      Create a boot flag.
2349 ## </summary>
2350 ## <desc>
2351 ##      <p>
2352 ##      Create a boot flag, such as
2353 ##      /.autorelabel and /.autofsck.
2354 ##      </p>
2355 ## </desc>
2356 ## <param name="domain">
2357 ##      <summary>
2358 ##      Domain allowed access.
2359 ##      </summary>
2360 ## </param>
2361 ## <rolecap/>
2362 #
2363 interface(`files_create_boot_flag',`
2364         gen_require(`
2365                 type root_t, etc_runtime_t;
2366         ')
2367
             # NOTE(review): this rule is keyed on the etc_runtime_t type and not on
             # a path, so it applies to every etc_runtime_t file the caller can
             # reach, not only to the boot flags named in the description.
2368         allow $1 etc_runtime_t:file manage_file_perms;
             # Files the caller creates in root_t directories are labeled
             # etc_runtime_t through a type transition.
2369         filetrans_pattern($1, root_t, etc_runtime_t, file)
2370 ')
2371
2372 ########################################
2373 ## <summary>
2374 ##      Read files in /etc that are dynamically
2375 ##      created on boot, such as mtab.
2376 ## </summary>
2377 ## <param name="domain">
2378 ##      <summary>
2379 ##      Domain allowed access.
2380 ##      </summary>
2381 ## </param>
2382 ## <rolecap/>
2383 #
2384 interface(`files_read_etc_runtime_files',`
2385         gen_require(`
2386                 type etc_t, etc_runtime_t;
2387         ')
2388
2389         allow $1 etc_t:dir list_dir_perms;
2390         read_files_pattern($1, etc_t, etc_runtime_t)
2391         read_lnk_files_pattern($1, etc_t, etc_runtime_t)
2392 ')
2393
2394 ########################################
2395 ## <summary>
2396 ##      Do not audit attempts to read files
2397 ##      in /etc that are dynamically
2398 ##      created on boot, such as mtab.
2399 ## </summary>
2400 ## <param name="domain">
2401 ##      <summary>
2402 ##      Domain to not audit.
2403 ##      </summary>
2404 ## </param>
2405 #
2406 interface(`files_dontaudit_read_etc_runtime_files',`
2407         gen_require(`
2408                 type etc_runtime_t;
2409         ')
2410
             # dontaudit grants no access: it only suppresses the denial record for
             # getattr and read on etc_runtime_t files. Those denials will be absent
             # from the audit log while dontaudit rules are active, which matters
             # when investigating access to these files.
2411         dontaudit $1 etc_runtime_t:file { getattr read };
2412 ')
2413
2414 ########################################
2415 ## <summary>
2416 ##      Read and write files in /etc that are dynamically
2417 ##      created on boot, such as mtab.
2418 ## </summary>
2419 ## <param name="domain">
2420 ##      <summary>
2421 ##      Domain allowed access.
2422 ##      </summary>
2423 ## </param>
2424 ## <rolecap/>
2425 #
2426 interface(`files_rw_etc_runtime_files',`
2427         gen_require(`
2428                 type etc_t, etc_runtime_t;
2429         ')
2430
2431         allow $1 etc_t:dir list_dir_perms;
2432         rw_files_pattern($1, etc_t, etc_runtime_t)
2433 ')
2434
2435 ########################################
2436 ## <summary>
2437 ##      Create, read, write, and delete files in
2438 ##      /etc that are dynamically created on boot,
2439 ##      such as mtab.
2440 ## </summary>
2441 ## <param name="domain">
2442 ##      <summary>
2443 ##      Domain allowed access.
2444 ##      </summary>
2445 ## </param>
2446 ## <rolecap/>
2447 #
2448 interface(`files_manage_etc_runtime_files',`
2449         gen_require(`
2450                 type etc_t, etc_runtime_t;
2451         ')
2452
             # The directory argument is a set: the managed etc_runtime_t files may
             # sit in etc_t or etc_runtime_t directories.
             # NOTE(review): manage_files_pattern is defined outside this view; it
             # presumably also grants write access to both directory types so
             # entries can be added and removed - confirm.
2453         manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
2454 ')
2455
2456 ########################################
2457 ## <summary>
2458 ##      Create etc runtime objects with an automatic
2459 ##      type transition.
2460 ## </summary>
2461 ## <param name="domain">
2462 ##      <summary>
2463 ##      Domain allowed access.
2464 ##      </summary>
2465 ## </param>
2466 ## <param name="object">
2467 ##      <summary>
2468 ##      The class of the object being created.
2469 ##      </summary>
2470 ## </param>
2471 #
2472 interface(`files_etc_filetrans_etc_runtime',`
2473         gen_require(`
2474                 type etc_t, etc_runtime_t;
2475         ')
2476
2477         filetrans_pattern($1, etc_t, etc_runtime_t, $2)
2478 ')
2479
2480 ########################################
2481 ## <summary>
2482 ##      Getattr of directories on new filesystems
2483 ##      that have not yet been labeled.
2484 ## </summary>
2485 ## <param name="domain">
2486 ##      <summary>
2487 ##      Domain allowed access.
2488 ##      </summary>
2489 ## </param>
2490 #
2491 interface(`files_getattr_isid_type_dirs',`
2492         gen_require(`
2493                 type file_t;
2494         ')
2495
2496         allow $1 file_t:dir getattr;
2497 ')
2498
2499 ########################################
2500 ## <summary>
2501 ##      Do not audit attempts to search directories on new filesystems
2502 ##      that have not yet been labeled.
2503 ## </summary>
2504 ## <param name="domain">
2505 ##      <summary>
2506 ##      Domain to not audit.
2507 ##      </summary>
2508 ## </param>
2509 #
2510 interface(`files_dontaudit_search_isid_type_dirs',`
2511         gen_require(`
2512                 type file_t;
2513         ')
2514
2515         dontaudit $1 file_t:dir search_dir_perms;
2516 ')
2517
2518 ########################################
2519 ## <summary>
2520 ##      List the contents of directories on new filesystems
2521 ##      that have not yet been labeled.
2522 ## </summary>
2523 ## <param name="domain">
2524 ##      <summary>
2525 ##      Domain allowed access.
2526 ##      </summary>
2527 ## </param>
2528 #
2529 interface(`files_list_isid_type_dirs',`
2530         gen_require(`
2531                 type file_t;
2532         ')
2533
2534         allow $1 file_t:dir list_dir_perms;
2535 ')
2536
2537 ########################################
2538 ## <summary>
2539 ##      Read and write directories on new filesystems
2540 ##      that have not yet been labeled.
2541 ## </summary>
2542 ## <param name="domain">
2543 ##      <summary>
2544 ##      Domain allowed access.
2545 ##      </summary>
2546 ## </param>
2547 #
2548 interface(`files_rw_isid_type_dirs',`
2549         gen_require(`
2550                 type file_t;
2551         ')
2552
2553         allow $1 file_t:dir rw_dir_perms;
2554 ')
2555
2556 ########################################
2557 ## <summary>
2558 ##      Delete directories on new filesystems
2559 ##      that have not yet been labeled.
2560 ## </summary>
2561 ## <param name="domain">
2562 ##      <summary>
2563 ##      Domain allowed access.
2564 ##      </summary>
2565 ## </param>
2566 #
2567 interface(`files_delete_isid_type_dirs',`
2568         gen_require(`
2569                 type file_t;
2570         ')
2571
2572         delete_dirs_pattern($1, file_t, file_t)
2573 ')
2574
2575 ########################################
2576 ## <summary>
2577 ##      Create, read, write, and delete directories
2578 ##      on new filesystems that have not yet been labeled.
2579 ## </summary>
2580 ## <param name="domain">
2581 ##      <summary>
2582 ##      Domain allowed access.
2583 ##      </summary>
2584 ## </param>
2585 #
2586 interface(`files_manage_isid_type_dirs',`
2587         gen_require(`
2588                 type file_t;
2589         ')
2590
2591         allow $1 file_t:dir manage_dir_perms;
2592 ')
2593
2594 ########################################
2595 ## <summary>
2596 ##      Mount a filesystem on a directory on new filesystems
2597 ##      that has not yet been labeled.
2598 ## </summary>
2599 ## <param name="domain">
2600 ##      <summary>
2601 ##      Domain allowed access.
2602 ##      </summary>
2603 ## </param>
2604 #
2605 interface(`files_mounton_isid_type_dirs',`
2606         gen_require(`
2607                 type file_t;
2608         ')
2609
2610         allow $1 file_t:dir { search_dir_perms mounton };
2611 ')
2612
2613 ########################################
2614 ## <summary>
2615 ##      Read files on new filesystems
2616 ##      that have not yet been labeled.
2617 ## </summary>
2618 ## <param name="domain">
2619 ##      <summary>
2620 ##      Domain allowed access.
2621 ##      </summary>
2622 ## </param>
2623 #
2624 interface(`files_read_isid_type_files',`
2625         gen_require(`
2626                 type file_t;
2627         ')
2628
2629         allow $1 file_t:file read_file_perms;
2630 ')
2631
2632 ########################################
2633 ## <summary>
2634 ##      Delete files on new filesystems
2635 ##      that have not yet been labeled.
2636 ## </summary>
2637 ## <param name="domain">
2638 ##      <summary>
2639 ##      Domain allowed access.
2640 ##      </summary>
2641 ## </param>
2642 #
2643 interface(`files_delete_isid_type_files',`
2644         gen_require(`
2645                 type file_t;
2646         ')
2647
2648         delete_files_pattern($1, file_t, file_t)
2649 ')
2650
2651 ########################################
2652 ## <summary>
2653 ##      Create, read, write, and delete files
2654 ##      on new filesystems that have not yet been labeled.
2655 ## </summary>
2656 ## <param name="domain">
2657 ##      <summary>
2658 ##      Domain allowed access.
2659 ##      </summary>
2660 ## </param>
2661 #
2662 interface(`files_manage_isid_type_files',`
2663         gen_require(`
2664                 type file_t;
2665         ')
2666
2667         allow $1 file_t:file manage_file_perms;
2668 ')
2669
2670 ########################################
2671 ## <summary>
2672 ##      Create, read, write, and delete symbolic links
2673 ##      on new filesystems that have not yet been labeled.
2674 ## </summary>
2675 ## <param name="domain">
2676 ##      <summary>
2677 ##      Domain allowed access.
2678 ##      </summary>
2679 ## </param>
2680 #
2681 interface(`files_manage_isid_type_symlinks',`
2682         gen_require(`
2683                 type file_t;
2684         ')
2685
2686         allow $1 file_t:lnk_file manage_lnk_file_perms;
2687 ')
2688
2689 ########################################
2690 ## <summary>
2691 ##      Read and write block device nodes on new filesystems
2692 ##      that have not yet been labeled.
2693 ## </summary>
2694 ## <param name="domain">
2695 ##      <summary>
2696 ##      Domain allowed access.
