2 ## Basic filesystem types and interfaces.
6 ## This module contains basic filesystem types and interfaces. This
9 ## <li>The concept of different file types including basic
10 ## files, mount points, tmp files, etc.</li>
11 ## <li>Access to groups of files and all files.</li>
12 ## <li>Types and interfaces for the basic filesystem layout
13 ## (/, /etc, /tmp, /usr, etc.).</li>
17 ## <required val="true">
18 ## Contains the concept of a file.
19 ## Comains the file initial SID.
22 ########################################
24 ## Make the specified type usable for files
29 ## Make the specified type usable for files
30 ## in a filesystem. Types used for files that
31 ## do not use this interface, or an interface that
32 ## calls this one, will have unexpected behaviors
33 ## while the system is running. If the type is used
34 ## for device nodes (character or block files), then
35 ## the dev_node() interface is more appropriate.
38 ## Related interfaces:
41 ## <li>application_domain()</li>
42 ## <li>application_executable_file()</li>
43 ## <li>corecmd_executable_file()</li>
44 ## <li>init_daemon_domain()</li>
45 ## <li>init_domaion()</li>
46 ## <li>init_ranged_daemon_domain()</li>
47 ## <li>init_ranged_domain()</li>
48 ## <li>init_ranged_system_domain()</li>
49 ## <li>init_script_file()</li>
50 ## <li>init_script_domain()</li>
51 ## <li>init_system_domain()</li>
52 ## <li>files_config_files()</li>
53 ## <li>files_lock_file()</li>
54 ## <li>files_mountpoint()</li>
55 ## <li>files_pid_file()</li>
56 ## <li>files_security_file()</li>
57 ## <li>files_security_mountpoint()</li>
58 ## <li>files_tmp_file()</li>
59 ## <li>files_tmpfs_file()</li>
60 ## <li>logging_log_file()</li>
61 ## <li>userdom_user_home_content()</li>
68 ## files_type(myfile_t)
69 ## allow mydomain_t myfile_t:file read_file_perms;
72 ## <param name="type">
74 ## Type to be used for files.
77 ## <infoflow type="none"/>
79 interface(`files_type',`
81 attribute file_type, non_security_file_type;
84 typeattribute $1 file_type, non_security_file_type;
87 ########################################
89 ## Make the specified type a file that
90 ## should not be dontaudited from
91 ## browsing from user domains.
93 ## <param name="file_type">
95 ## Type of the file to be used as a
100 interface(`files_security_file',`
102 attribute file_type, security_file_type;
105 typeattribute $1 file_type, security_file_type;
108 ########################################
110 ## Make the specified type usable for
113 ## <param name="type">
115 ## Type to be used for lock files.
119 interface(`files_lock_file',`
125 typeattribute $1 lockfile;
128 ########################################
130 ## Make the specified type usable for
131 ## filesystem mount points.
133 ## <param name="type">
135 ## Type to be used for mount points.
139 interface(`files_mountpoint',`
141 attribute mountpoint;
145 typeattribute $1 mountpoint;
148 ########################################
150 ## Make the specified type usable for
151 ## security file filesystem mount points.
153 ## <param name="type">
155 ## Type to be used for mount points.
159 interface(`files_security_mountpoint',`
161 attribute mountpoint;
164 files_security_file($1)
165 typeattribute $1 mountpoint;
168 ########################################
170 ## Make the specified type usable for
171 ## runtime process ID files.
175 ## Make the specified type usable for runtime process ID files,
176 ## typically found in /var/run.
177 ## This will also make the type usable for files, making
178 ## calls to files_type() redundant. Failure to use this interface
179 ## for a PID file type may result in problems with starting
180 ## or stopping services.
183 ## Related interfaces:
186 ## <li>files_pid_filetrans()</li>
189 ## Example usage with a domain that can create and
190 ## write its PID file with a private PID file type in the
191 ## /var/run directory:
195 ## files_pid_file(mypidfile_t)
196 ## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms };
197 ## files_pid_filetrans(mydomain_t, mypidfile_t, file)
200 ## <param name="type">
202 ## Type to be used for PID files.
205 ## <infoflow type="none"/>
207 interface(`files_pid_file',`
213 typeattribute $1 pidfile;
216 ########################################
218 ## Make the specified type a
219 ## configuration file.
223 ## Make the specified type usable for configuration files.
224 ## This will also make the type usable for files, making
225 ## calls to files_type() redundant. Failure to use this interface
226 ## for a temporary file may result in problems with
227 ## configuration management tools.
230 ## Example usage with a domain that can read
231 ## its configuration file /etc:
234 ## type myconffile_t;
235 ## files_config_file(myconffile_t)
236 ## allow mydomain_t myconffile_t:file read_file_perms;
237 ## files_search_etc(mydomain_t)
240 ## <param name="file_type">
242 ## Type to be used as a configuration file.
245 ## <infoflow type="none"/>
247 interface(`files_config_file',`
249 attribute configfile;
252 typeattribute $1 configfile;
255 ########################################
257 ## Make the specified type a
258 ## polyinstantiated directory.
260 ## <param name="file_type">
262 ## Type of the file to be used as a
263 ## polyinstantiated directory.
267 interface(`files_poly',`
273 typeattribute $1 polydir;
276 ########################################
278 ## Make the specified type a parent
279 ## of a polyinstantiated directory.
281 ## <param name="file_type">
283 ## Type of the file to be used as a
288 interface(`files_poly_parent',`
290 attribute polyparent;
294 typeattribute $1 polyparent;
297 ########################################
299 ## Make the specified type a
300 ## polyinstantiation member directory.
302 ## <param name="file_type">
304 ## Type of the file to be used as a
309 interface(`files_poly_member',`
311 attribute polymember;
315 typeattribute $1 polymember;
318 ########################################
320 ## Make the domain use the specified
321 ## type of polyinstantiated directory.
323 ## <param name="domain">
325 ## Domain using the polyinstantiated
329 ## <param name="file_type">
331 ## Type of the file to be used as a
336 interface(`files_poly_member_tmp',`
341 type_member $1 tmp_t:dir $2;
344 ########################################
346 ## Make the specified type a file
347 ## used for temporary files.
351 ## Make the specified type usable for temporary files.
352 ## This will also make the type usable for files, making
353 ## calls to files_type() redundant. Failure to use this interface
354 ## for a temporary file may result in problems with
355 ## purging temporary files.
358 ## Related interfaces:
361 ## <li>files_tmp_filetrans()</li>
364 ## Example usage with a domain that can create and
365 ## write its temporary file in the system temporary file
366 ## directories (/tmp or /var/tmp):
370 ## files_tmp_file(mytmpfile_t)
371 ## allow mydomain_t mytmpfile_t:file { create_file_perms write_file_perms };
372 ## files_tmp_filetrans(mydomain_t, mytmpfile_t, file)
375 ## <param name="file_type">
377 ## Type of the file to be used as a
381 ## <infoflow type="none"/>
383 interface(`files_tmp_file',`
390 files_poly_member($1)
391 typeattribute $1 tmpfile;
394 ########################################
396 ## Transform the type into a file, for use on a
397 ## virtual memory filesystem (tmpfs).
399 ## <param name="type">
401 ## The type to be transformed.
405 interface(`files_tmpfs_file',`
411 typeattribute $1 tmpfsfile;
414 ########################################
416 ## Get the attributes of all directories.
418 ## <param name="domain">
420 ## Domain allowed access.
424 interface(`files_getattr_all_dirs',`
429 getattr_dirs_pattern($1, file_type, file_type)
432 ########################################
434 ## Do not audit attempts to get the attributes
435 ## of all directories.
437 ## <param name="domain">
439 ## Domain to not audit.
443 interface(`files_dontaudit_getattr_all_dirs',`
448 dontaudit $1 file_type:dir getattr;
451 ########################################
453 ## List all non-security directories.
455 ## <param name="domain">
457 ## Domain allowed access.
461 interface(`files_list_non_security',`
463 attribute non_security_file_type;
466 list_dirs_pattern($1, non_security_file_type, non_security_file_type)
469 ########################################
471 ## Do not audit attempts to list all
472 ## non-security directories.
474 ## <param name="domain">
476 ## Domain to not audit.
480 interface(`files_dontaudit_list_non_security',`
482 attribute non_security_file_type;
485 dontaudit $1 non_security_file_type:dir list_dir_perms;
488 ########################################
490 ## Mount a filesystem on all non-security
491 ## directories and files.
493 ## <param name="domain">
495 ## Domain allowed access.
499 interface(`files_mounton_non_security',`
501 attribute non_security_file_type;
504 allow $1 non_security_file_type:dir mounton;
505 allow $1 non_security_file_type:file mounton;
508 ########################################
510 ## Allow attempts to modify any directory
512 ## <param name="domain">
514 ## Domain allowed access.
518 interface(`files_write_non_security_dirs',`
520 attribute non_security_file_type;
523 allow $1 non_security_file_type:dir write;
526 ########################################
528 ## Allow attempts to manage non-security directories
530 ## <param name="domain">
532 ## Domain allowed access.
536 interface(`files_manage_non_security_dirs',`
538 attribute non_security_file_type;
541 allow $1 non_security_file_type:dir manage_dir_perms;
544 ########################################
546 ## Get the attributes of all files.
548 ## <param name="domain">
550 ## Domain allowed access.
554 interface(`files_getattr_all_files',`
559 getattr_files_pattern($1, file_type, file_type)
560 getattr_lnk_files_pattern($1, file_type, file_type)
563 ########################################
565 ## Do not audit attempts to get the attributes
568 ## <param name="domain">
570 ## Domain to not audit.
574 interface(`files_dontaudit_getattr_all_files',`
579 dontaudit $1 file_type:file getattr;
582 ########################################
584 ## Do not audit attempts to get the attributes
585 ## of non security files.
587 ## <param name="domain">
589 ## Domain to not audit.
593 interface(`files_dontaudit_getattr_non_security_files',`
595 attribute non_security_file_type;
598 dontaudit $1 non_security_file_type:file getattr;
601 ########################################
605 ## <param name="domain">
607 ## Domain allowed access.
611 interface(`files_read_all_files',`
616 allow $1 file_type:dir list_dir_perms;
617 read_files_pattern($1, file_type, file_type)
624 ########################################
626 ## Allow shared library text relocations in all files.
630 ## Allow shared library text relocations in all files.
633 ## This is added to support WINE policy.
636 ## <param name="domain">
638 ## Domain allowed access.
642 interface(`files_execmod_all_files',`
647 allow $1 file_type:file execmod;
650 ########################################
652 ## Read all non-security files.
654 ## <param name="domain">
656 ## Domain allowed access.
661 interface(`files_read_non_security_files',`
663 attribute non_security_file_type;
666 read_files_pattern($1, non_security_file_type, non_security_file_type)
667 read_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
670 ########################################
672 ## Read all directories on the filesystem, except
673 ## the listed exceptions.
675 ## <param name="domain">
677 ## Domain allowed access.
680 ## <param name="exception_types" optional="true">
682 ## The types to be excluded. Each type or attribute
683 ## must be negated by the caller.
687 interface(`files_read_all_dirs_except',`
692 allow $1 { file_type $2 }:dir list_dir_perms;
695 ########################################
697 ## Read all files on the filesystem, except
698 ## the listed exceptions.
700 ## <param name="domain">
702 ## Domain allowed access.
705 ## <param name="exception_types" optional="true">
707 ## The types to be excluded. Each type or attribute
708 ## must be negated by the caller.
712 interface(`files_read_all_files_except',`
717 read_files_pattern($1, { file_type $2 }, { file_type $2 })
720 ########################################
722 ## Read all symbolic links on the filesystem, except
723 ## the listed exceptions.
725 ## <param name="domain">
727 ## Domain allowed access.
730 ## <param name="exception_types" optional="true">
732 ## The types to be excluded. Each type or attribute
733 ## must be negated by the caller.
737 interface(`files_read_all_symlinks_except',`
742 read_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
745 ########################################
747 ## Get the attributes of all symbolic links.
749 ## <param name="domain">
751 ## Domain allowed access.
755 interface(`files_getattr_all_symlinks',`
760 getattr_lnk_files_pattern($1, file_type, file_type)
763 ########################################
765 ## Do not audit attempts to get the attributes
766 ## of all symbolic links.
768 ## <param name="domain">
770 ## Domain to not audit.
774 interface(`files_dontaudit_getattr_all_symlinks',`
779 dontaudit $1 file_type:lnk_file getattr;
782 ########################################
784 ## Do not audit attempts to read all symbolic links.
786 ## <param name="domain">
788 ## Domain to not audit.
