2 ## Basic filesystem types and interfaces.
6 ## This module contains basic filesystem types and interfaces. This
9 ## <li>The concept of different file types including basic
10 ## files, mount points, tmp files, etc.</li>
11 ## <li>Access to groups of files and all files.</li>
12 ## <li>Types and interfaces for the basic filesystem layout
13 ## (/, /etc, /tmp, /usr, etc.).</li>
17 ## <required val="true">
18 ## Contains the concept of a file.
19 ## Contains the file initial SID.
22 ########################################
24 ## Make the specified type usable for files
29 ## Make the specified type usable for files
30 ## in a filesystem. Types used for files that
31 ## do not use this interface, or an interface that
32 ## calls this one, will have unexpected behaviors
33 ## while the system is running. If the type is used
34 ## for device nodes (character or block files), then
35 ## the dev_node() interface is more appropriate.
38 ## Related interfaces:
41 ## <li>application_domain()</li>
42 ## <li>application_executable_file()</li>
43 ## <li>corecmd_executable_file()</li>
44 ## <li>init_daemon_domain()</li>
45 ## <li>init_domain()</li>
46 ## <li>init_ranged_daemon_domain()</li>
47 ## <li>init_ranged_domain()</li>
48 ## <li>init_ranged_system_domain()</li>
49 ## <li>init_script_file()</li>
50 ## <li>init_script_domain()</li>
51 ## <li>init_system_domain()</li>
52 ## <li>files_config_file()</li>
53 ## <li>files_lock_file()</li>
54 ## <li>files_mountpoint()</li>
55 ## <li>files_pid_file()</li>
56 ## <li>files_security_file()</li>
57 ## <li>files_security_mountpoint()</li>
58 ## <li>files_tmp_file()</li>
59 ## <li>files_tmpfs_file()</li>
60 ## <li>logging_log_file()</li>
61 ## <li>userdom_user_home_content()</li>
68 ## files_type(myfile_t)
69 ## allow mydomain_t myfile_t:file read_file_perms;
72 ## <param name="type">
74 ## Type to be used for files.
77 ## <infoflow type="none"/>
79 interface(`files_type',`
81 attribute file_type, non_security_file_type;
84 typeattribute $1 file_type, non_security_file_type;
87 ########################################
89 ## Make the specified type a file whose
90 ## browsing by user domains should not
91 ## be dontaudited.
93 ## <param name="file_type">
95 ## Type of the file to be used as a
100 interface(`files_security_file',`
102 attribute file_type, security_file_type;
105 typeattribute $1 file_type, security_file_type;
108 ########################################
110 ## Make the specified type usable for
113 ## <param name="type">
115 ## Type to be used for lock files.
119 interface(`files_lock_file',`
125 typeattribute $1 lockfile;
128 ########################################
130 ## Make the specified type usable for
131 ## filesystem mount points.
133 ## <param name="type">
135 ## Type to be used for mount points.
139 interface(`files_mountpoint',`
141 attribute mountpoint;
145 typeattribute $1 mountpoint;
148 ########################################
150 ## Make the specified type usable for
151 ## security file filesystem mount points.
153 ## <param name="type">
155 ## Type to be used for mount points.
159 interface(`files_security_mountpoint',`
161 attribute mountpoint;
164 files_security_file($1)
165 typeattribute $1 mountpoint;
168 ########################################
170 ## Make the specified type usable for
171 ## runtime process ID files.
175 ## Make the specified type usable for runtime process ID files,
176 ## typically found in /var/run.
177 ## This will also make the type usable for files, making
178 ## calls to files_type() redundant. Failure to use this interface
179 ## for a PID file type may result in problems with starting
180 ## or stopping services.
183 ## Related interfaces:
186 ## <li>files_pid_filetrans()</li>
189 ## Example usage with a domain that can create and
190 ## write its PID file with a private PID file type in the
191 ## /var/run directory:
195 ## files_pid_file(mypidfile_t)
196 ## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms };
197 ## files_pid_filetrans(mydomain_t, mypidfile_t, file)
200 ## <param name="type">
202 ## Type to be used for PID files.
205 ## <infoflow type="none"/>
207 interface(`files_pid_file',`
213 typeattribute $1 pidfile;
216 ########################################
218 ## Make the specified type a
219 ## configuration file.
223 ## Make the specified type usable for configuration files.
224 ## This will also make the type usable for files, making
225 ## calls to files_type() redundant. Failure to use this interface
226 ## for a configuration file may result in problems with
227 ## configuration management tools.
230 ## Example usage with a domain that can read
231 ## its configuration file in /etc:
234 ## type myconffile_t;
235 ## files_config_file(myconffile_t)
236 ## allow mydomain_t myconffile_t:file read_file_perms;
237 ## files_search_etc(mydomain_t)
240 ## <param name="file_type">
242 ## Type to be used as a configuration file.
245 ## <infoflow type="none"/>
247 interface(`files_config_file',`
249 attribute configfile;
252 typeattribute $1 configfile;
255 ########################################
257 ## Make the specified type a
258 ## polyinstantiated directory.
260 ## <param name="file_type">
262 ## Type of the file to be used as a
263 ## polyinstantiated directory.
267 interface(`files_poly',`
273 typeattribute $1 polydir;
276 ########################################
278 ## Make the specified type a parent
279 ## of a polyinstantiated directory.
281 ## <param name="file_type">
283 ## Type of the file to be used as a
288 interface(`files_poly_parent',`
290 attribute polyparent;
294 typeattribute $1 polyparent;
297 ########################################
299 ## Make the specified type a
300 ## polyinstantiation member directory.
302 ## <param name="file_type">
304 ## Type of the file to be used as a
309 interface(`files_poly_member',`
311 attribute polymember;
315 typeattribute $1 polymember;
318 ########################################
320 ## Make the domain use the specified
321 ## type of polyinstantiated directory.
323 ## <param name="domain">
325 ## Domain using the polyinstantiated
329 ## <param name="file_type">
331 ## Type of the file to be used as a
336 interface(`files_poly_member_tmp',`
341 type_member $1 tmp_t:dir $2;
344 ########################################
346 ## Make the specified type a file
347 ## used for temporary files.
351 ## Make the specified type usable for temporary files.
352 ## This will also make the type usable for files, making
353 ## calls to files_type() redundant. Failure to use this interface
354 ## for a temporary file may result in problems with
355 ## purging temporary files.
358 ## Related interfaces:
361 ## <li>files_tmp_filetrans()</li>
364 ## Example usage with a domain that can create and
365 ## write its temporary file in the system temporary file
366 ## directories (/tmp or /var/tmp):
370 ## files_tmp_file(mytmpfile_t)
371 ## allow mydomain_t mytmpfile_t:file { create_file_perms write_file_perms };
372 ## files_tmp_filetrans(mydomain_t, mytmpfile_t, file)
375 ## <param name="file_type">
377 ## Type of the file to be used as a
381 ## <infoflow type="none"/>
383 interface(`files_tmp_file',`
390 files_poly_member($1)
391 typeattribute $1 tmpfile;
394 ########################################
396 ## Transform the type into a file, for use on a
397 ## virtual memory filesystem (tmpfs).
399 ## <param name="type">
401 ## The type to be transformed.
405 interface(`files_tmpfs_file',`
411 typeattribute $1 tmpfsfile;
414 ########################################
416 ## Get the attributes of all directories.
418 ## <param name="domain">
420 ## Domain allowed access.
424 interface(`files_getattr_all_dirs',`
429 getattr_dirs_pattern($1, file_type, file_type)
432 ########################################
434 ## Do not audit attempts to get the attributes
435 ## of all directories.
437 ## <param name="domain">
439 ## Domain to not audit.
443 interface(`files_dontaudit_getattr_all_dirs',`
448 dontaudit $1 file_type:dir getattr;
451 ########################################
453 ## List all non-security directories.
455 ## <param name="domain">
457 ## Domain allowed access.
461 interface(`files_list_non_security',`
463 attribute non_security_file_type;
466 list_dirs_pattern($1, non_security_file_type, non_security_file_type)
469 ########################################
471 ## Do not audit attempts to list all
472 ## non-security directories.
474 ## <param name="domain">
476 ## Domain to not audit.
480 interface(`files_dontaudit_list_non_security',`
482 attribute non_security_file_type;
485 dontaudit $1 non_security_file_type:dir list_dir_perms;
488 ########################################
490 ## Mount a filesystem on all non-security
491 ## directories and files.
493 ## <param name="domain">
495 ## Domain allowed access.
499 interface(`files_mounton_non_security',`
501 attribute non_security_file_type;
504 allow $1 non_security_file_type:dir mounton;
505 allow $1 non_security_file_type:file mounton;
508 ########################################
510 ## Allow attempts to modify any directory
512 ## <param name="domain">
514 ## Domain allowed access.
518 interface(`files_write_non_security_dirs',`
520 attribute non_security_file_type;
523 allow $1 non_security_file_type:dir write;
526 ########################################
528 ## Allow attempts to manage non-security directories
530 ## <param name="domain">
532 ## Domain allowed access.
536 interface(`files_manage_non_security_dirs',`
538 attribute non_security_file_type;
541 allow $1 non_security_file_type:dir manage_dir_perms;
544 ########################################
546 ## Get the attributes of all files.
548 ## <param name="domain">
550 ## Domain allowed access.
554 interface(`files_getattr_all_files',`
559 getattr_files_pattern($1, file_type, file_type)
560 getattr_lnk_files_pattern($1, file_type, file_type)
563 ########################################
565 ## Do not audit attempts to get the attributes
568 ## <param name="domain">
570 ## Domain to not audit.
574 interface(`files_dontaudit_getattr_all_files',`
579 dontaudit $1 file_type:file getattr;
582 ########################################
584 ## Do not audit attempts to get the attributes
585 ## of non security files.
587 ## <param name="domain">
589 ## Domain to not audit.
593 interface(`files_dontaudit_getattr_non_security_files',`
595 attribute non_security_file_type;
598 dontaudit $1 non_security_file_type:file getattr;
601 ########################################
605 ## <param name="domain">
607 ## Domain allowed access.
611 interface(`files_read_all_files',`
616 allow $1 file_type:dir list_dir_perms;
617 read_files_pattern($1, file_type, file_type)
624 ########################################
626 ## Allow shared library text relocations in all files.
630 ## Allow shared library text relocations in all files.
633 ## This is added to support WINE policy.
636 ## <param name="domain">
638 ## Domain allowed access.
642 interface(`files_execmod_all_files',`
647 allow $1 file_type:file execmod;
650 ########################################
652 ## Read all non-security files.
654 ## <param name="domain">
656 ## Domain allowed access.
661 interface(`files_read_non_security_files',`
663 attribute non_security_file_type;
666 read_files_pattern($1, non_security_file_type, non_security_file_type)
667 read_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
670 ########################################
672 ## Read all directories on the filesystem, except
673 ## the listed exceptions.
675 ## <param name="domain">
677 ## Domain allowed access.
680 ## <param name="exception_types" optional="true">
682 ## The types to be excluded. Each type or attribute
683 ## must be negated by the caller (prefixed with "-").
687 interface(`files_read_all_dirs_except',`
692 allow $1 { file_type $2 }:dir list_dir_perms;
695 ########################################
697 ## Read all files on the filesystem, except
698 ## the listed exceptions.
700 ## <param name="domain">
702 ## Domain allowed access.
705 ## <param name="exception_types" optional="true">
707 ## The types to be excluded. Each type or attribute
708 ## must be negated by the caller.
712 interface(`files_read_all_files_except',`
717 read_files_pattern($1, { file_type $2 }, { file_type $2 })
720 ########################################
722 ## Read all symbolic links on the filesystem, except
723 ## the listed exceptions.
725 ## <param name="domain">
727 ## Domain allowed access.
730 ## <param name="exception_types" optional="true">
732 ## The types to be excluded. Each type or attribute
733 ## must be negated by the caller.
737 interface(`files_read_all_symlinks_except',`
742 read_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
745 ########################################
747 ## Get the attributes of all symbolic links.
749 ## <param name="domain">
751 ## Domain allowed access.
755 interface(`files_getattr_all_symlinks',`
760 getattr_lnk_files_pattern($1, file_type, file_type)
763 ########################################
765 ## Do not audit attempts to get the attributes
766 ## of all symbolic links.
768 ## <param name="domain">
770 ## Domain to not audit.
774 interface(`files_dontaudit_getattr_all_symlinks',`
779 dontaudit $1 file_type:lnk_file getattr;
782 ########################################
784 ## Do not audit attempts to read all symbolic links.
786 ## <param name="domain">
788 ## Domain to not audit.
792 interface(`files_dontaudit_read_all_symlinks',`
797 dontaudit $1 file_type:lnk_file read;
800 ########################################
802 ## Do not audit attempts to get the attributes
803 ## of non security symbolic links.
805 ## <param name="domain">
807 ## Domain to not audit.
811 interface(`files_dontaudit_getattr_non_security_symlinks',`
813 attribute non_security_file_type;
816 dontaudit $1 non_security_file_type:lnk_file getattr;
819 ########################################
821 ## Do not audit attempts to get the attributes
822 ## of non security block devices.
824 ## <param name="domain">
826 ## Domain to not audit.
830 interface(`files_dontaudit_getattr_non_security_blk_files',`
832 attribute non_security_file_type;
835 dontaudit $1 non_security_file_type:blk_file getattr;
838 ########################################
840 ## Do not audit attempts to get the attributes
841 ## of non security character devices.
843 ## <param name="domain">
845 ## Domain to not audit.
849 interface(`files_dontaudit_getattr_non_security_chr_files',`
851 attribute non_security_file_type;
854 dontaudit $1 non_security_file_type:chr_file getattr;
857 ########################################
859 ## Read all symbolic links.
861 ## <param name="domain">
863 ## Domain allowed access.
868 interface(`files_read_all_symlinks',`
873 allow $1 file_type:dir list_dir_perms;
874 read_lnk_files_pattern($1, file_type, file_type)
877 ########################################
879 ## Get the attributes of all named pipes.
881 ## <param name="domain">
883 ## Domain allowed access.
887 interface(`files_getattr_all_pipes',`
892 allow $1 file_type:dir list_dir_perms;
893 getattr_fifo_files_pattern($1, file_type, file_type)
896 ########################################
898 ## Do not audit attempts to get the attributes
899 ## of all named pipes.
901 ## <param name="domain">
903 ## Domain to not audit.
907 interface(`files_dontaudit_getattr_all_pipes',`
912 dontaudit $1 file_type:fifo_file getattr;
915 ########################################
917 ## Do not audit attempts to get the attributes
918 ## of non security named pipes.