2697 ##      </summary>
2698 ## </param>
2699 #
2700 interface(`files_rw_isid_type_blk_files',`
2701         gen_require(`
2702                 type file_t;
2703         ')
2704
             # Applies to every block device node that carries the file_t label.
             # Reading and writing a block node reaches the contents of the device
             # behind it, so callers of this interface deserve review.
2705         allow $1 file_t:blk_file rw_blk_file_perms;
2706 ')
2707
2708 ########################################
2709 ## <summary>
2710 ##      Create, read, write, and delete block device nodes
2711 ##      on new filesystems that have not yet been labeled.
2712 ## </summary>
2713 ## <param name="domain">
2714 ##      <summary>
2715 ##      Domain allowed access.
2716 ##      </summary>
2717 ## </param>
2718 #
2719 interface(`files_manage_isid_type_blk_files',`
2720         gen_require(`
2721                 type file_t;
2722         ')
2723
             # Applies to every block device node that carries the file_t label.
             # Manage access on a block node includes creating new nodes and reaching
             # the contents of the device behind them, so callers of this interface
             # deserve review.
2724         allow $1 file_t:blk_file manage_blk_file_perms;
2725 ')
2726
2727 ########################################
2728 ## <summary>
2729 ##      Create, read, write, and delete character device nodes
2730 ##      on new filesystems that have not yet been labeled.
2731 ## </summary>
2732 ## <param name="domain">
2733 ##      <summary>
2734 ##      Domain allowed access.
2735 ##      </summary>
2736 ## </param>
2737 #
2738 interface(`files_manage_isid_type_chr_files',`
2739         gen_require(`
2740                 type file_t;
2741         ')
2742
             # Applies to every character device node that carries the file_t label.
             # Manage access on a device node includes creating new nodes, so callers
             # of this interface deserve review.
2743         allow $1 file_t:chr_file manage_chr_file_perms;
2744 ')
2745
2746 ########################################
2747 ## <summary>
2748 ##      Get the attributes of the home directories root
2749 ##      (/home).
2750 ## </summary>
2751 ## <param name="domain">
2752 ##      <summary>
2753 ##      Domain allowed access.
2754 ##      </summary>
2755 ## </param>
2756 #
2757 interface(`files_getattr_home_dir',`
2758         gen_require(`
2759                 type home_root_t;
2760         ')
2761
2762         allow $1 home_root_t:dir getattr;
2763 ')
2764
2765 ########################################
2766 ## <summary>
2767 ##      Do not audit attempts to get the
2768 ##      attributes of the home directories root
2769 ##      (/home).
2770 ## </summary>
2771 ## <param name="domain">
2772 ##      <summary>
2773 ##      Domain to not audit.
2774 ##      </summary>
2775 ## </param>
2776 #
2777 interface(`files_dontaudit_getattr_home_dir',`
2778         gen_require(`
2779                 type home_root_t;
2780         ')
2781
2782         dontaudit $1 home_root_t:dir getattr;
2783 ')
2784
2785 ########################################
2786 ## <summary>
2787 ##      Search home directories root (/home).
2788 ## </summary>
2789 ## <param name="domain">
2790 ##      <summary>
2791 ##      Domain allowed access.
2792 ##      </summary>
2793 ## </param>
2794 #
2795 interface(`files_search_home',`
2796         gen_require(`
2797                 type home_root_t;
2798         ')
2799
2800         allow $1 home_root_t:dir search_dir_perms;
2801 ')
2802
2803 ########################################
2804 ## <summary>
2805 ##      Do not audit attempts to search
2806 ##      home directories root (/home).
2807 ## </summary>
2808 ## <param name="domain">
2809 ##      <summary>
2810 ##      Domain to not audit.
2811 ##      </summary>
2812 ## </param>
2813 #
2814 interface(`files_dontaudit_search_home',`
2815         gen_require(`
2816                 type home_root_t;
2817         ')
2818
2819         dontaudit $1 home_root_t:dir search_dir_perms;
2820 ')
2821
2822 ########################################
2823 ## <summary>
2824 ##      Do not audit attempts to list
2825 ##      home directories root (/home).
2826 ## </summary>
2827 ## <param name="domain">
2828 ##      <summary>
2829 ##      Domain to not audit.
2830 ##      </summary>
2831 ## </param>
2832 #
2833 interface(`files_dontaudit_list_home',`
2834         gen_require(`
2835                 type home_root_t;
2836         ')
2837
2838         dontaudit $1 home_root_t:dir list_dir_perms;
2839 ')
2840
2841 ########################################
2842 ## <summary>
2843 ##      Get listing of home directories.
2844 ## </summary>
2845 ## <param name="domain">
2846 ##      <summary>
2847 ##      Domain allowed access.
2848 ##      </summary>
2849 ## </param>
2850 #
2851 interface(`files_list_home',`
2852         gen_require(`
2853                 type home_root_t;
2854         ')
2855
2856         allow $1 home_root_t:dir list_dir_perms;
2857 ')
2858
2859 ########################################
2860 ## <summary>
2861 ##      Create objects in /home.
2862 ## </summary>
2863 ## <param name="domain">
2864 ##      <summary>
2865 ##      Domain allowed access.
2866 ##      </summary>
2867 ## </param>
2868 ## <param name="home_type">
2869 ##      <summary>
2870 ##      The private type.
2871 ##      </summary>
2872 ## </param>
2873 ## <param name="object">
2874 ##      <summary>
2875 ##      The class of the object being created.
2876 ##      </summary>
2877 ## </param>
2878 #
2879 interface(`files_home_filetrans',`
2880         gen_require(`
2881                 type home_root_t;
2882         ')
2883
2884         filetrans_pattern($1, home_root_t, $2, $3)
2885 ')
2886
2887 ########################################
2888 ## <summary>
2889 ##      Get the attributes of lost+found directories.
2890 ## </summary>
2891 ## <param name="domain">
2892 ##      <summary>
2893 ##      Domain allowed access.
2894 ##      </summary>
2895 ## </param>
2896 #
2897 interface(`files_getattr_lost_found_dirs',`
2898         gen_require(`
2899                 type lost_found_t;
2900         ')
2901
2902         allow $1 lost_found_t:dir getattr;
2903 ')
2904
2905 ########################################
2906 ## <summary>
2907 ##      Do not audit attempts to get the attributes of
2908 ##      lost+found directories.
2909 ## </summary>
2910 ## <param name="domain">
2911 ##      <summary>
2912 ##      Domain to not audit.
2913 ##      </summary>
2914 ## </param>
2915 #
2916 interface(`files_dontaudit_getattr_lost_found_dirs',`
2917         gen_require(`
2918                 type lost_found_t;
2919         ')
2920
2921         dontaudit $1 lost_found_t:dir getattr;
2922 ')
2923
2924 ########################################
2925 ## <summary>
2926 ##      Create, read, write, and delete objects in
2927 ##      lost+found directories.
2928 ## </summary>
2929 ## <param name="domain">
2930 ##      <summary>
2931 ##      Domain allowed access.
2932 ##      </summary>
2933 ## </param>
2934 ## <rolecap/>
2935 #
2936 interface(`files_manage_lost_found',`
2937         gen_require(`
2938                 type lost_found_t;
2939         ')
2940
             # Covers directories, regular files, symbolic links, named pipes and
             # sockets labeled lost_found_t. Block and character device nodes are
             # not included in this interface.
2941         manage_dirs_pattern($1, lost_found_t, lost_found_t)
2942         manage_files_pattern($1, lost_found_t, lost_found_t)
2943         manage_lnk_files_pattern($1, lost_found_t, lost_found_t)
2944         manage_fifo_files_pattern($1, lost_found_t, lost_found_t)
2945         manage_sock_files_pattern($1, lost_found_t, lost_found_t)
2946 ')
2947
2948 ########################################
2949 ## <summary>
2950 ##      Search the contents of /mnt.
2951 ## </summary>
2952 ## <param name="domain">
2953 ##      <summary>
2954 ##      Domain allowed access.
2955 ##      </summary>
2956 ## </param>
2957 #
2958 interface(`files_search_mnt',`
2959         gen_require(`
2960                 type mnt_t;
2961         ')
2962
2963         allow $1 mnt_t:dir search_dir_perms;
2964 ')
2965
2966 ########################################
2967 ## <summary>
2968 ##      Do not audit attempts to search /mnt.
2969 ## </summary>
2970 ## <param name="domain">
2971 ##      <summary>
2972 ##      Domain to not audit.
2973 ##      </summary>
2974 ## </param>
2975 #
2976 interface(`files_dontaudit_search_mnt',`
2977         gen_require(`
2978                 type mnt_t;
2979         ')
2980
2981         dontaudit $1 mnt_t:dir search_dir_perms;
2982 ')
2983
2984 ########################################
2985 ## <summary>
2986 ##      List the contents of /mnt.
2987 ## </summary>
2988 ## <param name="domain">
2989 ##      <summary>
2990 ##      Domain allowed access.
2991 ##      </summary>
2992 ## </param>
2993 #
2994 interface(`files_list_mnt',`
2995         gen_require(`
2996                 type mnt_t;
2997         ')
2998
2999         allow $1 mnt_t:dir list_dir_perms;
3000 ')
3001
3002 ########################################
3003 ## <summary>
3004 ##      Mount a filesystem on /mnt.
3005 ## </summary>
3006 ## <param name="domain">
3007 ##      <summary>
3008 ##      Domain allowed access.
3009 ##      </summary>
3010 ## </param>
3011 #
3012 interface(`files_mounton_mnt',`
3013         gen_require(`
3014                 type mnt_t;
3015         ')
3016
3017         allow $1 mnt_t:dir { search_dir_perms mounton };
3018 ')
3019
3020 ########################################
3021 ## <summary>
3022 ##      Create, read, write, and delete directories in /mnt.
3023 ## </summary>
3024 ## <param name="domain">
3025 ##      <summary>
3026 ##      Domain allowed access.
3027 ##      </summary>
3028 ## </param>
3029 ## <rolecap/>
3030 #
3031 interface(`files_manage_mnt_dirs',`
3032         gen_require(`
3033                 type mnt_t;
3034         ')
3035
3036         allow $1 mnt_t:dir manage_dir_perms;
3037 ')
3038
3039 ########################################
3040 ## <summary>
3041 ##      Create, read, write, and delete files in /mnt.
3042 ## </summary>
3043 ## <param name="domain">
3044 ##      <summary>
3045 ##      Domain allowed access.
3046 ##      </summary>
3047 ## </param>
3048 #
3049 interface(`files_manage_mnt_files',`
3050         gen_require(`
3051                 type mnt_t;
3052         ')
3053
3054         manage_files_pattern($1, mnt_t, mnt_t)
3055 ')
3056
3057 ########################################
3058 ## <summary>
3059 ##      Read files in /mnt.
3060 ## </summary>
3061 ## <param name="domain">
3062 ##      <summary>
3063 ##      Domain allowed access.
3064 ##      </summary>
3065 ## </param>
3066 #
3067 interface(`files_read_mnt_files',`
3068         gen_require(`
3069                 type mnt_t;
3070         ')
3071
3072         read_files_pattern($1, mnt_t, mnt_t)
3073 ')
3074
3075 ########################################
3076 ## <summary>
3077 ##      Create, read, write, and delete symbolic links in /mnt.
3078 ## </summary>
3079 ## <param name="domain">
3080 ##      <summary>
3081 ##      Domain allowed access.