792 interface(`files_dontaudit_read_all_symlinks',`
797 dontaudit $1 file_type:lnk_file read;
800 ########################################
802 ## Do not audit attempts to get the attributes
803 ## of non security symbolic links.
805 ## <param name="domain">
807 ## Domain to not audit.
811 interface(`files_dontaudit_getattr_non_security_symlinks',`
813 attribute non_security_file_type;
816 dontaudit $1 non_security_file_type:lnk_file getattr;
819 ########################################
821 ## Do not audit attempts to get the attributes
822 ## of non security block devices.
824 ## <param name="domain">
826 ## Domain to not audit.
830 interface(`files_dontaudit_getattr_non_security_blk_files',`
832 attribute non_security_file_type;
835 dontaudit $1 non_security_file_type:blk_file getattr;
838 ########################################
840 ## Do not audit attempts to get the attributes
841 ## of non security character devices.
843 ## <param name="domain">
845 ## Domain to not audit.
849 interface(`files_dontaudit_getattr_non_security_chr_files',`
851 attribute non_security_file_type;
854 dontaudit $1 non_security_file_type:chr_file getattr;
857 ########################################
859 ## Read all symbolic links.
861 ## <param name="domain">
863 ## Domain allowed access.
868 interface(`files_read_all_symlinks',`
873 allow $1 file_type:dir list_dir_perms;
874 read_lnk_files_pattern($1, file_type, file_type)
877 ########################################
879 ## Get the attributes of all named pipes.
881 ## <param name="domain">
883 ## Domain allowed access.
887 interface(`files_getattr_all_pipes',`
892 allow $1 file_type:dir list_dir_perms;
893 getattr_fifo_files_pattern($1, file_type, file_type)
896 ########################################
898 ## Do not audit attempts to get the attributes
899 ## of all named pipes.
901 ## <param name="domain">
903 ## Domain to not audit.
907 interface(`files_dontaudit_getattr_all_pipes',`
912 dontaudit $1 file_type:fifo_file getattr;
915 ########################################
917 ## Do not audit attempts to get the attributes
918 ## of non security named pipes.
920 ## <param name="domain">
922 ## Domain to not audit.
926 interface(`files_dontaudit_getattr_non_security_pipes',`
928 attribute non_security_file_type;
931 dontaudit $1 non_security_file_type:fifo_file getattr;
934 ########################################
936 ## Get the attributes of all named sockets.
938 ## <param name="domain">
940 ## Domain allowed access.
944 interface(`files_getattr_all_sockets',`
949 allow $1 file_type:dir list_dir_perms;
950 getattr_sock_files_pattern($1, file_type, file_type)
953 ########################################
955 ## Do not audit attempts to get the attributes
956 ## of all named sockets.
958 ## <param name="domain">
960 ## Domain to not audit.
964 interface(`files_dontaudit_getattr_all_sockets',`
969 dontaudit $1 file_type:sock_file getattr;
972 ########################################
974 ## Do not audit attempts to get the attributes
975 ## of non security named sockets.
977 ## <param name="domain">
979 ## Domain to not audit.
983 interface(`files_dontaudit_getattr_non_security_sockets',`
985 attribute non_security_file_type;
988 dontaudit $1 non_security_file_type:sock_file getattr;
991 ########################################
993 ## Read all block nodes with file types.
995 ## <param name="domain">
997 ## Domain allowed access.
1001 interface(`files_read_all_blk_files',`
1003 attribute file_type;
1006 read_blk_files_pattern($1, file_type, file_type)
1009 ########################################
1011 ## Read all character nodes with file types.
1013 ## <param name="domain">
1015 ## Domain allowed access.
1019 interface(`files_read_all_chr_files',`
1021 attribute file_type;
1024 read_chr_files_pattern($1, file_type, file_type)
1027 ########################################
1029 ## Relabel all files on the filesystem, except
1030 ## the listed exceptions.
1032 ## <param name="domain">
1034 ## Domain allowed access.
1037 ## <param name="exception_types" optional="true">
1039 ## The types to be excluded. Each type or attribute
1040 ## must be negated by the caller.
1045 interface(`files_relabel_all_files',`
1047 attribute file_type;
1050 allow $1 { file_type $2 }:dir list_dir_perms;
1051 relabel_dirs_pattern($1, { file_type $2 }, { file_type $2 })
1052 relabel_files_pattern($1, { file_type $2 }, { file_type $2 })
1053 relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
1054 relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
1055 relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
1056 relabel_blk_files_pattern($1, { file_type $2 }, { file_type $2 })
1057 relabel_chr_files_pattern($1, { file_type $2 }, { file_type $2 })
1059 # satisfy the assertions:
1060 seutil_relabelto_bin_policy($1)
1063 ########################################
1065 ## rw all files on the filesystem, except
1066 ## the listed exceptions.
1068 ## <param name="domain">
1070 ## Domain allowed access.
1073 ## <param name="exception_types" optional="true">
1075 ## The types to be excluded. Each type or attribute
1076 ## must be negated by the caller.
1081 interface(`files_rw_all_files',`
1083 attribute file_type;
1086 rw_files_pattern($1, { file_type $2 }, { file_type $2 })
1089 ########################################
1091 ## Manage all files on the filesystem, except
1092 ## the listed exceptions.
1094 ## <param name="domain">
1096 ## Domain allowed access.
1099 ## <param name="exception_types" optional="true">
1101 ## The types to be excluded. Each type or attribute
1102 ## must be negated by the caller.
1107 interface(`files_manage_all_files',`
1109 attribute file_type;
1112 manage_dirs_pattern($1, { file_type $2 }, { file_type $2 })
1113 manage_files_pattern($1, { file_type $2 }, { file_type $2 })
1114 manage_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
1115 manage_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
1116 manage_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
1118 # satisfy the assertions:
1119 seutil_create_bin_policy($1)
1120 files_manage_kernel_modules($1)
1123 ########################################
1125 ## Search the contents of all directories on
1126 ## extended attribute filesystems.
1128 ## <param name="domain">
1130 ## Domain allowed access.
1134 interface(`files_search_all',`
1136 attribute file_type;
1139 allow $1 file_type:dir search_dir_perms;
1142 ########################################
1144 ## List the contents of all directories on
1145 ## extended attribute filesystems.
1147 ## <param name="domain">
1149 ## Domain allowed access.
1153 interface(`files_list_all',`
1155 attribute file_type;
1158 allow $1 file_type:dir list_dir_perms;
1161 ########################################
1163 ## Do not audit attempts to search the
1164 ## contents of any directories on extended
1165 ## attribute filesystems.
1167 ## <param name="domain">
1169 ## Domain to not audit.
1173 interface(`files_dontaudit_search_all_dirs',`
1175 attribute file_type;
1178 dontaudit $1 file_type:dir search_dir_perms;
1181 ########################################
1183 ## Get the attributes of all filesystems
1184 ## with the type of a file.
1186 ## <param name="domain">
1188 ## Domain allowed access.
1192 # dwalsh: This interface is to allow quotacheck to work on a
1193 # a filesystem mounted with the --context switch
1194 # https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=212957
1196 interface(`files_getattr_all_file_type_fs',`
1198 attribute file_type;
1201 allow $1 file_type:filesystem getattr;
1204 ########################################
1206 ## Relabel a filesystem to the type of a file.
1208 ## <param name="domain">
1210 ## Domain allowed access.
1214 interface(`files_relabelto_all_file_type_fs',`
1216 attribute file_type;
1219 allow $1 file_type:filesystem relabelto;
1222 ########################################
1224 ## Relabel a filesystem to the type of a file.
1226 ## <param name="domain">
1228 ## Domain allowed access.
1232 interface(`files_relabel_all_file_type_fs',`
1234 attribute file_type;
1237 allow $1 file_type:filesystem { relabelfrom relabelto };
1240 ########################################
1242 ## Mount all filesystems with the type of a file.
1244 ## <param name="domain">
1246 ## Domain allowed access.
1250 interface(`files_mount_all_file_type_fs',`
1252 attribute file_type;
1255 allow $1 file_type:filesystem mount;
1258 ########################################
1260 ## Unmount all filesystems with the type of a file.
1262 ## <param name="domain">
1264 ## Domain allowed access.
1268 interface(`files_unmount_all_file_type_fs',`
1270 attribute file_type;
1273 allow $1 file_type:filesystem unmount;
1276 #############################################
1278 ## Manage all configuration directories on filesystem
1280 ## <param name="domain">
1282 ## Domain allowed access.
1287 interface(`files_manage_config_dirs',`
1289 attribute configfile;
1292 manage_dirs_pattern($1, configfile, configfile)
1295 #########################################
1297 ## Relabel configuration directories
1299 ## <param name="domain">
1301 ## Domain allowed access.
1306 interface(`files_relabel_config_dirs',`
1308 attribute configfile;
1311 relabel_dirs_pattern($1, configfile, configfile)
1314 ########################################
1316 ## Read config files in /etc.
1318 ## <param name="domain">
1320 ## Domain allowed access.
1324 interface(`files_read_config_files',`
1326 attribute configfile;
1329 allow $1 configfile:dir list_dir_perms;
1330 read_files_pattern($1, configfile, configfile)
1331 read_lnk_files_pattern($1, configfile, configfile)
1334 ###########################################
1336 ## Manage all configuration files on filesystem
1338 ## <param name="domain">
1340 ## Domain allowed access.
1345 interface(`files_manage_config_files',`
1347 attribute configfile;
1350 manage_files_pattern($1, configfile, configfile)
1353 #######################################
1355 ## Relabel configuration files
1357 ## <param name="domain">
1359 ## Domain allowed access.
1364 interface(`files_relabel_config_files',`
1366 attribute configfile;
1369 relabel_files_pattern($1, configfile, configfile)
1372 ########################################
1374 ## Mount a filesystem on all mount points.
1376 ## <param name="domain">
1378 ## Domain allowed access.
1382 interface(`files_mounton_all_mountpoints',`
1384 attribute mountpoint;
1387 allow $1 mountpoint:dir { search_dir_perms mounton };
1388 allow $1 mountpoint:file { getattr mounton };
1391 ########################################
1393 ## Get the attributes of all mount points.
1395 ## <param name="domain">
1397 ## Domain allowed access.
1401 interface(`files_getattr_all_mountpoints',`
1403 attribute mountpoint;
1406 allow $1 mountpoint:dir getattr;
1409 ########################################
1411 ## Search all mount points.
1413 ## <param name="domain">
1415 ## Domain allowed access.
1419 interface(`files_search_all_mountpoints',`
1421 attribute mountpoint;
1424 allow $1 mountpoint:dir search_dir_perms;
1427 ########################################
1429 ## Do not audit searching of all mount points.
1431 ## <param name="domain">
1433 ## Domain to not audit.
1437 interface(`files_dontaudit_search_all_mountpoints',`
1439 attribute mountpoint;
1442 dontaudit $1 mountpoint:dir search_dir_perms;
1445 ########################################
1447 ## Do not audit listing of all mount points.
1449 ## <param name="domain">
1451 ## Domain to not audit.
1455 interface(`files_dontaudit_list_all_mountpoints',`
1457 attribute mountpoint;
1460 dontaudit $1 mountpoint:dir list_dir_perms;
1463 ########################################
1465 ## Write all mount points.
1467 ## <param name="domain">
1469 ## Domain allowed access.
1473 interface(`files_write_all_mountpoints',`
1475 attribute mountpoint;
1478 allow $1 mountpoint:dir write;
1481 ########################################
1483 ## List the contents of the root directory.
1485 ## <param name="domain">
1487 ## Domain allowed access.
1491 interface(`files_list_root',`
1496 allow $1 root_t:dir list_dir_perms;
1497 allow $1 root_t:lnk_file { read_lnk_file_perms ioctl lock };
1500 ########################################
1502 ## Do not audit attempts to write
1503 ## files in the root directory.
1505 ## <param name="domain">
1507 ## Domain to not audit.
1511 interface(`files_dontaudit_rw_root_dir',`
1516 dontaudit $1 root_t:dir rw_dir_perms;
1519 ########################################
1521 ## Create an object in the root directory, with a private
1522 ## type using a type transition.
1524 ## <param name="domain">
1526 ## Domain allowed access.
1529 ## <param name="private type">
1531 ## The type of the object to be created.
1534 ## <param name="object">
1536 ## The object class of the object being created.
1540 interface(`files_root_filetrans',`
1545 filetrans_pattern($1, root_t, $2, $3)
1548 ########################################
1550 ## Do not audit attempts to read files in
1551 ## the root directory.
1553 ## <param name="domain">
1555 ## Domain to not audit.
1559 interface(`files_dontaudit_read_root_files',`
1564 dontaudit $1 root_t:file { getattr read };
1567 ########################################
1569 ## Do not audit attempts to read or write
1570 ## files in the root directory.
