Changeset 475

Show
Ignore:
Timestamp:
07/07/05 12:25:53 (3 years ago)
Author:
cpebenito
Message:

tag for 20050707 release

Files:

Legend:

Unmodified
Added
Removed
Modified
Copied
Moved
  • tags/RELEASE_20050707/docs/macro_conversion_guide

    r182 r475  
    99######################################## 
    1010# 
    11 # Object class sets 
    12 # 
    13  
    14 # 
    15 # devfile_class_set 
    16 # 
    17 { chr_file blk_file } 
    18  
    19 # 
    20 # dgram_socket_class_set 
    21 # 
    22 { udp_socket unix_dgram_socket } 
    23  
    24 # 
    25 # dir_file_class_set 
    26 # 
    27 { dir file lnk_file sock_file fifo_file chr_file blk_file } 
    28  
    29 # 
    30 # file_class_set 
    31 # 
    32 { file lnk_file sock_file fifo_file chr_file blk_file } 
    33  
    34 # 
    35 # notdevfile_class_set 
    36 # 
    37 { file lnk_file sock_file fifo_file } 
    38  
    39 # 
    40 # socket_class_set 
    41 # 
    42 { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } 
    43  
    44 # 
    45 # stream_socket_class_set 
    46 # 
    47 { tcp_socket unix_stream_socket } 
    48  
    49 # 
    50 # unpriv_socket_class_set 
    51 # 
    52 { tcp_socket udp_socket unix_stream_socket unix_dgram_socket } 
    53  
    54 ######################################## 
    55 # 
    56 # Permission Sets 
    57 # 
    58  
    59 # 
    60 # connected_socket_perms 
    61 # 
    62 { create ioctl read getattr write setattr append bind getopt setopt shutdown } 
    63  
    64 # 
    65 # connected_stream_socket_perms 
    66 # 
    67 { create ioctl read getattr write setattr append bind getopt setopt shutdown listen accept } 
    68  
    69 # 
    70 # create_dir_perms 
    71 # 
    72 { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir } 
    73  
    74 # 
    75 # create_file_perms 
    76 # 
    77 { create ioctl read getattr lock write setattr append link unlink rename } 
    78  
    79 # 
    80 # create_lnk_perms 
    81 # 
    82 { create read getattr setattr link unlink rename } 
    83  
    84 # 
    85 # create_msgq_perms 
    86 # 
    87 { associate getattr setattr create destroy read write enqueue unix_read unix_write } 
    88  
    89 # 
    90 # create_netlink_socket_perms 
    91 # 
    92 { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write } 
    93  
    94 # 
    95 # create_sem_perms 
    96 # 
    97 { associate getattr setattr create destroy read write unix_read unix_write } 
    98  
    99 # 
    100 # create_shm_perms 
    101 # 
    102 { associate getattr setattr create destroy read write lock unix_read unix_write } 
    103  
    104 # 
    105 # create_socket_perms 
    106 # 
    107 { create ioctl read getattr write setattr append bind connect getopt setopt shutdown } 
    108  
    109 # 
    110 # create_stream_socket_perms 
    111 # 
    112 { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept } 
    113  
    114 # 
    115 # link_file_perms 
    116 # 
    117 { getattr link unlink rename } 
    118  
    119 # 
    120 # mount_fs_perms 
    121 # 
    122 { mount remount unmount getattr } 
    123  
    124 # 
    125 # packet_perms 
    126 # 
    127 { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send } 
    128  
    129 # 
    130 # r_dir_perms 
    131 # 
    132 { read getattr lock search ioctl } 
    133  
    134 # 
    135 # r_file_perms 
    136 # 
    137 { read getattr lock ioctl } 
    138  
    139 # 
    140 # r_msgq_perms 
    141 # 
    142 { associate getattr read unix_read } 
    143  
    144 # 
    145 # r_netlink_socket_perms 
    146 # 
    147 { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read } 
    148  
    149 # 
    150 # r_sem_perms 
    151 # 
    152 { associate getattr read unix_read } 
    153  
    154 # 
    155 # r_shm_perms 
    156 # 
    157 { associate getattr read unix_read } 
    158  
    159 # 
    160 # ra_dir_perms 
    161 # 
    162 { read getattr lock search ioctl add_name write } 
    163  
    164 # 
    165 # ra_file_perms 
    166 # 
    167 { ioctl read getattr lock append } 
    168  
    169 # 
    170 # rw_dir_perms 
    171 # 
    172 { read getattr lock search ioctl add_name remove_name write } 
    173  
    174 # 
    175 # rw_file_perms 
    176 # 
    177 { getattr read write append ioctl lock } 
    178  
    179 # 
    180 # rw_msgq_perms 
    181 # 
    182 { associate getattr read write enqueue unix_read unix_write } 
    183  
    184 # 
    185 # rw_netlink_socket_perms 
    186 # 
    187 { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write } 
    188  
    189 # 
    190 # rw_sem_perms 
    191 # 
    192 { associate getattr read write unix_read unix_write } 
    193  
    194 # 
    195 # rw_shm_perms 
    196 # 
    197 { associate getattr read write lock unix_read unix_write } 
    198  
    199 # 
    200 # rw_socket_perms 
    201 # 
    202 { ioctl read getattr write setattr append bind connect getopt setopt shutdown } 
    203  
    204 # 
    205 # rw_stream_socket_perms 
    206 # 
    207 { ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept } 
    208  
    209 # 
    210 # rx_file_perms 
    211 # 
    212 { read getattr lock execute ioctl } 
    213  
    214 # 
    215 # signal_perms 
    216 # 
    217 { sigchld sigkill sigstop signull signal } 
    218  
    219 # 
    220 # stat_file_perms 
    221 # 
    222 { getattr } 
    223  
    224 # 
    225 # x_file_perms 
    226 # 
    227 { getattr execute } 
    228  
    229 ######################################## 
    230 # 
    23111# Attributes 
    23212# 
     
    24121# auth: complete 
    24222# 
    243 authlogin_read_shadow_passwords($1) 
     23auth_read_shadow($1) 
    24424 
    24525# 
    24626# auth_chkpwd: complete 
    24727# 
    248 authlogin_check_password_transition($1) 
     28auth_domtrans_chk_passwd($1) 
    24929 
    25030# 
    25131# file_type: complete 
    25232# 
    253 files_make_file($1) 
     33files_file_type($1) 
    25434 
    25535# 
     
    26343# privfd: complete 
    26444# 
    265 domain_make_file_descriptors_widely_inheritable($1) 
     45domain_wide_inherit_fd($1) 
    26646 
    26747# 
    26848# privlog: complete 
    26949# 
    270 logging_send_system_log_message($1) 
     50logging_send_syslog_msg($1) 
    27151 
    27252# 
     
    28262# privmodule: complete 
    28363# 
    284 modutils_insmod_transition($1) 
     64modutils_domtrans_insmod($1) 
    28565 
    28666# 
    28767# privowner: complete 
    28868# 
    289 kernel_make_object_identity_change_constraint_exception($1) 
     69domain_obj_id_change_exempt($1) 
    29070 
    29171# 
    29272# privrole: complete 
    29373# 
    294 kernel_make_role_change_constraint_exception($1) 
     74domain_role_change_exempt($1) 
    29575 
    29676# 
    29777# privuser: complete 
    29878# 
    299 kernel_make_process_identity_change_constraint_exception($1) 
     79domain_subj_id_change_exempt($1) 
    30080 
    30181######################################## 
     
    31393 
    31494# 
    315 # admin_domain(): 
    316 # 
    317  
    318 # 
    31995# append_log_domain(): 
    32096# 
    32197type $1_log_t; 
    322 logging_make_log_file($1_log_t) 
     98logging_log_file($1_log_t) 
    32399allow $1_t var_log_t:dir ra_dir_perms; 
    324100allow $1_t $1_log_t:file  { create ra_file_perms }; 
     
    329105# 
    330106type $1_log_t; 
    331 logging_make_log_file($1_log_t) 
     107logging_log_file($1_log_t) 
    332108allow $1_t var_log_t:dir ra_dir_perms; 
    333109allow $1_t $1_log_t:dir { setattr ra_dir_perms }; 
     
    340116type $1_t; 
    341117type $1_exec_t; 
    342 domain_make_domain($1_t) 
    343 domain_make_entrypoint_file($1_t,$1_exec_t) 
     118domain_type($1_t) 
     119domain_entry_file($1_t,$1_exec_t) 
    344120role sysadm_r types $1_t; 
    345121domain_auto_trans(sysadm_t, $1_exec_t, $1_t) 
    346 libraries_use_dynamic_loader($1_t) 
    347 libraries_use_shared_libraries($1_t) 
     122libs_use_ld_so($1_t) 
     123libs_use_shared_libs($1_t) 
    348124 
    349125# 
    350126# base_can_network($1,$2): 
    351127# 
    352 allow $1 self:$2_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown }
    353 corenetwork_network_$2_on_all_interfaces($1) 
    354 corenetwork_network_raw_on_all_interfaces($1) 
    355 corenetwork_network_$2_on_all_nodes($1) 
    356 corenetwork_network_raw_on_all_nodes($1) 
    357 corenetwork_bind_$2_on_all_nodes($1) 
    358 corenetwork_network_$2_on_all_ports($1) 
    359 sysnetwork_read_network_config($1) 
     128allow $1 self:$2_socket connected_socket_perms
     129corenet_$2_sendrecv_all_if($1) 
     130corenet_raw_sendrecv_all_if($1) 
     131corenet_$2_sendrecv_all_nodes($1) 
     132corenet_raw_sendrecv_all_nodes($1) 
     133corenet_$2_sendrecv_all_ports($1) 
     134corenet_$2_bind_all_nodes($1) 
     135sysnet_read_config($1) 
    360136 
    361137# 
    362138# base_can_network($1,$2,$3): 
    363139# 
    364 allow $1 self:$2_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown }
    365 corenetwork_network_$2_on_all_interfaces($1) 
    366 corenetwork_network_raw_on_all_interfaces($1) 
    367 corenetwork_network_$2_on_all_nodes($1) 
    368 corenetwork_network_raw_on_all_nodes($1) 
    369 corenetwork_bind_$2_on_all_nodes($1) 
    370 corenetwork_network_$2_on_$3_port($1) 
    371 sysnetwork_read_network_config($1) 
     140allow $1 self:$2_socket connected_socket_perms
     141corenet_$2_sendrecv_all_if($1) 
     142corenet_raw_sendrecv_all_if($1) 
     143corenet_$2_sendrecv_all_nodes($1) 
     144corenet_raw_sendrecv_all_nodes($1) 
     145corenet_$2_bind_all_nodes($1) 
     146corenet_$2_sendrecv_$3_port($1) 
     147sysnet_read_config($1) 
    372148 
    373149# 
    374150# base_file_read_access(): 
    375151# 
    376 files_list_home_directories($1) 
    377 files_read_general_application_resources($1) 
     152files_list_home($1) 
     153files_read_usr_files($1) 
    378154allow $1 bin_t:dir r_dir_perms; 
    379155allow $1 bin_t:notdevfile_class_set r_file_perms; 
     
    381157allow $1 sbin_t:notdevfile_class_set r_file_perms; 
    382158kernel_read_kernel_sysctl($1) 
    383 selinux_read_config($1) 
     159seutil_read_config($1) 
    384160if (read_default_t) { 
    385161allow $1 default_t:dir r_dir_perms; 
     
    396172 
    397173# 
    398 # base_user_domain(): 
    399 # 
    400  
    401 # 
    402174# can_create(): 
    403175# 
     
    423195# can_create_other_pty(): complete 
    424196# 
    425 terminal_create_private_pseudoterminal($1_t,$2_devpts_t) 
     197term_create_pty($1_t,$2_devpts_t) 
    426198allow $1_t $2_devpts_t:chr_file { setattr ioctl read getattr lock write append }; 
    427199 
     
    431203# $2 may require more conversion 
    432204type $1_devpts_t $2; 
    433 terminal_make_pseudoterminal($1_devpts_t) 
     205term_pty($1_devpts_t) 
    434206allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append }; 
    435 terminal_create_private_pseudoterminal($1_t,$1_devpts_t) 
    436  
    437 
    438 # can_exec(): complete 
    439 
    440 allow $1 $2:file { getattr read execute execute_no_trans }; 
     207term_create_pty($1_t,$1_devpts_t) 
    441208 
    442209# 
    443210# can_exec_any(): complete 
    444211# 
    445 domain_execute_all_entrypoint_programs($1) 
    446 files_execute_system_config_script($1) 
    447 corecommands_execute_general_programs($1) 
    448 corecommands_execute_system_programs($1) 
    449 libraries_use_dynamic_loader($1) 
    450 libraries_use_shared_libraries($1) 
    451 libraries_execute_dynamic_loader($1) 
    452 libraries_execute_library_scripts($1) 
     212domain_exec_all_entry_files($1) 
     213files_exec_generic_etc_files($1) 
     214corecmd_exec_bin($1) 
     215corecmd_exec_sbin($1) 
     216libs_use_ld_so($1) 
     217libs_use_shared_libs($1) 
     218libs_exec_ld_so($1) 
     219libs_exec_lib_files($1) 
    453220 
    454221# 
     
    461228# can_getsecurity(): complete 
    462229# 
    463 kernel_get_selinuxfs_mount_point($1) 
    464 kernel_validate_selinux_context($1) 
    465 kernel_compute_selinux_access_vector($1) 
    466 kernel_compute_selinux_create_context($1) 
    467 kernel_compute_selinux_relabel_context($1) 
    468 kernel_compute_selinux_reachable_user_contexts($1) 
    469  
    470 
    471 # can_kerberos(): 
    472 
    473 ifdef(`kerberos.te',` 
    474 if (allow_kerberos) { 
    475 can_network_client($1, `kerberos_port_t') 
    476 can_resolve($1) 
    477 
    478 ') dnl kerberos.te 
    479 dontaudit $1 krb5_conf_t:file write; 
    480 allow $1 krb5_conf_t:file { getattr read }; 
    481  
    482 
    483 # can_ldap(): 
    484 
    485 ifdef(`slapd.te',` 
    486 can_network_client_tcp($1, `ldap_port_t') 
     230selinux_get_fs_mount($1) 
     231selinux_validate_context($1) 
     232selinux_compute_access_vector($1) 
     233selinux_compute_create_context($1) 
     234selinux_compute_relabel_context($1) 
     235selinux_compute_user_contexts($1) 
     236 
     237
     238# can_kerberos(): complete 
     239
     240optional_policy(`kerberos.te',` 
     241        kerberos_use($1) 
     242') 
     243 
     244
     245# can_ldap(): complete 
     246
     247optional_policy(`ldap.te',` 
     248        allow $1 self:tcp_socket create_socket_perms; 
     249        corenet_tcp_sendrecv_all_if($1) 
     250        corenet_raw_sendrecv_all_if($1) 
     251        corenet_tcp_sendrecv_all_nodes($1) 
     252        corenet_raw_sendrecv_all_nodes($1) 
     253        corenet_tcp_sendrecv_ldap_port($1) 
     254        corenet_tcp_bind_all_nodes($1) 
     255        sysnet_read_config($1) 
    487256') 
    488257 
     
    490259# can_loadpol(): complete 
    491260# 
    492 kernel_get_selinuxfs_mount_point($1) 
    493 kernel_load_selinux_policy($1) 
     261selinux_get_fs_mount($1) 
     262selinux_load_policy($1) 
    494263 
    495264# 
     
    511280# can_network_client_tcp($1): complete 
    512281# 
    513 allow $1 self:tcp_socket { create connect ioctl read getattr write setattr append bind getopt setopt shutdown }
    514 corenetwork_network_tcp_on_all_interfaces($1) 
    515 corenetwork_network_raw_on_all_interfaces($1) 
    516 corenetwork_network_tcp_on_all_nodes($1) 
    517 corenetwork_network_raw_on_all_nodes($1) 
    518 corenetwork_bind_tcp_on_all_nodes($1) 
    519 corenetwork_network_tcp_on_all_ports($1) 
    520 sysnetwork_read_network_config($1) 
     282allow $1 self:tcp_socket create_socket_perms
     283corenet_tcp_sendrecv_all_if($1) 
     284corenet_raw_sendrecv_all_if($1) 
     285corenet_tcp_sendrecv_all_nodes($1) 
     286corenet_raw_sendrecv_all_nodes($1) 
     287corenet_tcp_sendrecv_all_ports($1) 
     288corenet_tcp_bind_all_nodes($1) 
     289sysnet_read_config($1) 
    521290 
    522291# 
     
    524293# 
    525294# remove _port_t from $2 
    526 allow system_mail_t self:tcp_socket { create connect ioctl read getattr write setattr append bind getopt setopt shutdown }
    527 corenetwork_network_tcp_on_all_interfaces(system_mail_t
    528 corenetwork_network_raw_on_all_interfaces(system_mail_t
    529 corenetwork_network_tcp_on_all_nodes(system_mail_t
    530 corenetwork_network_raw_on_all_nodes(system_mail_t
    531 corenetwork_bind_tcp_on_all_nodes(system_mail_t
    532 corenetwork_network_tcp_on_$2_port(system_mail_t
    533 sysnetwork_read_network_config(system_mail_t
     295allow $1 self:tcp_socket create_socket_perms
     296corenet_tcp_sendrecv_all_if($1
     297corenet_raw_sendrecv_all_if($1
     298corenet_tcp_sendrecv_all_nodes($1
     299corenet_raw_sendrecv_all_nodes($1
     300corenet_tcp_sendrecv_$2_port($1
     301corenet_tcp_bind_all_nodes($1
     302sysnet_read_config($1
    534303 
    535304# 
    536305# can_network_server(): 
    537306# 
    538 allow $1 self:tcp_socket { listen accept }
     307allow $1 self:tcp_socket create_stream_socket_perms
    539308base_can_network($1, tcp, `$2') 
    540309 
     
    542311# can_network_server_tcp(): 
    543312# 
    544 allow $1 self:tcp_socket { listen accept }
     313allow $1 self:tcp_socket create_stream_socket_perms
    545314base_can_network($1, tcp, `$2') 
    546315 
     
    576345 
    577346# 
    578 # can_resolve(): 
     347# can_resolve(): complete 
    579348# 
    580349tunable_policy(`use_dns',` 
    581 allow $1 self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect }
    582 corenetwork_network_udp_on_all_interfaces($1) 
    583 corenetwork_network_raw_on_all_interfaces($1) 
    584 corenetwork_network_udp_on_all_nodes($1) 
    585 corenetwork_network_raw_on_all_nodes($1) 
    586 corenetwork_bind_udp_on_all_nodes($1) 
    587 corenetwork_network_udp_on_dns_port($1) 
    588 sysnetwork_read_network_config($1) 
     350       allow $1 self:udp_socket create_socket_perms
     351       corenet_udp_sendrecv_all_if($1) 
     352       corenet_raw_sendrecv_all_if($1) 
     353       corenet_udp_sendrecv_all_nodes($1) 
     354       corenet_raw_sendrecv_all_nodes($1) 
     355       corenet_udp_sendrecv_dns_port($1) 
     356       corenet_udp_bind_all_nodes($1) 
     357       sysnet_read_config($1) 
    589358') 
    590359 
     
    592361# can_setbool(): complete 
    593362# 
    594 kernel_get_selinuxfs_mount_point($1) 
    595 kernel_set_selinux_boolean($1) 
     363selinux_get_fs_mount($1) 
     364selinux_set_boolean($1) 
    596365 
    597366# 
     
    601370# 
    602371allow $1 self:process setcurrent; 
    603 kernel_get_selinuxfs_mount_point($1) 
     372selinux_get_fs_mount($1) 
    604373 
    605374# 
     
    608377# get mount point is due to libselinux init 
    609378# 
    610 kernel_get_selinuxfs_mount_point($1) 
    611 kernel_set_selinux_enforcement_mode($1) 
     379selinux_get_fs_mount($1) 
     380selinux_set_enforce_mode($1) 
    612381 
    613382# 
     
    617386# 
    618387allow $1 self:process setexec; 
    619 kernel_get_selinuxfs_mount_point($1) 
     388selinux_get_fs_mount($1) 
    620389 
    621390# 
     
    625394# 
    626395allow $1 self:process setfscreate; 
    627 kernel_get_selinuxfs_mount_point($1) 
     396selinux_get_fs_mount($1) 
    628397 
    629398# 
     
    632401# get mount point is due to libselinux init 
    633402# 
    634 kernel_get_selinuxfs_mount_point($1) 
     403selinux_get_fs_mount($1) 
    635404kernel_setsecparam($1) 
    636405 
     
    638407# can_sysctl(): complete 
    639408# 
    640 kernel_modify_all_sysctl($1) 
     409kernel_rw_all_sysctl($1) 
    641410 
    642411# 
    643412# can_tcp_connect 
    644 # (policy is commented out) 
    645 # Irrelevant until we have labeled networking. 
    646 
    647 #allow $1 $2:tcp_socket { connectto recvfrom }; 
    648 #allow $2 $1:tcp_socket { acceptfrom recvfrom }; 
    649 #allow $2 kernel_t:tcp_socket recvfrom; 
    650 #allow $1 kernel_t:tcp_socket recvfrom; 
     413
     414allow $1 $2:tcp_socket { connectto recvfrom }; 
     415allow $2 $1:tcp_socket { acceptfrom recvfrom }; 
     416allow $2 kernel_t:tcp_socket recvfrom; 
     417allow $1 kernel_t:tcp_socket recvfrom; 
    651418 
    652419# 
    653420# can_udp_send(): 
    654 # (policy is commented out) 
    655 # Irrelevant until we have labeled networking. 
    656 
    657 #allow $1 $2:udp_socket sendto; 
    658 #allow $2 $1:udp_socket recvfrom; 
     421
     422allow $1 $2:udp_socket sendto; 
     423allow $2 $1:udp_socket recvfrom; 
    659424 
    660425# 
     
    669434 
    670435# 
    671 # can_ypbind(): 
    672 
     436# can_ypbind(): complete 
     437
     438optional_policy(`nis.te',` 
     439        nis_use_ypbind($1) 
     440') 
    673441 
    674442# 
     
    697465type $1_t; 
    698466type $1_exec_t; 
    699 init_make_daemon_domain($1_t,$1_exec_t) 
     467init_daemon_domain($1_t,$1_exec_t) 
    700468role system_r types $1_t; 
    701469dontaudit $1_t self:capability sys_tty_config; 
    702470allow $1_t self:process { sigchld sigkill sigstop signull signal }; 
    703471kernel_read_kernel_sysctl($1_t) 
    704 kernel_read_hardware_state($1_t) 
    705 terminal_ignore_use_console($1_t) 
    706 init_use_file_descriptors($1_t) 
    707 init_script_use_pseudoterminal($1_t) 
    708 domain_use_widely_inheritable_file_descriptors($1_t) 
    709 libraries_use_dynamic_loader($1_t) 
    710 libraries_use_shared_libraries($1_t) 
    711 logging_send_system_log_message($1_t) 
     472dev_read_sysfs($1_t) 
     473fs_search_auto_mountpoints($1_t) 
     474term_dontaudit_use_console($1_t) 
     475domain_use_wide_inherit_fd($1_t) 
     476init_use_fd($1_t) 
     477init_use_script_pty($1_t) 
     478libs_use_ld_so($1_t) 
     479libs_use_shared_libs($1_t) 
     480logging_send_syslog_msg($1_t) 
     481userdom_dontaudit_use_unpriv_user_fd($1_t) 
     482ifdef(`targeted_policy',` 
     483        term_dontaudit_use_unallocated_tty($1_t) 
     484        term_dontaudit_use_generic_pty($1_t) 
     485        files_dontaudit_read_root_file($1_t) 
     486') 
     487optional_policy(`rhgb.te',` 
     488        rhgb_domain($1_t) 
     489') 
     490optional_policy(`selinux.te',` 
     491        seutil_newrole_sigchld($1_t) 
     492') 
     493optional_policy(`udev.te', ` 
     494        udev_read_db($1_t) 
     495') 
    712496allow $1_t proc_t:dir r_dir_perms; 
    713497allow $1_t proc_t:lnk_file read; 
    714 tunable_policy(`direct_sysadm_daemon', ` 
    715 dontaudit $1_t admin_tty_type:chr_file rw_file_perms; 
    716 ') 
    717 tunable_policy(`targeted_policy', ` 
    718 terminal_ignore_use_general_physical_terminal($1_t) 
    719 terminal_ignore_use_general_pseudoterminal($1_t) 
    720 files_ignore_read_rootfs_file($1_t) 
    721 ') 
    722 optional_policy(`rhgb.te', ` 
    723 allow $1_t rhgb_t:process sigchld; 
    724 allow $1_t rhgb_t:fd use; 
    725 allow $1_t rhgb_t:fifo_file { read write }; 
    726 ') 
    727 optional_policy(`selinux.te',` 
    728 selinux_newrole_sigchld($1_t) 
    729 ') 
    730 optional_policy(`udev.te', ` 
    731 udev_read_database($1_t) 
    732 ') 
    733 dontaudit $1_t unpriv_userdomain:fd use; 
    734 allow $1_t autofs_t:dir { search getattr }; 
    735498 
    736499 
     
    740503type $1_t; 
    741504type $1_exec_t; 
    742 init_make_daemon_domain($1_t,$1_exec_t) 
     505init_daemon_domain($1_t,$1_exec_t) 
    743506type $1_var_run_t; 
    744 files_make_daemon_runtime_file($1_var_run_t) 
     507files_pid_file($1_var_run_t) 
     508dontaudit $1_t self:capability sys_tty_config; 
    745509allow $1_t $1_var_run_t:file { getattr create read write append setattr unlink }; 
    746 files_create_daemon_runtime_data($1_t,$1_var_run_t) 
    747 dontaudit $1_t self:capability sys_tty_config; 
     510files_create_pid($1_t,$1_var_run_t) 
    748511kernel_read_kernel_sysctl($1_t) 
    749 kernel_read_hardware_state($1_t) 
    750 filesystem_get_all_filesystems_attributes($1_t) 
    751 terminal_ignore_use_console($1_t) 
    752 init_use_file_descriptors($1_t) 
    753 init_script_use_pseudoterminal($1_t) 
    754 domain_use_widely_inheritable_file_descriptors($1_t) 
    755 logging_send_system_log_message($1_t) 
    756 libraries_use_dynamic_loader($1_t) 
    757 libraries_use_shared_libraries($1_t) 
     512dev_read_sysfs($1_t) 
     513fs_getattr_all_fs($1_t) 
     514fs_search_auto_mountpoints($1_t) 
     515term_dontaudit_use_console($1_t) 
     516domain_use_wide_inherit_fd($1_t) 
     517init_use_fd($1_t) 
     518init_use_script_pty($1_t) 
     519libs_use_ld_so($1_t) 
     520libs_use_shared_libs($1_t) 
     521logging_send_syslog_msg($1_t) 
    758522miscfiles_read_localization($1_t) 
    759 tunable_policy(`targeted_policy', ` 
    760 terminal_ignore_use_general_physical_terminal($1_t) 
    761 terminal_ignore_use_general_pseudoterminal($1_t) 
    762 files_ignore_read_rootfs_file($1_t) 
    763 ') 
    764 optional_policy(`rhgb.te', ` 
    765 allow $1_t rhgb_t:process sigchld; 
    766 allow $1_t rhgb_t:fd use; 
    767 allow $1_t rhgb_t:fifo_file { read write }; 
     523userdom_dontaudit_use_unpriv_user_fd($1_t) 
     524ifdef(`targeted_policy', ` 
     525        term_dontaudit_use_unallocated_tty($1_t) 
     526        term_dontaudit_use_generic_pty($1_t) 
     527        files_dontaudit_read_root_file($1_t) 
     528') 
     529optional_policy(`rhgb.te',` 
     530        rhgb_domain($1_t) 
    768531') 
    769532optional_policy(`selinux.te',` 
    770 selinux_newrole_sigchld($1_t) 
     533       seutil_newrole_sigchld($1_t) 
    771534') 
    772535optional_policy(`udev.te', ` 
    773 udev_read_database($1_t) 
     536       udev_read_db($1_t) 
    774537') 
    775538allow $1_t proc_t:dir r_dir_perms; 
    776539allow $1_t proc_t:lnk_file read; 
    777 dontaudit $1_t unpriv_userdomain:fd use; 
    778 allow $1_t autofs_t:dir { search getattr }; 
    779540dontaudit $1_t sysadm_home_dir_t:dir search; 
    780541 
     
    791552allow $2_t $1:process sigchld; 
    792553allow $2_t self:process signal_perms; 
    793 libraries_use_dynamic_loader($2_t) 
    794 libraries_use_shared_libraries($2_t) 
     554libs_use_ld_so($2_t) 
     555libs_use_shared_libs($2_t) 
    795556allow $2_t proc_t:dir r_dir_perms; 
    796557allow $2_t proc_t:lnk_file read; 
     
    801562# 
    802563type $1_etc_t; #, usercanread; 
    803 files_make_file($1_etc_t) 
     564files_file_type($1_etc_t) 
    804565allow $1_t $1_etc_t:file { getattr read }; 
    805566 
     
    808569# 
    809570type $1_etc_t; #, usercanread; 
    810 files_make_file($1_etc_t) 
     571files_file_type($1_etc_t) 
    811572allow $1_t $1_etc_t:file r_file_perms; 
    812573allow $1_t $1_etc_t:dir r_dir_perms; 
     
    832593 
    833594# 
    834 # full_user_role(): 
    835 
    836  
    837 
    838 # general_domain_access(): 
     595# general_domain_access(): complete 
    839596# 
    840597allow $1 self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition }; 
    841598allow $1 self:fd use; 
    842 allow $1 self:fifo_file { read getattr lock ioctl write append }
    843 allow $1 self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }
    844 allow $1 self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept }
     599allow $1 self:fifo_file rw_file_perms
     600allow $1 self:unix_dgram_socket create_socket_perms
     601allow $1 self:unix_stream_socket create_stream_socket_perms
    845602allow $1 self:unix_dgram_socket sendto; 
    846603allow $1 self:unix_stream_socket connectto; 
    847 allow $1 self:shm { associate getattr setattr create destroy read write lock unix_read unix_write }
    848 allow $1 self:sem { associate getattr setattr create destroy read write unix_read unix_write }
    849 allow $1 self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write }
     604allow $1 self:shm create_shm_perms
     605allow $1 self:sem create_sem_perms
     606allow $1 self:msgq create_msgq_perms
    850607allow $1 self:msg { send receive }; 
    851 allow $1 unpriv_userdomain:fd use; 
    852 can_ypbind($1) 
    853 ifdef(`automount.te',
    854 allow $1 autofs_t:dir { search getattr }; 
     608fs_search_auto_mountpoints($1) 
     609userdom_use_unpriv_user_fd($1) 
     610optional_policy(`nis.te',
     611        nis_use_ypbind($1) 
    855612') 
    856613 
     
    859616# 
    860617kernel_read_system_state($1) 
    861 kernel_read_network_state($1) 
     618kernel_read_sendrecv_state($1) 
    862619kernel_read_software_raid_state($1) 
    863 kernel_get_core_interface_attributes($1) 
    864 kernel_get_message_interface_attributes($1) 
     620kernel_getattr_core($1) 
     621kernel_getattr_message_if($1) 
    865622kernel_read_kernel_sysctl($1) 
    866623 
     
    892649type $1_t; 
    893650type $1_exec_t; 
    894 init_make_daemon_domain($1_t,$1_exec_t) 
     651init_daemon_domain($1_t,$1_exec_t) 
    895652dontaudit $1_t self:capability sys_tty_config; 
    896 kernel_read_hardware_state($1_t) 
    897 terminal_ignore_use_console($1_t) 
    898 init_use_file_descriptors($1_t) 
    899 libraries_use_dynamic_loader($1_t) 
    900 libraries_use_shared_libraries($1_t) 
    901 logging_send_system_log_message($1_t) 
     653dev_read_sysfs($1_t) 
     654term_dontaudit_use_console($1_t) 
     655init_use_fd($1_t) 
     656libs_use_ld_so($1_t) 
     657libs_use_shared_libs($1_t) 
     658logging_send_syslog_msg($1_t) 
    902659tunable_policy(`targeted_policy', ` 
    903 terminal_ignore_use_general_physical_terminal($1_t) 
    904 terminal_ignore_use_general_pseudoterminal($1_t) 
    905 files_ignore_read_rootfs_file($1_t) 
     660term_dontaudit_use_unallocated_tty($1_t) 
     661term_dontaudit_use_generic_pty($1_t) 
     662files_dontaudit_read_root_file($1_t) 
    906663')dnl end targeted_policy tunable 
    907664allow $1_t proc_t:dir r_dir_perms; 
    908665allow $1_t proc_t:lnk_file read; 
    909666optional_policy(`udev.te', ` 
    910 udev_read_database($1_t) 
     667udev_read_db($1_t) 
    911668') 
    912669allow $1_t autofs_t:dir { search getattr }; 
     
    914671 
    915672# 
     673# inetd_child_domain(): 
     674# 
     675type $1_t; #, nscd_client_domain; 
     676type $1_exec_t; 
     677inetd_(udp_|tcp_)?service_domain($1_t,$1_exec_t) 
     678role system_r types $1_t; 
     679type $1_tmp_t; 
     680files_tmp_file($1_tmp_t) 
     681type $1_var_run_t; 
     682files_pid_file($1_var_run_t) 
     683allow $1_t self:process signal_perms; 
     684allow $1_t self:fifo_file rw_file_perms; 
     685allow $1_t self:tcp_socket { listen accept connected_socket_perms } 
     686# for identd 
     687# cjp: this should probably only be inetd_child rules? 
     688allow $1_t self:netlink_tcpdiag_socket r_netlink_socket_perms; 
     689allow $1_t self:capability { setuid setgid }; 
     690allow $1_t self:dir search; 
     691allow $1_t self:{ lnk_file file } { getattr read }; 
     692#allow $1_t home_root_t:dir search; 
     693#can_kerberos($1_t) 
     694#end for identd 
     695allow $1_t $1_tmp_t:dir create_dir_perms; 
     696allow $1_t $1_tmp_t:file create_file_perms; 
     697files_create_tmp_files($1_t, $1_tmp_t, { file dir }) 
     698allow $1_t $1_var_run_t:file create_file_perms; 
     699files_create_pid($1_t,$1_var_run_t) 
     700kernel_read_kernel_sysctl($1_t) 
     701kernel_read_system_state($1_t) 
     702kernel_read_network_state($1_t) 
     703corenet_sendrecv_tcp_on_all_interfaces($1_t) 
     704corenet_sendrecv_raw_on_all_interfaces($1_t) 
     705corenet_sendrecv_tcp_on_all_nodes($1_t) 
     706corenet_sendrecv_raw_on_all_nodes($1_t) 
     707corenet_bind_tcp_on_all_nodes($1_t) 
     708corenet_sendrecv_tcp_on_all_ports($1_t) 
     709dev_read_urand($1_t) 
     710fs_getattr_xattr_fs($1_t) 
     711files_read_generic_etc_files($1_t) 
     712libs_use_ld_so($1_t) 
     713libs_use_shared_libs($1_t) 
     714logging_send_syslog_msg($1_t) 
     715miscfiles_read_localization($1_t) 
     716sysnet_read_config($1_t) 
     717optional_policy(`nis.te',` 
     718        nis_use_ypbind($1_t) 
     719') 
     720 
     721# 
    916722# legacy_domain(): complete 
    917723# 
    918724allow $1_t self:process execmem; 
    919 libraries_legacy_use_shared_libraries($1_t) 
    920 libraries_legacy_use_dynamic_loader($1_t) 
     725libs_legacy_use_shared_libs($1_t) 
     726libs_legacy_use_ld_so($1_t) 
    921727 
    922728# 
     
    924730# 
    925731type $1_lock_t; 
    926 files_make_lock_file($1_lock_t) 
    927 allow $1_t $1_lock_t:file { create ioctl read getattr lock write setattr append link unlink rename }
    928 files_create_private_lock_file($1_t,$1_lock_t) 
     732files_lock_file($1_lock_t) 
     733allow $1_t $1_lock_t:file create_file_perms
     734files_create_lock_file($1_t,$1_lock_t) 
    929735 
    930736# 
     
    932738# 
    933739type $1_log_t; 
    934 logging_make_log_file($1_log_t) 
    935 allow $1_t $1_log_t:file { create ioctl read getattr lock write setattr append link unlink rename }
    936 logging_create_private_log($1_t,$1_log_t) 
     740logging_log_file($1_log_t) 
     741allow $1_t $1_log_t:file create_file_perms
     742logging_create_log($1_t,$1_log_t) 
    937743 
    938744# 
     
    940746# 
    941747type $1_log_t; 
    942 logging_make_log_file($1_log_t) 
    943 allow $1_t $1_log_t:file { create ioctl read getattr lock write setattr append link unlink rename }
    944 allow $1_t $1_log_t:dir { getattr search read lock ioctl add_name remove_name write setattr }
    945 logging_create_private_log($1_t,$1_log_t,{ file dir }) 
     748logging_log_file($1_log_t) 
     749allow $1_t $1_log_t:file create_file_perms
     750allow $1_t $1_log_t:dir rw_dir_perms
     751logging_search_logs($1_t,$1_log_t,{ file dir }) 
    946752 
    947753# 
     
    1027833# 
    1028834type $1_t; 
    1029 domain_make_domain($1_t) 
     835domain_type($1_t) 
    1030836role system_r types $1_t; 
    1031837type $1_exec_t; 
    1032 domain_make_entrypoint_file($1_t,$1_exec_t) 
    1033 libraries_use_dynamic_loader($1_t) 
    1034 libraries_use_shared_libraries($1_t) 
    1035 logging_send_system_log_message($1_t) 
     838domain_entry_file($1_t,$1_exec_t) 
     839libs_use_ld_so($1_t) 
     840libs_use_shared_libs($1_t) 
     841logging_send_syslog_msg($1_t) 
    1036842allow $1_t etc_t:dir r_dir_perms; 
    1037843 
     
    1042848# 
    1043849type $1_tmp_t $2; 
    1044 files_make_temporary_file($1_tmp_t) 
     850files_tmp_file($1_tmp_t) 
    1045851# no class specified: 
    1046 allow $1_t $1_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }
    1047 allow $1_t $1_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename }
    1048 files_create_private_tmp_data($1_t, $1_tmp_t, { file dir }) 
     852allow $1_t $1_tmp_t:dir create_dir_perms
     853allow $1_t $1_tmp_t:file create_file_perms
     854files_create_tmp_files($1_t, $1_tmp_t, { file dir }) 
    1049855# class specified: 
    1050 files_create_private_tmp_data($1_t, $1_tmp_t, $3) 
     856files_create_tmp_files($1_t, $1_tmp_t, $3) 
    1051857# $3 manage object perms here 
    1052858 
     
    1057863# 
    1058864type $1_tmp_t $2; 
    1059 files_make_temporary_file($1_tmp_t) 
    1060 files_create_private_tmp_data($1_t, $1_tmp_t, $3) 
     865files_tmp_file($1_tmp_t) 
     866files_create_tmp_files($1_t, $1_tmp_t, $3) 
    1061867allow $1_t $1_tmp_t:$3 manage_obj_perms; 
    1062868 
    1063869# 
    1064 # tmpfs_domain(): 
    1065 
    1066 type $1_tmpfs_t, file_type, sysadmfile, tmpfsfile; 
    1067 file_type_auto_trans($1_t, tmpfs_t, $1_tmpfs_t) 
    1068 allow $1_tmpfs_t tmpfs_t:filesystem associate; 
     870# tmpfs_domain(): complete 
     871
     872type $1_tmpfs_t; 
     873files_tmpfs_file($1_tmpfs_t) 
     874allow $1_t $1_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write }; 
     875allow $1_t $1_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename }; 
     876allow $1_t $1_tmpfs_t:lnk_file { create read getattr setattr link unlink rename }; 
     877allow $1_t $1_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename }; 
     878allow $1_t $1_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename }; 
     879filesystem_create_private_tmpfs_data($1_t,$1_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) 
    1069880 
    1070881# 
     
    1079890role sysadm_r types $1_t; 
    1080891domain_auto_trans(sysadm_t, $1_exec_t, $1_t) 
    1081 libraries_use_dynamic_loader($1_t) 
    1082 libraries_use_shared_libraries($1_t) 
     892libs_use_ld_so($1_t) 
     893libs_use_shared_libs($1_t) 
    1083894in_user_role($1_t) 
    1084895domain_auto_trans(userdomain, $1_exec_t, $1_t) 
    1085  
    1086 # 
    1087 # user_domain(): 
    1088 # 
    1089896 
    1090897# 
     
    1097904 
    1098905# 
    1099 # uses_shlib(): complete 
    1100 # 
    1101 libraries_use_dynamic_loader($1) 
    1102 libraries_use_shared_libraries($1) 
    1103  
    1104 # 
    1105906# var_lib_domain(): 
    1106907# 
     
    1108909typealias $1_var_lib_t alias var_lib_$1_t; 
    1109910file_type_auto_trans($1_t, var_lib_t, $1_var_lib_t, file) 
    1110 allow $1_t $1_var_lib_t:dir { read getattr lock search ioctl add_name remove_name write }
     911allow $1_t $1_var_lib_t:dir rw_dir_perms
    1111912 
    1112913# 
    1113914# var_run_domain($1): 
    1114915# 
    1115 type $1_var_run_t, file_type, sysadmfile, pidfile
    1116 file_type_auto_trans($1_t, var_run_t, $1_var_run_t, file
    1117 allow $1_t var_t:dir search
    1118 allow $1_t $1_var_run_t:dir { read getattr lock search ioctl add_name remove_name write }; 
     916type $1_var_run_t
     917files_pid_file($1_var_run_t
     918allow $1_t $1_var_run_t:file create_file_perms
     919files_create_pid($1_t,$1_var_run_t) 
    1119920 
    1120921# 
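--- a/tags/RELEASE_20050707/refpolicy/VERSION
+++ b/tags/RELEASE_20050707/refpolicy/VERSION
@@ -1 +1 @@
-20050615
+20050707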
  • trunk/docs/macro_conversion_guide

    r182 r475  
    99######################################## 
    1010# 
    11 # Object class sets 
    12 # 
    13  
    14 # 
    15 # devfile_class_set 
    16 # 
    17 { chr_file blk_file } 
    18  
    19 # 
    20 # dgram_socket_class_set 
    21 # 
    22 { udp_socket unix_dgram_socket } 
    23  
    24 # 
    25 # dir_file_class_set 
    26 # 
    27 { dir file lnk_file sock_file fifo_file chr_file blk_file } 
    28  
    29 # 
    30 # file_class_set 
    31 # 
    32 { file lnk_file sock_file fifo_file chr_file blk_file } 
    33  
    34 # 
    35 # notdevfile_class_set 
    36 # 
    37 { file lnk_file sock_file fifo_file } 
    38  
    39 # 
    40 # socket_class_set 
    41 # 
    42 { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } 
    43  
    44 # 
    45 # stream_socket_class_set 
    46 # 
    47 { tcp_socket unix_stream_socket } 
    48  
    49 # 
    50 # unpriv_socket_class_set 
    51 # 
    52 { tcp_socket udp_socket unix_stream_socket unix_dgram_socket } 
    53  
    54 ######################################## 
    55 # 
    56 # Permission Sets 
    57 # 
    58  
    59 # 
    60 # connected_socket_perms 
    61 # 
    62 { create ioctl read getattr write setattr append bind getopt setopt shutdown } 
    63  
    64 # 
    65 # connected_stream_socket_perms 
    66 # 
    67 { create ioctl read getattr write setattr append bind getopt setopt shutdown listen accept } 
    68  
    69 # 
    70 # create_dir_perms 
    71 # 
    72 { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir } 
    73  
    74 # 
    75 # create_file_perms 
    76 # 
    77 { create ioctl read getattr lock write setattr append link unlink rename } 
    78  
    79 # 
    80 # create_lnk_perms 
    81 # 
    82 { create read getattr setattr link unlink rename } 
    83  
    84 # 
    85 # create_msgq_perms 
    86 # 
    87 { associate getattr setattr create destroy read write enqueue unix_read unix_write } 
    88  
    89 # 
    90 # create_netlink_socket_perms 
    91 # 
    92 { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write } 
    93  
    94 # 
    95 # create_sem_perms 
    96 # 
    97 { associate getattr setattr create destroy read write unix_read unix_write } 
    98  
    99 # 
    100 # create_shm_perms 
    101 # 
    102 { associate getattr setattr create destroy read write lock unix_read unix_write } 
    103  
    104 # </