920 ## <param name="domain">
922 ## Domain to not audit.
926 interface(`files_dontaudit_getattr_non_security_pipes',`
928 attribute non_security_file_type;
931 dontaudit $1 non_security_file_type:fifo_file getattr;
934 ########################################
936 ## Get the attributes of all named sockets.
938 ## <param name="domain">
940 ## Domain allowed access.
944 interface(`files_getattr_all_sockets',`
949 allow $1 file_type:dir list_dir_perms;
950 getattr_sock_files_pattern($1, file_type, file_type)
953 ########################################
955 ## Do not audit attempts to get the attributes
956 ## of all named sockets.
958 ## <param name="domain">
960 ## Domain to not audit.
964 interface(`files_dontaudit_getattr_all_sockets',`
969 dontaudit $1 file_type:sock_file getattr;
972 ########################################
974 ## Do not audit attempts to get the attributes
975 ## of non security named sockets.
977 ## <param name="domain">
979 ## Domain to not audit.
983 interface(`files_dontaudit_getattr_non_security_sockets',`
985 attribute non_security_file_type;
988 dontaudit $1 non_security_file_type:sock_file getattr;
991 ########################################
993 ## Read all block nodes with file types.
995 ## <param name="domain">
997 ## Domain allowed access.
1001 interface(`files_read_all_blk_files',`
1003 attribute file_type;
1006 read_blk_files_pattern($1, file_type, file_type)
1009 ########################################
1011 ## Read all character nodes with file types.
1013 ## <param name="domain">
1015 ## Domain allowed access.
1019 interface(`files_read_all_chr_files',`
1021 attribute file_type;
1024 read_chr_files_pattern($1, file_type, file_type)
1027 ########################################
1029 ## Relabel all files on the filesystem, except
1030 ## the listed exceptions.
1032 ## <param name="domain">
1034 ## Domain allowed access.
1037 ## <param name="exception_types" optional="true">
1039 ## The types to be excluded. Each type or attribute
1040 ## must be negated by the caller (prefixed with "-").
1045 interface(`files_relabel_all_files',`
1047 attribute file_type;
1050 allow $1 { file_type $2 }:dir list_dir_perms;
1051 relabel_dirs_pattern($1, { file_type $2 }, { file_type $2 })
1052 relabel_files_pattern($1, { file_type $2 }, { file_type $2 })
1053 relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
1054 relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
1055 relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
1056 relabel_blk_files_pattern($1, { file_type $2 }, { file_type $2 })
1057 relabel_chr_files_pattern($1, { file_type $2 }, { file_type $2 })
1059 # satisfy the assertions:
1060 seutil_relabelto_bin_policy($1)
1063 ########################################
1065 ## Read and write all files on the filesystem, except
1066 ## the listed exceptions.
1068 ## <param name="domain">
1070 ## Domain allowed access.
1073 ## <param name="exception_types" optional="true">
1075 ## The types to be excluded. Each type or attribute
1076 ## must be negated by the caller.
1081 interface(`files_rw_all_files',`
1083 attribute file_type;
1086 rw_files_pattern($1, { file_type $2 }, { file_type $2 })
1089 ########################################
1091 ## Manage all files on the filesystem, except
1092 ## the listed exceptions.
1094 ## <param name="domain">
1096 ## Domain allowed access.
1099 ## <param name="exception_types" optional="true">
1101 ## The types to be excluded. Each type or attribute
1102 ## must be negated by the caller (prefixed with "-").
1107 interface(`files_manage_all_files',`
1109 attribute file_type;
1112 manage_dirs_pattern($1, { file_type $2 }, { file_type $2 })
1113 manage_files_pattern($1, { file_type $2 }, { file_type $2 })
1114 manage_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
1115 manage_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
1116 manage_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
1118 # satisfy the assertions:
1119 seutil_create_bin_policy($1)
1120 files_manage_kernel_modules($1)
1123 ########################################
1125 ## Search the contents of all directories on
1126 ## extended attribute filesystems.
1128 ## <param name="domain">
1130 ## Domain allowed access.
1134 interface(`files_search_all',`
1136 attribute file_type;
1139 allow $1 file_type:dir search_dir_perms;
1142 ########################################
1144 ## List the contents of all directories on
1145 ## extended attribute filesystems.
1147 ## <param name="domain">
1149 ## Domain allowed access.
1153 interface(`files_list_all',`
1155 attribute file_type;
1158 allow $1 file_type:dir list_dir_perms;
1161 ########################################
1163 ## Do not audit attempts to search the
1164 ## contents of any directories on extended
1165 ## attribute filesystems.
1167 ## <param name="domain">
1169 ## Domain to not audit.
1173 interface(`files_dontaudit_search_all_dirs',`
1175 attribute file_type;
1178 dontaudit $1 file_type:dir search_dir_perms;
1181 ########################################
1183 ## Get the attributes of all filesystems
1184 ## with the type of a file.
1186 ## <param name="domain">
1188 ## Domain allowed access.
1192 # dwalsh: This interface is to allow quotacheck to work on a
1193 # filesystem mounted with the --context switch
1194 # https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=212957
1196 interface(`files_getattr_all_file_type_fs',`
1198 attribute file_type;
1201 allow $1 file_type:filesystem getattr;
1204 ########################################
1206 ## Relabel a filesystem to the type of a file.
1208 ## <param name="domain">
1210 ## Domain allowed access.
1214 interface(`files_relabelto_all_file_type_fs',`
1216 attribute file_type;
1219 allow $1 file_type:filesystem relabelto;
1222 ########################################
1224 ## Relabel a filesystem from and to the type of a file.
1226 ## <param name="domain">
1228 ## Domain allowed access.
1232 interface(`files_relabel_all_file_type_fs',`
1234 attribute file_type;
1237 allow $1 file_type:filesystem { relabelfrom relabelto };
1240 ########################################
1242 ## Mount all filesystems with the type of a file.
1244 ## <param name="domain">
1246 ## Domain allowed access.
1250 interface(`files_mount_all_file_type_fs',`
1252 attribute file_type;
1255 allow $1 file_type:filesystem mount;
1258 ########################################
1260 ## Unmount all filesystems with the type of a file.
1262 ## <param name="domain">
1264 ## Domain allowed access.
1268 interface(`files_unmount_all_file_type_fs',`
1270 attribute file_type;
1273 allow $1 file_type:filesystem unmount;
1276 #############################################
1278 ## Manage all configuration directories on filesystem
1280 ## <param name="domain">
1282 ## Domain allowed access.
1287 interface(`files_manage_config_dirs',`
1289 attribute configfile;
1292 manage_dirs_pattern($1, configfile, configfile)
1295 #########################################
1297 ## Relabel configuration directories
1299 ## <param name="domain">
1301 ## Domain allowed access.
1306 interface(`files_relabel_config_dirs',`
1308 attribute configfile;
1311 relabel_dirs_pattern($1, configfile, configfile)
1314 ########################################
1316 ## Read config files in /etc.
1318 ## <param name="domain">
1320 ## Domain allowed access.
1324 interface(`files_read_config_files',`
1326 attribute configfile;
1329 allow $1 configfile:dir list_dir_perms;
1330 read_files_pattern($1, configfile, configfile)
1331 read_lnk_files_pattern($1, configfile, configfile)
1334 ###########################################
1336 ## Manage all configuration files on filesystem
1338 ## <param name="domain">
1340 ## Domain allowed access.
1345 interface(`files_manage_config_files',`
1347 attribute configfile;
1350 manage_files_pattern($1, configfile, configfile)
1353 #######################################
1355 ## Relabel configuration files
1357 ## <param name="domain">
1359 ## Domain allowed access.
1364 interface(`files_relabel_config_files',`
1366 attribute configfile;
1369 relabel_files_pattern($1, configfile, configfile)
1372 ########################################
1374 ## Mount a filesystem on all mount points.
1376 ## <param name="domain">
1378 ## Domain allowed access.
1382 interface(`files_mounton_all_mountpoints',`
1384 attribute mountpoint;
1387 allow $1 mountpoint:dir { search_dir_perms mounton };
1388 allow $1 mountpoint:file { getattr mounton };
1391 ########################################
1393 ## Get the attributes of all mount points.
1395 ## <param name="domain">
1397 ## Domain allowed access.
1401 interface(`files_getattr_all_mountpoints',`
1403 attribute mountpoint;
1406 allow $1 mountpoint:dir getattr;
1409 ########################################
1411 ## Set the attributes of all mount points.
1413 ## <param name="domain">
1415 ## Domain allowed access.
1419 interface(`files_setattr_all_mountpoints',`
1421 attribute mountpoint;
1424 allow $1 mountpoint:dir setattr;
1427 ########################################
1429 ## Search all mount points.
1431 ## <param name="domain">
1433 ## Domain allowed access.
1437 interface(`files_search_all_mountpoints',`
1439 attribute mountpoint;
1442 allow $1 mountpoint:dir search_dir_perms;
1445 ########################################
1447 ## Do not audit searching of all mount points.
1449 ## <param name="domain">
1451 ## Domain to not audit.
1455 interface(`files_dontaudit_search_all_mountpoints',`
1457 attribute mountpoint;
1460 dontaudit $1 mountpoint:dir search_dir_perms;
1463 ########################################
1465 ## Do not audit listing of all mount points.
1467 ## <param name="domain">
1469 ## Domain to not audit.
1473 interface(`files_dontaudit_list_all_mountpoints',`
1475 attribute mountpoint;
1478 dontaudit $1 mountpoint:dir list_dir_perms;
1481 ########################################
1483 ## Write all mount points.
1485 ## <param name="domain">
1487 ## Domain allowed access.
1491 interface(`files_write_all_mountpoints',`
1493 attribute mountpoint;
1496 allow $1 mountpoint:dir write;
1499 ########################################
1501 ## Write all file type directories.
1503 ## <param name="domain">
1505 ## Domain allowed access.
1509 interface(`files_write_all_dirs',`
1511 attribute file_type;
1514 allow $1 file_type:dir write;
1517 ########################################
1519 ## List the contents of the root directory.
1521 ## <param name="domain">
1523 ## Domain allowed access.
1527 interface(`files_list_root',`
1532 allow $1 root_t:dir list_dir_perms;
1533 allow $1 root_t:lnk_file { read_lnk_file_perms ioctl lock };
1536 ########################################
1538 ## Do not audit attempts to write to / dirs.
1540 ## <param name="domain">
1542 ## Domain to not audit.
1546 interface(`files_dontaudit_write_root_dirs',`
1551 dontaudit $1 root_t:dir write;
1556 ## Do not audit attempts to write
1557 ## files in the root directory.
1559 ## <param name="domain">
1561 ## Domain to not audit.
1565 interface(`files_dontaudit_rw_root_dir',`
1570 dontaudit $1 root_t:dir rw_dir_perms;
1573 ########################################
1575 ## Create an object in the root directory, with a private
1576 ## type using a type transition.
1578 ## <param name="domain">
1580 ## Domain allowed access.
1583 ## <param name="private type">
1585 ## The type of the object to be created.
1588 ## <param name="object">
1590 ## The object class of the object being created.
1594 interface(`files_root_filetrans',`
1599 filetrans_pattern($1, root_t, $2, $3)
1602 ########################################
1604 ## Do not audit attempts to read files in
1605 ## the root directory.
1607 ## <param name="domain">
1609 ## Domain to not audit.
1613 interface(`files_dontaudit_read_root_files',`
1618 dontaudit $1 root_t:file { getattr read };
1621 ########################################
1623 ## Do not audit attempts to read or write
1624 ## files in the root directory.
1626 ## <param name="domain">
1628 ## Domain to not audit.
1632 interface(`files_dontaudit_rw_root_files',`
1637 dontaudit $1 root_t:file { read write };
1640 ########################################
1642 ## Do not audit attempts to read or write
1643 ## character device nodes in the root directory.
1645 ## <param name="domain">
1647 ## Domain to not audit.
1651 interface(`files_dontaudit_rw_root_chr_files',`
1656 dontaudit $1 root_t:chr_file { read write };
1659 ########################################
1661 ## Delete files in the root directory.
1663 ## <param name="domain">
1665 ## Domain allowed access.
1669 interface(`files_delete_root_files',`
1674 allow $1 root_t:file unlink;
1677 ########################################
1679 ## Remove entries from the root directory.
1681 ## <param name="domain">
1683 ## Domain allowed access.
1687 interface(`files_delete_root_dir_entry',`
1692 allow $1 root_t:dir rw_dir_perms;
1695 ########################################
1697 ## Unmount a rootfs filesystem.
1699 ## <param name="domain">
1701 ## Domain allowed access.
1705 interface(`files_unmount_rootfs',`
1710 allow $1 root_t:filesystem unmount;
1713 ########################################
1715 ## Get attributes of the /boot directory.
1717 ## <param name="domain">
1719 ## Domain allowed access.
1723 interface(`files_getattr_boot_dirs',`
1728 allow $1 boot_t:dir getattr;
1731 ########################################
1733 ## Do not audit attempts to get attributes
1734 ## of the /boot directory.
1736 ## <param name="domain">
1738 ## Domain to not audit.
1742 interface(`files_dontaudit_getattr_boot_dirs',`
1747 dontaudit $1 boot_t:dir getattr;
1750 ########################################
1752 ## Search the /boot directory.
1754 ## <param name="domain">
1756 ## Domain allowed access.
1760 interface(`files_search_boot',`
1765 allow $1 boot_t:dir search_dir_perms;
1768 ########################################
1770 ## Do not audit attempts to search the /boot directory.
1772 ## <param name="domain">
1774 ## Domain to not audit.
1778 interface(`files_dontaudit_search_boot',`
1783 dontaudit $1 boot_t:dir search_dir_perms;
1786 ########################################
1788 ## List the /boot directory.
1790 ## <param name="domain">
1792 ## Domain allowed access.
1796 interface(`files_list_boot',`
1801 allow $1 boot_t:dir list_dir_perms;
1804 #######################################
1806 ## Do not audit attempts to list the /boot directory.
1808 ## <param name="domain">
1810 ## Domain allowed access.
1814 interface(`files_dontaudit_list_boot',`
1819 dontaudit $1 boot_t:dir list_dir_perms;
1822 ########################################
1824 ## Create directories in /boot
1826 ## <param name="domain">
1828 ## Domain allowed access.
1832 interface(`files_create_boot_dirs',`
1837 allow $1 boot_t:dir { create rw_dir_perms };
1840 ########################################
1842 ## Create, read, write, and delete
1843 ## directories in /boot.
1845 ## <param name="domain">
1847 ## Domain allowed access.