1572 ## <param name="domain">
1574 ## Domain to not audit.
1578 interface(`files_dontaudit_rw_root_files',`
1583 dontaudit $1 root_t:file { read write };
1586 ########################################
1588 ## Do not audit attempts to read or write
1589 ## character device nodes in the root directory.
1591 ## <param name="domain">
1593 ## Domain to not audit.
1597 interface(`files_dontaudit_rw_root_chr_files',`
1602 dontaudit $1 root_t:chr_file { read write };
1605 ########################################
1607 ## Delete files in the root directory.
1609 ## <param name="domain">
1611 ## Domain allowed access.
1615 interface(`files_delete_root_files',`
1620 allow $1 root_t:file unlink;
1623 ########################################
1625 ## Remove entries from the root directory.
1627 ## <param name="domain">
1629 ## Domain allowed access.
1633 interface(`files_delete_root_dir_entry',`
1638 allow $1 root_t:dir rw_dir_perms;
1641 ########################################
1643 ## Unmount a rootfs filesystem.
1645 ## <param name="domain">
1647 ## Domain allowed access.
1651 interface(`files_unmount_rootfs',`
1656 allow $1 root_t:filesystem unmount;
1659 ########################################
1661 ## Get attributes of the /boot directory.
1663 ## <param name="domain">
1665 ## Domain allowed access.
1669 interface(`files_getattr_boot_dirs',`
1674 allow $1 boot_t:dir getattr;
1677 ########################################
1679 ## Do not audit attempts to get attributes
1680 ## of the /boot directory.
1682 ## <param name="domain">
1684 ## Domain to not audit.
1688 interface(`files_dontaudit_getattr_boot_dirs',`
1693 dontaudit $1 boot_t:dir getattr;
1696 ########################################
1698 ## Search the /boot directory.
1700 ## <param name="domain">
1702 ## Domain allowed access.
1706 interface(`files_search_boot',`
1711 allow $1 boot_t:dir search_dir_perms;
1714 ########################################
1716 ## Do not audit attempts to search the /boot directory.
1718 ## <param name="domain">
1720 ## Domain to not audit.
1724 interface(`files_dontaudit_search_boot',`
1729 dontaudit $1 boot_t:dir search_dir_perms;
1732 ########################################
1734 ## List the /boot directory.
1736 ## <param name="domain">
1738 ## Domain allowed access.
1742 interface(`files_list_boot',`
1747 allow $1 boot_t:dir list_dir_perms;
1750 ########################################
1752 ## Create directories in /boot
1754 ## <param name="domain">
1756 ## Domain allowed access.
1760 interface(`files_create_boot_dirs',`
1765 allow $1 boot_t:dir { create rw_dir_perms };
1768 ########################################
1770 ## Create, read, write, and delete
1771 ## directories in /boot.
1773 ## <param name="domain">
1775 ## Domain allowed access.
1779 interface(`files_manage_boot_dirs',`
1784 allow $1 boot_t:dir manage_dir_perms;
1787 ########################################
1789 ## Create a private type object in boot
1790 ## with an automatic type transition
1792 ## <param name="domain">
1794 ## Domain allowed access.
1797 ## <param name="private_type">
1799 ## The type of the object to be created.
1802 ## <param name="object_class">
1804 ## The object class of the object being created.
1808 interface(`files_boot_filetrans',`
1813 filetrans_pattern($1, boot_t, $2, $3)
1816 ########################################
1818 ## read files in the /boot directory.
1820 ## <param name="domain">
1822 ## Domain allowed access.
1827 interface(`files_read_boot_files',`
1832 read_files_pattern($1, boot_t, boot_t)
1835 ########################################
1837 ## Create, read, write, and delete files
1838 ## in the /boot directory.
1840 ## <param name="domain">
1842 ## Domain allowed access.
1847 interface(`files_manage_boot_files',`
1852 manage_files_pattern($1, boot_t, boot_t)
1855 ########################################
1857 ## Relabel from files in the /boot directory.
1859 ## <param name="domain">
1861 ## Domain allowed access.
1865 interface(`files_relabelfrom_boot_files',`
1870 relabelfrom_files_pattern($1, boot_t, boot_t)
1873 ########################################
1875 ## Read and write symbolic links
1876 ## in the /boot directory.
1878 ## <param name="domain">
1880 ## Domain allowed access.
1884 interface(`files_rw_boot_symlinks',`
1889 allow $1 boot_t:dir list_dir_perms;
1890 rw_lnk_files_pattern($1, boot_t, boot_t)
1893 ########################################
1895 ## Create, read, write, and delete symbolic links
1896 ## in the /boot directory.
1898 ## <param name="domain">
1900 ## Domain allowed access.
1904 interface(`files_manage_boot_symlinks',`
1909 manage_lnk_files_pattern($1, boot_t, boot_t)
1912 ########################################
1914 ## Read kernel files in the /boot directory.
1916 ## <param name="domain">
1918 ## Domain allowed access.
1922 interface(`files_read_kernel_img',`
1927 allow $1 boot_t:dir list_dir_perms;
1928 read_files_pattern($1, boot_t, boot_t)
1929 read_lnk_files_pattern($1, boot_t, boot_t)
1932 ########################################
1934 ## Install a kernel into the /boot directory.
1936 ## <param name="domain">
1938 ## Domain allowed access.
1943 interface(`files_create_kernel_img',`
1948 allow $1 boot_t:file { create_file_perms rw_file_perms };
1949 manage_lnk_files_pattern($1, boot_t, boot_t)
1952 ########################################
1954 ## Delete a kernel from /boot.
1956 ## <param name="domain">
1958 ## Domain allowed access.
1963 interface(`files_delete_kernel',`
1968 delete_files_pattern($1, boot_t, boot_t)
1971 ########################################
1973 ## Getattr of directories with the default file type.
1975 ## <param name="domain">
1977 ## Domain allowed access.
1981 interface(`files_getattr_default_dirs',`
1986 allow $1 default_t:dir getattr;
1989 ########################################
1991 ## Do not audit attempts to get the attributes of
1992 ## directories with the default file type.
1994 ## <param name="domain">
1996 ## Domain to not audit.
2000 interface(`files_dontaudit_getattr_default_dirs',`
2005 dontaudit $1 default_t:dir getattr;
2008 ########################################
2010 ## Search the contents of directories with the default file type.
2012 ## <param name="domain">
2014 ## Domain allowed access.
2018 interface(`files_search_default',`
2023 allow $1 default_t:dir search_dir_perms;
2026 ########################################
2028 ## List contents of directories with the default file type.
2030 ## <param name="domain">
2032 ## Domain allowed access.
2036 interface(`files_list_default',`
2041 allow $1 default_t:dir list_dir_perms;
2044 ########################################
2046 ## Do not audit attempts to list contents of
2047 ## directories with the default file type.
2049 ## <param name="domain">
2051 ## Domain to not audit.
2055 interface(`files_dontaudit_list_default',`
2060 dontaudit $1 default_t:dir list_dir_perms;
2063 ########################################
2065 ## Create, read, write, and delete directories with
2066 ## the default file type.
2068 ## <param name="domain">
2070 ## Domain allowed access.
2074 interface(`files_manage_default_dirs',`
2079 manage_dirs_pattern($1, default_t, default_t)
2082 ########################################
2084 ## Mount a filesystem on a directory with the default file type.
2086 ## <param name="domain">
2088 ## Domain allowed access.
2092 interface(`files_mounton_default',`
2097 allow $1 default_t:dir { search_dir_perms mounton };
2100 ########################################
2102 ## Do not audit attempts to get the attributes of
2103 ## files with the default file type.
2105 ## <param name="domain">
2107 ## Domain to not audit.
2111 interface(`files_dontaudit_getattr_default_files',`
2116 dontaudit $1 default_t:file getattr;
2119 ########################################
2121 ## Read files with the default file type.
2123 ## <param name="domain">
2125 ## Domain allowed access.
2129 interface(`files_read_default_files',`
2134 allow $1 default_t:file read_file_perms;
2137 ########################################
2139 ## Do not audit attempts to read files
2140 ## with the default file type.
2142 ## <param name="domain">
2144 ## Domain to not audit.
2148 interface(`files_dontaudit_read_default_files',`
2153 dontaudit $1 default_t:file read_file_perms;
2156 ########################################
2158 ## Create, read, write, and delete files with
2159 ## the default file type.
2161 ## <param name="domain">
2163 ## Domain allowed access.
2167 interface(`files_manage_default_files',`
2172 manage_files_pattern($1, default_t, default_t)
2175 ########################################
2177 ## Read symbolic links with the default file type.
2179 ## <param name="domain">
2181 ## Domain allowed access.
2185 interface(`files_read_default_symlinks',`
2190 allow $1 default_t:lnk_file read_lnk_file_perms;
2193 ########################################
2195 ## Read sockets with the default file type.
2197 ## <param name="domain">
2199 ## Domain allowed access.
2203 interface(`files_read_default_sockets',`
2208 allow $1 default_t:sock_file read_sock_file_perms;
2211 ########################################
2213 ## Read named pipes with the default file type.
2215 ## <param name="domain">
2217 ## Domain allowed access.
2221 interface(`files_read_default_pipes',`
2226 allow $1 default_t:fifo_file read_fifo_file_perms;
2229 ########################################
2231 ## Search the contents of /etc directories.
2233 ## <param name="domain">
2235 ## Domain allowed access.
2239 interface(`files_search_etc',`
2244 allow $1 etc_t:dir search_dir_perms;
2247 ########################################
2249 ## Set the attributes of the /etc directories.
2251 ## <param name="domain">
2253 ## Domain allowed access.
2257 interface(`files_setattr_etc_dirs',`
2262 allow $1 etc_t:dir setattr;
2265 ########################################
2267 ## List the contents of /etc directories.
2269 ## <param name="domain">
2271 ## Domain allowed access.
2275 interface(`files_list_etc',`
2280 allow $1 etc_t:dir list_dir_perms;
2283 ########################################
2285 ## Do not audit attempts to write to /etc dirs.
2287 ## <param name="domain">
2289 ## Domain to not audit.
2293 interface(`files_dontaudit_write_etc_dirs',`
2298 dontaudit $1 etc_t:dir write;
2301 ########################################
2303 ## Add and remove entries from /etc directories.
2305 ## <param name="domain">
2307 ## Domain allowed access.
2311 interface(`files_rw_etc_dirs',`
2316 allow $1 etc_t:dir rw_dir_perms;
2319 ##########################################
2321 ## Manage generic directories in /etc
2323 ## <param name="domain">
2325 ## Domain allowed access
2330 interface(`files_manage_etc_dirs',`
2335 manage_dirs_pattern($1, etc_t, etc_t)
2338 ########################################
2340 ## Read generic files in /etc.
2344 ## Allow the specified domain to read generic
2345 ## files in /etc. These files are typically
2346 ## general system configuration files that do
2347 ## not have more specific SELinux types. Some
2348 ## examples of these files are:
2351 ## <li>/etc/fstab</li>
2352 ## <li>/etc/passwd</li>
2353 ## <li>/etc/services</li>
2354 ## <li>/etc/shells</li>
2357 ## This interface does not include access to /etc/shadow.
2360 ## Generally, it is safe for many domains to have
2361 ## this access. However, since this interface provides
2362 ## access to the /etc/passwd file, caution must be
2363 ## exercised, as user account names can be leaked
2364 ## through this access.
2367 ## Related interfaces:
2370 ## <li>auth_read_shadow()</li>
2371 ## <li>files_read_etc_runtime_files()</li>
2372 ## <li>seutil_read_config()</li>
2375 ## <param name="domain">
2377 ## Domain allowed access.
2380 ## <infoflow type="read" weight="10"/>
2382 interface(`files_read_etc_files',`
2387 allow $1 etc_t:dir list_dir_perms;
2388 read_files_pattern($1, etc_t, etc_t)
2389 read_lnk_files_pattern($1, etc_t, etc_t)
2392 ########################################
2394 ## Do not audit attempts to write generic files in /etc.
2396 ## <param name="domain">
2398 ## Domain allowed access.
2402 interface(`files_dontaudit_write_etc_files',`
2407 dontaudit $1 etc_t:file write;
2410 ########################################
2412 ## Read and write generic files in /etc.
2414 ## <param name="domain">
2416 ## Domain allowed access.
2421 interface(`files_rw_etc_files',`
2426 allow $1 etc_t:dir list_dir_perms;
2427 rw_files_pattern($1, etc_t, etc_t)
2428 read_lnk_files_pattern($1, etc_t, etc_t)
2431 ########################################
2433 ## Create, read, write, and delete generic
2436 ## <param name="domain">
2438 ## Domain allowed access.