3082 ##      </summary>
3083 ## </param>
3084 #
3085 interface(`files_manage_mnt_symlinks',`
3086         gen_require(`
3087                 type mnt_t;
3088         ')
3089
3090         manage_lnk_files_pattern($1, mnt_t, mnt_t)
3091 ')
3092
3093 ########################################
3094 ## <summary>
3095 ##      Search the contents of the kernel module directories.
3096 ## </summary>
3097 ## <param name="domain">
3098 ##      <summary>
3099 ##      Domain allowed access.
3100 ##      </summary>
3101 ## </param>
3102 #
3103 interface(`files_search_kernel_modules',`
3104         gen_require(`
3105                 type modules_object_t;
3106         ')
3107
3108         allow $1 modules_object_t:dir search_dir_perms;
3109         read_lnk_files_pattern($1, modules_object_t, modules_object_t)
3110 ')
3111
3112 ########################################
3113 ## <summary>
3114 ##      List the contents of the kernel module directories.
3115 ## </summary>
3116 ## <param name="domain">
3117 ##      <summary>
3118 ##      Domain allowed access.
3119 ##      </summary>
3120 ## </param>
3121 #
3122 interface(`files_list_kernel_modules',`
3123         gen_require(`
3124                 type modules_object_t;
3125         ')
3126
3127         allow $1 modules_object_t:dir list_dir_perms;
3128 ')
3129
3130 ########################################
3131 ## <summary>
3132 ##      Get the attributes of kernel module files.
3133 ## </summary>
3134 ## <param name="domain">
3135 ##      <summary>
3136 ##      Domain allowed access.
3137 ##      </summary>
3138 ## </param>
3139 #
3140 interface(`files_getattr_kernel_modules',`
3141         gen_require(`
3142                 type modules_object_t;
3143         ')
3144
3145         getattr_files_pattern($1, modules_object_t, modules_object_t)
3146 ')
3147
3148 ########################################
3149 ## <summary>
3150 ##      Read kernel module files.
3151 ## </summary>
3152 ## <param name="domain">
3153 ##      <summary>
3154 ##      Domain allowed access.
3155 ##      </summary>
3156 ## </param>
3157 #
3158 interface(`files_read_kernel_modules',`
3159         gen_require(`
3160                 type modules_object_t;
3161         ')
3162
3163         allow $1 modules_object_t:dir list_dir_perms;
3164         read_files_pattern($1, modules_object_t, modules_object_t)
3165         read_lnk_files_pattern($1, modules_object_t, modules_object_t)
3166 ')
3167
3168 ########################################
3169 ## <summary>
3170 ##      Write kernel module files.
3171 ## </summary>
3172 ## <param name="domain">
3173 ##      <summary>
3174 ##      Domain allowed access.
3175 ##      </summary>
3176 ## </param>
3177 #
3178 interface(`files_write_kernel_modules',`
3179         gen_require(`
3180                 type modules_object_t;
3181         ')
3182
3183         allow $1 modules_object_t:dir list_dir_perms;
             # Integrity-sensitive: modules_object_t labels the kernel module files,
             # so write access should be limited to domains that install or update
             # modules.
3184         write_files_pattern($1, modules_object_t, modules_object_t)
3185 ')
3186
3187 ########################################
3188 ## <summary>
3189 ##      Delete kernel module files.
3190 ## </summary>
3191 ## <param name="domain">
3192 ##      <summary>
3193 ##      Domain allowed access.
3194 ##      </summary>
3195 ## </param>
3196 #
3197 interface(`files_delete_kernel_modules',`
3198         gen_require(`
3199                 type modules_object_t;
3200         ')
3201
3202         delete_files_pattern($1, modules_object_t, modules_object_t)
3203 ')
3204
3205 ########################################
3206 ## <summary>
3207 ##      Create, read, write, and delete
3208 ##      kernel module files.
3209 ## </summary>
3210 ## <param name="domain">
3211 ##      <summary>
3212 ##      Domain allowed access.
3213 ##      </summary>
3214 ## </param>
3215 ## <rolecap/>
3216 #
3217 interface(`files_manage_kernel_modules',`
3218         gen_require(`
3219                 type modules_object_t;
3220         ')
3221
             # Integrity-sensitive: this allows creating, replacing and deleting the
             # kernel module files labeled modules_object_t, so it should be limited
             # to domains that install or update modules.
3222         manage_files_pattern($1, modules_object_t, modules_object_t)
3223 ')
3224
3225 ########################################
3226 ## <summary>
3227 ##      Relabel from and to kernel module files.
3228 ## </summary>
3229 ## <param name="domain">
3230 ##      <summary>
3231 ##      Domain allowed access.
3232 ##      </summary>
3233 ## </param>
3234 #
3235 interface(`files_relabel_kernel_modules',`
3236         gen_require(`
3237                 type modules_object_t;
3238         ')
3239
             # Both type arguments are modules_object_t, so only that side of a
             # relabel is covered here. NOTE(review): giving a file this label from
             # another type should still need relabel permission on that other type
             # - confirm against the relabel_files_pattern definition.
3240         relabel_files_pattern($1, modules_object_t, modules_object_t)
3241         allow $1 modules_object_t:dir list_dir_perms;
3242 ')
3243
3244 ########################################
3245 ## <summary>
3246 ##      Create objects in the kernel module directories
3247 ##      with a private type via an automatic type transition.
3248 ## </summary>
3249 ## <param name="domain">
3250 ##      <summary>
3251 ##      Domain allowed access.
3252 ##      </summary>
3253 ## </param>
3254 ## <param name="private_type">
3255 ##      <summary>
3256 ##      The type of the object to be created.
3257 ##      </summary>
3258 ## </param>
3259 ## <param name="object_class">
3260 ##      <summary>
3261 ##      The object class of the object being created.
3262 ##      </summary>
3263 ## </param>
3264 #
3265 interface(`files_kernel_modules_filetrans',`
3266         gen_require(`
3267                 type modules_object_t;
3268         ')
3269
             # Objects of the class given as the third argument, created by the
             # caller domain in modules_object_t directories, get the private type
             # given as the second argument.
             # NOTE(review): filetrans_pattern is defined outside this view; it
             # presumably also grants write access to the kernel module directories
             # so entries can be added - confirm, since that is integrity-sensitive.
3270         filetrans_pattern($1, modules_object_t, $2, $3)
3271 ')
3272
3273 ########################################
3274 ## <summary>
3275 ##      List world-readable directories.
3276 ## </summary>
3277 ## <param name="domain">
3278 ##      <summary>
3279 ##      Domain allowed access.
3280 ##      </summary>
3281 ## </param>
3282 ## <rolecap/>
3283 #
3284 interface(`files_list_world_readable',`
3285         gen_require(`
3286                 type readable_t;
3287         ')
3288
3289         allow $1 readable_t:dir list_dir_perms;
3290 ')
3291
3292 ########################################
3293 ## <summary>
3294 ##      Read world-readable files.
3295 ## </summary>
3296 ## <param name="domain">
3297 ##      <summary>
3298 ##      Domain allowed access.
3299 ##      </summary>
3300 ## </param>
3301 ## <rolecap/>
3302 #
3303 interface(`files_read_world_readable_files',`
3304         gen_require(`
3305                 type readable_t;
3306         ')
3307
3308         allow $1 readable_t:file read_file_perms;
3309 ')
3310
3311 ########################################
3312 ## <summary>
3313 ##      Read world-readable symbolic links.
3314 ## </summary>
3315 ## <param name="domain">
3316 ##      <summary>
3317 ##      Domain allowed access.
3318 ##      </summary>
3319 ## </param>
3320 ## <rolecap/>
3321 #
3322 interface(`files_read_world_readable_symlinks',`
3323         gen_require(`
3324                 type readable_t;
3325         ')
3326
3327         allow $1 readable_t:lnk_file read_lnk_file_perms;
3328 ')
3329
3330 ########################################
3331 ## <summary>
3332 ##      Read world-readable named pipes.
3333 ## </summary>
3334 ## <param name="domain">
3335 ##      <summary>
3336 ##      Domain allowed access.
3337 ##      </summary>
3338 ## </param>
3339 #
3340 interface(`files_read_world_readable_pipes',`
3341         gen_require(`
3342                 type readable_t;
3343         ')
3344
3345         allow $1 readable_t:fifo_file read_fifo_file_perms;
3346 ')
3347
3348 ########################################
3349 ## <summary>
3350 ##      Read world-readable sockets.
3351 ## </summary>
3352 ## <param name="domain">
3353 ##      <summary>
3354 ##      Domain allowed access.
3355 ##      </summary>
3356 ## </param>
3357 #
3358 interface(`files_read_world_readable_sockets',`
3359         gen_require(`
3360                 type readable_t;
3361         ')
3362
3363         allow $1 readable_t:sock_file read_sock_file_perms;
3364 ')
3365
3366 ########################################
3367 ## <summary>
3368 ##      Allow the specified type to associate
3369 ##      to a filesystem with the type of the
3370 ##      temporary directory (/tmp).
3371 ## </summary>
3372 ## <param name="file_type">
3373 ##      <summary>
3374 ##      Type of the file to associate.
3375 ##      </summary>
3376 ## </param>
3377 #
3378 interface(`files_associate_tmp',`
3379         gen_require(`
3380                 type tmp_t;
3381         ')
3382
             # Unlike most interfaces in this file the first argument is a file type
             # and not a process domain: the rule lets objects of that type be
             # associated with a filesystem labeled tmp_t.
3383         allow $1 tmp_t:filesystem associate;
3384 ')
3385
3386 ########################################
3387 ## <summary>
3388 ##      Get the attributes of the tmp directory (/tmp).
3389 ## </summary>
3390 ## <param name="domain">
3391 ##      <summary>
3392 ##      Domain allowed access.
3393 ##      </summary>
3394 ## </param>
3395 #
3396 interface(`files_getattr_tmp_dirs',`
3397         gen_require(`
3398                 type tmp_t;
3399         ')
3400
3401         allow $1 tmp_t:dir getattr;
3402 ')
3403
3404 ########################################
3405 ## <summary>
3406 ##      Do not audit attempts to get the
3407 ##      attributes of the tmp directory (/tmp).
3408 ## </summary>
3409 ## <param name="domain">
3410 ##      <summary>
3411 ##      Domain to not audit.
3412 ##      </summary>
3413 ## </param>
3414 #
3415 interface(`files_dontaudit_getattr_tmp_dirs',`
3416         gen_require(`
3417                 type tmp_t;
3418         ')
3419
3420         dontaudit $1 tmp_t:dir getattr;
3421 ')
3422
3423 ########################################
3424 ## <summary>
3425 ##      Search the tmp directory (/tmp).
3426 ## </summary>
3427 ## <param name="domain">
3428 ##      <summary>
3429 ##      Domain allowed access.
3430 ##      </summary>
3431 ## </param>
3432 #
3433 interface(`files_search_tmp',`
3434         gen_require(`
3435                 type tmp_t;
3436         ')
3437
3438         allow $1 tmp_t:dir search_dir_perms;
3439 ')
3440
3441 ########################################
3442 ## <summary>
3443 ##      Do not audit attempts to search the tmp directory (/tmp).
