1 ## <summary>Livecd tool for building alternate livecd for different os and policy versions.</summary>
2
########################################
## <summary>
##	Transition the calling domain into the livecd
##	domain when it executes the livecd program.
## </summary>
## <desc>
##	<p>
##	Requires livecd_t and livecd_exec_t and hands them to
##	domtrans_pattern() with the caller as the source domain.
##	No role statement is emitted by this interface; callers
##	that also need the role authorized for livecd_t should
##	use livecd_run() instead.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`livecd_domtrans',`
	gen_require(`
		type livecd_t;
		type livecd_exec_t;
	')

	domtrans_pattern($1, livecd_exec_t, livecd_t)
')
20
########################################
## <summary>
##	Run livecd in the livecd domain and authorize
##	the given role for the livecd domain.
## </summary>
## <desc>
##	<p>
##	In addition to the domain transition and the role
##	statement, this interface passes livecd_t and the role
##	to seutil_run_setfiles_mac() and, inside an optional
##	block, to mount_run(). Those interfaces are defined in
##	other modules; judging by their names they let livecd_t
##	run setfiles_mac and mount under the same role, which
##	should be confirmed against their definitions.
##	</p>
##	<p>
##	Review callers with that in mind: a role given this
##	interface receives more than access to livecd alone.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
#
interface(`livecd_run',`
	gen_require(`
		type livecd_t;
	')

	# Authorize the role for the target domain and allow the transition.
	role $2 types livecd_t;
	livecd_domtrans($1)

	# Helpers run from livecd_t under the same role.
	seutil_run_setfiles_mac(livecd_t, $2)

	# Only applied when the mount module is part of the policy.
	optional_policy(`
		mount_run(livecd_t, $2)
	')
')
51
########################################
## <summary>
##	Do not audit attempts to read and write
##	unix datagram sockets leaked by livecd.
## </summary>
## <desc>
##	<p>
##	This grants no access. It only silences the denial that
##	is produced when the domain touches a livecd_t unix
##	datagram socket, so the access is still refused but no
##	AVC record is written for it.
##	</p>
##	<p>
##	Because the denial is hidden from the audit log, rebuild
##	the policy with dontaudit rules disabled (semodule -DB)
##	when investigating unexpected behaviour in a domain that
##	uses this interface.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`livecd_dontaudit_leaks',`
	gen_require(`
		type livecd_t;
	')

	dontaudit $1 livecd_t:unix_dgram_socket { read write };
')
69
########################################
## <summary>
##	Read livecd temporary files.
## </summary>
## <desc>
##	<p>
##	Lets the domain search the tmp directory through
##	files_search_tmp() and applies read_files_pattern() with
##	livecd_tmp_t as both the directory type and the file
##	type. No write access is requested here; see
##	livecd_rw_tmp_files() for that.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`livecd_read_tmp_files',`
	gen_require(`
		type livecd_tmp_t;
	')

	# Reach the tmp directory, then read livecd_tmp_t files below it.
	files_search_tmp($1)
	read_files_pattern($1, livecd_tmp_t, livecd_tmp_t)
')
88
########################################
## <summary>
##	Read and write livecd temporary files.
## </summary>
## <desc>
##	<p>
##	Lets the domain search the tmp directory through
##	files_search_tmp() and applies rw_files_pattern() with
##	livecd_tmp_t as both the directory type and the file
##	type. Prefer livecd_read_tmp_files() for callers that
##	only need to read these files, since write access lets
##	the domain alter data that livecd itself consumes.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`livecd_rw_tmp_files',`
	gen_require(`
		type livecd_tmp_t;
	')

	# Reach the tmp directory, then read and write livecd_tmp_t files below it.
	files_search_tmp($1)
	rw_files_pattern($1, livecd_tmp_t, livecd_tmp_t)
')
107
########################################
## <summary>
##	Allow read and write access to livecd semaphores.
## </summary>
## <desc>
##	<p>
##	Grants the domain the associate, read, write, unix_read
##	and unix_write permissions on semaphores labeled
##	livecd_t. Only the permissions listed in the rule are
##	allowed; nothing else in the sem class is granted.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`livecd_rw_semaphores',`
	gen_require(`
		type livecd_t;
	')

	allow $1 livecd_t:sem { associate read write unix_read unix_write };
')