2443 interface(`files_manage_etc_files',`
2448 manage_files_pattern($1, etc_t, etc_t)
2449 read_lnk_files_pattern($1, etc_t, etc_t)
2452 ########################################
2454 ## Delete system configuration files in /etc.
2456 ## <param name="domain">
2458 ## Domain allowed access.
2462 interface(`files_delete_etc_files',`
2467 delete_files_pattern($1, etc_t, etc_t)
2470 ########################################
2472 ## Remove entries from the etc directory.
2474 ## <param name="domain">
2476 ## Domain allowed access.
2480 interface(`files_delete_etc_dir_entry',`
2485 allow $1 etc_t:dir del_entry_dir_perms;
2488 ########################################
2490 ## Execute generic files in /etc.
2492 ## <param name="domain">
2494 ## Domain allowed access.
2498 interface(`files_exec_etc_files',`
2503 allow $1 etc_t:dir list_dir_perms;
2504 read_lnk_files_pattern($1, etc_t, etc_t)
2505 exec_files_pattern($1, etc_t, etc_t)
2508 #######################################
2510 ## Relabel from and to generic files in /etc.
2512 ## <param name="domain">
2514 ## Domain allowed access.
2518 interface(`files_relabel_etc_files',`
2523 allow $1 etc_t:dir list_dir_perms;
2524 relabel_files_pattern($1, etc_t, etc_t)
2527 ########################################
2529 ## Read symbolic links in /etc.
2531 ## <param name="domain">
2533 ## Domain allowed access.
2537 interface(`files_read_etc_symlinks',`
2542 read_lnk_files_pattern($1, etc_t, etc_t)
2545 ########################################
2547 ## Create, read, write, and delete symbolic links in /etc.
2549 ## <param name="domain">
2551 ## Domain allowed access.
2555 interface(`files_manage_etc_symlinks',`
2560 manage_lnk_files_pattern($1, etc_t, etc_t)
2563 ########################################
2565 ## Create objects in /etc with a private
2566 ## type using a type_transition.
2568 ## <param name="domain">
2570 ## Domain allowed access.
2573 ## <param name="file_type">
2575 ## Private file type.
2578 ## <param name="class">
2580 ## Object classes to be created.
2584 interface(`files_etc_filetrans',`
2589 filetrans_pattern($1, etc_t, $2, $3)
2592 ########################################
2594 ## Create a boot flag.
2598 ## Create a boot flag, such as
2599 ## /.autorelabel and /.autofsck.
2602 ## <param name="domain">
2604 ## Domain allowed access.
2609 interface(`files_create_boot_flag',`
2611 type root_t, etc_runtime_t;
2614 allow $1 etc_runtime_t:file manage_file_perms;
2615 filetrans_pattern($1, root_t, etc_runtime_t, file)
2618 ########################################
2620 ## Read files in /etc that are dynamically
2621 ## created on boot, such as mtab.
2625 ## Allow the specified domain to read dynamically created
2626 ## configuration files in /etc. These files are typically
2627 ## general system configuration files that do
2628 ## not have more specific SELinux types. Some
2629 ## examples of these files are:
2632 ## <li>/etc/motd</li>
2633 ## <li>/etc/mtab</li>
2634 ## <li>/etc/nologin</li>
2637 ## This interface does not include access to /etc/shadow.
2640 ## <param name="domain">
2642 ## Domain allowed access.
2645 ## <infoflow type="read" weight="10" />
2648 interface(`files_read_etc_runtime_files',`
2650 type etc_t, etc_runtime_t;
2653 allow $1 etc_t:dir list_dir_perms;
2654 read_files_pattern($1, etc_t, etc_runtime_t)
2655 read_lnk_files_pattern($1, etc_t, etc_runtime_t)
2658 ########################################
2660 ## Do not audit attempts to read files
2661 ## in /etc that are dynamically
2662 ## created on boot, such as mtab.
2664 ## <param name="domain">
2666 ## Domain to not audit.
2670 interface(`files_dontaudit_read_etc_runtime_files',`
2675 dontaudit $1 etc_runtime_t:file { getattr read };
2678 ########################################
2680 ## Read and write files in /etc that are dynamically
2681 ## created on boot, such as mtab.
2683 ## <param name="domain">
2685 ## Domain allowed access.
2690 interface(`files_rw_etc_runtime_files',`
2692 type etc_t, etc_runtime_t;
2695 allow $1 etc_t:dir list_dir_perms;
2696 rw_files_pattern($1, etc_t, etc_runtime_t)
2699 ########################################
2701 ## Create, read, write, and delete files in
2702 ## /etc that are dynamically created on boot,
2705 ## <param name="domain">
2707 ## Domain allowed access.
2712 interface(`files_manage_etc_runtime_files',`
2714 type etc_t, etc_runtime_t;
2717 manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
2720 ########################################
2722 ## Create, etc runtime objects with an automatic
2725 ## <param name="domain">
2727 ## Domain allowed access.
2730 ## <param name="object">
2732 ## The class of the object being created.
2736 interface(`files_etc_filetrans_etc_runtime',`
2738 type etc_t, etc_runtime_t;
2741 filetrans_pattern($1, etc_t, etc_runtime_t, $2)
2744 ########################################
2746 ## Getattr of directories on new filesystems
2747 ## that have not yet been labeled.
2749 ## <param name="domain">
2751 ## Domain allowed access.
2755 interface(`files_getattr_isid_type_dirs',`
2760 allow $1 file_t:dir getattr;
2763 ########################################
2765 ## Do not audit attempts to search directories on new filesystems
2766 ## that have not yet been labeled.
2768 ## <param name="domain">
2770 ## Domain to not audit.
2774 interface(`files_dontaudit_search_isid_type_dirs',`
2779 dontaudit $1 file_t:dir search_dir_perms;
2782 ########################################
2784 ## List the contents of directories on new filesystems
2785 ## that have not yet been labeled.
2787 ## <param name="domain">
2789 ## Domain allowed access.
2793 interface(`files_list_isid_type_dirs',`
2798 allow $1 file_t:dir list_dir_perms;
2801 ########################################
2803 ## Read and write directories on new filesystems
2804 ## that have not yet been labeled.
2806 ## <param name="domain">
2808 ## Domain allowed access.
2812 interface(`files_rw_isid_type_dirs',`
2817 allow $1 file_t:dir rw_dir_perms;
2820 ########################################
2822 ## Delete directories on new filesystems
2823 ## that have not yet been labeled.
2825 ## <param name="domain">
2827 ## Domain allowed access.
2831 interface(`files_delete_isid_type_dirs',`
2836 delete_dirs_pattern($1, file_t, file_t)
2839 ########################################
2841 ## Create, read, write, and delete directories
2842 ## on new filesystems that have not yet been labeled.
2844 ## <param name="domain">
2846 ## Domain allowed access.
2850 interface(`files_manage_isid_type_dirs',`
2855 allow $1 file_t:dir manage_dir_perms;
2858 ########################################
2860 ## Mount a filesystem on a directory on new filesystems
2861 ## that has not yet been labeled.
2863 ## <param name="domain">
2865 ## Domain allowed access.
2869 interface(`files_mounton_isid_type_dirs',`
2874 allow $1 file_t:dir { search_dir_perms mounton };
2877 ########################################
2879 ## Read files on new filesystems
2880 ## that have not yet been labeled.
2882 ## <param name="domain">
2884 ## Domain allowed access.
2888 interface(`files_read_isid_type_files',`
2893 allow $1 file_t:file read_file_perms;
2896 ########################################
2898 ## Delete files on new filesystems
2899 ## that have not yet been labeled.
2901 ## <param name="domain">
2903 ## Domain allowed access.
2907 interface(`files_delete_isid_type_files',`
2912 delete_files_pattern($1, file_t, file_t)
2915 ########################################
2917 ## Delete symbolic links on new filesystems
2918 ## that have not yet been labeled.
2920 ## <param name="domain">
2922 ## Domain allowed access.
2926 interface(`files_delete_isid_type_symlinks',`
2931 delete_lnk_files_pattern($1, file_t, file_t)
2934 ########################################
2936 ## Delete named pipes on new filesystems
2937 ## that have not yet been labeled.
2939 ## <param name="domain">
2941 ## Domain allowed access.
2945 interface(`files_delete_isid_type_fifo_files',`
2950 delete_fifo_files_pattern($1, file_t, file_t)
2953 ########################################
2955 ## Delete named sockets on new filesystems
2956 ## that have not yet been labeled.
2958 ## <param name="domain">
2960 ## Domain allowed access.
2964 interface(`files_delete_isid_type_sock_files',`
2969 delete_sock_files_pattern($1, file_t, file_t)
2972 ########################################
2974 ## Delete block files on new filesystems
2975 ## that have not yet been labeled.
2977 ## <param name="domain">
2979 ## Domain allowed access.
2983 interface(`files_delete_isid_type_blk_files',`
2988 delete_blk_files_pattern($1, file_t, file_t)
2991 ########################################
2993 ## Do not audit attempts to write to character
2994 ## files that have not yet been labeled.
2996 ## <param name="domain">
2998 ## Domain to not audit.
3002 interface(`files_dontaudit_write_isid_chr_files',`
3007 dontaudit $1 file_t:chr_file write;
3010 ########################################
3012 ## Delete chr files on new filesystems
3013 ## that have not yet been labeled.
3015 ## <param name="domain">
3017 ## Domain allowed access.
3021 interface(`files_delete_isid_type_chr_files',`
3026 delete_chr_files_pattern($1, file_t, file_t)
3029 ########################################
3031 ## Create, read, write, and delete files
3032 ## on new filesystems that have not yet been labeled.
3034 ## <param name="domain">
3036 ## Domain allowed access.
3040 interface(`files_manage_isid_type_files',`
3045 allow $1 file_t:file manage_file_perms;
3048 ########################################
3050 ## Create, read, write, and delete symbolic links
3051 ## on new filesystems that have not yet been labeled.
3053 ## <param name="domain">
3055 ## Domain allowed access.
3059 interface(`files_manage_isid_type_symlinks',`
3064 allow $1 file_t:lnk_file manage_lnk_file_perms;
3067 ########################################
3069 ## Read and write block device nodes on new filesystems
3070 ## that have not yet been labeled.
3072 ## <param name="domain">
3074 ## Domain allowed access.
3078 interface(`files_rw_isid_type_blk_files',`
3083 allow $1 file_t:blk_file rw_blk_file_perms;
3086 ########################################
3088 ## Create, read, write, and delete block device nodes
3089 ## on new filesystems that have not yet been labeled.
3091 ## <param name="domain">
3093 ## Domain allowed access.
3097 interface(`files_manage_isid_type_blk_files',`
3102 allow $1 file_t:blk_file manage_blk_file_perms;
3105 ########################################
3107 ## Create, read, write, and delete character device nodes
3108 ## on new filesystems that have not yet been labeled.
3110 ## <param name="domain">
3112 ## Domain allowed access.
3116 interface(`files_manage_isid_type_chr_files',`
3121 allow $1 file_t:chr_file manage_chr_file_perms;
3124 ########################################
3126 ## Get the attributes of the home directories root
3129 ## <param name="domain">
3131 ## Domain allowed access.
3135 interface(`files_getattr_home_dir',`
3140 allow $1 home_root_t:dir getattr;
3141 allow $1 home_root_t:lnk_file getattr;
3144 ########################################
3146 ## Do not audit attempts to get the
3147 ## attributes of the home directories root
3150 ## <param name="domain">
3152 ## Domain to not audit.
3156 interface(`files_dontaudit_getattr_home_dir',`
3161 dontaudit $1 home_root_t:dir getattr;
3162 dontaudit $1 home_root_t:lnk_file getattr;
3165 ########################################
3167 ## Search home directories root (/home).
3169 ## <param name="domain">
3171 ## Domain allowed access.
3175 interface(`files_search_home',`
3180 allow $1 home_root_t:dir search_dir_perms;
3181 allow $1 home_root_t:lnk_file read_lnk_file_perms;
3184 ########################################
3186 ## Do not audit attempts to search
3187 ## home directories root (/home).
3189 ## <param name="domain">
3191 ## Domain to not audit.
3195 interface(`files_dontaudit_search_home',`
3200 dontaudit $1 home_root_t:dir search_dir_perms;
3201 dontaudit $1 home_root_t:lnk_file read_lnk_file_perms;
3204 ########################################
3206 ## Do not audit attempts to list
3207 ## home directories root (/home).
3209 ## <param name="domain">
3211 ## Domain to not audit.
3215 interface(`files_dontaudit_list_home',`
3220 dontaudit $1 home_root_t:dir list_dir_perms;
3221 dontaudit $1 home_root_t:lnk_file read_lnk_file_perms;
3224 ########################################
3226 ## Get listing of home directories.