1851 interface(`files_manage_boot_dirs',`
1856 allow $1 boot_t:dir manage_dir_perms;
1859 ########################################
1861 ## Create a private type object in boot
1862 ## with an automatic type transition
1864 ## <param name="domain">
1866 ## Domain allowed access.
1869 ## <param name="private_type">
1871 ## The type of the object to be created.
1874 ## <param name="object_class">
1876 ## The object class of the object being created.
1880 interface(`files_boot_filetrans',`
1885 filetrans_pattern($1, boot_t, $2, $3)
1888 ########################################
1890 ## Read files in the /boot directory.
1892 ## <param name="domain">
1894 ## Domain allowed access.
1899 interface(`files_read_boot_files',`
1904 read_files_pattern($1, boot_t, boot_t)
1907 ########################################
1909 ## Create, read, write, and delete files
1910 ## in the /boot directory.
1912 ## <param name="domain">
1914 ## Domain allowed access.
1919 interface(`files_manage_boot_files',`
1924 manage_files_pattern($1, boot_t, boot_t)
1927 ########################################
1929 ## Relabel from files in the /boot directory.
1931 ## <param name="domain">
1933 ## Domain allowed access.
1937 interface(`files_relabelfrom_boot_files',`
1942 relabelfrom_files_pattern($1, boot_t, boot_t)
1945 ######################################
1947 ## Read symbolic links
1948 ## in the /boot directory.
1950 ## <param name="domain">
1952 ## Domain allowed access.
1956 interface(`files_read_boot_symlinks',`
1961 read_lnk_files_pattern($1, boot_t, boot_t)
1964 ########################################
1966 ## Read and write symbolic links
1967 ## in the /boot directory.
1969 ## <param name="domain">
1971 ## Domain allowed access.
1975 interface(`files_rw_boot_symlinks',`
1980 allow $1 boot_t:dir list_dir_perms;
1981 rw_lnk_files_pattern($1, boot_t, boot_t)
1984 ########################################
1986 ## Create, read, write, and delete symbolic links
1987 ## in the /boot directory.
1989 ## <param name="domain">
1991 ## Domain allowed access.
1995 interface(`files_manage_boot_symlinks',`
2000 manage_lnk_files_pattern($1, boot_t, boot_t)
2003 ########################################
2005 ## Read kernel files in the /boot directory.
2007 ## <param name="domain">
2009 ## Domain allowed access.
2013 interface(`files_read_kernel_img',`
2018 allow $1 boot_t:dir list_dir_perms;
2019 read_files_pattern($1, boot_t, boot_t)
2020 read_lnk_files_pattern($1, boot_t, boot_t)
2023 ########################################
2025 ## Install a kernel into the /boot directory.
2027 ## <param name="domain">
2029 ## Domain allowed access.
2034 interface(`files_create_kernel_img',`
# NOTE(review): the rules below let the caller create and write boot_t
# files and fully manage boot_t symlinks. Per the summary these are kernel
# images in /boot, so a caller can change what the system boots next;
# grant this only to kernel installer domains and review each caller.
2039 allow $1 boot_t:file { create_file_perms rw_file_perms };
2040 manage_lnk_files_pattern($1, boot_t, boot_t)
2043 ########################################
2045 ## Delete a kernel from /boot.
2047 ## <param name="domain">
2049 ## Domain allowed access.
2054 interface(`files_delete_kernel',`
2059 delete_files_pattern($1, boot_t, boot_t)
2062 ########################################
2064 ## Getattr of directories with the default file type.
2066 ## <param name="domain">
2068 ## Domain allowed access.
2072 interface(`files_getattr_default_dirs',`
2077 allow $1 default_t:dir getattr;
2080 ########################################
2082 ## Do not audit attempts to get the attributes of
2083 ## directories with the default file type.
2085 ## <param name="domain">
2087 ## Domain to not audit.
2091 interface(`files_dontaudit_getattr_default_dirs',`
2096 dontaudit $1 default_t:dir getattr;
2099 ########################################
2101 ## Search the contents of directories with the default file type.
2103 ## <param name="domain">
2105 ## Domain allowed access.
2109 interface(`files_search_default',`
2114 allow $1 default_t:dir search_dir_perms;
2117 ########################################
2119 ## List contents of directories with the default file type.
2121 ## <param name="domain">
2123 ## Domain allowed access.
2127 interface(`files_list_default',`
2132 allow $1 default_t:dir list_dir_perms;
2135 ########################################
2137 ## Do not audit attempts to list contents of
2138 ## directories with the default file type.
2140 ## <param name="domain">
2142 ## Domain to not audit.
2146 interface(`files_dontaudit_list_default',`
2151 dontaudit $1 default_t:dir list_dir_perms;
2154 ########################################
2156 ## Create, read, write, and delete directories with
2157 ## the default file type.
2159 ## <param name="domain">
2161 ## Domain allowed access.
2165 interface(`files_manage_default_dirs',`
2170 manage_dirs_pattern($1, default_t, default_t)
2173 ########################################
2175 ## Mount a filesystem on a directory with the default file type.
2177 ## <param name="domain">
2179 ## Domain allowed access.
2183 interface(`files_mounton_default',`
2188 allow $1 default_t:dir { search_dir_perms mounton };
2191 ########################################
2193 ## Do not audit attempts to get the attributes of
2194 ## files with the default file type.
2196 ## <param name="domain">
2198 ## Domain to not audit.
2202 interface(`files_dontaudit_getattr_default_files',`
2207 dontaudit $1 default_t:file getattr;
2210 ########################################
2212 ## Read files with the default file type.
2214 ## <param name="domain">
2216 ## Domain allowed access.
2220 interface(`files_read_default_files',`
2225 allow $1 default_t:file read_file_perms;
2228 ########################################
2230 ## Do not audit attempts to read files
2231 ## with the default file type.
2233 ## <param name="domain">
2235 ## Domain to not audit.
2239 interface(`files_dontaudit_read_default_files',`
2244 dontaudit $1 default_t:file read_file_perms;
2247 ########################################
2249 ## Create, read, write, and delete files with
2250 ## the default file type.
2252 ## <param name="domain">
2254 ## Domain allowed access.
2258 interface(`files_manage_default_files',`
2263 manage_files_pattern($1, default_t, default_t)
2266 ########################################
2268 ## Read symbolic links with the default file type.
2270 ## <param name="domain">
2272 ## Domain allowed access.
2276 interface(`files_read_default_symlinks',`
2281 allow $1 default_t:lnk_file read_lnk_file_perms;
2284 ########################################
2286 ## Read sockets with the default file type.
2288 ## <param name="domain">
2290 ## Domain allowed access.
2294 interface(`files_read_default_sockets',`
2299 allow $1 default_t:sock_file read_sock_file_perms;
2302 ########################################
2304 ## Read named pipes with the default file type.
2306 ## <param name="domain">
2308 ## Domain allowed access.
2312 interface(`files_read_default_pipes',`
2317 allow $1 default_t:fifo_file read_fifo_file_perms;
2320 ########################################
2322 ## Search the contents of /etc directories.
2324 ## <param name="domain">
2326 ## Domain allowed access.
2330 interface(`files_search_etc',`
2335 allow $1 etc_t:dir search_dir_perms;
2338 ########################################
2340 ## Set the attributes of the /etc directories.
2342 ## <param name="domain">
2344 ## Domain allowed access.
2348 interface(`files_setattr_etc_dirs',`
2353 allow $1 etc_t:dir setattr;
2356 ########################################
2358 ## List the contents of /etc directories.
2360 ## <param name="domain">
2362 ## Domain allowed access.
2366 interface(`files_list_etc',`
2371 allow $1 etc_t:dir list_dir_perms;
2374 ########################################
2376 ## Do not audit attempts to write to /etc dirs.
2378 ## <param name="domain">
2380 ## Domain to not audit.
2384 interface(`files_dontaudit_write_etc_dirs',`
2389 dontaudit $1 etc_t:dir write;
2392 ########################################
2394 ## Add and remove entries from /etc directories.
2396 ## <param name="domain">
2398 ## Domain allowed access.
2402 interface(`files_rw_etc_dirs',`
2407 allow $1 etc_t:dir rw_dir_perms;
2410 ##########################################
2412 ## Manage generic directories in /etc
2414 ## <param name="domain">
2416 ## Domain allowed access.
2421 interface(`files_manage_etc_dirs',`
2426 manage_dirs_pattern($1, etc_t, etc_t)
2429 ########################################
2431 ## Read generic files in /etc.
2435 ## Allow the specified domain to read generic
2436 ## files in /etc. These files are typically
2437 ## general system configuration files that do
2438 ## not have more specific SELinux types. Some
2439 ## examples of these files are:
2442 ## <li>/etc/fstab</li>
2443 ## <li>/etc/passwd</li>
2444 ## <li>/etc/services</li>
2445 ## <li>/etc/shells</li>
2448 ## This interface does not include access to /etc/shadow.
2451 ## Generally, it is safe for many domains to have
2452 ## this access. However, since this interface provides
2453 ## access to the /etc/passwd file, caution must be
2454 ## exercised, as user account names can be leaked
2455 ## through this access.
2458 ## Related interfaces:
2461 ## <li>auth_read_shadow()</li>
2462 ## <li>files_read_etc_runtime_files()</li>
2463 ## <li>seutil_read_config()</li>
2466 ## <param name="domain">
2468 ## Domain allowed access.
2471 ## <infoflow type="read" weight="10"/>
2473 interface(`files_read_etc_files',`
2478 allow $1 etc_t:dir list_dir_perms;
2479 read_files_pattern($1, etc_t, etc_t)
2480 read_lnk_files_pattern($1, etc_t, etc_t)
2483 ########################################
2485 ## Do not audit attempts to write generic files in /etc.
2487 ## <param name="domain">
2489 ## Domain to not audit.
2493 interface(`files_dontaudit_write_etc_files',`
2498 dontaudit $1 etc_t:file write;
2501 ########################################
2503 ## Read and write generic files in /etc.
2505 ## <param name="domain">
2507 ## Domain allowed access.
2512 interface(`files_rw_etc_files',`
2517 allow $1 etc_t:dir list_dir_perms;
2518 rw_files_pattern($1, etc_t, etc_t)
2519 read_lnk_files_pattern($1, etc_t, etc_t)
2522 ########################################
2524 ## Create, read, write, and delete generic
2527 ## <param name="domain">
2529 ## Domain allowed access.
2534 interface(`files_manage_etc_files',`
2539 manage_files_pattern($1, etc_t, etc_t)
2540 read_lnk_files_pattern($1, etc_t, etc_t)
2543 ########################################
2545 ## Delete system configuration files in /etc.
2547 ## <param name="domain">
2549 ## Domain allowed access.
2553 interface(`files_delete_etc_files',`
2558 delete_files_pattern($1, etc_t, etc_t)
2561 ########################################
2563 ## Remove entries from the etc directory.
2565 ## <param name="domain">
2567 ## Domain allowed access.
2571 interface(`files_delete_etc_dir_entry',`
2576 allow $1 etc_t:dir del_entry_dir_perms;
2579 ########################################
2581 ## Execute generic files in /etc.
2583 ## <param name="domain">
2585 ## Domain allowed access.
2589 interface(`files_exec_etc_files',`
# NOTE(review): etc_t is the generic /etc type that files_manage_etc_files
# and files_rw_etc_files make writable. A domain holding one of those plus
# this interface can write and then execute the same files; check callers
# for that combination.
2594 allow $1 etc_t:dir list_dir_perms;
2595 read_lnk_files_pattern($1, etc_t, etc_t)
2596 exec_files_pattern($1, etc_t, etc_t)
2599 #######################################
2601 ## Relabel from and to generic files in /etc.
2603 ## <param name="domain">
2605 ## Domain allowed access.
2609 interface(`files_relabel_etc_files',`
2614 allow $1 etc_t:dir list_dir_perms;
2615 relabel_files_pattern($1, etc_t, etc_t)
2618 ########################################
2620 ## Read symbolic links in /etc.
2622 ## <param name="domain">
2624 ## Domain allowed access.
2628 interface(`files_read_etc_symlinks',`
2633 read_lnk_files_pattern($1, etc_t, etc_t)
2636 ########################################
2638 ## Create, read, write, and delete symbolic links in /etc.
2640 ## <param name="domain">
2642 ## Domain allowed access.
2646 interface(`files_manage_etc_symlinks',`
2651 manage_lnk_files_pattern($1, etc_t, etc_t)
2654 ########################################
2656 ## Create objects in /etc with a private
2657 ## type using a type_transition.
2659 ## <param name="domain">
2661 ## Domain allowed access.
2664 ## <param name="file_type">
2666 ## Private file type.
2669 ## <param name="class">
2671 ## Object classes to be created.
2675 interface(`files_etc_filetrans',`
2680 filetrans_pattern($1, etc_t, $2, $3)
2683 ########################################
2685 ## Create a boot flag.
2689 ## Create a boot flag, such as
2690 ## /.autorelabel and /.autofsck.
2693 ## <param name="domain">
2695 ## Domain allowed access.
2700 interface(`files_create_boot_flag',`
2702 type root_t, etc_runtime_t;
# NOTE(review): manage_file_perms is granted on every etc_runtime_t file,
# not only on flag files created in root_t directories, so this interface
# is broader than its summary suggests. Other interfaces in this file
# describe etc_runtime_t as also covering files such as mtab.
2705 allow $1 etc_runtime_t:file manage_file_perms;
# Files the caller creates in a root_t directory get the etc_runtime_t type.
2706 filetrans_pattern($1, root_t, etc_runtime_t, file)
2709 ########################################
2711 ## Delete a boot flag.
2715 ## Delete a boot flag, such as
2716 ## /.autorelabel and /.autofsck.
2719 ## <param name="domain">
2721 ## Domain allowed access.
2726 interface(`files_delete_boot_flag',`
2728 type root_t, etc_runtime_t;
2731 delete_files_pattern($1, root_t, etc_runtime_t)
2734 ########################################
2736 ## Read files in /etc that are dynamically
2737 ## created on boot, such as mtab.
2741 ## Allow the specified domain to read dynamically created
2742 ## configuration files in /etc. These files are typically
2743 ## general system configuration files that do
2744 ## not have more specific SELinux types. Some
2745 ## examples of these files are:
2748 ## <li>/etc/motd</li>
2749 ## <li>/etc/mtab</li>
2750 ## <li>/etc/nologin</li>
2753 ## This interface does not include access to /etc/shadow.
2756 ## <param name="domain">
2758 ## Domain allowed access.