3444 ## </summary>
3445 ## <param name="domain">
3446 ##      <summary>
3447 ##      Domain to not audit.
3448 ##      </summary>
3449 ## </param>
3450 #
3451 interface(`files_dontaudit_search_tmp',`
3452         gen_require(`
3453                 type tmp_t;
3454         ')
3455
3456         dontaudit $1 tmp_t:dir search_dir_perms;
3457 ')
3458
3459 ########################################
3460 ## <summary>
3461 ##      List the contents of the tmp directory (/tmp).
3462 ## </summary>
3463 ## <param name="domain">
3464 ##      <summary>
3465 ##      Domain allowed access.
3466 ##      </summary>
3467 ## </param>
3468 #
3469 interface(`files_list_tmp',`
3470         gen_require(`
3471                 type tmp_t;
3472         ')
3473
3474         allow $1 tmp_t:dir list_dir_perms;
3475 ')
3476
3477 ########################################
3478 ## <summary>
3479 ##      Do not audit listing of the tmp directory (/tmp).
3480 ## </summary>
3481 ## <param name="domain">
3482 ##      <summary>
3483 ##      Domain to not audit.
3484 ##      </summary>
3485 ## </param>
3486 #
3487 interface(`files_dontaudit_list_tmp',`
3488         gen_require(`
3489                 type tmp_t;
3490         ')
3491
3492         dontaudit $1 tmp_t:dir list_dir_perms;
3493 ')
3494
3495 ########################################
3496 ## <summary>
3497 ##      Remove entries from the tmp directory.
3498 ## </summary>
3499 ## <param name="domain">
3500 ##      <summary>
3501 ##      Domain allowed access.
3502 ##      </summary>
3503 ## </param>
3504 #
3505 interface(`files_delete_tmp_dir_entry',`
3506         gen_require(`
3507                 type tmp_t;
3508         ')
3509
3510         allow $1 tmp_t:dir del_entry_dir_perms;
3511 ')
3512
3513 ########################################
3514 ## <summary>
3515 ##      Read files in the tmp directory (/tmp).
3516 ## </summary>
3517 ## <param name="domain">
3518 ##      <summary>
3519 ##      Domain allowed access.
3520 ##      </summary>
3521 ## </param>
3522 #
3523 interface(`files_read_generic_tmp_files',`
3524         gen_require(`
3525                 type tmp_t;
3526         ')
3527
3528         read_files_pattern($1, tmp_t, tmp_t)
3529 ')
3530
3531 ########################################
3532 ## <summary>
3533 ##      Manage temporary directories in /tmp.
3534 ## </summary>
3535 ## <param name="domain">
3536 ##      <summary>
3537 ##      The type of the process performing this action.
3538 ##      </summary>
3539 ## </param>
3540 #
3541 interface(`files_manage_generic_tmp_dirs',`
3542         gen_require(`
3543                 type tmp_t;
3544         ')
3545
3546         manage_dirs_pattern($1, tmp_t, tmp_t)
3547 ')
3548
3549 ########################################
3550 ## <summary>
3551 ##      Manage temporary files and directories in /tmp.
3552 ## </summary>
3553 ## <param name="domain">
3554 ##      <summary>
3555 ##      The type of the process performing this action.
3556 ##      </summary>
3557 ## </param>
3558 #
3559 interface(`files_manage_generic_tmp_files',`
3560         gen_require(`
3561                 type tmp_t;
3562         ')
3563
3564         manage_files_pattern($1, tmp_t, tmp_t)
3565 ')
3566
3567 ########################################
3568 ## <summary>
3569 ##      Read symbolic links in the tmp directory (/tmp).
3570 ## </summary>
3571 ## <param name="domain">
3572 ##      <summary>
3573 ##      Domain allowed access.
3574 ##      </summary>
3575 ## </param>
3576 #
3577 interface(`files_read_generic_tmp_symlinks',`
3578         gen_require(`
3579                 type tmp_t;
3580         ')
3581
3582         read_lnk_files_pattern($1, tmp_t, tmp_t)
3583 ')
3584
3585 ########################################
3586 ## <summary>
3587 ##      Read and write generic named sockets in the tmp directory (/tmp).
3588 ## </summary>
3589 ## <param name="domain">
3590 ##      <summary>
3591 ##      Domain allowed access.
3592 ##      </summary>
3593 ## </param>
3594 #
3595 interface(`files_rw_generic_tmp_sockets',`
3596         gen_require(`
3597                 type tmp_t;
3598         ')
3599
3600         rw_sock_files_pattern($1, tmp_t, tmp_t)
3601 ')
3602
3603 ########################################
3604 ## <summary>
3605 ##      Set the attributes of all tmp directories.
3606 ## </summary>
3607 ## <param name="domain">
3608 ##      <summary>
3609 ##      Domain allowed access.
3610 ##      </summary>
3611 ## </param>
3612 #
3613 interface(`files_setattr_all_tmp_dirs',`
3614         gen_require(`
3615                 attribute tmpfile;
3616         ')
3617
3618         allow $1 tmpfile:dir { search_dir_perms setattr };
3619 ')
3620
3621 ########################################
3622 ## <summary>
3623 ##      List all tmp directories.
3624 ## </summary>
3625 ## <param name="domain">
3626 ##      <summary>
3627 ##      Domain allowed access.
3628 ##      </summary>
3629 ## </param>
3630 #
3631 interface(`files_list_all_tmp',`
3632         gen_require(`
3633                 attribute tmpfile;
3634         ')
3635
3636         allow $1 tmpfile:dir list_dir_perms;
3637 ')
3638
3639 ########################################
3640 ## <summary>
3641 ##      Do not audit attempts to get the attributes
3642 ##      of all tmp files.
3643 ## </summary>
3644 ## <param name="domain">
3645 ##      <summary>
3646 ##      Domain not to audit.
3647 ##      </summary>
3648 ## </param>
3649 #
3650 interface(`files_dontaudit_getattr_all_tmp_files',`
3651         gen_require(`
3652                 attribute tmpfile;
3653         ')
3654
3655         dontaudit $1 tmpfile:file getattr;
3656 ')
3657
3658 ########################################
3659 ## <summary>
3660 ##      Allow attempts to get the attributes
3661 ##      of all tmp files.
3662 ## </summary>
3663 ## <param name="domain">
3664 ##      <summary>
3665 ##      Domain allowed access.
3666 ##      </summary>
3667 ## </param>
3668 #
3669 interface(`files_getattr_all_tmp_files',`
3670         gen_require(`
3671                 attribute tmpfile;
3672         ')
3673
3674         allow $1 tmpfile:file getattr;
3675 ')
3676
3677 ########################################
3678 ## <summary>
3679 ##      Do not audit attempts to get the attributes
3680 ##      of all tmp sock_file.
3681 ## </summary>
3682 ## <param name="domain">
3683 ##      <summary>
3684 ##      Domain not to audit.
3685 ##      </summary>
3686 ## </param>
3687 #
3688 interface(`files_dontaudit_getattr_all_tmp_sockets',`
3689         gen_require(`
3690                 attribute tmpfile;
3691         ')
3692
3693         dontaudit $1 tmpfile:sock_file getattr;
3694 ')
3695
3696 ########################################
3697 ## <summary>
3698 ##      Read all tmp files.
3699 ## </summary>
3700 ## <param name="domain">
3701 ##      <summary>
3702 ##      Domain allowed access.
3703 ##      </summary>
3704 ## </param>
3705 #
3706 interface(`files_read_all_tmp_files',`
3707         gen_require(`
3708                 attribute tmpfile;
3709         ')
3710
             # The rule is written against the tmpfile attribute and not
             # against tmp_t alone, so it covers every type that carries
             # that attribute.
             # NOTE(review): presumably this includes the private temporary
             # types of other domains - confirm before granting this to a
             # confined domain.
3711         read_files_pattern($1, tmpfile, tmpfile)
3712 ')
3713
3714 ########################################
3715 ## <summary>
3716 ##      Create an object in the tmp directories, with a private
3717 ##      type using a type transition.
3718 ## </summary>
3719 ## <param name="domain">
3720 ##      <summary>
3721 ##      Domain allowed access.
3722 ##      </summary>
3723 ## </param>
3724 ## <param name="private type">
3725 ##      <summary>
3726 ##      The type of the object to be created.
3727 ##      </summary>
3728 ## </param>
3729 ## <param name="object">
3730 ##      <summary>
3731 ##      The object class of the object being created.
3732 ##      </summary>
3733 ## </param>
3734 #
3735 interface(`files_tmp_filetrans',`
3736         gen_require(`
3737                 type tmp_t;
3738         ')
3739
3740         filetrans_pattern($1, tmp_t, $2, $3)
3741 ')
3742
3743 ########################################
3744 ## <summary>
3745 ##      Delete the contents of /tmp.
3746 ## </summary>
3747 ## <param name="domain">
3748 ##      <summary>
3749 ##      Domain allowed access.
3750 ##      </summary>
3751 ## </param>
3752 #
3753 interface(`files_purge_tmp',`
3754         gen_require(`
3755                 attribute tmpfile;
3756         ')
3757
             # Every rule below targets the tmpfile attribute rather than
             # tmp_t, so the grant reaches all types carrying that attribute
             # and not only generic /tmp content.
3758         allow $1 tmpfile:dir list_dir_perms;
             # Deletion is granted for directories, regular files, symbolic
             # links, fifos and named sockets. No rule in this interface
             # covers block or character device nodes.
3759         delete_dirs_pattern($1, tmpfile, tmpfile)
3760         delete_files_pattern($1, tmpfile, tmpfile)
3761         delete_lnk_files_pattern($1, tmpfile, tmpfile)
3762         delete_fifo_files_pattern($1, tmpfile, tmpfile)
3763         delete_sock_files_pattern($1, tmpfile, tmpfile)
3764 ')
3765
3766 ########################################
3767 ## <summary>
3768 ##      Search the content of /usr.
3769 ## </summary>
3770 ## <param name="domain">
3771 ##      <summary>
3772 ##      Domain allowed access.
3773 ##      </summary>
3774 ## </param>
3775 #
3776 interface(`files_search_usr',`
3777         gen_require(`
3778                 type usr_t;
3779         ')
3780
3781         allow $1 usr_t:dir search_dir_perms;
3782 ')
3783
3784 ########################################
3785 ## <summary>
3786 ##      List the contents of generic
3787 ##      directories in /usr.
3788 ## </summary>
3789 ## <param name="domain">
3790 ##      <summary>
3791 ##      Domain allowed access.
3792 ##      </summary>
3793 ## </param>
3794 #
3795 interface(`files_list_usr',`
3796         gen_require(`
3797                 type usr_t;
3798         ')
3799
3800         allow $1 usr_t:dir list_dir_perms;
3801 ')
3802
3803 ########################################
3804 ## <summary>
3805 ##      Add and remove entries from /usr directories.
3806 ## </summary>
3807 ## <param name="domain">
3808 ##      <summary>
3809 ##      Domain allowed access.
