## <summary>Policy for system libraries.</summary>

########################################
## <summary>
##	Execute ldconfig in the ldconfig domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`libs_domtrans_ldconfig',`
	gen_require(`
		type ldconfig_t, ldconfig_exec_t;
	')

	# Let the caller search the bin directories so the ldconfig
	# executable can be reached before the transition rule applies.
	corecmd_search_bin($1)
	# Domain transition: executing an ldconfig_exec_t file moves the
	# caller into ldconfig_t.  No role access for the new domain is
	# granted here; that is what libs_run_ldconfig() adds.
	domtrans_pattern($1, ldconfig_exec_t, ldconfig_t)
')

########################################
## <summary>
##	Execute ldconfig in the ldconfig domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to allow the ldconfig domain.
##	</summary>
## </param>
## <rolecap/>
#
interface(`libs_run_ldconfig',`
	gen_require(`
		type ldconfig_t;
	')

	# The transition itself comes from libs_domtrans_ldconfig(); only
	# ldconfig_t needs to be required here, for the role rule below.
	libs_domtrans_ldconfig($1)
	# Authorises role $2 for ldconfig_t so the transition is usable from
	# that role.  This is the role-capability grant flagged by <rolecap/>.
	role $2 types ldconfig_t;
')

########################################
## <summary>
##	Use the dynamic link/loader for automatic loading
##	of shared libraries.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`libs_use_ld_so',`
	gen_require(`
		type lib_t, ld_so_t, ld_so_cache_t;
	')

	# The loader cache is reached through /etc (presumably ld.so.cache;
	# confirm against the file contexts).
	files_list_etc($1)
	allow $1 lib_t:dir list_dir_perms;

	# Symlinks of either type may be followed, but only the loader
	# itself (ld_so_t) is mapped.
	read_lnk_files_pattern($1, lib_t, { lib_t ld_so_t })
	mmap_files_pattern($1, lib_t, ld_so_t)

	# Read-only access to the cache.  No execmod is granted by this
	# interface; the wider grants live in libs_legacy_use_ld_so().
	allow $1 ld_so_cache_t:file read_file_perms;
')

########################################
## <summary>
##	Use the dynamic link/loader for automatic loading
##	of shared libraries with legacy support.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`libs_legacy_use_ld_so',`
	gen_require(`
		type ld_so_t, ld_so_cache_t;
	')

	libs_use_ld_so($1)
	# Legacy widening on top of libs_use_ld_so(): execmod on the loader
	# binary (make a modified private mapping executable) and execute on
	# the cache file.  Neither is granted by the non-legacy interface, so
	# prefer that one unless the loader in use genuinely needs these.
	allow $1 ld_so_t:file execmod;
	allow $1 ld_so_cache_t:file execute;
')

########################################
## <summary>
##	Execute the dynamic link/loader in the caller's domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`libs_exec_ld_so',`
	gen_require(`
		type lib_t, ld_so_t;
	')

	allow $1 lib_t:dir list_dir_perms;
	read_lnk_files_pattern($1, lib_t, { lib_t ld_so_t })
	# Runs the loader in the caller's own domain -- there is no domain
	# transition here.  Access to the loader cache is not included;
	# callers that need it use libs_use_ld_so().
	exec_files_pattern($1, lib_t, ld_so_t)
')

########################################
## <summary>
##	Create, read, write, and delete the
##	dynamic link/loader.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# cjp: added for prelink
interface(`libs_manage_ld_so',`
	gen_require(`
		type lib_t, ld_so_t;
	')

	# Full create/read/write/delete on ld_so_t files inside lib_t
	# directories.  A domain holding this can replace the dynamic
	# loader that every other domain maps, so it should stay limited
	# to trusted updaters (prelink, per the note above).
	manage_files_pattern($1, lib_t, ld_so_t)
')

########################################
## <summary>
##	Relabel to and from the type used for
##	the dynamic link/loader.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# cjp: added for prelink
interface(`libs_relabel_ld_so',`
	gen_require(`
		type lib_t, ld_so_t;
	')