2761 ## <infoflow type="read" weight="10" />
2764 interface(`files_read_etc_runtime_files',`
2766 type etc_t, etc_runtime_t;
2769 allow $1 etc_t:dir list_dir_perms;
2770 read_files_pattern($1, etc_t, etc_runtime_t)
2771 read_lnk_files_pattern($1, etc_t, etc_runtime_t)
2774 ########################################
2776 ## Do not audit attempts to set the attributes of the etc_runtime files.
2778 ## <param name="domain">
2780 ## Domain to not audit.
2784 interface(`files_dontaudit_setattr_etc_runtime_files',`
2789 dontaudit $1 etc_runtime_t:file setattr;
2792 ########################################
2794 ## Do not audit attempts to read files
2795 ## in /etc that are dynamically
2796 ## created on boot, such as mtab.
2798 ## <param name="domain">
2800 ## Domain to not audit.
2804 interface(`files_dontaudit_read_etc_runtime_files',`
2809 dontaudit $1 etc_runtime_t:file { getattr read };
2812 ########################################
2814 ## Read and write files in /etc that are dynamically
2815 ## created on boot, such as mtab.
2817 ## <param name="domain">
2819 ## Domain allowed access.
2824 interface(`files_rw_etc_runtime_files',`
2826 type etc_t, etc_runtime_t;
2829 allow $1 etc_t:dir list_dir_perms;
2830 rw_files_pattern($1, etc_t, etc_runtime_t)
2833 ########################################
2835 ## Create, read, write, and delete files in
2836 ## /etc that are dynamically created on boot,
2839 ## <param name="domain">
2841 ## Domain allowed access.
2846 interface(`files_manage_etc_runtime_files',`
2848 type etc_t, etc_runtime_t;
2851 manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
2854 ########################################
2856 ## Create etc runtime objects with an automatic
2859 ## <param name="domain">
2861 ## Domain allowed access.
2864 ## <param name="object">
2866 ## The class of the object being created.
2870 interface(`files_etc_filetrans_etc_runtime',`
2872 type etc_t, etc_runtime_t;
2875 filetrans_pattern($1, etc_t, etc_runtime_t, $2)
2878 ########################################
2880 ## Getattr of directories on new filesystems
2881 ## that have not yet been labeled.
2883 ## <param name="domain">
2885 ## Domain allowed access.
2889 interface(`files_getattr_isid_type_dirs',`
2894 allow $1 file_t:dir getattr;
2897 ########################################
2899 ## Do not audit attempts to search directories on new filesystems
2900 ## that have not yet been labeled.
2902 ## <param name="domain">
2904 ## Domain to not audit.
2908 interface(`files_dontaudit_search_isid_type_dirs',`
2913 dontaudit $1 file_t:dir search_dir_perms;
2916 ########################################
2918 ## List the contents of directories on new filesystems
2919 ## that have not yet been labeled.
2921 ## <param name="domain">
2923 ## Domain allowed access.
2927 interface(`files_list_isid_type_dirs',`
2932 allow $1 file_t:dir list_dir_perms;
2935 ########################################
2937 ## Read and write directories on new filesystems
2938 ## that have not yet been labeled.
2940 ## <param name="domain">
2942 ## Domain allowed access.
2946 interface(`files_rw_isid_type_dirs',`
2951 allow $1 file_t:dir rw_dir_perms;
2954 ########################################
2956 ## Delete directories on new filesystems
2957 ## that have not yet been labeled.
2959 ## <param name="domain">
2961 ## Domain allowed access.
2965 interface(`files_delete_isid_type_dirs',`
2970 delete_dirs_pattern($1, file_t, file_t)
2973 ########################################
2975 ## Create, read, write, and delete directories
2976 ## on new filesystems that have not yet been labeled.
2978 ## <param name="domain">
2980 ## Domain allowed access.
2984 interface(`files_manage_isid_type_dirs',`
2989 allow $1 file_t:dir manage_dir_perms;
2992 ########################################
2994 ## Mount a filesystem on a directory on new filesystems
2995 ## that has not yet been labeled.
2997 ## <param name="domain">
2999 ## Domain allowed access.
3003 interface(`files_mounton_isid_type_dirs',`
3008 allow $1 file_t:dir { search_dir_perms mounton };
3011 ########################################
3013 ## Read files on new filesystems
3014 ## that have not yet been labeled.
3016 ## <param name="domain">
3018 ## Domain allowed access.
3022 interface(`files_read_isid_type_files',`
3027 allow $1 file_t:file read_file_perms;
3030 ########################################
3032 ## Delete files on new filesystems
3033 ## that have not yet been labeled.
3035 ## <param name="domain">
3037 ## Domain allowed access.
3041 interface(`files_delete_isid_type_files',`
3046 delete_files_pattern($1, file_t, file_t)
3049 ########################################
3051 ## Delete symbolic links on new filesystems
3052 ## that have not yet been labeled.
3054 ## <param name="domain">
3056 ## Domain allowed access.
3060 interface(`files_delete_isid_type_symlinks',`
3065 delete_lnk_files_pattern($1, file_t, file_t)
3068 ########################################
3070 ## Delete named pipes on new filesystems
3071 ## that have not yet been labeled.
3073 ## <param name="domain">
3075 ## Domain allowed access.
3079 interface(`files_delete_isid_type_fifo_files',`
3084 delete_fifo_files_pattern($1, file_t, file_t)
3087 ########################################
3089 ## Delete named sockets on new filesystems
3090 ## that have not yet been labeled.
3092 ## <param name="domain">
3094 ## Domain allowed access.
3098 interface(`files_delete_isid_type_sock_files',`
3103 delete_sock_files_pattern($1, file_t, file_t)
3106 ########################################
3108 ## Delete block files on new filesystems
3109 ## that have not yet been labeled.
3111 ## <param name="domain">
3113 ## Domain allowed access.
3117 interface(`files_delete_isid_type_blk_files',`
3122 delete_blk_files_pattern($1, file_t, file_t)
3125 ########################################
3127 ## Do not audit attempts to write to character
3128 ## files that have not yet been labeled.
3130 ## <param name="domain">
3132 ## Domain to not audit.
3136 interface(`files_dontaudit_write_isid_chr_files',`
3141 dontaudit $1 file_t:chr_file write;
3144 ########################################
3146 ## Delete chr files on new filesystems
3147 ## that have not yet been labeled.
3149 ## <param name="domain">
3151 ## Domain allowed access.
3155 interface(`files_delete_isid_type_chr_files',`
3160 delete_chr_files_pattern($1, file_t, file_t)
3163 ########################################
3165 ## Create, read, write, and delete files
3166 ## on new filesystems that have not yet been labeled.
3168 ## <param name="domain">
3170 ## Domain allowed access.
3174 interface(`files_manage_isid_type_files',`
3179 allow $1 file_t:file manage_file_perms;
3182 ########################################
3184 ## Create, read, write, and delete symbolic links
3185 ## on new filesystems that have not yet been labeled.
3187 ## <param name="domain">
3189 ## Domain allowed access.
3193 interface(`files_manage_isid_type_symlinks',`
3198 allow $1 file_t:lnk_file manage_lnk_file_perms;
3201 ########################################
3203 ## Read and write block device nodes on new filesystems
3204 ## that have not yet been labeled.
3206 ## <param name="domain">
3208 ## Domain allowed access.
3212 interface(`files_rw_isid_type_blk_files',`
# NOTE(review): file_t is described in this file as the type of objects
# that have not yet been labeled. Read/write on a block device node reaches
# the device contents directly, so this should stay limited to domains that
# label or repair filesystems - confirm each caller.
3217 allow $1 file_t:blk_file rw_blk_file_perms;
3220 ########################################
3222 ## Create, read, write, and delete block device nodes
3223 ## on new filesystems that have not yet been labeled.
3225 ## <param name="domain">
3227 ## Domain allowed access.
3231 interface(`files_manage_isid_type_blk_files',`
3236 allow $1 file_t:blk_file manage_blk_file_perms;
3239 ########################################
3241 ## Create, read, write, and delete character device nodes
3242 ## on new filesystems that have not yet been labeled.
3244 ## <param name="domain">
3246 ## Domain allowed access.
3250 interface(`files_manage_isid_type_chr_files',`
# NOTE(review): this grants full management of character device nodes that
# carry the unlabeled type file_t, including creating new nodes. Device
# nodes give direct access to the device behind them, so keep the set of
# callers small and confirm each one needs more than delete access.
3255 allow $1 file_t:chr_file manage_chr_file_perms;
3258 ########################################
3260 ## Get the attributes of the home directories root
3263 ## <param name="domain">
3265 ## Domain allowed access.
3269 interface(`files_getattr_home_dir',`
3274 allow $1 home_root_t:dir getattr;
3275 allow $1 home_root_t:lnk_file getattr;
3278 ########################################
3280 ## Do not audit attempts to get the
3281 ## attributes of the home directories root
3284 ## <param name="domain">
3286 ## Domain to not audit.
3290 interface(`files_dontaudit_getattr_home_dir',`
3295 dontaudit $1 home_root_t:dir getattr;
3296 dontaudit $1 home_root_t:lnk_file getattr;
3299 ########################################
3301 ## Search home directories root (/home).
3303 ## <param name="domain">
3305 ## Domain allowed access.
3309 interface(`files_search_home',`
3314 allow $1 home_root_t:dir search_dir_perms;
3315 allow $1 home_root_t:lnk_file read_lnk_file_perms;
3318 ########################################
3320 ## Do not audit attempts to search
3321 ## home directories root (/home).
3323 ## <param name="domain">
3325 ## Domain to not audit.
3329 interface(`files_dontaudit_search_home',`
3334 dontaudit $1 home_root_t:dir search_dir_perms;
3335 dontaudit $1 home_root_t:lnk_file read_lnk_file_perms;
3338 ########################################
3340 ## Do not audit attempts to list
3341 ## home directories root (/home).
3343 ## <param name="domain">
3345 ## Domain to not audit.
3349 interface(`files_dontaudit_list_home',`
3354 dontaudit $1 home_root_t:dir list_dir_perms;
3355 dontaudit $1 home_root_t:lnk_file read_lnk_file_perms;
3358 ########################################
3360 ## Get listing of home directories.
3362 ## <param name="domain">
3364 ## Domain allowed access.
3368 interface(`files_list_home',`
3373 allow $1 home_root_t:dir list_dir_perms;
3374 allow $1 home_root_t:lnk_file read_lnk_file_perms;
3377 ########################################
3379 ## Relabel to user home root (/home).
3381 ## <param name="domain">
3383 ## Domain allowed access.
3387 interface(`files_relabelto_home',`
3392 allow $1 home_root_t:dir relabelto;
3395 ########################################
3397 ## Create objects in /home.
3399 ## <param name="domain">
3401 ## Domain allowed access.
3404 ## <param name="home_type">
3406 ## The private type.
3409 ## <param name="object">
3411 ## The class of the object being created.
3415 interface(`files_home_filetrans',`
3420 filetrans_pattern($1, home_root_t, $2, $3)
3423 ########################################
3425 ## Get the attributes of lost+found directories.
3427 ## <param name="domain">
3429 ## Domain allowed access.
3433 interface(`files_getattr_lost_found_dirs',`
3438 allow $1 lost_found_t:dir getattr;
3441 ########################################
3443 ## Do not audit attempts to get the attributes of
3444 ## lost+found directories.
3446 ## <param name="domain">
3448 ## Domain to not audit.
3452 interface(`files_dontaudit_getattr_lost_found_dirs',`
3457 dontaudit $1 lost_found_t:dir getattr;
3460 #######################################
3462 ## List the contents of lost+found directories.
3464 ## <param name="domain">
3466 ## Domain allowed access.
3470 interface(`files_list_lost_found_dirs',`
3475 allow $1 lost_found_t:dir list_dir_perms;
3478 ########################################
3480 ## Create, read, write, and delete objects in
3481 ## lost+found directories.
3483 ## <param name="domain">
3485 ## Domain allowed access.
3490 interface(`files_manage_lost_found',`
3495 manage_dirs_pattern($1, lost_found_t, lost_found_t)
3496 manage_files_pattern($1, lost_found_t, lost_found_t)
3497 manage_lnk_files_pattern($1, lost_found_t, lost_found_t)
3498 manage_fifo_files_pattern($1, lost_found_t, lost_found_t)
3499 manage_sock_files_pattern($1, lost_found_t, lost_found_t)
3502 ########################################
3504 ## Search the contents of /mnt.
3506 ## <param name="domain">
3508 ## Domain allowed access.
3512 interface(`files_search_mnt',`
3517 allow $1 mnt_t:dir search_dir_perms;
3520 ########################################
3522 ## Do not audit attempts to search /mnt.
3524 ## <param name="domain">
3526 ## Domain to not audit.
3530 interface(`files_dontaudit_search_mnt',`
3535 dontaudit $1 mnt_t:dir search_dir_perms;
3538 ########################################
3540 ## List the contents of /mnt.
3542 ## <param name="domain">
3544 ## Domain allowed access.
3548 interface(`files_list_mnt',`
3553 allow $1 mnt_t:dir list_dir_perms;
3556 ######################################
3558 ## Do not audit attempts to list the contents of /mnt.
3560 ## <param name="domain">
3562 ## Domain to not audit.
3566 interface(`files_dontaudit_list_mnt',`
3571 dontaudit $1 mnt_t:dir list_dir_perms;
3574 ########################################
3576 ## Do not audit attempts to check the
3577 ## write access on mnt files
3579 ## <param name="domain">
3581 ## Domain to not audit.
3585 interface(`files_dontaudit_access_check_mnt',`
3590 dontaudit $1 mnt_t:file_class_set audit_access;
3593 ########################################
3595 ## Mount a filesystem on /mnt.
3597 ## <param name="domain">
3599 ## Domain allowed access.
3603 interface(`files_mounton_mnt',`
3608 allow $1 mnt_t:dir { search_dir_perms mounton };
3611 ########################################
3613 ## Create, read, write, and delete directories in /mnt.
3615 ## <param name="domain">
3617 ## Domain allowed access.
3622 interface(`files_manage_mnt_dirs',`
3627 allow $1 mnt_t:dir manage_dir_perms;
3630 ########################################
3632 ## Create, read, write, and delete files in /mnt.
3634 ## <param name="domain">
3636 ## Domain allowed access.
3640 interface(`files_manage_mnt_files',`
3645 manage_files_pattern($1, mnt_t, mnt_t)
3648 ########################################
3650 ## Read files in /mnt.
3652 ## <param name="domain">
3654 ## Domain allowed access.
3658 interface(`files_read_mnt_files',`
3663 read_files_pattern($1, mnt_t, mnt_t)
3666 ######################################
3668 ## Read symbolic links in /mnt.
3670 ## <param name="domain">
3672 ## Domain allowed access.