3810 ##      </summary>
3811 ## </param>
3812 #
3813 interface(`files_rw_usr_dirs',`
3814         gen_require(`
3815                 type usr_t;
3816         ')
3817
3818         allow $1 usr_t:dir rw_dir_perms;
3819 ')
3820
3821 ########################################
3822 ## <summary>
3823 ##      Do not audit attempts to add and remove entries from /usr directories.
3824 ## </summary>
3825 ## <param name="domain">
3826 ##      <summary>
3827 ##      Domain to not audit.
3828 ##      </summary>
3829 ## </param>
3830 #
3831 interface(`files_dontaudit_rw_usr_dirs',`
3832         gen_require(`
3833                 type usr_t;
3834         ')
3835
3836         dontaudit $1 usr_t:dir rw_dir_perms;
3837 ')
3838
3839 ########################################
3840 ## <summary>
3841 ##      Delete generic directories in /usr in the caller domain.
3842 ## </summary>
3843 ## <param name="domain">
3844 ##      <summary>
3845 ##      Domain allowed access.
3846 ##      </summary>
3847 ## </param>
3848 #
3849 interface(`files_delete_usr_dirs',`
3850         gen_require(`
3851                 type usr_t;
3852         ')
3853
3854         delete_dirs_pattern($1, usr_t, usr_t)
3855 ')
3856
3857 ########################################
3858 ## <summary>
3859 ##      Delete generic files in /usr in the caller domain.
3860 ## </summary>
3861 ## <param name="domain">
3862 ##      <summary>
3863 ##      Domain allowed access.
3864 ##      </summary>
3865 ## </param>
3866 #
3867 interface(`files_delete_usr_files',`
3868         gen_require(`
3869                 type usr_t;
3870         ')
3871
             # NOTE(review): unlike files_delete_usr_dirs, which goes through
             # delete_dirs_pattern, this grants only file permissions on
             # usr_t and nothing on the containing directory. Presumably the
             # caller has to obtain directory access separately - confirm,
             # or check whether delete_files_pattern was intended.
3872         allow $1 usr_t:file delete_file_perms;
3873 ')
3874
3875 ########################################
3876 ## <summary>
3877 ##      Get the attributes of files in /usr.
3878 ## </summary>
3879 ## <param name="domain">
3880 ##      <summary>
3881 ##      Domain allowed access.
3882 ##      </summary>
3883 ## </param>
3884 #
3885 interface(`files_getattr_usr_files',`
3886         gen_require(`
3887                 type usr_t;
3888         ')
3889
3890         getattr_files_pattern($1, usr_t, usr_t)
3891 ')
3892
3893 ########################################
3894 ## <summary>
3895 ##      Read generic files in /usr.
3896 ## </summary>
3897 ## <param name="domain">
3898 ##      <summary>
3899 ##      Domain allowed access.
3900 ##      </summary>
3901 ## </param>
3902 #
3903 interface(`files_read_usr_files',`
3904         gen_require(`
3905                 type usr_t;
3906         ')
3907
3908         allow $1 usr_t:dir list_dir_perms;
3909         read_files_pattern($1, usr_t, usr_t)
3910         read_lnk_files_pattern($1, usr_t, usr_t)
3911 ')
3912
3913 ########################################
3914 ## <summary>
3915 ##      Execute generic programs in /usr in the caller domain.
3916 ## </summary>
3917 ## <param name="domain">
3918 ##      <summary>
3919 ##      Domain allowed access.
3920 ##      </summary>
3921 ## </param>
3922 #
3923 interface(`files_exec_usr_files',`
3924         gen_require(`
3925                 type usr_t;
3926         ')
3927
3928         allow $1 usr_t:dir list_dir_perms;
3929         exec_files_pattern($1, usr_t, usr_t)
3930         read_lnk_files_pattern($1, usr_t, usr_t)
3931 ')
3932
3933 ########################################
3934 ## <summary>
3935 ##      Do not audit attempts to write to files in /usr.
3936 ## </summary>
3937 ## <param name="domain">
3938 ##      <summary>
3939 ##      Domain to not audit.
3940 ##      </summary>
3941 ## </param>
3942 #
3943 interface(`files_dontaudit_write_usr_files',`
3944         gen_require(`
3945                 type usr_t;
3946         ')
3947
3948         dontaudit $1 usr_t:file write;
3949 ')
3950
3951 ########################################
3952 ## <summary>
3953 ##      Create, read, write, and delete files in the /usr directory.
3954 ## </summary>
3955 ## <param name="domain">
3956 ##      <summary>
3957 ##      Domain allowed access.
3958 ##      </summary>
3959 ## </param>
3960 #
3961 interface(`files_manage_usr_files',`
3962         gen_require(`
3963                 type usr_t;
3964         ')
3965
3966         manage_files_pattern($1, usr_t, usr_t)
3967 ')
3968
3969 ########################################
3970 ## <summary>
3971 ##      Relabel a file to the type used in /usr.
3972 ## </summary>
3973 ## <param name="domain">
3974 ##      <summary>
3975 ##      Domain allowed access.
3976 ##      </summary>
3977 ## </param>
3978 #
3979 interface(`files_relabelto_usr_files',`
3980         gen_require(`
3981                 type usr_t;
3982         ')
3983
3984         relabelto_files_pattern($1, usr_t, usr_t)
3985 ')
3986
3987 ########################################
3988 ## <summary>
3989 ##      Relabel a file from the type used in /usr.
3990 ## </summary>
3991 ## <param name="domain">
3992 ##      <summary>
3993 ##      Domain allowed access.
3994 ##      </summary>
3995 ## </param>
3996 #
3997 interface(`files_relabelfrom_usr_files',`
3998         gen_require(`
3999                 type usr_t;
4000         ')
4001
4002         relabelfrom_files_pattern($1, usr_t, usr_t)
4003 ')
4004
4005 ########################################
4006 ## <summary>
4007 ##      Read symbolic links in /usr.
4008 ## </summary>
4009 ## <param name="domain">
4010 ##      <summary>
4011 ##      Domain allowed access.
4012 ##      </summary>
4013 ## </param>
4014 #
4015 interface(`files_read_usr_symlinks',`
4016         gen_require(`
4017                 type usr_t;
4018         ')
4019
4020         read_lnk_files_pattern($1, usr_t, usr_t)
4021 ')
4022
4023 ########################################
4024 ## <summary>
4025 ##      Create objects in the /usr directory
4026 ## </summary>
4027 ## <param name="domain">
4028 ##      <summary>
4029 ##      Domain allowed access.
4030 ##      </summary>
4031 ## </param>
4032 ## <param name="file_type">
4033 ##      <summary>
4034 ##      The type of the object to be created
4035 ##      </summary>
4036 ## </param>
4037 ## <param name="object_class">
4038 ##      <summary>
4039 ##      The object class.
4040 ##      </summary>
4041 ## </param>
4042 #
4043 interface(`files_usr_filetrans',`
4044         gen_require(`
4045                 type usr_t;
4046         ')
4047
4048         filetrans_pattern($1, usr_t, $2, $3)
4049 ')
4050
4051 ########################################
4052 ## <summary>
4053 ##      Do not audit attempts to search /usr/src.
4054 ## </summary>
4055 ## <param name="domain">
4056 ##      <summary>
4057 ##      Domain to not audit.
4058 ##      </summary>
4059 ## </param>
4060 #
4061 interface(`files_dontaudit_search_src',`
4062         gen_require(`
4063                 type src_t;
4064         ')
4065
4066         dontaudit $1 src_t:dir search_dir_perms;
4067 ')
4068
4069 ########################################
4070 ## <summary>
4071 ##      Get the attributes of files in /usr/src.
4072 ## </summary>
4073 ## <param name="domain">
4074 ##      <summary>
4075 ##      Domain allowed access.
4076 ##      </summary>
4077 ## </param>
4078 #
4079 interface(`files_getattr_usr_src_files',`
4080         gen_require(`
4081                 type usr_t, src_t;
4082         ')
4083
4084         getattr_files_pattern($1, src_t, src_t)
4085
4086         # /usr/src/linux symlink:
4087         read_lnk_files_pattern($1, usr_t, src_t)
4088 ')
4089
4090 ########################################
4091 ## <summary>
4092 ##      Read files in /usr/src.
4093 ## </summary>
4094 ## <param name="domain">
4095 ##      <summary>
4096 ##      Domain allowed access.
4097 ##      </summary>
4098 ## </param>
4099 #
4100 interface(`files_read_usr_src_files',`
4101         gen_require(`
4102                 type usr_t, src_t;
4103         ')
4104
4105         allow $1 usr_t:dir search_dir_perms;
4106         read_files_pattern($1, { usr_t src_t }, src_t)
4107         read_lnk_files_pattern($1, { usr_t src_t }, src_t)
4108         allow $1 src_t:dir list_dir_perms;
4109 ')
4110
4111 ########################################
4112 ## <summary>
4113 ##      Execute programs in /usr/src in the caller domain.
4114 ## </summary>
4115 ## <param name="domain">
4116 ##      <summary>
4117 ##      Domain allowed access.
4118 ##      </summary>
4119 ## </param>
4120 #
4121 interface(`files_exec_usr_src_files',`
4122         gen_require(`
4123                 type usr_t, src_t;
4124         ')
4125
4126         list_dirs_pattern($1, usr_t, src_t)
4127         exec_files_pattern($1, src_t, src_t)
4128         read_lnk_files_pattern($1, src_t, src_t)
4129 ')
4130
4131 ########################################
4132 ## <summary>
4133 ##      Install a system.map into the /boot directory.
4134 ## </summary>
4135 ## <param name="domain">
4136 ##      <summary>
4137 ##      Domain allowed access.
4138 ##      </summary>
4139 ## </param>
4140 #
4141 interface(`files_create_kernel_symbol_table',`
4142         gen_require(`
4143                 type boot_t, system_map_t;
4144         ')
4145
             # Listing and adding entries is granted on boot_t directories;
             # create and read/write is granted on system_map_t files.
             # No type transition is declared in this interface.
             # NOTE(review): presumably the new file receives system_map_t
             # through a transition or explicit labeling done elsewhere -
             # confirm against the callers.
4146         allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms };
4147         allow $1 system_map_t:file { create_file_perms rw_file_perms };
4148 ')
4149
4150 ########################################
4151 ## <summary>
4152 ##      Read system.map in the /boot directory.
4153 ## </summary>
4154 ## <param name="domain">
4155 ##      <summary>
4156 ##      Domain allowed access.
4157 ##      </summary>
4158 ## </param>
4159 #
4160 interface(`files_read_kernel_symbol_table',`
4161         gen_require(`
4162                 type boot_t, system_map_t;
4163         ')
4164
4165         allow $1 boot_t:dir list_dir_perms;
4166         read_files_pattern($1, boot_t, system_map_t)
4167 ')
4168
4169 ########################################
4170 ## <summary>
4171 ##      Delete a system.map in the /boot directory.
4172 ## </summary>
4173 ## <param name="domain">
4174 ##      <summary>
4175 ##      Domain allowed access.
4176 ##      </summary>
4177 ## </param>
4178 #
4179 interface(`files_delete_kernel_symbol_table',`
4180         gen_require(`
4181                 type boot_t, system_map_t;
4182         ')
4183
4184         allow $1 boot_t:dir list_dir_perms;
4185         delete_files_pattern($1, boot_t, system_map_t)
4186 ')
4187
4188 ########################################
4189 ## <summary>
4190 ##      Search the contents of /var.