3228 ## <param name="domain">
3230 ## Domain allowed access.
3234 interface(`files_list_home',`
3239 allow $1 home_root_t:dir list_dir_perms;
3240 allow $1 home_root_t:lnk_file read_lnk_file_perms;
3243 ########################################
3245 ## Relabel to user home root (/home).
3247 ## <param name="domain">
3249 ## Domain allowed access.
3253 interface(`files_relabelto_home',`
3258 allow $1 home_root_t:dir relabelto;
3261 ########################################
3263 ## Create objects in /home.
3265 ## <param name="domain">
3267 ## Domain allowed access.
3270 ## <param name="home_type">
3272 ## The private type.
3275 ## <param name="object">
3277 ## The class of the object being created.
3281 interface(`files_home_filetrans',`
3286 filetrans_pattern($1, home_root_t, $2, $3)
3289 ########################################
3291 ## Get the attributes of lost+found directories.
3293 ## <param name="domain">
3295 ## Domain allowed access.
3299 interface(`files_getattr_lost_found_dirs',`
3304 allow $1 lost_found_t:dir getattr;
3307 ########################################
3309 ## Do not audit attempts to get the attributes of
3310 ## lost+found directories.
3312 ## <param name="domain">
3314 ## Domain to not audit.
3318 interface(`files_dontaudit_getattr_lost_found_dirs',`
3323 dontaudit $1 lost_found_t:dir getattr;
3326 ########################################
3328 ## Create, read, write, and delete objects in
3329 ## lost+found directories.
3331 ## <param name="domain">
3333 ## Domain allowed access.
3338 interface(`files_manage_lost_found',`
3343 manage_dirs_pattern($1, lost_found_t, lost_found_t)
3344 manage_files_pattern($1, lost_found_t, lost_found_t)
3345 manage_lnk_files_pattern($1, lost_found_t, lost_found_t)
3346 manage_fifo_files_pattern($1, lost_found_t, lost_found_t)
3347 manage_sock_files_pattern($1, lost_found_t, lost_found_t)
3350 ########################################
3352 ## Search the contents of /mnt.
3354 ## <param name="domain">
3356 ## Domain allowed access.
3360 interface(`files_search_mnt',`
3365 allow $1 mnt_t:dir search_dir_perms;
3368 ########################################
3370 ## Do not audit attempts to search /mnt.
3372 ## <param name="domain">
3374 ## Domain to not audit.
3378 interface(`files_dontaudit_search_mnt',`
3383 dontaudit $1 mnt_t:dir search_dir_perms;
3386 ########################################
3388 ## List the contents of /mnt.
3390 ## <param name="domain">
3392 ## Domain allowed access.
3396 interface(`files_list_mnt',`
3401 allow $1 mnt_t:dir list_dir_perms;
3404 ######################################
3406 ## dontaudit List the contents of /mnt.
3408 ## <param name="domain">
3410 ## Domain allowed access.
3414 interface(`files_dontaudit_list_mnt',`
3419 dontaudit $1 mnt_t:dir list_dir_perms;
3422 ########################################
3424 ## Mount a filesystem on /mnt.
3426 ## <param name="domain">
3428 ## Domain allowed access.
3432 interface(`files_mounton_mnt',`
3437 allow $1 mnt_t:dir { search_dir_perms mounton };
3440 ########################################
3442 ## Create, read, write, and delete directories in /mnt.
3444 ## <param name="domain">
3446 ## Domain allowed access.
3451 interface(`files_manage_mnt_dirs',`
3456 allow $1 mnt_t:dir manage_dir_perms;
3459 ########################################
3461 ## Create, read, write, and delete files in /mnt.
3463 ## <param name="domain">
3465 ## Domain allowed access.
3469 interface(`files_manage_mnt_files',`
3474 manage_files_pattern($1, mnt_t, mnt_t)
3477 ########################################
3479 ## read files in /mnt.
3481 ## <param name="domain">
3483 ## Domain allowed access.
3487 interface(`files_read_mnt_files',`
3492 read_files_pattern($1, mnt_t, mnt_t)
3495 ######################################
3497 ## Read symbolic links in /mnt.
3499 ## <param name="domain">
3501 ## Domain allowed access.
3505 interface(`files_read_mnt_symlinks',`
3510 read_lnk_files_pattern($1, mnt_t, mnt_t)
3513 ########################################
3515 ## Create, read, write, and delete symbolic links in /mnt.
3517 ## <param name="domain">
3519 ## Domain allowed access.
3523 interface(`files_manage_mnt_symlinks',`
3528 manage_lnk_files_pattern($1, mnt_t, mnt_t)
3531 ########################################
3533 ## Search the contents of the kernel module directories.
3535 ## <param name="domain">
3537 ## Domain allowed access.
3541 interface(`files_search_kernel_modules',`
3543 type modules_object_t;
3546 allow $1 modules_object_t:dir search_dir_perms;
3547 read_lnk_files_pattern($1, modules_object_t, modules_object_t)
3550 ########################################
3552 ## List the contents of the kernel module directories.
3554 ## <param name="domain">
3556 ## Domain allowed access.
3560 interface(`files_list_kernel_modules',`
3562 type modules_object_t;
3565 allow $1 modules_object_t:dir list_dir_perms;
3568 ########################################
3570 ## Get the attributes of kernel module files.
3572 ## <param name="domain">
3574 ## Domain allowed access.
3578 interface(`files_getattr_kernel_modules',`
3580 type modules_object_t;
3583 getattr_files_pattern($1, modules_object_t, modules_object_t)
3586 ########################################
3588 ## Read kernel module files.
3590 ## <param name="domain">
3592 ## Domain allowed access.
3596 interface(`files_read_kernel_modules',`
3598 type modules_object_t;
3601 allow $1 modules_object_t:dir list_dir_perms;
3602 read_files_pattern($1, modules_object_t, modules_object_t)
3603 read_lnk_files_pattern($1, modules_object_t, modules_object_t)
3606 ########################################
3608 ## Write kernel module files.
3610 ## <param name="domain">
3612 ## Domain allowed access.
3616 interface(`files_write_kernel_modules',`
3618 type modules_object_t;
3621 allow $1 modules_object_t:dir list_dir_perms;
3622 write_files_pattern($1, modules_object_t, modules_object_t)
3625 ########################################
3627 ## Delete kernel module files.
3629 ## <param name="domain">
3631 ## Domain allowed access.
3635 interface(`files_delete_kernel_modules',`
3637 type modules_object_t;
3640 delete_files_pattern($1, modules_object_t, modules_object_t)
3643 ########################################
3645 ## Create, read, write, and delete
3646 ## kernel module files.
3648 ## <param name="domain">
3650 ## Domain allowed access.
3655 interface(`files_manage_kernel_modules',`
3657 type modules_object_t;
3660 manage_files_pattern($1, modules_object_t, modules_object_t)
3663 ########################################
3665 ## Relabel from and to kernel module files.
3667 ## <param name="domain">
3669 ## Domain allowed access.
3673 interface(`files_relabel_kernel_modules',`
3675 type modules_object_t;
3678 relabel_files_pattern($1, modules_object_t, modules_object_t)
3679 allow $1 modules_object_t:dir list_dir_perms;
3682 ########################################
3684 ## Create objects in the kernel module directories
3685 ## with a private type via an automatic type transition.
3687 ## <param name="domain">
3689 ## Domain allowed access.
3692 ## <param name="private_type">
3694 ## The type of the object to be created.
3697 ## <param name="object_class">
3699 ## The object class of the object being created.
3703 interface(`files_kernel_modules_filetrans',`
3705 type modules_object_t;
3708 filetrans_pattern($1, modules_object_t, $2, $3)
3711 ########################################
3713 ## List world-readable directories.
3715 ## <param name="domain">
3717 ## Domain allowed access.
3722 interface(`files_list_world_readable',`
3727 allow $1 readable_t:dir list_dir_perms;
3730 ########################################
3732 ## Read world-readable files.
3734 ## <param name="domain">
3736 ## Domain allowed access.
3741 interface(`files_read_world_readable_files',`
3746 allow $1 readable_t:file read_file_perms;
3749 ########################################
3751 ## Read world-readable symbolic links.
3753 ## <param name="domain">
3755 ## Domain allowed access.
3760 interface(`files_read_world_readable_symlinks',`
3765 allow $1 readable_t:lnk_file read_lnk_file_perms;
3768 ########################################
3770 ## Read world-readable named pipes.
3772 ## <param name="domain">
3774 ## Domain allowed access.
3778 interface(`files_read_world_readable_pipes',`
3783 allow $1 readable_t:fifo_file read_fifo_file_perms;
3786 ########################################
3788 ## Read world-readable sockets.
3790 ## <param name="domain">
3792 ## Domain allowed access.
3796 interface(`files_read_world_readable_sockets',`
3801 allow $1 readable_t:sock_file read_sock_file_perms;
3804 #######################################
3806 ## Read manageable system configuration files in /etc
3808 ## <param name="domain">
3810 ## Domain allowed access.
3815 interface(`files_read_system_conf_files',`
3817 type etc_t, system_conf_t;
3820 allow $1 etc_t:dir list_dir_perms;
3821 read_files_pattern($1, etc_t, system_conf_t)
3822 read_lnk_files_pattern($1, etc_t, system_conf_t)
3825 ######################################
3827 ## Manage manageable system configuration files in /etc.
3829 ## <param name="domain">
3831 ## Domain allowed access.
3835 interface(`files_manage_system_conf_files',`
3837 type etc_t, system_conf_t;
3840 manage_files_pattern($1, { etc_t system_conf_t }, system_conf_t)
3843 ######################################
3845 ## Relabel manageable system configuration files in /etc.
3847 ## <param name="domain">
3849 ## Domain allowed access.
3853 interface(`files_relabelto_system_conf_files',`
3858 relabelto_files_pattern($1, system_conf_t, system_conf_t)
3861 ######################################
3863 ## Relabel manageable system configuration files in /etc.
3865 ## <param name="domain">
3867 ## Domain allowed access.
3871 interface(`files_relabelfrom_system_conf_files',`
3876 relabelfrom_files_pattern($1, system_conf_t, system_conf_t)
3879 ###################################
3881 ## Create files in /etc with the type used for
3882 ## the manageable system config files.
3884 ## <param name="domain">
3886 ## The type of the process performing this action.
3890 interface(`files_etc_filetrans_system_conf',`
3892 type etc_t, system_conf_t;
3895 filetrans_pattern($1, etc_t, system_conf_t, file)
3898 ########################################
3900 ## Allow the specified type to associate
3901 ## to a filesystem with the type of the
3902 ## temporary directory (/tmp).
3904 ## <param name="file_type">
3906 ## Type of the file to associate.
3910 interface(`files_associate_tmp',`
3915 allow $1 tmp_t:filesystem associate;
3918 ########################################
3920 ## Get the attributes of the tmp directory (/tmp).
3922 ## <param name="domain">
3924 ## Domain allowed access.
3928 interface(`files_getattr_tmp_dirs',`
3933 allow $1 tmp_t:dir getattr;
3936 ########################################
3938 ## Do not audit attempts to get the
3939 ## attributes of the tmp directory (/tmp).
3941 ## <param name="domain">
3943 ## Domain allowed access.
3947 interface(`files_dontaudit_getattr_tmp_dirs',`
3952 dontaudit $1 tmp_t:dir getattr;
3955 ########################################
3957 ## Search the tmp directory (/tmp).
3959 ## <param name="domain">
3961 ## Domain allowed access.
3965 interface(`files_search_tmp',`
3970 allow $1 tmp_t:dir search_dir_perms;
3973 ########################################
3975 ## Do not audit attempts to search the tmp directory (/tmp).
3977 ## <param name="domain">
3979 ## Domain to not audit.
3983 interface(`files_dontaudit_search_tmp',`
3988 dontaudit $1 tmp_t:dir search_dir_perms;
3991 ########################################
3993 ## Read the tmp directory (/tmp).
3995 ## <param name="domain">
3997 ## Domain allowed access.
4001 interface(`files_list_tmp',`
4006 allow $1 tmp_t:dir list_dir_perms;
4009 ########################################
4011 ## Do not audit listing of the tmp directory (/tmp).
4013 ## <param name="domain">
4015 ## Domain not to audit.
4019 interface(`files_dontaudit_list_tmp',`
4024 dontaudit $1 tmp_t:dir list_dir_perms;
4027 ########################################
4029 ## Remove entries from the tmp directory.
4031 ## <param name="domain">
4033 ## Domain allowed access.