3676 interface(`files_read_mnt_symlinks',`
3681 read_lnk_files_pattern($1, mnt_t, mnt_t)
3684 ########################################
3686 ## Create, read, write, and delete symbolic links in /mnt.
3688 ## <param name="domain">
3690 ## Domain allowed access.
3694 interface(`files_manage_mnt_symlinks',`
3699 manage_lnk_files_pattern($1, mnt_t, mnt_t)
3702 ########################################
3704 ## Search the contents of the kernel module directories.
3706 ## <param name="domain">
3708 ## Domain allowed access.
3712 interface(`files_search_kernel_modules',`
3714 type modules_object_t;
3717 allow $1 modules_object_t:dir search_dir_perms;
3718 read_lnk_files_pattern($1, modules_object_t, modules_object_t)
3721 ########################################
3723 ## List the contents of the kernel module directories.
3725 ## <param name="domain">
3727 ## Domain allowed access.
3731 interface(`files_list_kernel_modules',`
3733 type modules_object_t;
3736 allow $1 modules_object_t:dir list_dir_perms;
3739 ########################################
3741 ## Get the attributes of kernel module files.
3743 ## <param name="domain">
3745 ## Domain allowed access.
3749 interface(`files_getattr_kernel_modules',`
3751 type modules_object_t;
3754 getattr_files_pattern($1, modules_object_t, modules_object_t)
3757 ########################################
3759 ## Read kernel module files.
3761 ## <param name="domain">
3763 ## Domain allowed access.
3767 interface(`files_read_kernel_modules',`
3769 type modules_object_t;
3772 allow $1 modules_object_t:dir list_dir_perms;
3773 read_files_pattern($1, modules_object_t, modules_object_t)
3774 read_lnk_files_pattern($1, modules_object_t, modules_object_t)
3777 ########################################
3779 ## Write kernel module files.
3781 ## <param name="domain">
3783 ## Domain allowed access.
3787 interface(`files_write_kernel_modules',`
3789 type modules_object_t;
# NOTE(review): write access to modules_object_t files lets the caller
# alter code that may later be loaded into the kernel. Grant it only to
# domains that install or rebuild modules, and review every caller.
3792 allow $1 modules_object_t:dir list_dir_perms;
3793 write_files_pattern($1, modules_object_t, modules_object_t)
3796 ########################################
3798 ## Delete kernel module files.
3800 ## <param name="domain">
3802 ## Domain allowed access.
3806 interface(`files_delete_kernel_modules',`
3808 type modules_object_t;
3811 delete_files_pattern($1, modules_object_t, modules_object_t)
3814 ########################################
3816 ## Create, read, write, and delete
3817 ## kernel module files.
3819 ## <param name="domain">
3821 ## Domain allowed access.
3826 interface(`files_manage_kernel_modules',`
3828 type modules_object_t;
# NOTE(review): create, write and delete on modules_object_t files means
# the caller can replace kernel module files outright. Treat callers of
# this interface as trusted for kernel integrity and keep the list short.
3831 manage_files_pattern($1, modules_object_t, modules_object_t)
3834 ########################################
3836 ## Relabel from and to kernel module files.
3838 ## <param name="domain">
3840 ## Domain allowed access.
3844 interface(`files_relabel_kernel_modules',`
3846 type modules_object_t;
3849 relabel_files_pattern($1, modules_object_t, modules_object_t)
3850 allow $1 modules_object_t:dir list_dir_perms;
3853 ########################################
3855 ## Create objects in the kernel module directories
3856 ## with a private type via an automatic type transition.
3858 ## <param name="domain">
3860 ## Domain allowed access.
3863 ## <param name="private_type">
3865 ## The type of the object to be created.
3868 ## <param name="object_class">
3870 ## The object class of the object being created.
3874 interface(`files_kernel_modules_filetrans',`
3876 type modules_object_t;
3879 filetrans_pattern($1, modules_object_t, $2, $3)
3882 ########################################
3884 ## List world-readable directories.
3886 ## <param name="domain">
3888 ## Domain allowed access.
3893 interface(`files_list_world_readable',`
3898 allow $1 readable_t:dir list_dir_perms;
3901 ########################################
3903 ## Read world-readable files.
3905 ## <param name="domain">
3907 ## Domain allowed access.
3912 interface(`files_read_world_readable_files',`
3917 allow $1 readable_t:file read_file_perms;
3920 ########################################
3922 ## Read world-readable symbolic links.
3924 ## <param name="domain">
3926 ## Domain allowed access.
3931 interface(`files_read_world_readable_symlinks',`
3936 allow $1 readable_t:lnk_file read_lnk_file_perms;
3939 ########################################
3941 ## Read world-readable named pipes.
3943 ## <param name="domain">
3945 ## Domain allowed access.
3949 interface(`files_read_world_readable_pipes',`
3954 allow $1 readable_t:fifo_file read_fifo_file_perms;
3957 ########################################
3959 ## Read world-readable sockets.
3961 ## <param name="domain">
3963 ## Domain allowed access.
3967 interface(`files_read_world_readable_sockets',`
3972 allow $1 readable_t:sock_file read_sock_file_perms;
3975 #######################################
3977 ## Read manageable system configuration files in /etc
3979 ## <param name="domain">
3981 ## Domain allowed access.
3985 interface(`files_read_system_conf_files',`
3987 type etc_t, system_conf_t;
3990 allow $1 etc_t:dir list_dir_perms;
3991 read_files_pattern($1, etc_t, system_conf_t)
3992 read_lnk_files_pattern($1, etc_t, system_conf_t)
3995 ######################################
3997 ## Manage manageable system configuration files in /etc.
3999 ## <param name="domain">
4001 ## Domain allowed access.
4005 interface(`files_manage_system_conf_files',`
4007 type etc_t, system_conf_t;
4010 manage_files_pattern($1, { etc_t system_conf_t }, system_conf_t)
4013 ######################################
4015 ## Relabel to manageable system configuration files in /etc.
4017 ## <param name="domain">
4019 ## Domain allowed access.
4023 interface(`files_relabelto_system_conf_files',`
4028 relabelto_files_pattern($1, system_conf_t, system_conf_t)
4031 ######################################
4033 ## Relabel files from the manageable system configuration type in /etc.
4035 ## <param name="domain">
4037 ## Domain allowed access.
4041 interface(`files_relabelfrom_system_conf_files',`
4046 relabelfrom_files_pattern($1, system_conf_t, system_conf_t)
4049 ###################################
4051 ## Create files in /etc with the type used for
4052 ## the manageable system config files.
4054 ## <param name="domain">
4056 ## The type of the process performing this action.
4060 interface(`files_etc_filetrans_system_conf',`
4062 type etc_t, system_conf_t;
# Type transition: objects of class file that the caller creates in an etc_t
# directory are labeled system_conf_t instead of inheriting etc_t.
# NOTE(review): the transition is not restricted by file name here, so it
# applies to every file the caller creates directly under etc_t - confirm
# that each caller is meant to produce only system_conf_t files there.
4065 filetrans_pattern($1, etc_t, system_conf_t, file)
4068 ########################################
4070 ## Allow the specified type to associate
4071 ## to a filesystem with the type of the
4072 ## temporary directory (/tmp).
4074 ## <param name="file_type">
4076 ## Type of the file to associate.
4080 interface(`files_associate_tmp',`
4085 allow $1 tmp_t:filesystem associate;
4088 ########################################
4090 ## Get the attributes of the tmp directory (/tmp).
4092 ## <param name="domain">
4094 ## Domain allowed access.
4098 interface(`files_getattr_tmp_dirs',`
4103 allow $1 tmp_t:dir getattr;
4106 ########################################
4108 ## Do not audit attempts to get the
4109 ## attributes of the tmp directory (/tmp).
4111 ## <param name="domain">
4113 ## Domain to not audit.
4117 interface(`files_dontaudit_getattr_tmp_dirs',`
4122 dontaudit $1 tmp_t:dir getattr;
4125 ########################################
4127 ## Search the tmp directory (/tmp).
4129 ## <param name="domain">
4131 ## Domain allowed access.
4135 interface(`files_search_tmp',`
4140 allow $1 tmp_t:dir search_dir_perms;
4143 ########################################
4145 ## Do not audit attempts to search the tmp directory (/tmp).
4147 ## <param name="domain">
4149 ## Domain to not audit.
4153 interface(`files_dontaudit_search_tmp',`
4158 dontaudit $1 tmp_t:dir search_dir_perms;
4161 ########################################
4163 ## Read the tmp directory (/tmp).
4165 ## <param name="domain">
4167 ## Domain allowed access.
4171 interface(`files_list_tmp',`
4176 allow $1 tmp_t:dir list_dir_perms;
4179 ########################################
4181 ## Do not audit listing of the tmp directory (/tmp).
4183 ## <param name="domain">
4185 ## Domain not to audit.
4189 interface(`files_dontaudit_list_tmp',`
4194 dontaudit $1 tmp_t:dir list_dir_perms;
4197 ########################################
4199 ## Remove entries from the tmp directory.
4201 ## <param name="domain">
4203 ## Domain allowed access.
4207 interface(`files_delete_tmp_dir_entry',`
4212 allow $1 tmp_t:dir del_entry_dir_perms;
4215 ########################################
4217 ## Read files in the tmp directory (/tmp).
4219 ## <param name="domain">
4221 ## Domain allowed access.
4225 interface(`files_read_generic_tmp_files',`
4230 read_files_pattern($1, tmp_t, tmp_t)
4233 ########################################
4235 ## Manage temporary directories in /tmp.
4237 ## <param name="domain">
4239 ## Domain allowed access.
4243 interface(`files_manage_generic_tmp_dirs',`
4248 manage_dirs_pattern($1, tmp_t, tmp_t)
4251 ########################################
4253 ## Allow shared library text relocations in tmp files.
4257 ## Allow shared library text relocations in tmp files.
4260 ## This is added to support java policy.
4263 ## <param name="domain">
4265 ## Domain allowed access.
4269 interface(`files_execmod_tmp',`
# NOTE(review): the target is the tmpfile attribute, so execmod is granted on
# files of every type that carries that attribute, not on one private tmp
# type. execmod lets a file mapping that was modified in memory be made
# executable, which weakens the write-xor-execute separation for temporary
# files. Audit which domains call this interface and prefer a rule scoped to
# a single private type where the policy allows it.
4274 allow $1 tmpfile:file execmod;
4277 ########################################
4279 ## Manage temporary files and directories in /tmp.
4281 ## <param name="domain">
4283 ## Domain allowed access.
4287 interface(`files_manage_generic_tmp_files',`
4292 manage_files_pattern($1, tmp_t, tmp_t)
4295 ########################################
4297 ## Read symbolic links in the tmp directory (/tmp).
4299 ## <param name="domain">
4301 ## Domain allowed access.
4305 interface(`files_read_generic_tmp_symlinks',`
4310 read_lnk_files_pattern($1, tmp_t, tmp_t)
4313 ########################################
4315 ## Read and write generic named sockets in the tmp directory (/tmp).
4317 ## <param name="domain">
4319 ## Domain allowed access.
4323 interface(`files_rw_generic_tmp_sockets',`
4328 rw_sock_files_pattern($1, tmp_t, tmp_t)
4331 ########################################
4333 ## Relabel a dir from the type used in /tmp.
4335 ## <param name="domain">
4337 ## Domain allowed access.
4341 interface(`files_relabelfrom_tmp_dirs',`
4346 relabelfrom_dirs_pattern($1, tmp_t, tmp_t)
4349 ########################################
4351 ## Relabel a file from the type used in /tmp.
4353 ## <param name="domain">
4355 ## Domain allowed access.
4359 interface(`files_relabelfrom_tmp_files',`
4364 relabelfrom_files_pattern($1, tmp_t, tmp_t)
4367 ########################################
4369 ## Relabel all tmp dirs.
4371 ## <param name="domain">
4373 ## Domain allowed access.
4378 interface(`files_relabel_all_tmp_dirs',`
4384 allow $1 var_t:dir search_dir_perms;
4385 relabel_dirs_pattern($1, tmpfile, tmpfile)
4388 ########################################
4390 ## Relabel all tmp files.
4392 ## <param name="domain">
4394 ## Domain allowed access.
4399 interface(`files_relabel_all_tmp_files',`
# The search permission is granted on var_t, not tmp_t.
# NOTE(review): presumably this is for temporary directories reached through
# /var - confirm.
4405 allow $1 var_t:dir search_dir_perms;
# NOTE(review): tmpfile is used as both the directory and the file target, so
# the caller may change labels on files of any type carrying the tmpfile
# attribute. Relabeling changes which domains can later reach a file, so this
# interface should stay limited to labeling and restore tooling.
4406 relabel_files_pattern($1, tmpfile, tmpfile)
4409 ########################################
4411 ## Set the attributes of all tmp directories.
4413 ## <param name="domain">
4415 ## Domain allowed access.
4419 interface(`files_setattr_all_tmp_dirs',`
4424 allow $1 tmpfile:dir { search_dir_perms setattr };
4427 ########################################
4429 ## List all tmp directories.
4431 ## <param name="domain">
4433 ## Domain allowed access.
4437 interface(`files_list_all_tmp',`
4442 allow $1 tmpfile:dir list_dir_perms;
4445 ########################################
4447 ## Do not audit attempts to get the attributes
4448 ## of all tmp files.
4450 ## <param name="domain">
4452 ## Domain not to audit.
4456 interface(`files_dontaudit_getattr_all_tmp_files',`
4461 dontaudit $1 tmpfile:file getattr;
4464 ########################################
4466 ## Allow attempts to get the attributes
4467 ## of all tmp files.
4469 ## <param name="domain">
4471 ## Domain allowed access.
4475 interface(`files_getattr_all_tmp_files',`
4480 allow $1 tmpfile:file getattr;
4483 ########################################
4485 ## Do not audit attempts to get the attributes
4486 ## of all tmp sock_file.
4488 ## <param name="domain">
4490 ## Domain not to audit.
4494 interface(`files_dontaudit_getattr_all_tmp_sockets',`
4499 dontaudit $1 tmpfile:sock_file getattr;
4502 ########################################
4504 ## Read all tmp files.
4506 ## <param name="domain">
4508 ## Domain allowed access.
4512 interface(`files_read_all_tmp_files',`
4517 read_files_pattern($1, tmpfile, tmpfile)
4520 ########################################
4522 ## Create an object in the tmp directories, with a private
4523 ## type using a type transition.
4525 ## <param name="domain">
4527 ## Domain allowed access.
4530 ## <param name="private type">
4532 ## The type of the object to be created.
4535 ## <param name="object">
4537 ## The object class of the object being created.