	# relabel_files_pattern grants both relabelfrom and relabelto on
	# ld_so_t, so the caller can move files into and out of the loader
	# type (contrast libs_relabelto_lib_files(), which is one-way).
	relabel_files_pattern($1, lib_t, ld_so_t)
')

########################################
## <summary>
##	Modify the dynamic link/loader's cached listing
##	of shared libraries.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`libs_rw_ld_so_cache',`
	gen_require(`
		type ld_so_cache_t;
	')

	files_list_etc($1)
	# Read/write on an existing cache file only: rw_file_perms carries
	# no create or unlink, so the cache can be rewritten in place but
	# not replaced with a new file.
	allow $1 ld_so_cache_t:file rw_file_perms;
')

########################################
## <summary>
##	Search library directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`libs_search_lib',`
	gen_require(`
		type lib_t;
	')

	# search only -- enough to traverse lib_t directories by known
	# name, but not to list their contents.
	allow $1 lib_t:dir search_dir_perms;
')

########################################
## <summary>
##	Do not audit attempts to write to library directories.
## </summary>
## <desc>
##	<p>
##	Do not audit attempts to write to library directories.
##	Typically this is used to quiet attempts to recompile
##	python byte code.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`libs_dontaudit_write_lib_dirs',`
	gen_require(`
		type lib_t;
	')

	# dontaudit grants nothing: the write is still denied, only the AVC
	# denial record is suppressed.  That also hides the denial from
	# audit-based monitoring, so keep this to the benign case described
	# above rather than using it as a catch-all.
	dontaudit $1 lib_t:dir write;
')

########################################
## <summary>
##	Create, read, write, and delete library directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`libs_manage_lib_dirs',`
	gen_require(`
		type lib_t;
	')

	# Directory permissions only; access to the files inside lib_t
	# directories is granted by the separate *_lib_files interfaces.
	allow $1 lib_t:dir manage_dir_perms;
')

########################################
## <summary>
##	Read files in the library directories, such
##	as static libraries.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`libs_read_lib_files',`
	gen_require(`
		type lib_t;
	')

	files_search_usr($1)
	# Plain read access.  Nothing here grants execute or mapping, so a
	# domain that loads shared objects still needs
	# libs_use_shared_libs().
	list_dirs_pattern($1, lib_t, lib_t)
	read_files_pattern($1, lib_t, lib_t)
	read_lnk_files_pattern($1, lib_t, lib_t)
')

########################################
## <summary>
##	Execute library scripts in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`libs_exec_lib_files',`
	gen_require(`
		type lib_t;
	')

	files_search_usr($1)
	allow $1 lib_t:dir list_dir_perms;
	read_lnk_files_pattern($1, lib_t, lib_t)
	# Executed in the caller's own domain -- no domain transition.
	# Applies to every lib_t file, not only scripts.
	exec_files_pattern($1, lib_t, lib_t)
')

########################################
## <summary>
##	Load and execute functions from generic
##	lib files as shared libraries. (Deprecated)
## </summary>
## <desc>
##	<p>
##	This interface is deprecated; libs_use_shared_libs()
##	should be used instead.  Calling it emits a
##	refpolicywarn and then delegates to libs_use_shared_libs().
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`libs_use_lib_files',`
	# No gen_require here: the types involved are required by
	# libs_use_shared_libs() itself.
	refpolicywarn(`$0($*) has been deprecated, use libs_use_shared_libs() instead.')
	libs_use_shared_libs($1)
')

########################################
## <summary>
##	Create, read, write, and delete generic
##	files in library directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# cjp: added for prelink
interface(`libs_manage_lib_files',`
	gen_require(`
		type lib_t;
	')

	# Write access to lib_t files that other domains map and execute;
	# treat this as a high-value grant and keep it to updater domains.
	manage_files_pattern($1, lib_t, lib_t)
')

########################################
## <summary>
##	Relabel files to the type used in library directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`libs_relabelto_lib_files',`
	gen_require(`
		type lib_t;
	')

