git.ipfire.org Git - people/stevee/selinux-policy.git/blame - policy/modules/system/libraries.if
trunk: whitespace fixes
## <summary>Policy for system libraries.</summary>

########################################
## <summary>
##	Execute ldconfig in the ldconfig domain.
## </summary>
## <desc>
##	<p>
##	Lets the caller search the bin directories and run a
##	file labeled ldconfig_exec_t with a domain transition
##	to ldconfig_t. The caller does not run ldconfig in its
##	own domain through this interface.
##	</p>
##	<p>
##	This interface contains no role rule. A caller that
##	also needs ldconfig_t authorized for a role uses
##	libs_run_ldconfig() instead.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`libs_domtrans_ldconfig',`
	gen_require(`
		type ldconfig_t, ldconfig_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, ldconfig_exec_t, ldconfig_t)
')

########################################
## <summary>
##	Execute ldconfig in the ldconfig domain, and
##	allow the specified role the ldconfig domain.
## </summary>
## <desc>
##	<p>
##	Combines libs_domtrans_ldconfig() for the domain with a
##	role rule that associates ldconfig_t with the given
##	role.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to allow the ldconfig domain.
##	</summary>
## </param>
## <rolecap/>
#
interface(`libs_run_ldconfig',`
	gen_require(`
		type ldconfig_t;
	')

	libs_domtrans_ldconfig($1)
	role $2 types ldconfig_t;
')

########################################
## <summary>
##	Use the dynamic link/loader for automatic loading
##	of shared libraries.
## </summary>
## <desc>
##	<p>
##	Grants what a dynamically linked program needs to reach
##	the loader: listing etc and lib_t directories, reading
##	symbolic links labeled lib_t or ld_so_t, mapping files
##	labeled ld_so_t, and reading the loader cache
##	(ld_so_cache_t).
##	</p>
##	<p>
##	None of the rules written here uses a write or manage
##	permission set. Write access to the cache is a separate
##	interface, libs_rw_ld_so_cache().
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`libs_use_ld_so',`
	gen_require(`
		type lib_t, ld_so_t, ld_so_cache_t;
	')

	files_list_etc($1)
	allow $1 lib_t:dir list_dir_perms;

	read_lnk_files_pattern($1, lib_t, { lib_t ld_so_t })
	mmap_files_pattern($1, lib_t, ld_so_t)

	# the loader cache is read only in this interface
	allow $1 ld_so_cache_t:file read_file_perms;
')

########################################
## <summary>
##	Use the dynamic link/loader for automatic loading
##	of shared libraries with legacy support.
## </summary>
## <desc>
##	<p>
##	Everything granted by libs_use_ld_so(), plus execmod on
##	files labeled ld_so_t and execute on the loader cache
##	(ld_so_cache_t).
##	</p>
##	<p>
##	Review note: execmod permits making a file mapping
##	executable after it has been modified, as text
##	relocations require, and execute on the cache makes a
##	data file executable for the caller. Both weaken the
##	separation between writable and executable memory, so
##	prefer libs_use_ld_so() unless the domain is known to
##	need the legacy behaviour.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`libs_legacy_use_ld_so',`
	gen_require(`
		type ld_so_t, ld_so_cache_t;
	')

	libs_use_ld_so($1)
	# legacy additions on top of the normal loader access
	allow $1 ld_so_t:file execmod;
	allow $1 ld_so_cache_t:file execute;
')

########################################
## <summary>
##	Execute the dynamic link/loader in the caller's domain.
## </summary>
## <desc>
##	<p>
##	Lets the caller list lib_t directories, read symbolic
##	links labeled lib_t or ld_so_t, and execute files
##	labeled ld_so_t. No domain transition is declared here,
##	so the loader runs with the caller's own permissions.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`libs_exec_ld_so',`
	gen_require(`
		type lib_t, ld_so_t;
	')

	allow $1 lib_t:dir list_dir_perms;
	read_lnk_files_pattern($1, lib_t, { lib_t ld_so_t })
	exec_files_pattern($1, lib_t, ld_so_t)
')