4541 interface(`files_tmp_filetrans',`
# Arguments: first = domain, second = type given to the new object,
# third = object class of the new object. The parent directory type is fixed
# to tmp_t.
# NOTE(review): the second argument is passed through unchecked; callers are
# expected to pass a private type declared with files_tmp_file() so that the
# new object does not keep the shared tmp_t label - verify at each call site.
4546 filetrans_pattern($1, tmp_t, $2, $3)
4549 ########################################
4551 ## Delete the contents of /tmp.
4553 ## <param name="domain">
4555 ## Domain allowed access.
4559 interface(`files_purge_tmp',`
# Scope is wider than the generic tmp_t type: every rule below targets the
# tmpfile attribute, so the caller may list and delete objects of every type
# that carries it.
4564 allow $1 tmpfile:dir list_dir_perms;
# One delete rule per object class: directories, regular files, symlinks,
# named pipes, sockets, and character and block device nodes.
4565 delete_dirs_pattern($1, tmpfile, tmpfile)
4566 delete_files_pattern($1, tmpfile, tmpfile)
4567 delete_lnk_files_pattern($1, tmpfile, tmpfile)
4568 delete_fifo_files_pattern($1, tmpfile, tmpfile)
4569 delete_sock_files_pattern($1, tmpfile, tmpfile)
4570 delete_chr_files_pattern($1, tmpfile, tmpfile)
4571 delete_blk_files_pattern($1, tmpfile, tmpfile)
# The calls below additionally cover objects labeled with the initial SID
# file type, again one call per object class.
# NOTE(review): those interfaces are not scoped to a tmp directory in this
# file view; confirm the extra reach is intended for each caller.
4572 files_delete_isid_type_dirs($1)
4573 files_delete_isid_type_files($1)
4574 files_delete_isid_type_symlinks($1)
4575 files_delete_isid_type_fifo_files($1)
4576 files_delete_isid_type_sock_files($1)
4577 files_delete_isid_type_blk_files($1)
4578 files_delete_isid_type_chr_files($1)
4581 ########################################
4583 ## Set the attributes of the /usr directory.
4585 ## <param name="domain">
4587 ## Domain allowed access.
4591 interface(`files_setattr_usr_dirs',`
4596 allow $1 usr_t:dir setattr;
4599 ########################################
4601 ## Search the content of /usr.
4603 ## <param name="domain">
4605 ## Domain allowed access.
4609 interface(`files_search_usr',`
4614 allow $1 usr_t:dir search_dir_perms;
4617 ########################################
4619 ## List the contents of generic
4620 ## directories in /usr.
4622 ## <param name="domain">
4624 ## Domain allowed access.
4628 interface(`files_list_usr',`
4633 allow $1 usr_t:dir list_dir_perms;
4636 ########################################
4638 ## Do not audit write of /usr dirs
4640 ## <param name="domain">
4642 ## Domain to not audit.
4646 interface(`files_dontaudit_write_usr_dirs',`
4651 dontaudit $1 usr_t:dir write;
4654 ########################################
4656 ## Add and remove entries from /usr directories.
4658 ## <param name="domain">
4660 ## Domain allowed access.
4664 interface(`files_rw_usr_dirs',`
4669 allow $1 usr_t:dir rw_dir_perms;
4672 ########################################
4674 ## Do not audit attempts to add and remove
4675 ## entries from /usr directories.
4677 ## <param name="domain">
4679 ## Domain to not audit.
4683 interface(`files_dontaudit_rw_usr_dirs',`
4688 dontaudit $1 usr_t:dir rw_dir_perms;
4691 ########################################
4693 ## Delete generic directories in /usr in the caller domain.
4695 ## <param name="domain">
4697 ## Domain allowed access.
4701 interface(`files_delete_usr_dirs',`
4706 delete_dirs_pattern($1, usr_t, usr_t)
4709 ########################################
4711 ## Delete generic files in /usr in the caller domain.
4713 ## <param name="domain">
4715 ## Domain allowed access.
4719 interface(`files_delete_usr_files',`
4724 delete_files_pattern($1, usr_t, usr_t)
4727 ########################################
4729 ## Get the attributes of files in /usr.
4731 ## <param name="domain">
4733 ## Domain allowed access.
4737 interface(`files_getattr_usr_files',`
4742 getattr_files_pattern($1, usr_t, usr_t)
4745 ########################################
4747 ## Read generic files in /usr.
4751 ## Allow the specified domain to read generic
4752 ## files in /usr. These files are various program
4753 ## files that do not have more specific SELinux types.
4754 ## Some examples of these files are:
4757 ## <li>/usr/include/*</li>
4758 ## <li>/usr/share/doc/*</li>
4759 ## <li>/usr/share/info/*</li>
4762 ## Generally, it is safe for many domains to have
4766 ## <param name="domain">
4768 ## Domain allowed access.
4771 ## <infoflow type="read" weight="10"/>
4773 interface(`files_read_usr_files',`
4778 allow $1 usr_t:dir list_dir_perms;
4779 read_files_pattern($1, usr_t, usr_t)
4780 read_lnk_files_pattern($1, usr_t, usr_t)
4783 ########################################
4785 ## Execute generic programs in /usr in the caller domain.
4787 ## <param name="domain">
4789 ## Domain allowed access.
4793 interface(`files_exec_usr_files',`
4798 allow $1 usr_t:dir list_dir_perms;
4799 exec_files_pattern($1, usr_t, usr_t)
4800 read_lnk_files_pattern($1, usr_t, usr_t)
4803 ########################################
4805 ## Do not audit attempts to write to /usr files.
4807 ## <param name="domain">
4809 ## Domain to not audit.
4813 interface(`files_dontaudit_write_usr_files',`
4818 dontaudit $1 usr_t:file write;
4821 ########################################
4823 ## Create, read, write, and delete files in the /usr directory.
4825 ## <param name="domain">
4827 ## Domain allowed access.
4831 interface(`files_manage_usr_files',`
# NOTE(review): usr_t is the generic label for /usr content that has no more
# specific type, so this grants create, write and delete on all such files.
# Reserve it for package management or installer domains and check that
# confined daemons do not pick it up through a broader macro.
4836 manage_files_pattern($1, usr_t, usr_t)
4839 ########################################
4841 ## Relabel a file to the type used in /usr.
4843 ## <param name="domain">
4845 ## Domain allowed access.
4849 interface(`files_relabelto_usr_files',`
4854 relabelto_files_pattern($1, usr_t, usr_t)
4857 ########################################
4859 ## Relabel a file from the type used in /usr.
4861 ## <param name="domain">
4863 ## Domain allowed access.
4867 interface(`files_relabelfrom_usr_files',`
4872 relabelfrom_files_pattern($1, usr_t, usr_t)
4875 ########################################
4877 ## Read symbolic links in /usr.
4879 ## <param name="domain">
4881 ## Domain allowed access.
4885 interface(`files_read_usr_symlinks',`
4890 read_lnk_files_pattern($1, usr_t, usr_t)
4893 ########################################
4895 ## Create objects in the /usr directory
4897 ## <param name="domain">
4899 ## Domain allowed access.
4902 ## <param name="file_type">
4904 ## The type of the object to be created
4907 ## <param name="object_class">
4909 ## The object class.
4913 interface(`files_usr_filetrans',`
4918 filetrans_pattern($1, usr_t, $2, $3)
4921 ########################################
4923 ## Do not audit attempts to search /usr/src.
4925 ## <param name="domain">
4927 ## Domain to not audit.
4931 interface(`files_dontaudit_search_src',`
4936 dontaudit $1 src_t:dir search_dir_perms;
4939 ########################################
4941 ## Get the attributes of files in /usr/src.
4943 ## <param name="domain">
4945 ## Domain allowed access.
4949 interface(`files_getattr_usr_src_files',`
4954 getattr_files_pattern($1, src_t, src_t)
4956 # /usr/src/linux symlink:
4957 read_lnk_files_pattern($1, usr_t, src_t)
4960 ########################################
4962 ## Read files in /usr/src.
4964 ## <param name="domain">
4966 ## Domain allowed access.
4970 interface(`files_read_usr_src_files',`
4975 allow $1 usr_t:dir search_dir_perms;
4976 read_files_pattern($1, { usr_t src_t }, src_t)
4977 read_lnk_files_pattern($1, { usr_t src_t }, src_t)
4978 allow $1 src_t:dir list_dir_perms;
4981 ########################################
4983 ## Execute programs in /usr/src in the caller domain.
4985 ## <param name="domain">
4987 ## Domain allowed access.
4991 interface(`files_exec_usr_src_files',`
4996 list_dirs_pattern($1, usr_t, src_t)
4997 exec_files_pattern($1, src_t, src_t)
4998 read_lnk_files_pattern($1, src_t, src_t)
5001 ########################################
5003 ## Install a system.map into the /boot directory.
5005 ## <param name="domain">
5007 ## Domain allowed access.
5011 interface(`files_create_kernel_symbol_table',`
5013 type boot_t, system_map_t;
# Lets the caller list boot_t directories and add entries to them.
5016 allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms };
# Lets the caller create and read or write files labeled system_map_t.
# NOTE(review): no type transition is declared in the visible rules, so a
# file created in a boot_t directory gets system_map_t only if a transition
# is defined elsewhere or the creating program sets the context itself -
# verify against callers.
5017 allow $1 system_map_t:file { create_file_perms rw_file_perms };
5020 ########################################
5022 ## Read system.map in the /boot directory.
5024 ## <param name="domain">
5026 ## Domain allowed access.
5030 interface(`files_read_kernel_symbol_table',`
5032 type boot_t, system_map_t;
5035 allow $1 boot_t:dir list_dir_perms;
5036 read_files_pattern($1, boot_t, system_map_t)
5039 ########################################
5041 ## Delete a system.map in the /boot directory.
5043 ## <param name="domain">
5045 ## Domain allowed access.
5049 interface(`files_delete_kernel_symbol_table',`
5051 type boot_t, system_map_t;
5054 allow $1 boot_t:dir list_dir_perms;
5055 delete_files_pattern($1, boot_t, system_map_t)
5058 ########################################
5060 ## Search the contents of /var.
5062 ## <param name="domain">
5064 ## Domain allowed access.
5068 interface(`files_search_var',`
5073 allow $1 var_t:dir search_dir_perms;
5076 ########################################
5078 ## Do not audit attempts to write to /var.
5080 ## <param name="domain">
5082 ## Domain to not audit.
5086 interface(`files_dontaudit_write_var_dirs',`
5091 dontaudit $1 var_t:dir write;
5094 ########################################
5096 ## Allow attempts to write to /var directories.
5098 ## <param name="domain">
5100 ## Domain allowed access.
5104 interface(`files_write_var_dirs',`
5109 allow $1 var_t:dir write;
5112 ########################################
5114 ## Do not audit attempts to search
5115 ## the contents of /var.
5117 ## <param name="domain">
5119 ## Domain to not audit.
5123 interface(`files_dontaudit_search_var',`
5128 dontaudit $1 var_t:dir search_dir_perms;
5131 ########################################
5133 ## List the contents of /var.
5135 ## <param name="domain">
5137 ## Domain allowed access.
5141 interface(`files_list_var',`
5146 allow $1 var_t:dir list_dir_perms;
5149 ########################################
5151 ## Create, read, write, and delete directories
5152 ## in the /var directory.
5154 ## <param name="domain">
5156 ## Domain allowed access.
5160 interface(`files_manage_var_dirs',`
5165 allow $1 var_t:dir manage_dir_perms;
5168 ########################################
5170 ## Read files in the /var directory.
5172 ## <param name="domain">
5174 ## Domain allowed access.
5178 interface(`files_read_var_files',`
5183 read_files_pattern($1, var_t, var_t)
5186 ########################################
5188 ## Append files in the /var directory.
5190 ## <param name="domain">
5192 ## Domain allowed access.
5196 interface(`files_append_var_files',`
5201 append_files_pattern($1, var_t, var_t)
5204 ########################################
5206 ## Read and write files in the /var directory.
5208 ## <param name="domain">
5210 ## Domain allowed access.
5214 interface(`files_rw_var_files',`
5219 rw_files_pattern($1, var_t, var_t)
5222 ########################################
5224 ## Do not audit attempts to read and write
5225 ## files in the /var directory.
5227 ## <param name="domain">
5229 ## Domain to not audit.
5233 interface(`files_dontaudit_rw_var_files',`
5238 dontaudit $1 var_t:file rw_file_perms;
5241 ########################################
5243 ## Create, read, write, and delete files in the /var directory.
5245 ## <param name="domain">
5247 ## Domain allowed access.
5251 interface(`files_manage_var_files',`
5256 manage_files_pattern($1, var_t, var_t)
5259 ########################################
5261 ## Read symbolic links in the /var directory.
5263 ## <param name="domain">
5265 ## Domain allowed access.
5269 interface(`files_read_var_symlinks',`
5274 read_lnk_files_pattern($1, var_t, var_t)
5277 ########################################
5279 ## Create, read, write, and delete symbolic
5280 ## links in the /var directory.
5282 ## <param name="domain">
5284 ## Domain allowed access.
5288 interface(`files_manage_var_symlinks',`
5293 manage_lnk_files_pattern($1, var_t, var_t)
5296 ########################################
5298 ## Create objects in the /var directory
5300 ## <param name="domain">
5302 ## Domain allowed access.
5305 ## <param name="file_type">
5307 ## The type of the object to be created
5310 ## <param name="object_class">
5312 ## The object class.
5316 interface(`files_var_filetrans',`
5321 filetrans_pattern($1, var_t, $2, $3)
5324 ########################################
5326 ## Get the attributes of the /var/lib directory.
5328 ## <param name="domain">
5330 ## Domain allowed access.
5334 interface(`files_getattr_var_lib_dirs',`
5336 type var_t, var_lib_t;
5339 getattr_dirs_pattern($1, var_t, var_lib_t)
5342 ########################################
5344 ## Search the /var/lib directory.
5348 ## Search the /var/lib directory. This is
5349 ## necessary to access files or directories under
5350 ## /var/lib that have a private type. For example, a
5351 ## domain accessing a private library file in the
5352 ## /var/lib directory:
5355 ## allow mydomain_t mylibfile_t:file read_file_perms;
5356 ## files_search_var_lib(mydomain_t)
5359 ## <param name="domain">
5361 ## Domain allowed access.
5364 ## <infoflow type="read" weight="5"/>
5366 interface(`files_search_var_lib',`
5368 type var_t, var_lib_t;
5371 search_dirs_pattern($1, var_t, var_lib_t)
5374 ########################################
5376 ## Do not audit attempts to search the
5377 ## contents of /var/lib.
