]> git.ipfire.org Git - people/stevee/selinux-policy.git/blame - policy/modules/system/libraries.te
trunk: add an empty m4 string so the index macro is not invoked, to prevent a warning.
[people/stevee/selinux-policy.git] / policy / modules / system / libraries.te
CommitLineData
e181fe05 1
cfcf5004 2policy_module(libraries, 2.2.0)
960373dd 3
48e0dbd6
CP
4########################################
5#
6# Declarations
7#
8
b4cd1533
CP
9#
10# ld_so_cache_t is the type of /etc/ld.so.cache.
11#
12type ld_so_cache_t;
8fd36732 13files_type(ld_so_cache_t)
b4cd1533 14
48e0dbd6 15#
b4cd1533
CP
16# ld_so_t is the type of the system dynamic loaders.
17#
18type ld_so_t;
8fd36732 19files_type(ld_so_t)
b4cd1533 20
19b2dee3
CP
21type ldconfig_t;
22type ldconfig_exec_t;
23init_system_domain(ldconfig_t,ldconfig_exec_t)
24role system_r types ldconfig_t;
25
26type ldconfig_tmp_t;
27files_tmp_file(ldconfig_tmp_t)
28
b4cd1533
CP
29#
30# lib_t is the type of files in the system lib directories.
31#
350b6ab7 32type lib_t alias shlib_t;
8fd36732 33files_type(lib_t)
b4cd1533 34
b4cd1533 35#
0c4bf1c5 36# textrel_shlib_t is the type of shared objects in the system lib
b4cd1533
CP
37# directories, which require text relocation.
38#
a324ef13
CP
39type textrel_shlib_t alias texrel_shlib_t;
40files_type(textrel_shlib_t)
48e0dbd6 41
e8cb08ae
CP
42optional_policy(`
43 postgresql_loadable_module(lib_t)
44 postgresql_loadable_module(textrel_shlib_t)
45')
46
48e0dbd6
CP
47########################################
48#
49# ldconfig local policy
50#
19b2dee3
CP
51
52allow ldconfig_t self:capability sys_chroot;
48e0dbd6 53
c0868a7a 54allow ldconfig_t ld_so_cache_t:file manage_file_perms;
103fe280 55files_etc_filetrans(ldconfig_t,ld_so_cache_t,file)
48e0dbd6 56
19b2dee3
CP
57manage_dirs_pattern(ldconfig_t,ldconfig_tmp_t,ldconfig_tmp_t)
58manage_files_pattern(ldconfig_t,ldconfig_tmp_t,ldconfig_tmp_t)
d534d35a
CP
59manage_lnk_files_pattern(ldconfig_t,ldconfig_tmp_t,ldconfig_tmp_t)
60files_tmp_filetrans(ldconfig_t, ldconfig_tmp_t, { file dir lnk_file })
19b2dee3 61
c0868a7a 62manage_lnk_files_pattern(ldconfig_t,lib_t,lib_t)
48e0dbd6
CP
63
64kernel_read_system_state(ldconfig_t)
65
0fd9dc55 66fs_getattr_xattr_fs(ldconfig_t)
48e0dbd6 67
15722ec9 68domain_use_interactive_fds(ldconfig_t)
48e0dbd6 69
7a2f20a3 70files_search_var_lib(ldconfig_t)
8fd36732 71files_read_etc_files(ldconfig_t)
ebdc3b79 72files_search_tmp(ldconfig_t)
b0d2243c 73files_search_usr(ldconfig_t)
48e0dbd6 74# for when /etc/ld.so.cache is mislabeled:
8fd36732 75files_delete_etc_files(ldconfig_t)
48e0dbd6 76
1815bad1 77init_use_script_ptys(ldconfig_t)
48e0dbd6 78
c0868a7a
CP
79libs_use_ld_so(ldconfig_t)
80libs_use_shared_libs(ldconfig_t)
81
19b2dee3
CP
82miscfiles_read_localization(ldconfig_t)
83
c9428d33 84logging_send_syslog_msg(ldconfig_t)
48e0dbd6 85
15722ec9 86userdom_use_all_users_fds(ldconfig_t)
48e0dbd6 87
12cf805e
CP
88ifdef(`distro_ubuntu',`
89 optional_policy(`
90 unconfined_domain(ldconfig_t)
91 ')
92')
93
a42ca7eb 94ifdef(`hide_broken_symptoms',`
bb7170f6 95 optional_policy(`
1815bad1 96 unconfined_dontaudit_rw_tcp_sockets(ldconfig_t)
0c73cd25 97 ')
48e0dbd6
CP
98')
99
bb7170f6 100optional_policy(`
a42ca7eb 101 # dontaudit access to /usr/lib/apache, normal programs cannot read these libs anyway
c6d4c8f1 102 apache_dontaudit_search_modules(ldconfig_t)
a42ca7eb 103')
82e284bb 104
e065ac8a
CP
105optional_policy(`
106 apt_rw_pipes(ldconfig_t)
107 apt_use_fds(ldconfig_t)
108 apt_use_ptys(ldconfig_t)
109')
110
82e284bb
CP
111optional_policy(`
112 # When you install a kernel the postinstall builds a initrd image in tmp
113 # and executes ldconfig on it. If you dont allow this kernel installs
114 # blow up.
115 rpm_manage_script_tmp_files(ldconfig_t)
116')