########################################
## <summary>
##	Create, read, write, and delete the
##	dynamic link/loader.
## </summary>
## <desc>
##	<p>
##	Grants management of files labeled ld_so_t inside
##	lib_t directories.
##	</p>
##	<p>
##	Review note: the loader is mapped by the domains that
##	use libs_use_ld_so(), so a domain holding this access
##	can change code that those domains run. Keep the set
##	of callers small and audit them; the original comment
##	names prelink as the intended user.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# cjp: added for prelink
interface(`libs_manage_ld_so',`
	gen_require(`
		type lib_t, ld_so_t;
	')

	manage_files_pattern($1, lib_t, ld_so_t)
')

########################################
## <summary>
##	Relabel to and from the type used for
##	the dynamic link/loader.
## </summary>
## <desc>
##	<p>
##	Grants relabeling of files to and from ld_so_t inside
##	lib_t directories.
##	</p>
##	<p>
##	Review note: the label decides which rules apply to a
##	file, so the ability to label a file ld_so_t, or to
##	take that label away, is as sensitive as write access
##	to the loader. The original comment names prelink as
##	the intended user.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# cjp: added for prelink
interface(`libs_relabel_ld_so',`
	gen_require(`
		type lib_t, ld_so_t;
	')

	relabel_files_pattern($1, lib_t, ld_so_t)
')

########################################
## <summary>
##	Modify the dynamic link/loader's cached listing
##	of shared libraries.
## </summary>
## <desc>
##	<p>
##	Lets the caller list etc directories and read and
##	write files labeled ld_so_cache_t.
##	</p>
##	<p>
##	Review note: domains using libs_use_ld_so() read this
##	cache, so write access to it should be limited to the
##	tools that maintain it.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`libs_rw_ld_so_cache',`
	gen_require(`
		type ld_so_cache_t;
	')

	files_list_etc($1)
	allow $1 ld_so_cache_t:file rw_file_perms;
')

########################################
## <summary>
##	Search library directories.
## </summary>
## <desc>
##	<p>
##	Grants only search_dir_perms on directories labeled
##	lib_t. It grants no access to the files inside them;
##	use libs_read_lib_files() or libs_use_shared_libs()
##	for that.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`libs_search_lib',`
	gen_require(`
		type lib_t;
	')

	allow $1 lib_t:dir search_dir_perms;
')

########################################
## <summary>
##	Do not audit attempts to write to library directories.
## </summary>
## <desc>
##	<p>
##	Do not audit attempts to write to library directories.
##	Typically this is used to quiet attempts to recompile
##	python byte code.
##	</p>
##	<p>
##	Review note: a dontaudit rule does not grant the write,
##	the attempt is still denied. It only suppresses the
##	denial record, so write attempts against lib_t
##	directories from the given domain will not appear in
##	the audit log while this rule is loaded.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`libs_dontaudit_write_lib_dirs',`
	gen_require(`
		type lib_t;
	')

	dontaudit $1 lib_t:dir write;
')

########################################
## <summary>
##	Create, read, write, and delete library directories.
## </summary>
## <desc>
##	<p>
##	Grants manage_dir_perms on directories labeled lib_t.
##	Only the dir class is covered; files inside the
##	directories need libs_manage_lib_files() or
##	libs_manage_shared_libs().
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`libs_manage_lib_dirs',`
	gen_require(`
		type lib_t;
	')

	allow $1 lib_t:dir manage_dir_perms;
')