4037 interface(`files_delete_tmp_dir_entry',`
4042 allow $1 tmp_t:dir del_entry_dir_perms;
4045 ########################################
4047 ## Read files in the tmp directory (/tmp).
4049 ## <param name="domain">
4051 ## Domain allowed access.
4055 interface(`files_read_generic_tmp_files',`
4060 read_files_pattern($1, tmp_t, tmp_t)
4063 ########################################
4065 ## Manage temporary directories in /tmp.
4067 ## <param name="domain">
4069 ## Domain allowed access.
4073 interface(`files_manage_generic_tmp_dirs',`
4078 manage_dirs_pattern($1, tmp_t, tmp_t)
4081 ########################################
4083 ## Allow shared library text relocations in tmp files.
4087 ## Allow shared library text relocations in tmp files.
4090 ## This is added to support java policy.
4093 ## <param name="domain">
4095 ## Domain allowed access.
4099 interface(`files_execmod_tmp',`
4104 allow $1 tmpfile:file execmod;
4107 ########################################
4109 ## Manage temporary files and directories in /tmp.
4111 ## <param name="domain">
4113 ## Domain allowed access.
4117 interface(`files_manage_generic_tmp_files',`
4122 manage_files_pattern($1, tmp_t, tmp_t)
4125 ########################################
4127 ## Read symbolic links in the tmp directory (/tmp).
4129 ## <param name="domain">
4131 ## Domain allowed access.
4135 interface(`files_read_generic_tmp_symlinks',`
4140 read_lnk_files_pattern($1, tmp_t, tmp_t)
4143 ########################################
4145 ## Read and write generic named sockets in the tmp directory (/tmp).
4147 ## <param name="domain">
4149 ## Domain allowed access.
4153 interface(`files_rw_generic_tmp_sockets',`
4158 rw_sock_files_pattern($1, tmp_t, tmp_t)
4161 ########################################
4163 ## Set the attributes of all tmp directories.
4165 ## <param name="domain">
4167 ## Domain allowed access.
4171 interface(`files_setattr_all_tmp_dirs',`
4176 allow $1 tmpfile:dir { search_dir_perms setattr };
4179 ########################################
4181 ## List all tmp directories.
4183 ## <param name="domain">
4185 ## Domain allowed access.
4189 interface(`files_list_all_tmp',`
4194 allow $1 tmpfile:dir list_dir_perms;
4197 ########################################
4199 ## Do not audit attempts to get the attributes
4200 ## of all tmp files.
4202 ## <param name="domain">
4204 ## Domain not to audit.
4208 interface(`files_dontaudit_getattr_all_tmp_files',`
4213 dontaudit $1 tmpfile:file getattr;
4216 ########################################
4218 ## Allow attempts to get the attributes
4219 ## of all tmp files.
4221 ## <param name="domain">
4223 ## Domain allowed access.
4227 interface(`files_getattr_all_tmp_files',`
4232 allow $1 tmpfile:file getattr;
4235 ########################################
4237 ## Do not audit attempts to get the attributes
4238 ## of all tmp sock_file.
4240 ## <param name="domain">
4242 ## Domain not to audit.
4246 interface(`files_dontaudit_getattr_all_tmp_sockets',`
4251 dontaudit $1 tmpfile:sock_file getattr;
4254 ########################################
4256 ## Read all tmp files.
4258 ## <param name="domain">
4260 ## Domain allowed access.
4264 interface(`files_read_all_tmp_files',`
4269 read_files_pattern($1, tmpfile, tmpfile)
4272 ########################################
4274 ## Create an object in the tmp directories, with a private
4275 ## type using a type transition.
4277 ## <param name="domain">
4279 ## Domain allowed access.
4282 ## <param name="private type">
4284 ## The type of the object to be created.
4287 ## <param name="object">
4289 ## The object class of the object being created.
4293 interface(`files_tmp_filetrans',`
4298 filetrans_pattern($1, tmp_t, $2, $3)
4301 ########################################
4303 ## Delete the contents of /tmp.
4305 ## <param name="domain">
4307 ## Domain allowed access.
4311 interface(`files_purge_tmp',`
4316 allow $1 tmpfile:dir list_dir_perms;
4317 delete_dirs_pattern($1, tmpfile, tmpfile)
4318 delete_files_pattern($1, tmpfile, tmpfile)
4319 delete_lnk_files_pattern($1, tmpfile, tmpfile)
4320 delete_fifo_files_pattern($1, tmpfile, tmpfile)
4321 delete_sock_files_pattern($1, tmpfile, tmpfile)
4322 files_delete_isid_type_dirs($1)
4323 files_delete_isid_type_files($1)
4324 files_delete_isid_type_symlinks($1)
4325 files_delete_isid_type_fifo_files($1)
4326 files_delete_isid_type_sock_files($1)
4327 files_delete_isid_type_blk_files($1)
4328 files_delete_isid_type_chr_files($1)
4331 ########################################
4333 ## Set the attributes of the /usr directory.
4335 ## <param name="domain">
4337 ## Domain allowed access.
4341 interface(`files_setattr_usr_dirs',`
4346 allow $1 usr_t:dir setattr;
4349 ########################################
4351 ## Search the content of /etc.
4353 ## <param name="domain">
4355 ## Domain allowed access.
4359 interface(`files_search_usr',`
4364 allow $1 usr_t:dir search_dir_perms;
4367 ########################################
4369 ## List the contents of generic
4370 ## directories in /usr.
4372 ## <param name="domain">
4374 ## Domain allowed access.
4378 interface(`files_list_usr',`
4383 allow $1 usr_t:dir list_dir_perms;
4386 ########################################
4388 ## Do not audit write of /usr dirs
4390 ## <param name="domain">
4392 ## Domain to not audit.
4396 interface(`files_dontaudit_write_usr_dirs',`
4401 dontaudit $1 usr_t:dir write;
4404 ########################################
4406 ## Add and remove entries from /usr directories.
4408 ## <param name="domain">
4410 ## Domain allowed access.
4414 interface(`files_rw_usr_dirs',`
4419 allow $1 usr_t:dir rw_dir_perms;
4422 ########################################
4424 ## Do not audit attempts to add and remove
4425 ## entries from /usr directories.
4427 ## <param name="domain">
4429 ## Domain to not audit.
4433 interface(`files_dontaudit_rw_usr_dirs',`
4438 dontaudit $1 usr_t:dir rw_dir_perms;
4441 ########################################
4443 ## Delete generic directories in /usr in the caller domain.
4445 ## <param name="domain">
4447 ## Domain allowed access.
4451 interface(`files_delete_usr_dirs',`
4456 delete_dirs_pattern($1, usr_t, usr_t)
4459 ########################################
4461 ## Delete generic files in /usr in the caller domain.
4463 ## <param name="domain">
4465 ## Domain allowed access.
4469 interface(`files_delete_usr_files',`
4474 delete_files_pattern($1, usr_t, usr_t)
4477 ########################################
4479 ## Get the attributes of files in /usr.
4481 ## <param name="domain">
4483 ## Domain allowed access.
4487 interface(`files_getattr_usr_files',`
4492 getattr_files_pattern($1, usr_t, usr_t)
4495 ########################################
4497 ## Read generic files in /usr.
4501 ## Allow the specified domain to read generic
4502 ## files in /usr. These files are various program
4503 ## files that do not have more specific SELinux types.
4504 ## Some examples of these files are:
4507 ## <li>/usr/include/*</li>
4508 ## <li>/usr/share/doc/*</li>
4509 ## <li>/usr/share/info/*</li>
4512 ## Generally, it is safe for many domains to have
4516 ## <param name="domain">
4518 ## Domain allowed access.
4521 ## <infoflow type="read" weight="10"/>
4523 interface(`files_read_usr_files',`
4528 allow $1 usr_t:dir list_dir_perms;
4529 read_files_pattern($1, usr_t, usr_t)
4530 read_lnk_files_pattern($1, usr_t, usr_t)
4533 ########################################
4535 ## Execute generic programs in /usr in the caller domain.
4537 ## <param name="domain">
4539 ## Domain allowed access.
4543 interface(`files_exec_usr_files',`
4548 allow $1 usr_t:dir list_dir_perms;
4549 exec_files_pattern($1, usr_t, usr_t)
4550 read_lnk_files_pattern($1, usr_t, usr_t)
4553 ########################################
4555 ## dontaudit write of /usr files
4557 ## <param name="domain">
4559 ## Domain to not audit.
4563 interface(`files_dontaudit_write_usr_files',`
4568 dontaudit $1 usr_t:file write;
4571 ########################################
4573 ## Create, read, write, and delete files in the /usr directory.
4575 ## <param name="domain">
4577 ## Domain allowed access.
4581 interface(`files_manage_usr_files',`
4586 manage_files_pattern($1, usr_t, usr_t)
4589 ########################################
4591 ## Relabel a file to the type used in /usr.
4593 ## <param name="domain">
4595 ## Domain allowed access.
4599 interface(`files_relabelto_usr_files',`
4604 relabelto_files_pattern($1, usr_t, usr_t)
4607 ########################################
4609 ## Relabel a file from the type used in /usr.
4611 ## <param name="domain">
4613 ## Domain allowed access.
4617 interface(`files_relabelfrom_usr_files',`
4622 relabelfrom_files_pattern($1, usr_t, usr_t)
4625 ########################################
4627 ## Read symbolic links in /usr.
4629 ## <param name="domain">
4631 ## Domain allowed access.
4635 interface(`files_read_usr_symlinks',`
4640 read_lnk_files_pattern($1, usr_t, usr_t)
4643 ########################################
4645 ## Create objects in the /usr directory
4647 ## <param name="domain">
4649 ## Domain allowed access.
4652 ## <param name="file_type">
4654 ## The type of the object to be created
4657 ## <param name="object_class">
4659 ## The object class.
4663 interface(`files_usr_filetrans',`
4668 filetrans_pattern($1, usr_t, $2, $3)
4671 ########################################
4673 ## Do not audit attempts to search /usr/src.
4675 ## <param name="domain">
4677 ## Domain to not audit.
4681 interface(`files_dontaudit_search_src',`
4686 dontaudit $1 src_t:dir search_dir_perms;
4689 ########################################
4691 ## Get the attributes of files in /usr/src.
4693 ## <param name="domain">
4695 ## Domain allowed access.
4699 interface(`files_getattr_usr_src_files',`
4704 getattr_files_pattern($1, src_t, src_t)
4706 # /usr/src/linux symlink:
4707 read_lnk_files_pattern($1, usr_t, src_t)
4710 ########################################
4712 ## Read files in /usr/src.
4714 ## <param name="domain">
4716 ## Domain allowed access.
4720 interface(`files_read_usr_src_files',`
4725 allow $1 usr_t:dir search_dir_perms;
4726 read_files_pattern($1, { usr_t src_t }, src_t)
4727 read_lnk_files_pattern($1, { usr_t src_t }, src_t)
4728 allow $1 src_t:dir list_dir_perms;
4731 ########################################
4733 ## Execute programs in /usr/src in the caller domain.
4735 ## <param name="domain">
4737 ## Domain allowed access.
4741 interface(`files_exec_usr_src_files',`
4746 list_dirs_pattern($1, usr_t, src_t)
4747 exec_files_pattern($1, src_t, src_t)
4748 read_lnk_files_pattern($1, src_t, src_t)
4751 ########################################
4753 ## Install a system.map into the /boot directory.
4755 ## <param name="domain">
4757 ## Domain allowed access.
4761 interface(`files_create_kernel_symbol_table',`
4763 type boot_t, system_map_t;
4766 allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms };
4767 allow $1 system_map_t:file { create_file_perms rw_file_perms };
4770 ########################################
4772 ## Read system.map in the /boot directory.
4774 ## <param name="domain">
4776 ## Domain allowed access.
4780 interface(`files_read_kernel_symbol_table',`
4782 type boot_t, system_map_t;
4785 allow $1 boot_t:dir list_dir_perms;
4786 read_files_pattern($1, boot_t, system_map_t)
4789 ########################################
4791 ## Delete a system.map in the /boot directory.
4793 ## <param name="domain">
4795 ## Domain allowed access.
4799 interface(`files_delete_kernel_symbol_table',`
4801 type boot_t, system_map_t;
4804 allow $1 boot_t:dir list_dir_perms;
4805 delete_files_pattern($1, boot_t, system_map_t)
4808 ########################################
4810 ## Search the contents of /var.
4812 ## <param name="domain">
4814 ## Domain allowed access.
4818 interface(`files_search_var',`
4823 allow $1 var_t:dir search_dir_perms;
4826 ########################################
4828 ## Do not audit attempts to write to /var.
4830 ## <param name="domain">
4832 ## Domain to not audit.