5379 ## <param name="domain">
5381 ## Domain to not audit.
5384 ## <infoflow type="read" weight="5"/>
5386 interface(`files_dontaudit_search_var_lib',`
5391 dontaudit $1 var_lib_t:dir search_dir_perms;
5394 ########################################
5396 ## List the contents of the /var/lib directory.
5398 ## <param name="domain">
5400 ## Domain allowed access.
5404 interface(`files_list_var_lib',`
5406 type var_t, var_lib_t;
5409 list_dirs_pattern($1, var_t, var_lib_t)
5412 ###########################################
5414 ## Read-write /var/lib directories
5416 ## <param name="domain">
5418 ## Domain allowed access.
5422 interface(`files_rw_var_lib_dirs',`
5427 rw_dirs_pattern($1, var_lib_t, var_lib_t)
5430 ########################################
5432 ## Create objects in the /var/lib directory
5434 ## <param name="domain">
5436 ## Domain allowed access.
5439 ## <param name="file_type">
5441 ## The type of the object to be created
5444 ## <param name="object_class">
5446 ## The object class.
5450 interface(`files_var_lib_filetrans',`
5452 type var_t, var_lib_t;
5455 allow $1 var_t:dir search_dir_perms;
5456 filetrans_pattern($1, var_lib_t, $2, $3)
5459 ########################################
5461 ## Read generic files in /var/lib.
5463 ## <param name="domain">
5465 ## Domain allowed access.
5469 interface(`files_read_var_lib_files',`
5471 type var_t, var_lib_t;
5474 allow $1 var_lib_t:dir list_dir_perms;
5475 read_files_pattern($1, { var_t var_lib_t }, var_lib_t)
5478 ########################################
5480 ## Read generic symbolic links in /var/lib
5482 ## <param name="domain">
5484 ## Domain allowed access.
5488 interface(`files_read_var_lib_symlinks',`
5490 type var_t, var_lib_t;
5493 read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
5496 # cjp: the next two interfaces really need to be fixed
5497 # in some way. They really need their own types.
5499 ########################################
5501 ## Create, read, write, and delete the
5502 ## pseudorandom number generator seed.
5504 ## <param name="domain">
5506 ## Domain allowed access.
5510 interface(`files_manage_urandom_seed',`
5512 type var_t, var_lib_t;
5515 allow $1 var_t:dir search_dir_perms;
# NOTE(review): the rule targets the generic var_lib_t type, so the caller
# can create, modify and delete every var_lib_t file, not only the random
# seed. The seed has no dedicated type in the visible rules; a private type
# would let this be narrowed to the one file the interface name promises.
5516 manage_files_pattern($1, var_lib_t, var_lib_t)
5519 ########################################
5521 ## Allow domain to manage mount tables
5522 ## necessary for rpcd, nfsd, etc.
5524 ## <param name="domain">
5526 ## Domain allowed access.
5530 interface(`files_manage_mounttab',`
5532 type var_t, var_lib_t;
5535 allow $1 var_t:dir search_dir_perms;
# NOTE(review): the rule below matches the one in files_manage_urandom_seed:
# manage access to all generic var_lib_t files. The mount table has no
# dedicated type in the visible rules, so the grant is broader than the
# interface name suggests.
5536 manage_files_pattern($1, var_lib_t, var_lib_t)
5539 ########################################
5541 ## List generic lock directories.
5543 ## <param name="domain">
5545 ## Domain allowed access.
5549 interface(`files_list_locks',`
5551 type var_t, var_lock_t;
5554 files_search_locks($1)
5555 list_dirs_pattern($1, var_t, var_lock_t)
5558 ########################################
5560 ## Search the locks directory (/var/lock).
5562 ## <param name="domain">
5564 ## Domain allowed access.
5568 interface(`files_search_locks',`
5570 type var_t, var_lock_t;
# Searching the lock directory also grants search of the pid directory
# through the call below.
# NOTE(review): presumably because the lock directory can live under the
# runtime directory on some layouts - confirm.
5573 files_search_pids($1)
# Read access to a var_lock_t symlink.
# NOTE(review): presumably for layouts where /var/lock is a symbolic link -
# confirm.
5574 allow $1 var_lock_t:lnk_file read_lnk_file_perms;
5575 search_dirs_pattern($1, var_t, var_lock_t)
5578 ########################################
5580 ## Do not audit attempts to search the
5581 ## locks directory (/var/lock).
5583 ## <param name="domain">
5585 ## Domain to not audit.
5589 interface(`files_dontaudit_search_locks',`
5594 dontaudit $1 var_lock_t:lnk_file read_lnk_file_perms;
5595 dontaudit $1 var_lock_t:dir search_dir_perms;
5598 ########################################
5600 ## create a directory in the /var/lock
5603 ## <param name="domain">
5605 ## Domain allowed access.
5609 interface(`files_create_lock_dirs',`
5611 type var_t, var_lock_t;
5614 files_search_locks($1)
5615 allow $1 var_lock_t:dir create_dir_perms;
5618 ########################################
5620 ## Add and remove entries in the /var/lock
5623 ## <param name="domain">
5625 ## Domain allowed access.
5629 interface(`files_rw_lock_dirs',`
5631 type var_t, var_lock_t;
5634 files_search_locks($1)
5635 rw_dirs_pattern($1, var_t, var_lock_t)
5638 ########################################
5640 ## Get the attributes of generic lock files.
5642 ## <param name="domain">
5644 ## Domain allowed access.
5648 interface(`files_getattr_generic_locks',`
5650 type var_t, var_lock_t;
5653 files_search_locks($1)
5654 allow $1 var_lock_t:dir list_dir_perms;
5655 getattr_files_pattern($1, var_lock_t, var_lock_t)
5658 ########################################
5660 ## Delete generic lock files.
5662 ## <param name="domain">
5664 ## Domain allowed access.
5668 interface(`files_delete_generic_locks',`
5670 type var_t, var_lock_t;
5673 files_search_locks($1)
5674 delete_files_pattern($1, var_lock_t, var_lock_t)
5677 ########################################
5679 ## Create, read, write, and delete generic
5682 ## <param name="domain">
5684 ## Domain allowed access.
5688 interface(`files_manage_generic_locks',`
5690 type var_t, var_lock_t;
5693 files_search_locks($1)
5694 manage_files_pattern($1, var_lock_t, var_lock_t)
5697 ########################################
5699 ## Delete all lock files.
5701 ## <param name="domain">
5703 ## Domain allowed access.
5708 interface(`files_delete_all_locks',`
5714 allow $1 var_t:dir search_dir_perms;
5715 delete_files_pattern($1, lockfile, lockfile)
5718 ########################################
5720 ## Relabel all lock directories.
5722 ## <param name="domain">
5724 ## Domain allowed access.
5729 interface(`files_relabel_all_lock_dirs',`
5735 allow $1 var_t:dir search_dir_perms;
5736 relabel_dirs_pattern($1, lockfile, lockfile)
5739 ########################################
5741 ## Read all lock files.
5743 ## <param name="domain">
5745 ## Domain allowed access.
5749 interface(`files_read_all_locks',`
5752 type var_t, var_lock_t;
5755 files_search_locks($1)
5756 allow $1 lockfile:dir list_dir_perms;
5757 read_files_pattern($1, lockfile, lockfile)
5758 read_lnk_files_pattern($1, lockfile, lockfile)
5761 ########################################
5763 ## manage all lock files.
5765 ## <param name="domain">
5767 ## Domain allowed access.
5771 interface(`files_manage_all_locks',`
5774 type var_t, var_lock_t;
5777 files_search_locks($1)
5778 manage_dirs_pattern($1, lockfile, lockfile)
5779 manage_files_pattern($1, lockfile, lockfile)
5780 manage_lnk_files_pattern($1, lockfile, lockfile)
5783 ########################################
5785 ## Create an object in the locks directory, with a private
5786 ## type using a type transition.
5788 ## <param name="domain">
5790 ## Domain allowed access.
5793 ## <param name="private type">
5795 ## The type of the object to be created.
5798 ## <param name="object">
5800 ## The object class of the object being created.
5804 interface(`files_lock_filetrans',`
5806 type var_t, var_lock_t;
5809 files_search_locks($1)
5810 filetrans_pattern($1, var_lock_t, $2, $3)
5813 ########################################
5815 ## Do not audit attempts to get the attributes
5816 ## of the /var/run directory.
5818 ## <param name="domain">
5820 ## Domain to not audit.
5824 interface(`files_dontaudit_getattr_pid_dirs',`
5829 dontaudit $1 var_run_t:dir getattr;
5832 ########################################
5834 ## Set the attributes of the /var/run directory.
5836 ## <param name="domain">
5838 ## Domain allowed access.
5842 interface(`files_setattr_pid_dirs',`
5847 allow $1 var_run_t:dir setattr;
5850 ########################################
5852 ## Search the contents of runtime process
5853 ## ID directories (/var/run).
5855 ## <param name="domain">
5857 ## Domain allowed access.
5861 interface(`files_search_pids',`
5863 type var_t, var_run_t;
5866 allow $1 var_run_t:lnk_file read_lnk_file_perms;
5867 search_dirs_pattern($1, var_t, var_run_t)
5870 ######################################
5872 ## Add and remove entries from pid directories.
5874 ## <param name="domain">
5876 ## Domain allowed access.
5880 interface(`files_rw_pid_dirs',`
5885 allow $1 var_run_t:dir rw_dir_perms;
5888 #######################################
5890 ## Create generic pid directory.
5892 ## <param name="domain">
5894 ## Domain allowed access.
5898 interface(`files_create_var_run_dirs',`
5900 type var_t, var_run_t;
5903 allow $1 var_t:dir search_dir_perms;
5904 allow $1 var_run_t:dir create_dir_perms;
5907 ########################################
5909 ## Do not audit attempts to search
5910 ## the /var/run directory.
5912 ## <param name="domain">
5914 ## Domain to not audit.
5918 interface(`files_dontaudit_search_pids',`
5923 dontaudit $1 var_run_t:dir search_dir_perms;
5926 ########################################
5928 ## List the contents of the runtime process
5929 ## ID directories (/var/run).
5931 ## <param name="domain">
5933 ## Domain allowed access.
5937 interface(`files_list_pids',`
5939 type var_t, var_run_t;
5942 list_dirs_pattern($1, var_t, var_run_t)
5945 ########################################
5947 ## Read generic process ID files.
5949 ## <param name="domain">
5951 ## Domain allowed access.
5955 interface(`files_read_generic_pids',`
5957 type var_t, var_run_t;
5960 list_dirs_pattern($1, var_t, var_run_t)
5961 read_files_pattern($1, var_run_t, var_run_t)
5964 ########################################
5966 ## Write named generic process ID pipes
5968 ## <param name="domain">
5970 ## Domain allowed access.
5974 interface(`files_write_generic_pid_pipes',`
5979 allow $1 var_run_t:fifo_file write;
5982 ########################################
5984 ## Create an object in the process ID directory, with a private type.
5988 ## Create an object in the process ID directory (e.g., /var/run)
5989 ## with a private type. Typically this is used for creating
5990 ## private PID files in /var/run with the private type instead
5991 ## of the general PID file type. To accomplish this goal,
5992 ## either the program must be SELinux-aware, or use this interface.
5995 ## Related interfaces:
5998 ## <li>files_pid_file()</li>
6001 ## Example usage with a domain that can create and
6002 ## write its PID file with a private PID file type in the
6003 ## /var/run directory:
6006 ## type mypidfile_t;
6007 ## files_pid_file(mypidfile_t)
6008 ## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms };
6009 ## files_pid_filetrans(mydomain_t, mypidfile_t, file)
6012 ## <param name="domain">
6014 ## Domain allowed access.
6017 ## <param name="private type">
6019 ## The type of the object to be created.
6022 ## <param name="object">
6024 ## The object class of the object being created.
6027 ## <infoflow type="write" weight="10"/>
6029 interface(`files_pid_filetrans',`
6031 type var_t, var_run_t;
6034 allow $1 var_t:dir search_dir_perms;
6035 filetrans_pattern($1, var_run_t, $2, $3)
6038 ########################################
6040 ## Read and write generic process ID files.
6042 ## <param name="domain">
6044 ## Domain allowed access.
6048 interface(`files_rw_generic_pids',`
6050 type var_t, var_run_t;
6053 list_dirs_pattern($1, var_t, var_run_t)
6054 rw_files_pattern($1, var_run_t, var_run_t)
6057 ########################################
6059 ## Do not audit attempts to get the attributes of
6060 ## daemon runtime data files.
6062 ## <param name="domain">
6064 ## Domain to not audit.
6068 interface(`files_dontaudit_getattr_all_pids',`
6073 dontaudit $1 pidfile:file getattr;
6076 ########################################
6078 ## Do not audit attempts to write to daemon runtime data files.
6080 ## <param name="domain">
6082 ## Domain to not audit.
6086 interface(`files_dontaudit_write_all_pids',`
6091 dontaudit $1 pidfile:file write;
6094 ########################################
6096 ## Do not audit attempts to ioctl daemon runtime data files.
6098 ## <param name="domain">
6100 ## Domain to not audit.
6104 interface(`files_dontaudit_ioctl_all_pids',`
# Silences the denial record for ioctl on pidfile-attributed files; the
# ioctl itself is not permitted by this rule.
6109 dontaudit $1 pidfile:file ioctl;
6112 ########################################
6114 ## Relabel all pid directories
6116 ## <param name="domain">
6118 ## Domain allowed access.
6122 interface(`files_relabel_all_pid_dirs',`
# Applies to directories of every type carrying the pidfile attribute, not
# only to the generic var_run_t type.
6127 relabel_dirs_pattern($1, pidfile, pidfile)
6130 ########################################
6132 ## Delete all pid sockets
6134 ## <param name="domain">
6136 ## Domain allowed access.
6140 interface(`files_unlink_all_pid_sockets',`
# Only the sock_file deletion permissions are granted here. No directory
# permission appears in this rule, so the caller presumably gets access to
# the containing directory from another interface -- confirm at call sites.
6145 allow $1 pidfile:sock_file delete_sock_file_perms;
6148 ########################################
6150 ## manage all pidfile directories
6151 ## in the /var/run directory.
6153 ## <param name="domain">
6155 ## Domain allowed access.
6159 interface(`files_manage_all_pid_dirs',`
# Directory management across every pidfile-attributed type; this reaches
# the runtime directories of all daemons, so reserve it for domains that
# genuinely administer /var/run.
6164 manage_dirs_pattern($1,pidfile,pidfile)
6168 ########################################
6170 ## Read all process ID files.
6172 ## <param name="domain">
6174 ## Domain allowed access.