4191 ## </summary>
4192 ## <param name="domain">
4193 ##      <summary>
4194 ##      Domain allowed access.
4195 ##      </summary>
4196 ## </param>
4197 #
4198 interface(`files_search_var',`
4199         gen_require(`
4200                 type var_t;
4201         ')
4202
4203         allow $1 var_t:dir search_dir_perms;
4204 ')
4205
4206 ########################################
4207 ## <summary>
4208 ##      Do not audit attempts to write to /var.
4209 ## </summary>
4210 ## <param name="domain">
4211 ##      <summary>
4212 ##      Domain to not audit.
4213 ##      </summary>
4214 ## </param>
4215 #
4216 interface(`files_dontaudit_write_var_dirs',`
4217         gen_require(`
4218                 type var_t;
4219         ')
4220
4221         dontaudit $1 var_t:dir write;
4222 ')
4223
4224 ########################################
4225 ## <summary>
4226 ##      Allow attempts to write to /var directories.
4227 ## </summary>
4228 ## <param name="domain">
4229 ##      <summary>
4230 ##      Domain allowed access.
4231 ##      </summary>
4232 ## </param>
4233 #
4234 interface(`files_write_var_dirs',`
4235         gen_require(`
4236                 type var_t;
4237         ')
4238
4239         allow $1 var_t:dir write;
4240 ')
4241
4242 ########################################
4243 ## <summary>
4244 ##      Do not audit attempts to search
4245 ##      the contents of /var.
4246 ## </summary>
4247 ## <param name="domain">
4248 ##      <summary>
4249 ##      Domain to not audit.
4250 ##      </summary>
4251 ## </param>
4252 #
4253 interface(`files_dontaudit_search_var',`
4254         gen_require(`
4255                 type var_t;
4256         ')
4257
4258         dontaudit $1 var_t:dir search_dir_perms;
4259 ')
4260
4261 ########################################
4262 ## <summary>
4263 ##      List the contents of /var.
4264 ## </summary>
4265 ## <param name="domain">
4266 ##      <summary>
4267 ##      Domain allowed access.
4268 ##      </summary>
4269 ## </param>
4270 #
4271 interface(`files_list_var',`
4272         gen_require(`
4273                 type var_t;
4274         ')
4275
4276         allow $1 var_t:dir list_dir_perms;
4277 ')
4278
4279 ########################################
4280 ## <summary>
4281 ##      Create, read, write, and delete directories
4282 ##      in the /var directory.
4283 ## </summary>
4284 ## <param name="domain">
4285 ##      <summary>
4286 ##      Domain allowed access.
4287 ##      </summary>
4288 ## </param>
4289 #
4290 interface(`files_manage_var_dirs',`
4291         gen_require(`
4292                 type var_t;
4293         ')
4294
4295         allow $1 var_t:dir manage_dir_perms;
4296 ')
4297
4298 ########################################
4299 ## <summary>
4300 ##      Read files in the /var directory.
4301 ## </summary>
4302 ## <param name="domain">
4303 ##      <summary>
4304 ##      Domain allowed access.
4305 ##      </summary>
4306 ## </param>
4307 #
4308 interface(`files_read_var_files',`
4309         gen_require(`
4310                 type var_t;
4311         ')
4312
4313         read_files_pattern($1, var_t, var_t)
4314 ')
4315
4316 ########################################
4317 ## <summary>
4318 ##      Read and write files in the /var directory.
4319 ## </summary>
4320 ## <param name="domain">
4321 ##      <summary>
4322 ##      Domain allowed access.
4323 ##      </summary>
4324 ## </param>
4325 #
4326 interface(`files_rw_var_files',`
4327         gen_require(`
4328                 type var_t;
4329         ')
4330
4331         rw_files_pattern($1, var_t, var_t)
4332 ')
4333
4334 ########################################
4335 ## <summary>
4336 ##      Do not audit attempts to read and write
4337 ##      files in the /var directory.
4338 ## </summary>
4339 ## <param name="domain">
4340 ##      <summary>
4341 ##      Domain to not audit.
4342 ##      </summary>
4343 ## </param>
4344 #
4345 interface(`files_dontaudit_rw_var_files',`
4346         gen_require(`
4347                 type var_t;
4348         ')
4349
4350         dontaudit $1 var_t:file rw_file_perms;
4351 ')
4352
4353 ########################################
4354 ## <summary>
4355 ##      Create, read, write, and delete files in the /var directory.
4356 ## </summary>
4357 ## <param name="domain">
4358 ##      <summary>
4359 ##      Domain allowed access.
4360 ##      </summary>
4361 ## </param>
4362 #
4363 interface(`files_manage_var_files',`
4364         gen_require(`
4365                 type var_t;
4366         ')
4367
4368         manage_files_pattern($1, var_t, var_t)
4369 ')
4370
4371 ########################################
4372 ## <summary>
4373 ##      Read symbolic links in the /var directory.
4374 ## </summary>
4375 ## <param name="domain">
4376 ##      <summary>
4377 ##      Domain allowed access.
4378 ##      </summary>
4379 ## </param>
4380 #
4381 interface(`files_read_var_symlinks',`
4382         gen_require(`
4383                 type var_t;
4384         ')
4385
4386         read_lnk_files_pattern($1, var_t, var_t)
4387 ')
4388
4389 ########################################
4390 ## <summary>
4391 ##      Create, read, write, and delete symbolic
4392 ##      links in the /var directory.
4393 ## </summary>
4394 ## <param name="domain">
4395 ##      <summary>
4396 ##      Domain allowed access.
4397 ##      </summary>
4398 ## </param>
4399 #
4400 interface(`files_manage_var_symlinks',`
4401         gen_require(`
4402                 type var_t;
4403         ')
4404
4405         manage_lnk_files_pattern($1, var_t, var_t)
4406 ')
4407
4408 ########################################
4409 ## <summary>
4410 ##      Create objects in the /var directory
4411 ## </summary>
4412 ## <param name="domain">
4413 ##      <summary>
4414 ##      Domain allowed access.
4415 ##      </summary>
4416 ## </param>
4417 ## <param name="file_type">
4418 ##      <summary>
4419 ##      The type of the object to be created
4420 ##      </summary>
4421 ## </param>
4422 ## <param name="object_class">
4423 ##      <summary>
4424 ##      The object class.
4425 ##      </summary>
4426 ## </param>
4427 #
4428 interface(`files_var_filetrans',`
4429         gen_require(`
4430                 type var_t;
4431         ')
4432
4433         filetrans_pattern($1, var_t, $2, $3)
4434 ')
4435
4436 ########################################
4437 ## <summary>
4438 ##      Get the attributes of the /var/lib directory.
4439 ## </summary>
4440 ## <param name="domain">
4441 ##      <summary>
4442 ##      Domain allowed access.
4443 ##      </summary>
4444 ## </param>
4445 #
4446 interface(`files_getattr_var_lib_dirs',`
4447         gen_require(`
4448                 type var_t, var_lib_t;
4449         ')
4450
4451         getattr_dirs_pattern($1, var_t, var_lib_t)
4452 ')
4453
4454 ########################################
4455 ## <summary>
4456 ##      Search the /var/lib directory.
4457 ## </summary>
4458 ## <param name="domain">
4459 ##      <summary>
4460 ##      Domain allowed access.
4461 ##      </summary>
4462 ## </param>
4463 #
4464 interface(`files_search_var_lib',`
4465         gen_require(`
4466                 type var_t, var_lib_t;
4467         ')
4468
4469         search_dirs_pattern($1, var_t, var_lib_t)
4470 ')
4471
4472 ########################################
4473 ## <summary>
4474 ##      List the contents of the /var/lib directory.
4475 ## </summary>
4476 ## <param name="domain">
4477 ##      <summary>
4478 ##      Domain allowed access.
4479 ##      </summary>
4480 ## </param>
4481 #
4482 interface(`files_list_var_lib',`
4483         gen_require(`
4484                 type var_t, var_lib_t;
4485         ')
4486
4487         list_dirs_pattern($1, var_t, var_lib_t)
4488 ')
4489
4490 ###########################################
4491 ## <summary>
4492 ##      Read-write /var/lib directories
4493 ## </summary>
4494 ## <param name="domain">
4495 ##      <summary>
4496 ##      Domain allowed access.
4497 ##      </summary>
4498 ## </param>
4499 #
4500 interface(`files_rw_var_lib_dirs',`
4501         gen_require(`
4502                 type var_lib_t;
4503         ')
4504
4505         rw_dirs_pattern($1, var_lib_t, var_lib_t)
4506 ')
4507
4508 ########################################
4509 ## <summary>
4510 ##      Create objects in the /var/lib directory
4511 ## </summary>
4512 ## <param name="domain">
4513 ##      <summary>
4514 ##      Domain allowed access.
4515 ##      </summary>
4516 ## </param>
4517 ## <param name="file_type">
4518 ##      <summary>
4519 ##      The type of the object to be created
4520 ##      </summary>
4521 ## </param>
4522 ## <param name="object_class">
4523 ##      <summary>
4524 ##      The object class.
4525 ##      </summary>
4526 ## </param>
4527 #
4528 interface(`files_var_lib_filetrans',`
4529         gen_require(`
4530                 type var_t, var_lib_t;
4531         ')
4532
4533         allow $1 var_t:dir search_dir_perms;
4534         filetrans_pattern($1, var_lib_t, $2, $3)
4535 ')
4536
4537 ########################################
4538 ## <summary>
4539 ##      Read generic files in /var/lib.
4540 ## </summary>
4541 ## <param name="domain">
4542 ##      <summary>
4543 ##      Domain allowed access.
4544 ##      </summary>
4545 ## </param>
4546 #
4547 interface(`files_read_var_lib_files',`
4548         gen_require(`
4549                 type var_t, var_lib_t;
4550         ')
4551
4552         allow $1 var_lib_t:dir list_dir_perms;
4553         read_files_pattern($1, { var_t var_lib_t }, var_lib_t)
4554 ')
4555
4556 ########################################
4557 ## <summary>
4558 ##      Read generic symbolic links in /var/lib
4559 ## </summary>
4560 ## <param name="domain">
4561 ##      <summary>
4562 ##      Domain allowed access.
4563 ##      </summary>
4564 ## </param>
4565 #
4566 interface(`files_read_var_lib_symlinks',`
4567         gen_require(`
4568                 type var_t, var_lib_t;
4569         ')
4570
4571         read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
4572 ')
4573
4574 # cjp: the next two interfaces really need to be fixed
4575 # in some way.  They really need their own types.
4576
4577 ########################################
4578 ## <summary>
4579 ##      Create, read, write, and delete the
4580 ##      pseudorandom number generator seed.
4581 ## </summary>
4582 ## <param name="domain">
4583 ##      <summary>
4584 ##      Domain allowed access.