4836 interface(`files_dontaudit_write_var_dirs',`
4841 dontaudit $1 var_t:dir write;
4844 ########################################
4846 ## Allow attempts to write to /var.dirs
4848 ## <param name="domain">
4850 ## Domain allowed access.
4854 interface(`files_write_var_dirs',`
4859 allow $1 var_t:dir write;
4862 ########################################
4864 ## Do not audit attempts to search
4865 ## the contents of /var.
4867 ## <param name="domain">
4869 ## Domain to not audit.
4873 interface(`files_dontaudit_search_var',`
4878 dontaudit $1 var_t:dir search_dir_perms;
4881 ########################################
4883 ## List the contents of /var.
4885 ## <param name="domain">
4887 ## Domain allowed access.
4891 interface(`files_list_var',`
4896 allow $1 var_t:dir list_dir_perms;
4899 ########################################
4901 ## Create, read, write, and delete directories
4902 ## in the /var directory.
4904 ## <param name="domain">
4906 ## Domain allowed access.
4910 interface(`files_manage_var_dirs',`
4915 allow $1 var_t:dir manage_dir_perms;
4918 ########################################
4920 ## Read files in the /var directory.
4922 ## <param name="domain">
4924 ## Domain allowed access.
4928 interface(`files_read_var_files',`
4933 read_files_pattern($1, var_t, var_t)
4936 ########################################
4938 ## Append files in the /var directory.
4940 ## <param name="domain">
4942 ## Domain allowed access.
4946 interface(`files_append_var_files',`
4951 append_files_pattern($1, var_t, var_t)
4954 ########################################
4956 ## Read and write files in the /var directory.
4958 ## <param name="domain">
4960 ## Domain allowed access.
4964 interface(`files_rw_var_files',`
4969 rw_files_pattern($1, var_t, var_t)
4972 ########################################
4974 ## Do not audit attempts to read and write
4975 ## files in the /var directory.
4977 ## <param name="domain">
4979 ## Domain to not audit.
4983 interface(`files_dontaudit_rw_var_files',`
4988 dontaudit $1 var_t:file rw_file_perms;
4991 ########################################
4993 ## Create, read, write, and delete files in the /var directory.
4995 ## <param name="domain">
4997 ## Domain allowed access.
5001 interface(`files_manage_var_files',`
5006 manage_files_pattern($1, var_t, var_t)
5009 ########################################
5011 ## Read symbolic links in the /var directory.
5013 ## <param name="domain">
5015 ## Domain allowed access.
5019 interface(`files_read_var_symlinks',`
5024 read_lnk_files_pattern($1, var_t, var_t)
5027 ########################################
5029 ## Create, read, write, and delete symbolic
5030 ## links in the /var directory.
5032 ## <param name="domain">
5034 ## Domain allowed access.
5038 interface(`files_manage_var_symlinks',`
5043 manage_lnk_files_pattern($1, var_t, var_t)
5046 ########################################
5048 ## Create objects in the /var directory
5050 ## <param name="domain">
5052 ## Domain allowed access.
5055 ## <param name="file_type">
5057 ## The type of the object to be created
5060 ## <param name="object_class">
5062 ## The object class.
5066 interface(`files_var_filetrans',`
5071 filetrans_pattern($1, var_t, $2, $3)
5074 ########################################
5076 ## Get the attributes of the /var/lib directory.
5078 ## <param name="domain">
5080 ## Domain allowed access.
5084 interface(`files_getattr_var_lib_dirs',`
5086 type var_t, var_lib_t;
5089 getattr_dirs_pattern($1, var_t, var_lib_t)
5092 ########################################
5094 ## Search the /var/lib directory.
5098 ## Search the /var/lib directory. This is
5099 ## necessary to access files or directories under
5100 ## /var/lib that have a private type. For example, a
5101 ## domain accessing a private library file in the
5102 ## /var/lib directory:
5105 ## allow mydomain_t mylibfile_t:file read_file_perms;
5106 ## files_search_var_lib(mydomain_t)
5109 ## <param name="domain">
5111 ## Domain allowed access.
5114 ## <infoflow type="read" weight="5"/>
5116 interface(`files_search_var_lib',`
5118 type var_t, var_lib_t;
5121 search_dirs_pattern($1, var_t, var_lib_t)
5124 ########################################
5126 ## Do not audit attempts to search the
5127 ## contents of /var/lib.
5129 ## <param name="domain">
5131 ## Domain to not audit.
5134 ## <infoflow type="read" weight="5"/>
5136 interface(`files_dontaudit_search_var_lib',`
5141 dontaudit $1 var_lib_t:dir search_dir_perms;
5144 ########################################
5146 ## List the contents of the /var/lib directory.
5148 ## <param name="domain">
5150 ## Domain allowed access.
5154 interface(`files_list_var_lib',`
5156 type var_t, var_lib_t;
5159 list_dirs_pattern($1, var_t, var_lib_t)
5162 ###########################################
5164 ## Read-write /var/lib directories
5166 ## <param name="domain">
5168 ## Domain allowed access.
5172 interface(`files_rw_var_lib_dirs',`
5177 rw_dirs_pattern($1, var_lib_t, var_lib_t)
5180 ########################################
5182 ## Create objects in the /var/lib directory
5184 ## <param name="domain">
5186 ## Domain allowed access.
5189 ## <param name="file_type">
5191 ## The type of the object to be created
5194 ## <param name="object_class">
5196 ## The object class.
5200 interface(`files_var_lib_filetrans',`
5202 type var_t, var_lib_t;
5205 allow $1 var_t:dir search_dir_perms;
5206 filetrans_pattern($1, var_lib_t, $2, $3)
5209 ########################################
5211 ## Read generic files in /var/lib.
5213 ## <param name="domain">
5215 ## Domain allowed access.
5219 interface(`files_read_var_lib_files',`
5221 type var_t, var_lib_t;
5224 allow $1 var_lib_t:dir list_dir_perms;
5225 read_files_pattern($1, { var_t var_lib_t }, var_lib_t)
5228 ########################################
5230 ## Read generic symbolic links in /var/lib
5232 ## <param name="domain">
5234 ## Domain allowed access.
5238 interface(`files_read_var_lib_symlinks',`
5240 type var_t, var_lib_t;
5243 read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
5246 # cjp: the next two interfaces really need to be fixed
5247 # in some way. They really neeed their own types.
5249 ########################################
5251 ## Create, read, write, and delete the
5252 ## pseudorandom number generator seed.
5254 ## <param name="domain">
5256 ## Domain allowed access.
5260 interface(`files_manage_urandom_seed',`
5262 type var_t, var_lib_t;
5265 allow $1 var_t:dir search_dir_perms;
5266 manage_files_pattern($1, var_lib_t, var_lib_t)
5269 ########################################
5271 ## Allow domain to manage mount tables
5272 ## necessary for rpcd, nfsd, etc.
5274 ## <param name="domain">
5276 ## Domain allowed access.
5280 interface(`files_manage_mounttab',`
5282 type var_t, var_lib_t;
5285 allow $1 var_t:dir search_dir_perms;
5286 manage_files_pattern($1, var_lib_t, var_lib_t)
5289 ########################################
5291 ## Search the locks directory (/var/lock).
5293 ## <param name="domain">
5295 ## Domain allowed access.
5299 interface(`files_search_locks',`
5301 type var_t, var_lock_t;
5304 search_dirs_pattern($1, var_t, var_lock_t)
5307 ########################################
5309 ## Do not audit attempts to search the
5310 ## locks directory (/var/lock).
5312 ## <param name="domain">
5314 ## Domain to not audit.
5318 interface(`files_dontaudit_search_locks',`
5323 dontaudit $1 var_lock_t:dir search_dir_perms;
5326 ########################################
5328 ## Add and remove entries in the /var/lock
5331 ## <param name="domain">
5333 ## Domain allowed access.
5337 interface(`files_rw_lock_dirs',`
5339 type var_t, var_lock_t;
5342 rw_dirs_pattern($1, var_t, var_lock_t)
5345 ########################################
5347 ## Get the attributes of generic lock files.
5349 ## <param name="domain">
5351 ## Domain allowed access.
5355 interface(`files_getattr_generic_locks',`
5357 type var_t, var_lock_t;
5360 allow $1 var_t:dir search_dir_perms;
5361 allow $1 var_lock_t:dir list_dir_perms;
5362 getattr_files_pattern($1, var_lock_t, var_lock_t)
5365 ########################################
5367 ## Delete generic lock files.
5369 ## <param name="domain">
5371 ## Domain allowed access.
5375 interface(`files_delete_generic_locks',`
5377 type var_t, var_lock_t;
5380 allow $1 var_t:dir search_dir_perms;
5381 delete_files_pattern($1, var_lock_t, var_lock_t)
5384 ########################################
5386 ## Create, read, write, and delete generic
5389 ## <param name="domain">
5391 ## Domain allowed access.
5395 interface(`files_manage_generic_locks',`
5397 type var_t, var_lock_t;
5400 allow $1 var_t:dir search_dir_perms;
5401 manage_files_pattern($1, var_lock_t, var_lock_t)
5404 ########################################
5406 ## Delete all lock files.
5408 ## <param name="domain">
5410 ## Domain allowed access.
5415 interface(`files_delete_all_locks',`
5421 allow $1 var_t:dir search_dir_perms;
5422 delete_files_pattern($1, lockfile, lockfile)
5425 ########################################
5427 ## Read all lock files.
5429 ## <param name="domain">
5431 ## Domain allowed access.
5435 interface(`files_read_all_locks',`
5438 type var_t, var_lock_t;
5441 allow $1 { var_t var_lock_t }:dir search_dir_perms;
5442 allow $1 lockfile:dir list_dir_perms;
5443 read_files_pattern($1, lockfile, lockfile)
5444 read_lnk_files_pattern($1, lockfile, lockfile)
5447 ########################################
5449 ## manage all lock files.
5451 ## <param name="domain">
5453 ## Domain allowed access.
5457 interface(`files_manage_all_locks',`
5460 type var_t, var_lock_t;
5463 allow $1 { var_t var_lock_t }:dir search_dir_perms;
5464 manage_dirs_pattern($1, lockfile, lockfile)
5465 manage_files_pattern($1, lockfile, lockfile)
5466 manage_lnk_files_pattern($1, lockfile, lockfile)
5469 ########################################
5471 ## Create an object in the locks directory, with a private
5472 ## type using a type transition.
5474 ## <param name="domain">
5476 ## Domain allowed access.
5479 ## <param name="private type">
5481 ## The type of the object to be created.
5484 ## <param name="object">
5486 ## The object class of the object being created.
5490 interface(`files_lock_filetrans',`
5492 type var_t, var_lock_t;
5495 allow $1 var_t:dir search_dir_perms;
5496 filetrans_pattern($1, var_lock_t, $2, $3)
5499 ########################################
5501 ## Do not audit attempts to get the attributes
5502 ## of the /var/run directory.
5504 ## <param name="domain">
5506 ## Domain to not audit.
5510 interface(`files_dontaudit_getattr_pid_dirs',`
5515 dontaudit $1 var_run_t:dir getattr;
5518 ########################################
5520 ## Set the attributes of the /var/run directory.
5522 ## <param name="domain">
5524 ## Domain allowed access.
5528 interface(`files_setattr_pid_dirs',`
5533 allow $1 var_run_t:dir setattr;
5536 ########################################
5538 ## Search the contents of runtime process
5539 ## ID directories (/var/run).
5541 ## <param name="domain">
5543 ## Domain allowed access.
5547 interface(`files_search_pids',`
5549 type var_t, var_run_t;
5552 search_dirs_pattern($1, var_t, var_run_t)
5555 ######################################
5557 ## Add and remove entries from pid directories.
5559 ## <param name="domain">
5561 ## Domain allowed access.
5565 interface(`files_rw_pid_dirs',`
5570 allow $1 var_run_t:dir rw_dir_perms;
5573 #######################################
5575 ## Create generic pid directory.
5577 ## <param name="domain">
5579 ## Domain allowed access.
5583 interface(`files_create_var_run_dirs',`
5585 type var_t, var_run_t;
5588 allow $1 var_t:dir search_dir_perms;
5589 allow $1 var_run_t:dir create_dir_perms;
5592 ########################################
5594 ## Do not audit attempts to search
5595 ## the /var/run directory.
5597 ## <param name="domain">
5599 ## Domain to not audit.
5603 interface(`files_dontaudit_search_pids',`
5608 dontaudit $1 var_run_t:dir search_dir_perms;
5611 ########################################
5613 ## List the contents of the runtime process
5614 ## ID directories (/var/run).
5616 ## <param name="domain">
5618 ## Domain allowed access.