########################################
## <summary>
##	Read files in the library directories, such
##	as static libraries.
## </summary>
## <desc>
##	<p>
##	Lets the caller search usr, list lib_t directories,
##	and read files and symbolic links labeled lib_t. The
##	rules here are list and read patterns only; loading
##	the files as shared libraries is covered by
##	libs_use_shared_libs().
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`libs_read_lib_files',`
	gen_require(`
		type lib_t;
	')

	files_search_usr($1)
	list_dirs_pattern($1, lib_t, lib_t)
	read_files_pattern($1, lib_t, lib_t)
	read_lnk_files_pattern($1, lib_t, lib_t)
')

########################################
## <summary>
##	Execute library scripts in the caller domain.
## </summary>
## <desc>
##	<p>
##	Lets the caller search usr, list lib_t directories,
##	read lib_t symbolic links, and execute files labeled
##	lib_t. No domain transition is declared here, so the
##	executed file keeps the caller's permissions.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`libs_exec_lib_files',`
	gen_require(`
		type lib_t;
	')

	files_search_usr($1)
	allow $1 lib_t:dir list_dir_perms;
	read_lnk_files_pattern($1, lib_t, lib_t)
	exec_files_pattern($1, lib_t, lib_t)
')

########################################
## <summary>
##	Load and execute functions from generic
##	lib files as shared libraries. (Deprecated)
## </summary>
## <desc>
##	<p>
##	Deprecated wrapper: it emits a build-time warning and
##	then calls libs_use_shared_libs() with the same
##	domain. New policy should call libs_use_shared_libs()
##	directly.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`libs_use_lib_files',`
	refpolicywarn(`$0($*) has been deprecated, use libs_use_shared_libs() instead.')
	libs_use_shared_libs($1)
')

########################################
## <summary>
##	Create, read, write, and delete generic
##	files in library directories.
## </summary>
## <desc>
##	<p>
##	Grants management of files labeled lib_t inside lib_t
##	directories.
##	</p>
##	<p>
##	Review note: libs_use_shared_libs() lets domains map
##	lib_t files, so a domain that can rewrite those files
##	can change code other domains load. Restrict this to
##	trusted maintenance tools; the original comment names
##	prelink as the intended user.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# cjp: added for prelink
interface(`libs_manage_lib_files',`
	gen_require(`
		type lib_t;
	')

	manage_files_pattern($1, lib_t, lib_t)
')

########################################
## <summary>
##	Relabel files to the type used in library directories.
## </summary>
## <desc>
##	<p>
##	One-directional: files may be given the lib_t label
##	but this interface does not allow removing it. See
##	libs_relabel_lib_files() for both directions.
##	</p>
##	<p>
##	Review note: labeling a file lib_t makes it loadable
##	by every domain that uses libs_use_shared_libs(), so
##	the caller should be trusted to label only genuine
##	library content.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`libs_relabelto_lib_files',`
	gen_require(`
		type lib_t;
	')

	relabelto_files_pattern($1, lib_t, lib_t)
')

########################################
## <summary>
##	Relabel to and from the type used
##	for generic lib files.
## </summary>
## <desc>
##	<p>
##	Grants relabeling of files to and from lib_t inside
##	lib_t directories. The original comment names prelink
##	as the intended user.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# cjp: added for prelink
interface(`libs_relabel_lib_files',`
	gen_require(`
		type lib_t;
	')

	relabel_files_pattern($1, lib_t, lib_t)
')

########################################
## <summary>
##	Delete generic symlinks in library directories.
## </summary>
## <desc>
##	<p>
##	Grants deletion of symbolic links labeled lib_t inside
##	lib_t directories. It does not cover creating links or
##	deleting regular files.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# cjp: added for prelink
interface(`libs_delete_lib_symlinks',`
	gen_require(`
		type lib_t;
	')

	delete_lnk_files_pattern($1, lib_t, lib_t)
')