4585 ##      </summary>
4586 ## </param>
4587 #
4588 interface(`files_manage_urandom_seed',`
4589         gen_require(`
4590                 type var_t, var_lib_t;
4591         ')
4592
4593         allow $1 var_t:dir search_dir_perms;
             # No dedicated type is used for the seed here: the rule grants
             # manage access to every file labeled var_lib_t, which is wider
             # than the summary suggests. Treat a caller of this interface as
             # able to modify any generic /var/lib file.
4594         manage_files_pattern($1, var_lib_t, var_lib_t)
4595 ')
4596
4597 ########################################
4598 ## <summary>
4599 ##      Allow domain to manage mount tables
4600 ##      necessary for rpcd, nfsd, etc.
4601 ## </summary>
4602 ## <param name="domain">
4603 ##      <summary>
4604 ##      Domain allowed access.
4605 ##      </summary>
4606 ## </param>
4607 #
4608 interface(`files_manage_mounttab',`
4609         gen_require(`
4610                 type var_t, var_lib_t;
4611         ')
4612
4613         allow $1 var_t:dir search_dir_perms;
             # No dedicated type is used for the mount tables here: the rule
             # grants manage access to every file labeled var_lib_t, which is
             # wider than the summary suggests. The rules are the same as in
             # files_manage_urandom_seed.
4614         manage_files_pattern($1, var_lib_t, var_lib_t)
4615 ')
4616
4617 ########################################
4618 ## <summary>
4619 ##      Search the locks directory (/var/lock).
4620 ## </summary>
4621 ## <param name="domain">
4622 ##      <summary>
4623 ##      Domain allowed access.
4624 ##      </summary>
4625 ## </param>
4626 #
4627 interface(`files_search_locks',`
4628         gen_require(`
4629                 type var_t, var_lock_t;
4630         ')
4631
4632         search_dirs_pattern($1, var_t, var_lock_t)
4633 ')
4634
4635 ########################################
4636 ## <summary>
4637 ##      Do not audit attempts to search the
4638 ##      locks directory (/var/lock).
4639 ## </summary>
4640 ## <param name="domain">
4641 ##      <summary>
4642 ##      Domain to not audit.
4643 ##      </summary>
4644 ## </param>
4645 #
4646 interface(`files_dontaudit_search_locks',`
4647         gen_require(`
4648                 type var_lock_t;
4649         ')
4650
4651         dontaudit $1 var_lock_t:dir search_dir_perms;
4652 ')
4653
4654 ########################################
4655 ## <summary>
4656 ##      Add and remove entries in the /var/lock
4657 ##      directories.
4658 ## </summary>
4659 ## <param name="domain">
4660 ##      <summary>
4661 ##      Domain allowed access.
4662 ##      </summary>
4663 ## </param>
4664 #
4665 interface(`files_rw_lock_dirs',`
4666         gen_require(`
4667                 type var_t, var_lock_t;
4668         ')
4669
4670         rw_dirs_pattern($1, var_t, var_lock_t)
4671 ')
4672
4673 ########################################
4674 ## <summary>
4675 ##      Get the attributes of generic lock files.
4676 ## </summary>
4677 ## <param name="domain">
4678 ##      <summary>
4679 ##      Domain allowed access.
4680 ##      </summary>
4681 ## </param>
4682 #
4683 interface(`files_getattr_generic_locks',`
4684         gen_require(`
4685                 type var_t, var_lock_t;
4686         ')
4687
4688         allow $1 var_t:dir search_dir_perms;
4689         allow $1 var_lock_t:dir list_dir_perms;
4690         getattr_files_pattern($1, var_lock_t, var_lock_t)
4691 ')
4692
4693 ########################################
4694 ## <summary>
4695 ##      Create, read, write, and delete generic
4696 ##      lock files.
4697 ## </summary>
4698 ## <param name="domain">
4699 ##      <summary>
4700 ##      Domain allowed access.
4701 ##      </summary>
4702 ## </param>
4703 #
4704 interface(`files_manage_generic_locks',`
4705         gen_require(`
4706                 type var_t, var_lock_t;
4707         ')
4708
4709         allow $1 var_t:dir search_dir_perms;
4710         manage_files_pattern($1, var_lock_t, var_lock_t)
4711 ')
4712
4713 ########################################
4714 ## <summary>
4715 ##      Delete all lock files.
4716 ## </summary>
4717 ## <param name="domain">
4718 ##      <summary>
4719 ##      Domain allowed access.
4720 ##      </summary>
4721 ## </param>
4722 ## <rolecap/>
4723 #
4724 interface(`files_delete_all_locks',`
4725         gen_require(`
4726                 attribute lockfile;
4727                 type var_t;
4728         ')
4729         # Scope is every type carrying the lockfile attribute (assigned through files_lock_file), not one type.
4730         allow $1 var_t:dir search_dir_perms;
4731         delete_files_pattern($1, lockfile, lockfile)
4732 ')
4733
4734 ########################################
4735 ## <summary>
4736 ##      Read all lock files.
4737 ## </summary>
4738 ## <param name="domain">
4739 ##      <summary>
4740 ##      Domain allowed access.
4741 ##      </summary>
4742 ## </param>
4743 #
4744 interface(`files_read_all_locks',`
4745         gen_require(`
4746                 attribute lockfile;
4747                 type var_t, var_lock_t;
4748         ')
4749         # Scope is every type carrying the lockfile attribute; directories of those types can be listed as well.
4750         allow $1 { var_t var_lock_t }:dir search_dir_perms;
4751         allow $1 lockfile:dir list_dir_perms;
4752         read_files_pattern($1, lockfile, lockfile)
4753         read_lnk_files_pattern($1, lockfile, lockfile) # symbolic links too, going by the pattern name
4754 ')
4755
4756 ########################################
4757 ## <summary>
4758 ##      Manage all lock files.
4759 ## </summary>
4760 ## <param name="domain">
4761 ##      <summary>
4762 ##      Domain allowed access.
4763 ##      </summary>
4764 ## </param>
4765 #
4766 interface(`files_manage_all_locks',`
4767         gen_require(`
4768                 attribute lockfile;
4769                 type var_t, var_lock_t;
4770         ')
4771         # Widest lock interface in this section: directories, files and symlinks of every lockfile type.
4772         allow $1 { var_t var_lock_t }:dir search_dir_perms;
4773         manage_dirs_pattern($1, lockfile, lockfile)
4774         manage_files_pattern($1, lockfile, lockfile) # files_manage_generic_locks or files_lock_filetrans is narrower when one type is enough
4775         manage_lnk_files_pattern($1, lockfile, lockfile)
4776 ')
4777
4778 ########################################
4779 ## <summary>
4780 ##      Create an object in the locks directory, with a private
4781 ##      type using a type transition.
4782 ## </summary>
4783 ## <param name="domain">
4784 ##      <summary>
4785 ##      Domain allowed access.
4786 ##      </summary>
4787 ## </param>
4788 ## <param name="private type">
4789 ##      <summary>
4790 ##      The type of the object to be created.
4791 ##      </summary>
4792 ## </param>
4793 ## <param name="object">
4794 ##      <summary>
4795 ##      The object class of the object being created.
4796 ##      </summary>
4797 ## </param>
4798 #
4799 interface(`files_lock_filetrans',`
4800         gen_require(`
4801                 type var_t, var_lock_t;
4802         ')
4803
4804         allow $1 var_t:dir search_dir_perms;
4805         filetrans_pattern($1, var_lock_t, $2, $3)
4806 ')
4807
4808 ########################################
4809 ## <summary>
4810 ##      Do not audit attempts to get the attributes
4811 ##      of the /var/run directory.
4812 ## </summary>
4813 ## <param name="domain">
4814 ##      <summary>
4815 ##      Domain to not audit.
4816 ##      </summary>
4817 ## </param>
4818 #
4819 interface(`files_dontaudit_getattr_pid_dirs',`
4820         gen_require(`
4821                 type var_run_t;
4822         ')
4823
4824         dontaudit $1 var_run_t:dir getattr;
4825 ')
4826
4827 ########################################
4828 ## <summary>
4829 ##      Search the contents of runtime process
4830 ##      ID directories (/var/run).
4831 ## </summary>
4832 ## <param name="domain">
4833 ##      <summary>
4834 ##      Domain allowed access.
4835 ##      </summary>
4836 ## </param>
4837 #
4838 interface(`files_search_pids',`
4839         gen_require(`
4840                 type var_t, var_run_t;
4841         ')
4842
4843         search_dirs_pattern($1, var_t, var_run_t)
4844 ')
4845
4846 ########################################
4847 ## <summary>
4848 ##      Do not audit attempts to search
4849 ##      the /var/run directory.
4850 ## </summary>
4851 ## <param name="domain">
4852 ##      <summary>
4853 ##      Domain to not audit.
4854 ##      </summary>
4855 ## </param>
4856 #
4857 interface(`files_dontaudit_search_pids',`
4858         gen_require(`
4859                 type var_run_t;
4860         ')
4861
4862         dontaudit $1 var_run_t:dir search_dir_perms;
4863 ')
4864
4865 ########################################
4866 ## <summary>
4867 ##      List the contents of the runtime process
4868 ##      ID directories (/var/run).
4869 ## </summary>
4870 ## <param name="domain">
4871 ##      <summary>
4872 ##      Domain allowed access.
4873 ##      </summary>
4874 ## </param>
4875 #
4876 interface(`files_list_pids',`
4877         gen_require(`
4878                 type var_t, var_run_t;
4879         ')
4880
4881         list_dirs_pattern($1, var_t, var_run_t)
4882 ')
4883
4884 ########################################
4885 ## <summary>
4886 ##      Read generic process ID files.
4887 ## </summary>
4888 ## <param name="domain">
4889 ##      <summary>
4890 ##      Domain allowed access.
4891 ##      </summary>
4892 ## </param>
4893 #
4894 interface(`files_read_generic_pids',`
4895         gen_require(`
4896                 type var_t, var_run_t;
4897         ')
4898
4899         list_dirs_pattern($1, var_t, var_run_t)
4900         read_files_pattern($1, var_run_t, var_run_t)
4901 ')
4902
4903 ########################################
4904 ## <summary>
4905 ##      Create an object in the process ID directory, with a private
4906 ##      type using a type transition.
4907 ## </summary>
4908 ## <param name="domain">
4909 ##      <summary>
4910 ##      Domain allowed access.
4911 ##      </summary>
4912 ## </param>
4913 ## <param name="private type">
4914 ##      <summary>
4915 ##      The type of the object to be created.
4916 ##      </summary>
4917 ## </param>
4918 ## <param name="object">
4919 ##      <summary>
4920 ##      The object class of the object being created.
4921 ##      </summary>
4922 ## </param>
4923 #
4924 interface(`files_pid_filetrans',`
4925         gen_require(`
4926                 type var_t, var_run_t;
4927         ')
4928
4929         allow $1 var_t:dir search_dir_perms;
4930         filetrans_pattern($1, var_run_t, $2, $3)
4931 ')
4932
4933 ########################################
4934 ## <summary>
4935 ##      Read and write generic process ID files.
4936 ## </summary>
4937 ## <param name="domain">
4938 ##      <summary>
4939 ##      Domain allowed access.