6179 interface(`files_read_all_pids',`
# Read-only access to every pidfile-attributed type: list the directories,
# then read the regular files and symbolic links found in them.
6185 list_dirs_pattern($1, var_t, pidfile)
6186 read_files_pattern($1, pidfile, pidfile)
6187 read_lnk_files_pattern($1, pidfile, pidfile)
6190 ########################################
6192 ## Relabel all pid files
6194 ## <param name="domain">
6196 ## Domain allowed access.
6200 interface(`files_relabel_all_pid_files',`
# Regular files only; the directory counterpart is
# files_relabel_all_pid_dirs.
6205 relabel_files_pattern($1, pidfile, pidfile)
6208 ########################################
6210 ## manage all pidfiles
6211 ## in the /var/run directory.
6213 ## <param name="domain">
6215 ## Domain allowed access.
6219 interface(`files_manage_all_pids',`
# File management over every pidfile-attributed type, i.e. the PID files of
# all daemons rather than one private type. Prefer a narrower interface
# when the caller only owns its own PID file.
6224 manage_files_pattern($1,pidfile,pidfile)
6227 ########################################
6229 ## Mount filesystems on all polyinstantiation
6230 ## member directories.
6232 ## <param name="domain">
6234 ## Domain allowed access.
6238 interface(`files_mounton_all_poly_members',`
6240 attribute polymember;
# mounton lets $1 use polymember directories as mount points; permissions on
# the filesystem being mounted are not part of this rule.
6243 allow $1 polymember:dir mounton;
6246 ########################################
6248 ## Delete all process IDs.
6250 ## <param name="domain">
6252 ## Domain allowed access.
6257 interface(`files_delete_all_pids',`
6260 type var_t, var_run_t;
6263 allow $1 var_t:dir search_dir_perms;
# Generic var_run_t directories may be removed and symbolic links of that
# type deleted.
6264 allow $1 var_run_t:dir rmdir;
6265 allow $1 var_run_t:lnk_file delete_lnk_file_perms;
# Regular files, FIFOs and sockets of any pidfile-attributed type.
6266 delete_files_pattern($1, pidfile, pidfile)
6267 delete_fifo_files_pattern($1, pidfile, pidfile)
# The socket rule also names var_run_t as an object type, unlike the file
# and FIFO rules above.
6268 delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
6271 ########################################
6273 ## Delete all process ID directories.
6275 ## <param name="domain">
6277 ## Domain allowed access.
6281 interface(`files_delete_all_pid_dirs',`
# Reach the PID directories through var_t, then delete directories of any
# pidfile-attributed type.
6287 allow $1 var_t:dir search_dir_perms;
6288 delete_dirs_pattern($1, pidfile, pidfile)
6291 ########################################
6293 ## Search the contents of generic spool
6294 ## directories (/var/spool).
6296 ## <param name="domain">
6298 ## Domain allowed access.
6302 interface(`files_search_spool',`
6304 type var_t, var_spool_t;
# Traversal only: $1 can pass through var_t and var_spool_t directories to
# reach something beneath them; listing and file access need other rules.
6307 search_dirs_pattern($1, var_t, var_spool_t)
6310 ########################################
6312 ## Do not audit attempts to search generic
6313 ## spool directories.
6315 ## <param name="domain">
6317 ## Domain to not audit.
6321 interface(`files_dontaudit_search_spool',`
# Hides denied searches of var_spool_t directories from the audit log; the
# search remains denied.
6326 dontaudit $1 var_spool_t:dir search_dir_perms;
6329 ########################################
6331 ## List the contents of generic spool
6332 ## (/var/spool) directories.
6334 ## <param name="domain">
6336 ## Domain allowed access.
6340 interface(`files_list_spool',`
6342 type var_t, var_spool_t;
# Listing of generic var_spool_t directories, reached through var_t.
6345 list_dirs_pattern($1, var_t, var_spool_t)
6348 ########################################
6350 ## Create, read, write, and delete generic
6351 ## spool directories (/var/spool).
6353 ## <param name="domain">
6355 ## Domain allowed access.
6359 interface(`files_manage_generic_spool_dirs',`
6361 type var_t, var_spool_t;
6364 allow $1 var_t:dir search_dir_perms;
# Directories only; regular files of the generic spool type are covered by
# files_manage_generic_spool.
6365 manage_dirs_pattern($1, var_spool_t, var_spool_t)
6368 ########################################
6370 ## Read generic spool files.
6372 ## <param name="domain">
6374 ## Domain allowed access.
6378 interface(`files_read_generic_spool',`
6380 type var_t, var_spool_t;
# Generic var_spool_t content only; spool files labelled with a private
# type are not named by these rules.
6383 list_dirs_pattern($1, var_t, var_spool_t)
6384 read_files_pattern($1, var_spool_t, var_spool_t)
6387 ########################################
6389 ## Create, read, write, and delete generic
6392 ## <param name="domain">
6394 ## Domain allowed access.
6398 interface(`files_manage_generic_spool',`
6400 type var_t, var_spool_t;
6403 allow $1 var_t:dir search_dir_perms;
# Regular files of the generic var_spool_t type; directories are handled by
# files_manage_generic_spool_dirs.
6404 manage_files_pattern($1, var_spool_t, var_spool_t)
6407 ########################################
6409 ## Create objects in the spool directory
6410 ## with a private type with a type transition.
6412 ## <param name="domain">
6414 ## Domain allowed access.
6417 ## <param name="file">
6419 ## Type to which the created node will be transitioned.
6422 ## <param name="class">
6424 ## Object class(es) (single or set including {}) for which
6425 ## the transition will occur.
6429 interface(`files_spool_filetrans',`
6431 type var_t, var_spool_t;
6434 allow $1 var_t:dir search_dir_perms;
# Objects of class $3 created by $1 in a var_spool_t directory are labelled
# $2, so the new content does not stay on the generic spool type.
6435 filetrans_pattern($1, var_spool_t, $2, $3)
6438 ########################################
6440 ## Allow access to manage all polyinstantiated
6441 ## directories on the system.
6443 ## <param name="domain">
6445 ## Domain allowed access.
6449 interface(`files_polyinstantiate_all',`
6451 attribute polydir, polymember, polyparent;
# NOTE(review): this interface combines capabilities (sys_admin among them),
# mounton, relabelto/relabelfrom and setfscreate. Grant it only to the
# domain that actually sets up polyinstantiated directories.
6455 # Need to give access to /selinux/member
6456 selinux_compute_member($1)
6458 # Need sys_admin capability for mounting
6459 allow $1 self:capability { chown fsetid sys_admin fowner };
6461 # Need to give access to the directories to be polyinstantiated
6462 allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
6464 # Need to give access to the polyinstantiated subdirectories
6465 allow $1 polymember:dir search_dir_perms;
6467 # Need to give access to parent directories where original
6468 # is remounted for polyinstantiation aware programs (like gdm)
6469 allow $1 polyparent:dir { getattr mounton };
6471 # Need to give permission to create directories where applicable
6472 allow $1 self:process setfscreate;
6473 allow $1 polymember: dir { create setattr relabelto };
# NOTE(review): write, add_name and open on polydir are already in the
# polydir rule above, so the next line looks redundant.
6474 allow $1 polydir: dir { write add_name open };
6475 allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
6477 # Default type for mountpoints
6478 allow $1 poly_t:dir { create mounton };
6479 fs_unmount_xattr_fs($1)
6482 fs_unmount_tmpfs($1)
# Additional access that applies only when distro_redhat is defined.
6484 ifdef(`distro_redhat',`
6486 files_search_tmp($1)
6487 files_search_home($1)
6488 corecmd_exec_bin($1)
6489 seutil_domtrans_setfiles($1)
6493 ########################################
6495 ## Unconfined access to files.
6497 ## <param name="domain">
6499 ## Domain allowed access.
6503 interface(`files_unconfined',`
6505 attribute files_unconfined_type;
# This interface only adds $1 to the files_unconfined_type attribute; the
# access itself presumably comes from rules written against that attribute
# elsewhere. Review every caller: membership is effectively an exemption
# from file-level confinement.
6508 typeattribute $1 files_unconfined_type;
6511 ########################################
6513 ## Create a core file in /
6517 ## Create a core file in /,
6520 ## <param name="domain">
6522 ## Domain allowed access.
6527 interface(`files_manage_root_files',`
# NOTE(review): the summary describes creating a core file in /, but
# manage_files_pattern is a management grant over root_t files, not just
# creation -- confirm callers need more than create/write.
6532 manage_files_pattern($1, root_t, root_t)
6535 ########################################
6537 ## Create a default directory
6541 ## Create a default_t directory
6544 ## <param name="domain">
6546 ## Domain allowed access.
6551 interface(`files_create_default_dir',`
# Only the create permission on default_t directories is granted; access to
# the parent directory is not part of this rule.
6556 allow $1 default_t:dir create;
6559 ########################################
6561 ## Create default_t objects with an automatic
6564 ## <param name="domain">
6566 ## Domain allowed access.
6569 ## <param name="object">
6571 ## The class of the object being created.
6575 interface(`files_root_filetrans_default',`
6577 type root_t, default_t;
# Objects of class $2 that $1 creates in a root_t directory are labelled
# default_t.
6580 filetrans_pattern($1, root_t, default_t, $2)
6583 ########################################
6585 ## manage generic symbolic links
6586 ## in the /var/run directory.
6588 ## <param name="domain">
6590 ## Domain allowed access.
6594 interface(`files_manage_generic_pids_symlinks',`
# Symbolic links of the generic var_run_t type only. A domain that can
# create or replace links here influences where other programs resolving
# paths under /var/run end up, so keep the set of callers small.
6599 manage_lnk_files_pattern($1,var_run_t,var_run_t)
6602 ########################################
6604 ## Do not audit attempts to getattr
6607 ## <param name="domain">
6609 ## Domain to not audit.
6613 interface(`files_dontaudit_getattr_tmpfs_files',`
6615 attribute tmpfsfile;
# NOTE(review): the interface name and summary say "do not audit", but the
# rule below is an allow: it grants getattr on every tmpfsfile-attributed
# file. If suppression was intended, the rule should be
# "dontaudit $1 tmpfsfile:file getattr;". Check callers before changing it,
# since some may have come to rely on the grant.
6618 allow $1 tmpfsfile:file getattr;
6621 ########################################
6623 ## Allow read write all tmpfs files
6625 ## <param name="domain">
6627 ## Domain allowed access.
6631 interface(`files_rw_tmpfs_files',`
6633 attribute tmpfsfile;
# Grants read and write, without open, on every tmpfsfile-attributed file;
# presumably intended for descriptors handed to $1 rather than files it
# opens itself -- confirm against callers.
6636 allow $1 tmpfsfile:file { read write };
6639 ########################################
6641 ## Do not audit attempts to read security files
6643 ## <param name="domain">
6645 ## Domain to not audit.
6649 interface(`files_dontaudit_read_security_files',`
6651 attribute security_file_type;
# Reads stay denied, but the denial is no longer logged. Because the target
# is security_file_type, this removes audit evidence of a domain probing
# security-sensitive files; apply it only where the denials are known noise.
6654 dontaudit $1 security_file_type:file read_file_perms;
6657 ########################################
6659 ## Read and write any files inherited from another process
6661 ## <param name="domain">
6663 ## Domain allowed access.
6668 interface(`files_rw_all_inherited_files',`
6670 attribute file_type;
# NOTE(review): $2 is spliced into the target type set but is not described
# in the parameter documentation visible above; presumably it carries extra
# types or exclusions (e.g. "-some_type_t") -- confirm and document it.
# The grant covers files, FIFOs, sockets and character devices of every
# file_type, limited to the rw_inherited_* permission sets.
6673 allow $1 { file_type $2 }:file rw_inherited_file_perms;
6674 allow $1 { file_type $2 }:fifo_file rw_inherited_fifo_file_perms;
6675 allow $1 { file_type $2 }:sock_file rw_inherited_sock_file_perms;
6676 allow $1 { file_type $2 }:chr_file rw_inherited_chr_file_perms;
6679 ########################################
6681 ## Allow any file to be the entrypoint of this domain
6683 ## <param name="domain">
6685 ## Domain allowed access.
6690 interface(`files_entrypoint_all_files',`
6692 attribute file_type;
# Every file_type becomes a valid entrypoint for $1, so the entrypoint check
# no longer restricts which executables can run in this domain. Confinement
# of $1 then rests entirely on the domain transition rules that lead to it.
6694 allow $1 file_type:file entrypoint;
6697 ########################################
6699 ## Do not audit attempts to rw inherited file perms
6700 ## of non security files.
6702 ## <param name="domain">
6704 ## Domain to not audit.
6708 interface(`files_dontaudit_all_non_security_leaks',`
6710 attribute non_security_file_type;
# Limited to non_security_file_type, so denied access to security file types
# is still audited. Covers every class in file_class_set.
6713 dontaudit $1 non_security_file_type:file_class_set rw_inherited_file_perms;
6716 ########################################
6718 ## Do not audit attempts to read or write
6719 ## all leaked files.
6721 ## <param name="domain">
6723 ## Domain to not audit.
6727 interface(`files_dontaudit_leaks',`
6729 attribute file_type;
# Unlike files_dontaudit_all_non_security_leaks this targets file_type, so
# security file types are presumably included as well. Only regular files
# and reads of symbolic links are covered here.
6732 dontaudit $1 file_type:file rw_inherited_file_perms;
6733 dontaudit $1 file_type:lnk_file { read };
6736 ########################################
6738 ## Allow domain to create_files_as all types
6740 ## <param name="domain">
6742 ## Domain allowed access.
6746 interface(`files_create_as_is_all_files',`
6748 attribute file_type;
6749 class kernel_service create_files_as;
# create_files_as is a kernel_service permission; with file_type as the
# target it applies to every file type. Presumably this lets a kernel
# service acting for $1 create files under any of those labels -- confirm
# the intended callers, as the scope is policy-wide.
6752 allow $1 file_type:kernel_service create_files_as;
6755 ########################################
6757 ## Do not audit attempts to check the
6758 ## write access on all files
6760 ## <param name="domain">
6762 ## Domain to not audit.
6766 interface(`files_dontaudit_all_access_check',`
6768 attribute file_type;
# Suppresses audit records for the audit_access permission on every class in
# file_class_set and every file_type; no access is granted.
6771 dontaudit $1 file_type:file_class_set audit_access;
6774 ########################################
6776 ## Do not audit attempts to write to all files
6778 ## <param name="domain">
6780 ## Domain to not audit.
6784 interface(`files_dontaudit_write_all_files',`
6786 attribute file_type;
6789 dontaudit $1 file_type:dir_file_class_set write;