[people/stevee/selinux-policy.git] / policy / modules / system / locallogin.if

## <summary>Policy for local logins.</summary>

########################################
## <summary>
##	Execute local logins in the local login domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`locallogin_domtrans',`
	gen_require(`
		type local_login_t;
	')

	auth_domtrans_login_program($1, local_login_t)

	ifdef(`enable_mcs',`
		auth_ranged_domtrans_login_program($1, local_login_t, s0 - mcs_systemhigh)
	')
')

########################################
## <summary>
##	Allow processes to inherit local login file descriptors.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`locallogin_use_fds',`
	gen_require(`
		type local_login_t;
	')

	allow $1 local_login_t:fd use;
')

########################################
## <summary>
##	Do not audit attempts to inherit local login file descriptors.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`locallogin_dontaudit_use_fds',`
	gen_require(`
		type local_login_t;
	')

	dontaudit $1 local_login_t:fd use;
')

########################################
## <summary>
##	Send a null signal to local login processes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`locallogin_signull',`
	gen_require(`
		type local_login_t;
	')

	allow $1 local_login_t:process signull;
')

########################################
## <summary>
##	Search for key.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`locallogin_search_keys',`
	gen_require(`
		type local_login_t;
	')

	allow $1 local_login_t:key search;
')

########################################
## <summary>
##	Allow link to the local_login key ring.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`locallogin_link_keys',`
	gen_require(`
		type local_login_t;
	')

	allow $1 local_login_t:key link;
')

########################################
## <summary>
##	Execute local logins in the local login domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`locallogin_domtrans_sulogin',`
	gen_require(`
		type sulogin_exec_t, sulogin_t;
	')

	domtrans_pattern($1, sulogin_exec_t, sulogin_t)
')
Commit	Line	Data
3865d6b9	1	## <summary>Policy for local logins.</summary>
07efe969	2
3865d6b9	3	########################################
fd89e19f CP	4	## <summary>
	5	## Execute local logins in the local login domain.
	6	## </summary>
	7	## <param name="domain">
885b83ec	8	## <summary>
a0546c9d	9	## Domain allowed to transition.
885b83ec	10	## </summary>
fd89e19f	11	## </param>
07efe969	12	#
199895e2	13	interface(`locallogin_domtrans',`
139520a2 CP	14	gen_require(`
	15	type local_login_t;
	16	')
0c73cd25	17
3f67f722	18	auth_domtrans_login_program($1, local_login_t)
e070dd2d CP	19
e070dd2d CP	20	ifdef(`enable_mcs',`
3f67f722	21	auth_ranged_domtrans_login_program($1, local_login_t, s0 - mcs_systemhigh)
e070dd2d	22	')
07efe969 CP	23	')
07efe969 CP	24
3865d6b9	25	########################################
fd89e19f	26	## <summary>
605ba285	27	## Allow processes to inherit local login file descriptors.
fd89e19f CP	28	## </summary>
fd89e19f CP	29	## <param name="domain">
885b83ec	30	## <summary>
a0546c9d	31	## Domain allowed access.
885b83ec	32	## </summary>
fd89e19f	33	## </param>
3865d6b9	34	#
1c1ac67f	35	interface(`locallogin_use_fds',`
139520a2 CP	36	gen_require(`
139520a2 CP	37	type local_login_t;
139520a2	38	')
0c73cd25 CP	39
0c73cd25 CP	40	allow $1 local_login_t:fd use;
3ce6cb4a CP	41	')
3ce6cb4a CP	42
605ba285 CP	43	########################################
	44	## <summary>
	45	## Do not audit attempts to inherit local login file descriptors.
	46	## </summary>
	47	## <param name="domain">
885b83ec	48	## <summary>
605ba285	49	## Domain to not audit.
885b83ec	50	## </summary>
605ba285 CP	51	## </param>
605ba285 CP	52	#
1c1ac67f	53	interface(`locallogin_dontaudit_use_fds',`
605ba285 CP	54	gen_require(`
605ba285 CP	55	type local_login_t;
605ba285 CP	56	')
	57
	58	dontaudit $1 local_login_t:fd use;
	59	')
	60
fd89e19f CP	61	########################################
	62	## <summary>
	63	## Send a null signal to local login processes.
	64	## </summary>
	65	## <param name="domain">
885b83ec	66	## <summary>
fd89e19f	67	## Domain allowed access.
885b83ec	68	## </summary>
fd89e19f CP	69	## </param>
	70	#
	71	interface(`locallogin_signull',`
	72	gen_require(`
	73	type local_login_t;
fd89e19f CP	74	')
	75
	76	allow $1 local_login_t:process signull;
	77	')
d6d16b97 CP	78
	79	########################################
	80	## <summary>
	81	## Search for key.
	82	## </summary>
	83	## <param name="domain">
	84	## <summary>
	85	## Domain allowed access.
	86	## </summary>
	87	## </param>
	88	#
	89	interface(`locallogin_search_keys',`
	90	gen_require(`
	91	type local_login_t;
	92	')
	93
	94	allow $1 local_login_t:key search;
	95	')
	96
d6d16b97 CP	97	########################################
	98	## <summary>
	99	## Allow link to the local_login key ring.
	100	## </summary>
	101	## <param name="domain">
	102	## <summary>
	103	## Domain allowed access.
	104	## </summary>
	105	## </param>
	106	#
	107	interface(`locallogin_link_keys',`
	108	gen_require(`
	109	type local_login_t;
	110	')
	111
	112	allow $1 local_login_t:key link;
	113	')
d46cfe45 CP	114
	115	########################################
	116	## <summary>
	117	## Execute local logins in the local login domain.
	118	## </summary>
	119	## <param name="domain">
	120	## <summary>
a0546c9d	121	## Domain allowed to transition.
d46cfe45 CP	122	## </summary>
	123	## </param>
	124	#
	125	interface(`locallogin_domtrans_sulogin',`
	126	gen_require(`
	127	type sulogin_exec_t, sulogin_t;
	128	')
	129
3f67f722	130	domtrans_pattern($1, sulogin_exec_t, sulogin_t)
d46cfe45	131	')