	# One-way: relabelto lib_t only.  Relabelling away from lib_t is
	# not included; see libs_relabel_lib_files() for both directions.
	relabelto_files_pattern($1, lib_t, lib_t)
')

########################################
## <summary>
##	Relabel to and from the type used
##	for generic lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# cjp: added for prelink
interface(`libs_relabel_lib_files',`
	gen_require(`
		type lib_t;
	')

	# Both relabelfrom and relabelto on lib_t files.
	relabel_files_pattern($1, lib_t, lib_t)
')

########################################
## <summary>
##	Delete generic symlinks in library directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# cjp: added for prelink
interface(`libs_delete_lib_symlinks',`
	gen_require(`
		type lib_t;
	')

	# Symlinks only (lnk_file); regular lib_t files are not affected.
	delete_lnk_files_pattern($1, lib_t, lib_t)
')

########################################
## <summary>
##	Create, read, write, and delete shared libraries.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# cjp: added for prelink
interface(`libs_manage_shared_libs',`
	gen_require(`
		type lib_t, textrel_shlib_t;
	')

	# Covers both library file types used on this page: plain lib_t and
	# textrel_shlib_t (libraries that need execmod).  A domain with this
	# can overwrite code that other domains map executable.
	manage_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
')

########################################
## <summary>
##	Load and execute functions from shared libraries.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`libs_use_shared_libs',`
	gen_require(`
		type lib_t, textrel_shlib_t;
	')

	files_list_usr($1)
	allow $1 lib_t:dir list_dir_perms;
	read_lnk_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
	mmap_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
	# execmod (make a modified private file mapping executable) is
	# granted only for textrel_shlib_t, i.e. libraries that carry text
	# relocations; plain lib_t libraries get mmap only.  The wider
	# lib_t grant is isolated in libs_legacy_use_shared_libs().
	allow $1 textrel_shlib_t:file execmod;
')

########################################
## <summary>
##	Load and execute functions from shared libraries,
##	with legacy support.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`libs_legacy_use_shared_libs',`
	gen_require(`
		type lib_t;
	')

	libs_use_shared_libs($1)
	# Extends execmod from textrel_shlib_t to every lib_t file.  This is
	# the legacy-compatibility widening; prefer labelling the specific
	# libraries textrel_shlib_t and using libs_use_shared_libs().
	allow $1 lib_t:file execmod;
')

########################################
## <summary>
##	Relabel to and from the type used for
##	shared libraries.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# cjp: added for prelink
interface(`libs_relabel_shared_libs',`
	gen_require(`
		type lib_t, textrel_shlib_t;
	')

	# Both directions, for both library file types.  Relabelling a file
	# to textrel_shlib_t is what makes it eligible for execmod under
	# libs_use_shared_libs(), so this is a sensitive grant.
	relabel_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
')

########################################
## <summary>
##	Create an object in lib directories, with
##	the shared libraries type using a type transition. (Deprecated)
## </summary>
## <desc>
##	<p>
##	This interface is deprecated and no longer grants any access
##	or declares a type transition; it only emits a refpolicywarn.
##	The warning names no replacement.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="object">
##	<summary>
##	The object class of the object being created.
##	</summary>
## </param>
#
interface(`lib_filetrans_shared_lib',`
	# Both parameters are ignored; nothing is required or granted.
	refpolicywarn(`$0($*) has been deprecated.')
')

########################################
## <summary>
##	Create an object in lib directories, with
##	the shared libraries type using a type transition. (Deprecated)
## </summary>
## <desc>
##	<p>
##	Create an object in lib directories, with
##	the shared libraries type using a type transition. (Deprecated)
##	</p>
##	<p>
##	lib_filetrans_shared_lib() was its successor but is itself
##	deprecated; both interfaces now only emit a refpolicywarn and
##	neither grants access or declares a type transition.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="object">
##	<summary>
##	The object class of the object being created.
##	</summary>
## </param>
#
interface(`files_lib_filetrans_shared_lib',`
	# Both parameters are ignored; nothing is required or granted.
	refpolicywarn(`$0($*) has been deprecated.')
')