4940 ##      </summary>
4941 ## </param>
4942 #
4943 interface(`files_rw_generic_pids',`
4944         gen_require(`
4945                 type var_t, var_run_t;
4946         ')
4947
4948         list_dirs_pattern($1, var_t, var_run_t)
4949         rw_files_pattern($1, var_run_t, var_run_t)
4950 ')
4951
4952 ########################################
4953 ## <summary>
4954 ##      Do not audit attempts to write to daemon runtime data files.
4955 ## </summary>
4956 ## <param name="domain">
4957 ##      <summary>
4958 ##      Domain to not audit.
4959 ##      </summary>
4960 ## </param>
4961 #
4962 interface(`files_dontaudit_write_all_pids',`
4963         gen_require(`
4964                 attribute pidfile;
4965         ')
4966         # dontaudit grants no access: it only suppresses the AVC record when this access is denied.
4967         dontaudit $1 pidfile:file write; # hidden denials reappear when dontaudit rules are disabled, e.g. semodule -DB
4968 ')
4969
4970 ########################################
4971 ## <summary>
4972 ##      Do not audit attempts to ioctl daemon runtime data files.
4973 ## </summary>
4974 ## <param name="domain">
4975 ##      <summary>
4976 ##      Domain to not audit.
4977 ##      </summary>
4978 ## </param>
4979 #
4980 interface(`files_dontaudit_ioctl_all_pids',`
4981         gen_require(`
4982                 attribute pidfile;
4983         ')
4984         # dontaudit grants no access: denied ioctl attempts on pidfile-typed files are simply not logged.
4985         dontaudit $1 pidfile:file ioctl;
4986 ')
4987
4988 ########################################
4989 ## <summary>
4990 ##      Read all process ID files.
4991 ## </summary>
4992 ## <param name="domain">
4993 ##      <summary>
4994 ##      Domain allowed access.
4995 ##      </summary>
4996 ## </param>
4997 ## <rolecap/>
4998 #
4999 interface(`files_read_all_pids',`
5000         gen_require(`
5001                 attribute pidfile;
5002                 type var_t;
5003         ')
5004
5005         list_dirs_pattern($1, var_t, pidfile)
5006         read_files_pattern($1, pidfile, pidfile)
5007 ')
5008
5009 ########################################
5010 ## <summary>
5011 ##      Mount filesystems on all polyinstantiation
5012 ##      member directories.
5013 ## </summary>
5014 ## <param name="domain">
5015 ##      <summary>
5016 ##      Domain allowed access.
5017 ##      </summary>
5018 ## </param>
5019 #
5020 interface(`files_mounton_all_poly_members',`
5021         gen_require(`
5022                 attribute polymember;
5023         ')
5024
5025         allow $1 polymember:dir mounton;
5026 ')
5027
5028 ########################################
5029 ## <summary>
5030 ##      Delete all process IDs.
5031 ## </summary>
5032 ## <param name="domain">
5033 ##      <summary>
5034 ##      Domain allowed access.
5035 ##      </summary>
5036 ## </param>
5037 ## <rolecap/>
5038 #
5039 interface(`files_delete_all_pids',`
5040         gen_require(`
5041                 attribute pidfile;
5042                 type var_t, var_run_t;
5043         ')
5044         # Wider than plain pid files: every pidfile-attributed type, plus some objects labeled var_run_t itself.
5045         allow $1 var_t:dir search_dir_perms;
5046         allow $1 var_run_t:dir rmdir; # removal of var_run_t directories, not only of their contents
5047         allow $1 var_run_t:lnk_file delete_lnk_file_perms;
5048         delete_files_pattern($1, pidfile, pidfile)
5049         delete_fifo_files_pattern($1, pidfile, pidfile)
5050         delete_sock_files_pattern($1, pidfile, { pidfile var_run_t }) # presumably sockets labeled pidfile or var_run_t - confirm against the pattern definition
5051 ')
5052
5053 ########################################
5054 ## <summary>
5055 ##      Delete all process ID directories.
5056 ## </summary>
5057 ## <param name="domain">
5058 ##      <summary>
5059 ##      Domain allowed access.
5060 ##      </summary>
5061 ## </param>
5062 #
5063 interface(`files_delete_all_pid_dirs',`
5064         gen_require(`
5065                 attribute pidfile;
5066                 type var_t;
5067         ')
5068
5069         allow $1 var_t:dir search_dir_perms;
5070         delete_dirs_pattern($1, pidfile, pidfile)
5071 ')
5072
5073 ########################################
5074 ## <summary>
5075 ##      Search the contents of generic spool
5076 ##      directories (/var/spool).
5077 ## </summary>
5078 ## <param name="domain">
5079 ##      <summary>
5080 ##      Domain allowed access.
5081 ##      </summary>
5082 ## </param>
5083 #
5084 interface(`files_search_spool',`
5085         gen_require(`
5086                 type var_t, var_spool_t;
5087         ')
5088
5089         search_dirs_pattern($1, var_t, var_spool_t)
5090 ')
5091
5092 ########################################
5093 ## <summary>
5094 ##      Do not audit attempts to search generic
5095 ##      spool directories.
5096 ## </summary>
5097 ## <param name="domain">
5098 ##      <summary>
5099 ##      Domain to not audit.
5100 ##      </summary>
5101 ## </param>
5102 #
5103 interface(`files_dontaudit_search_spool',`
5104         gen_require(`
5105                 type var_spool_t;
5106         ')
5107
5108         dontaudit $1 var_spool_t:dir search_dir_perms;
5109 ')
5110
5111 ########################################
5112 ## <summary>
5113 ##      List the contents of generic spool
5114 ##      (/var/spool) directories.
5115 ## </summary>
5116 ## <param name="domain">
5117 ##      <summary>
5118 ##      Domain allowed access.
5119 ##      </summary>
5120 ## </param>
5121 #
5122 interface(`files_list_spool',`
5123         gen_require(`
5124                 type var_t, var_spool_t;
5125         ')
5126
5127         list_dirs_pattern($1, var_t, var_spool_t)
5128 ')
5129
5130 ########################################
5131 ## <summary>
5132 ##      Create, read, write, and delete generic
5133 ##      spool directories (/var/spool).
5134 ## </summary>
5135 ## <param name="domain">
5136 ##      <summary>
5137 ##      Domain allowed access.
5138 ##      </summary>
5139 ## </param>
5140 #
5141 interface(`files_manage_generic_spool_dirs',`
5142         gen_require(`
5143                 type var_t, var_spool_t;
5144         ')
5145
5146         allow $1 var_t:dir search_dir_perms;
5147         manage_dirs_pattern($1, var_spool_t, var_spool_t)
5148 ')
5149
5150 ########################################
5151 ## <summary>
5152 ##      Read generic spool files.
5153 ## </summary>
5154 ## <param name="domain">
5155 ##      <summary>
5156 ##      Domain allowed access.
5157 ##      </summary>
5158 ## </param>
5159 #
5160 interface(`files_read_generic_spool',`
5161         gen_require(`
5162                 type var_t, var_spool_t;
5163         ')
5164
5165         list_dirs_pattern($1, var_t, var_spool_t)
5166         read_files_pattern($1, var_spool_t, var_spool_t)
5167 ')
5168
5169 ########################################
5170 ## <summary>
5171 ##      Create, read, write, and delete generic
5172 ##      spool files.
5173 ## </summary>
5174 ## <param name="domain">
5175 ##      <summary>
5176 ##      Domain allowed access.
5177 ##      </summary>
5178 ## </param>
5179 #
5180 interface(`files_manage_generic_spool',`
5181         gen_require(`
5182                 type var_t, var_spool_t;
5183         ')
5184
5185         allow $1 var_t:dir search_dir_perms;
5186         manage_files_pattern($1, var_spool_t, var_spool_t)
5187 ')
5188
5189 ########################################
5190 ## <summary>
5191 ##      Create objects in the spool directory
5192 ##      with a private type using a type transition.
5193 ## </summary>
5194 ## <param name="domain">
5195 ##      <summary>
5196 ##      Domain allowed access.
5197 ##      </summary>
5198 ## </param>
5199 ## <param name="file">
5200 ##      <summary>
5201 ##      Type to which the created node will be transitioned.
5202 ##      </summary>
5203 ## </param>
5204 ## <param name="class">
5205 ##      <summary>
5206 ##      Object class(es) (single or set including {}) for which
5207 ##      the transition will occur.
5208 ##      </summary>
5209 ## </param>
5210 #
5211 interface(`files_spool_filetrans',`
5212         gen_require(`
5213                 type var_t, var_spool_t;
5214         ')
5215
5216         allow $1 var_t:dir search_dir_perms;
5217         filetrans_pattern($1, var_spool_t, $2, $3)
5218 ')
5219
5220 ########################################
5221 ## <summary>
5222 ##      Allow access to manage all polyinstantiated
5223 ##      directories on the system.
5224 ## </summary>
5225 ## <param name="domain">
5226 ##      <summary>
5227 ##      Domain allowed access.
5228 ##      </summary>
5229 ## </param>
5230 #
5231 interface(`files_polyinstantiate_all',`
5232         gen_require(`
5233                 attribute polydir, polymember, polyparent;
5234                 type poly_t;
5235         ')
5236         # Broad grant: capabilities, mounton, relabeling and process setfscreate all come with this one call.
5237         # Need to give access to /selinux/member
5238         selinux_compute_member($1)
5239
5240         # Need sys_admin capability for mounting; chown, fsetid and fowner are granted alongside it
5241         allow $1 self:capability { chown fsetid sys_admin fowner };
5242
5243         # Need to give access to the directories to be polyinstantiated
5244         allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
5245
5246         # Need to give access to the polyinstantiated subdirectories
5247         allow $1 polymember:dir search_dir_perms;
5248
5249         # Need to give access to parent directories where original
5250         # is remounted for polyinstantiation aware programs (like gdm)
5251         allow $1 polyparent:dir { getattr mounton };
5252
5253         # Need to give permission to create directories where applicable
5254         allow $1 self:process setfscreate;
5255         allow $1 polymember: dir { create setattr relabelto };
5256         allow $1 polydir: dir { write add_name open }; # redundant: all three are already in the polydir rule above
5257         allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
5258
5259         # Default type for mountpoints
5260         allow $1 poly_t:dir { create mounton };
5261         fs_unmount_xattr_fs($1)
5262
5263         ifdef(`distro_redhat',`
5264                 # namespace.init; NOTE(review): by their names the last two calls add domain transitions to setfiles and mount - confirm
5265                 files_search_home($1)
5266                 corecmd_exec_bin($1)
5267                 seutil_domtrans_setfiles($1)
5268                 mount_domtrans($1)
5269         ')
5270 ')
5271
5272 ########################################
5273 ## <summary>
5274 ##      Unconfined access to files.
5275 ## </summary>
5276 ## <param name="domain">
5277 ##      <summary>
5278 ##      Domain allowed access.
5279 ##      </summary>
5280 ## </param>
5281 #
5282 interface(`files_unconfined',`
5283         gen_require(`
5284                 attribute files_unconfined_type;
5285         ')
5286         # Only adds the attribute; the rules written against files_unconfined_type are not in this interface - review them before calling.
5287         typeattribute $1 files_unconfined_type;
5288 ')