5622 interface(`files_list_pids',`
5624 type var_t, var_run_t;
5627 list_dirs_pattern($1, var_t, var_run_t)
5630 ########################################
5632 ## Read generic process ID files.
5634 ## <param name="domain">
5636 ## Domain allowed access.
5640 interface(`files_read_generic_pids',`
5642 type var_t, var_run_t;
5645 list_dirs_pattern($1, var_t, var_run_t)
5646 read_files_pattern($1, var_run_t, var_run_t)
5649 ########################################
5651 ## Write named generic process ID pipes
5653 ## <param name="domain">
5655 ## Domain allowed access.
5659 interface(`files_write_generic_pid_pipes',`
5664 allow $1 var_run_t:fifo_file write;
5667 ########################################
5669 ## Create an object in the process ID directory, with a private type.
5673 ## Create an object in the process ID directory (e.g., /var/run)
5674 ## with a private type. Typically this is used for creating
5675 ## private PID files in /var/run with the private type instead
5676 ## of the general PID file type. To accomplish this goal,
5677 ## either the program must be SELinux-aware, or use this interface.
5680 ## Related interfaces:
5683 ## <li>files_pid_file()</li>
5686 ## Example usage with a domain that can create and
5687 ## write its PID file with a private PID file type in the
5688 ## /var/run directory:
5691 ## type mypidfile_t;
5692 ## files_pid_file(mypidfile_t)
5693 ## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms };
5694 ## files_pid_filetrans(mydomain_t, mypidfile_t, file)
5697 ## <param name="domain">
5699 ## Domain allowed access.
5702 ## <param name="private type">
5704 ## The type of the object to be created.
5707 ## <param name="object">
5709 ## The object class of the object being created.
5712 ## <infoflow type="write" weight="10"/>
5714 interface(`files_pid_filetrans',`
5716 type var_t, var_run_t;
5719 allow $1 var_t:dir search_dir_perms;
5720 filetrans_pattern($1, var_run_t, $2, $3)
5723 ########################################
5725 ## Read and write generic process ID files.
5727 ## <param name="domain">
5729 ## Domain allowed access.
5733 interface(`files_rw_generic_pids',`
5735 type var_t, var_run_t;
5738 list_dirs_pattern($1, var_t, var_run_t)
5739 rw_files_pattern($1, var_run_t, var_run_t)
5742 ########################################
5744 ## Do not audit attempts to get the attributes of
5745 ## daemon runtime data files.
5747 ## <param name="domain">
5749 ## Domain to not audit.
5753 interface(`files_dontaudit_getattr_all_pids',`
5758 dontaudit $1 pidfile:file getattr;
5761 ########################################
5763 ## Do not audit attempts to write to daemon runtime data files.
5765 ## <param name="domain">
5767 ## Domain to not audit.
5771 interface(`files_dontaudit_write_all_pids',`
5776 dontaudit $1 pidfile:file write;
5779 ########################################
5781 ## Do not audit attempts to ioctl daemon runtime data files.
5783 ## <param name="domain">
5785 ## Domain to not audit.
5789 interface(`files_dontaudit_ioctl_all_pids',`
5794 dontaudit $1 pidfile:file ioctl;
5797 ########################################
5799 ## manage all pidfile directories
5800 ## in the /var/run directory.
5802 ## <param name="domain">
5804 ## Domain allowed access.
5808 interface(`files_manage_all_pids_dirs',`
5813 manage_dirs_pattern($1,pidfile,pidfile)
5817 ########################################
5819 ## Read all process ID files.
5821 ## <param name="domain">
5823 ## Domain allowed access.
5828 interface(`files_read_all_pids',`
5834 list_dirs_pattern($1, var_t, pidfile)
5835 read_files_pattern($1, pidfile, pidfile)
5836 read_lnk_files_pattern($1, pidfile, pidfile)
5839 ########################################
5841 ## Mount filesystems on all polyinstantiation
5842 ## member directories.
5844 ## <param name="domain">
5846 ## Domain allowed access.
5850 interface(`files_mounton_all_poly_members',`
5852 attribute polymember;
5855 allow $1 polymember:dir mounton;
5858 ########################################
5860 ## Delete all process IDs.
5862 ## <param name="domain">
5864 ## Domain allowed access.
5869 interface(`files_delete_all_pids',`
5872 type var_t, var_run_t;
5875 allow $1 var_t:dir search_dir_perms;
5876 allow $1 var_run_t:dir rmdir;
5877 allow $1 var_run_t:lnk_file delete_lnk_file_perms;
5878 delete_files_pattern($1, pidfile, pidfile)
5879 delete_fifo_files_pattern($1, pidfile, pidfile)
5880 delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
5883 ########################################
5885 ## Delete all process ID directories.
5887 ## <param name="domain">
5889 ## Domain allowed access.
5893 interface(`files_delete_all_pid_dirs',`
5899 allow $1 var_t:dir search_dir_perms;
5900 delete_dirs_pattern($1, pidfile, pidfile)
5903 ########################################
5905 ## Search the contents of generic spool
5906 ## directories (/var/spool).
5908 ## <param name="domain">
5910 ## Domain allowed access.
5914 interface(`files_search_spool',`
5916 type var_t, var_spool_t;
5919 search_dirs_pattern($1, var_t, var_spool_t)
5922 ########################################
5924 ## Do not audit attempts to search generic
5925 ## spool directories.
5927 ## <param name="domain">
5929 ## Domain to not audit.
5933 interface(`files_dontaudit_search_spool',`
5938 dontaudit $1 var_spool_t:dir search_dir_perms;
5941 ########################################
5943 ## List the contents of generic spool
5944 ## (/var/spool) directories.
5946 ## <param name="domain">
5948 ## Domain allowed access.
5952 interface(`files_list_spool',`
5954 type var_t, var_spool_t;
5957 list_dirs_pattern($1, var_t, var_spool_t)
5960 ########################################
5962 ## Create, read, write, and delete generic
5963 ## spool directories (/var/spool).
5965 ## <param name="domain">
5967 ## Domain allowed access.
5971 interface(`files_manage_generic_spool_dirs',`
5973 type var_t, var_spool_t;
5976 allow $1 var_t:dir search_dir_perms;
5977 manage_dirs_pattern($1, var_spool_t, var_spool_t)
5980 ########################################
5982 ## Read generic spool files.
5984 ## <param name="domain">
5986 ## Domain allowed access.
5990 interface(`files_read_generic_spool',`
5992 type var_t, var_spool_t;
5995 list_dirs_pattern($1, var_t, var_spool_t)
5996 read_files_pattern($1, var_spool_t, var_spool_t)
5999 ########################################
6001 ## Create, read, write, and delete generic
6004 ## <param name="domain">
6006 ## Domain allowed access.
6010 interface(`files_manage_generic_spool',`
6012 type var_t, var_spool_t;
6015 allow $1 var_t:dir search_dir_perms;
6016 manage_files_pattern($1, var_spool_t, var_spool_t)
6019 ########################################
6021 ## Create objects in the spool directory
6022 ## with a private type with a type transition.
6024 ## <param name="domain">
6026 ## Domain allowed access.
6029 ## <param name="file">
6031 ## Type to which the created node will be transitioned.
6034 ## <param name="class">
6036 ## Object class(es) (single or set including {}) for which this
6037 ## the transition will occur.
6041 interface(`files_spool_filetrans',`
6043 type var_t, var_spool_t;
6046 allow $1 var_t:dir search_dir_perms;
6047 filetrans_pattern($1, var_spool_t, $2, $3)
6050 ########################################
6052 ## Allow access to manage all polyinstantiated
6053 ## directories on the system.
6055 ## <param name="domain">
6057 ## Domain allowed access.
6061 interface(`files_polyinstantiate_all',`
6063 attribute polydir, polymember, polyparent;
6067 # Need to give access to /selinux/member
6068 selinux_compute_member($1)
6070 # Need sys_admin capability for mounting
6071 allow $1 self:capability { chown fsetid sys_admin fowner };
6073 # Need to give access to the directories to be polyinstantiated
6074 allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
6076 # Need to give access to the polyinstantiated subdirectories
6077 allow $1 polymember:dir search_dir_perms;
6079 # Need to give access to parent directories where original
6080 # is remounted for polyinstantiation aware programs (like gdm)
6081 allow $1 polyparent:dir { getattr mounton };
6083 # Need to give permission to create directories where applicable
6084 allow $1 self:process setfscreate;
6085 allow $1 polymember: dir { create setattr relabelto };
6086 allow $1 polydir: dir { write add_name open };
6087 allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
6089 # Default type for mountpoints
6090 allow $1 poly_t:dir { create mounton };
6091 fs_unmount_xattr_fs($1)
6094 fs_unmount_tmpfs($1)
6096 ifdef(`distro_redhat',`
6098 files_search_tmp($1)
6099 files_search_home($1)
6100 corecmd_exec_bin($1)
6101 seutil_domtrans_setfiles($1)
6105 ########################################
6107 ## Unconfined access to files.
6109 ## <param name="domain">
6111 ## Domain allowed access.
6115 interface(`files_unconfined',`
6117 attribute files_unconfined_type;
6120 typeattribute $1 files_unconfined_type;
6123 ########################################
6125 ## Create a core files in /
6129 ## Create a core file in /,
6132 ## <param name="domain">
6134 ## Domain allowed access.
6139 interface(`files_manage_root_files',`
6144 manage_files_pattern($1, root_t, root_t)
6147 ########################################
6149 ## Create a default directory
6153 ## Create a default_t direcrory
6156 ## <param name="domain">
6158 ## Domain allowed access.
6163 interface(`files_create_default_dir',`
6168 allow $1 default_t:dir create;
6171 ########################################
6173 ## Create, default_t objects with an automatic
6176 ## <param name="domain">
6178 ## Domain allowed access.
6181 ## <param name="object">
6183 ## The class of the object being created.
6187 interface(`files_root_filetrans_default',`
6189 type root_t, default_t;
6192 filetrans_pattern($1, root_t, default_t, $2)
6195 ########################################
6197 ## manage generic symbolic links
6198 ## in the /var/run directory.
6200 ## <param name="domain">
6202 ## Domain allowed access.
6206 interface(`files_manage_generic_pids_symlinks',`
6211 manage_lnk_files_pattern($1,var_run_t,var_run_t)
6214 ########################################
6216 ## Do not audit attempts to getattr
6219 ## <param name="domain">
6221 ## Domain to not audit.
6225 interface(`files_dontaudit_getattr_tmpfs_files',`
6227 attribute tmpfsfile;
6230 allow $1 tmpfsfile:file getattr;
6233 ########################################
6235 ## Do not audit attempts to read security files
6237 ## <param name="domain">
6239 ## Domain to not audit.
6243 interface(`files_dontaudit_read_security_files',`
6245 attribute security_file_type;
6248 dontaudit $1 security_file_type:file read_file_perms;
6251 ########################################
6253 ## rw any files inherited from another process
6255 ## <param name="domain">
6257 ## Domain allowed access.
6262 interface(`files_rw_all_inherited_files',`
6264 attribute file_type;
6267 allow $1 { file_type $2 }:file rw_inherited_file_perms;
6268 allow $1 { file_type $2 }:fifo_file rw_inherited_fifo_file_perms;
6269 allow $1 { file_type $2 }:sock_file rw_inherited_sock_file_perms;
6270 allow $1 { file_type $2 }:chr_file rw_inherited_chr_file_perms;
6273 ########################################
6275 ## Allow any file point to be the entrypoint of this domain
6277 ## <param name="domain">
6279 ## Domain allowed access.
6284 interface(`files_entrypoint_all_files',`
6286 attribute file_type;
6288 allow $1 file_type:file entrypoint;
6291 ########################################
6293 ## Do not audit attempts to rw inherited file perms
6294 ## of non security files.
6296 ## <param name="domain">
6298 ## Domain to not audit.
6302 interface(`files_dontaudit_all_non_security_leaks',`
6304 attribute non_security_file_type;
6307 dontaudit $1 non_security_file_type:file_class_set rw_inherited_file_perms;
6310 ########################################
6312 ## Do not audit attempts to read or write
6313 ## all leaked files.
6315 ## <param name="domain">
6317 ## Domain allowed access.
6321 interface(`files_dontaudit_leaks',`
6323 attribute file_type;
6326 dontaudit $1 file_type:file rw_inherited_file_perms;
6327 dontaudit $1 file_type:lnk_file { read };
6330 ########################################
6332 ## Allow domain to create_file_ass all types
6334 ## <param name="domain">
6336 ## Domain allowed access.
6340 interface(`files_create_as_is_all_files',`
6342 attribute file_type;
6343 class kernel_service create_files_as;
6346 allow $1 file_type:kernel_service create_files_as;
projects / people / stevee / selinux-policy.git / blob