########################################
## <summary>
##	Create, read, write, and delete shared libraries.
## </summary>
## <desc>
##	<p>
##	Grants management of files labeled lib_t or
##	textrel_shlib_t inside lib_t directories.
##	</p>
##	<p>
##	Review note: these are the files that
##	libs_use_shared_libs() lets other domains map, so the
##	caller can change code that those domains load. The
##	original comment names prelink as the intended user.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# cjp: added for prelink
interface(`libs_manage_shared_libs',`
	gen_require(`
		type lib_t, textrel_shlib_t;
	')

	manage_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
')

########################################
## <summary>
##	Load and execute functions from shared libraries.
## </summary>
## <desc>
##	<p>
##	Lets the caller list usr and lib_t directories, read
##	symbolic links labeled lib_t or textrel_shlib_t, and
##	map files of both types.
##	</p>
##	<p>
##	The execmod permission (making a file mapping
##	executable after it has been modified, as text
##	relocations require) is granted only for files labeled
##	textrel_shlib_t, not for generic lib_t files.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`libs_use_shared_libs',`
	gen_require(`
		type lib_t, textrel_shlib_t;
	')

	files_list_usr($1)
	allow $1 lib_t:dir list_dir_perms;
	read_lnk_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
	mmap_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
	# execmod is limited to the text relocation library type
	allow $1 textrel_shlib_t:file execmod;
')

########################################
## <summary>
##	Load and execute functions from shared libraries,
##	with legacy support.
## </summary>
## <desc>
##	<p>
##	Everything granted by libs_use_shared_libs(), plus
##	execmod on files labeled lib_t.
##	</p>
##	<p>
##	Review note: this extends execmod from the dedicated
##	textrel_shlib_t type to every generic library file.
##	Where only a few libraries need text relocations,
##	labeling those files textrel_shlib_t and using
##	libs_use_shared_libs() keeps the grant narrower.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`libs_legacy_use_shared_libs',`
	gen_require(`
		type lib_t;
	')

	libs_use_shared_libs($1)
	# legacy addition: execmod on generic library files
	allow $1 lib_t:file execmod;
')

########################################
## <summary>
##	Relabel to and from the type used for
##	shared libraries.
## </summary>
## <desc>
##	<p>
##	Grants relabeling of files to and from lib_t and
##	textrel_shlib_t inside lib_t directories.
##	</p>
##	<p>
##	Review note: moving a file to textrel_shlib_t makes it
##	eligible for the execmod grant in
##	libs_use_shared_libs(), so the caller effectively
##	decides which libraries receive that permission. The
##	original comment names prelink as the intended user.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# cjp: added for prelink
interface(`libs_relabel_shared_libs',`
	gen_require(`
		type lib_t, textrel_shlib_t;
	')

	relabel_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
')

########################################
## <summary>
##	Create an object in lib directories, with
##	the shared libraries type using a type transition. (Deprecated)
## </summary>
## <desc>
##	<p>
##	Deprecated stub: the body only emits a build-time
##	warning. It declares no type transition and grants no
##	access, so policy that still calls it receives no
##	rules from this interface.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="object">
##	<summary>
##	The object class of the object being created.
##	Not used by the current body.
##	</summary>
## </param>
#
interface(`lib_filetrans_shared_lib',`
	refpolicywarn(`$0($*) has been deprecated.')
')

########################################
## <summary>
##	Create an object in lib directories, with
##	the shared libraries type using a type transition. (Deprecated)
## </summary>
## <desc>
##	<p>
##	Create an object in lib directories, with
##	the shared libraries type using a type transition. (Deprecated)
##	</p>
##	<p>
##	lib_filetrans_shared_lib() should be used instead.
##	</p>
##	<p>
##	Review note: the body only emits a build-time warning
##	and grants no access. lib_filetrans_shared_lib() in
##	this file is also a warning-only stub, so switching to
##	it does not restore a type transition.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="object">
##	<summary>
##	The object class of the object being created.
##	Not used by the current body.
##	</summary>
## </param>
#
interface(`files_lib_filetrans_shared_lib',`
	refpolicywarn(`$0($*) has been deprecated.')
')