1 ## <summary>Policy for user executable applications.</summary>
3 ########################################
5 ## Make the specified type usable as an application domain.
9 ## Type to be used as a domain type.
13 interface(`application_type',`
# Names the attribute that the typeattribute statement below assigns.
15 attribute application_domain_type;
# Adds the type given as the first argument to application_domain_type.
# Every rule in this file written against that attribute (the signal and
# socket interfaces) then covers the new type too.
18 typeattribute $1 application_domain_type;
20 # start with basic domain
# NOTE(review): the statement this comment introduces is not visible in
# this listing - confirm against the full policy source.
24 ########################################
26 ## Make the specified type usable for files
27 ## that are executables, such as binary programs.
28 ## This does not include shared libraries.
30 ## <param name="type">
32 ## Type to be used for files.
36 interface(`application_executable_file',`
# Names the attribute that the typeattribute statement below assigns.
38 attribute application_exec_type;
# Tags the file type (first argument) as an application executable.
# application_exec grants execute access on every type carrying this
# attribute, so apply it only to file types that any such caller should be
# able to run.
41 typeattribute $1 application_exec_type;
# Defined outside this file; presumably registers the type as a generic
# executable file type - verify against the corecommands module.
43 corecmd_executable_file($1)
46 ########################################
48 ## Execute application executables in the caller domain.
50 ## <param name="type">
52 ## Domain allowed access.
56 interface(`application_exec',`
# Names the attribute referenced by the can_exec call below.
58 attribute application_exec_type;
# Lets the calling domain (first argument) execute any file whose type
# carries application_exec_type. Per the interface summary the program runs
# in the caller domain, so it keeps every permission of the caller and gets
# no confinement of its own. can_exec is a support macro defined outside
# this file.
61 can_exec($1, application_exec_type)
64 ########################################
66 ## Execute all executable files.
68 ## <param name="domain">
70 ## Domain allowed access.
75 interface(`application_exec_all',`
# Judging by its name this call is a dontaudit, not an allow: it would
# suppress audit records for denied execute attempts rather than permit them.
# NOTE(review): the summary reads "Execute all executable files" - confirm
# which executables are actually permitted. Denials hidden by a dontaudit
# rule do not show up in the audit log during troubleshooting or detection
# work.
76 corecmd_dontaudit_exec_all_executables($1)
# Shell and chroot execution, granted through interfaces defined outside this
# file (corecmd prefix). Review callers with care: both are powerful programs
# to hand to a domain.
78 corecmd_exec_shell($1)
79 corecmd_exec_chroot($1)
84 ########################################
86 ## Create a domain for applications.
90 ## Create a domain for applications. Typically these are
91 ## programs that are run interactively.
94 ## The types will be made usable as a domain and file, making
95 ## calls to domain_type() and files_type() redundant.
98 ## <param name="domain">
100 ## Type to be used as an application domain.
103 ## <param name="entry_point">
105 ## Type of the program to be used as an entry point to this domain.
108 ## <infoflow type="none"/>
110 interface(`application_domain',`
# Marks the entry point type (second argument) as an application executable
# via the interface defined earlier in this file.
112 application_executable_file($2)
# Registers the second argument as an entry point file for the domain given
# as the first argument. domain_entry_file is defined outside this file.
# Files with the entry point label are the way into this domain, so keep that
# label off writable or untrusted files.
113 domain_entry_file($1, $2)
116 ########################################
118 ## Send null signals to all application domains.
120 ## <param name="domain">
122 ## Domain allowed access.
126 interface(`application_signull',`
# Names the attribute used as the target of the allow rule below.
128 attribute application_domain_type;
# signull is the process permission for signal 0: nothing is delivered, but
# the sender learns whether the target process exists. The rule targets the
# attribute, so it covers every type that has application_domain_type.
131 allow $1 application_domain_type:process signull;
134 ########################################
136 ## Do not audit attempts to send null signals
137 ## to all application domains.
139 ## <param name="domain">
141 ## Domain to not audit.
145 interface(`application_dontaudit_signull',`
# Names the attribute used as the target of the dontaudit rule below.
147 attribute application_domain_type;
# dontaudit grants nothing: the null signal stays denied and only the AVC
# denial record is suppressed. When investigating, hidden denials can be
# re-exposed temporarily by rebuilding policy with semodule -DB.
150 dontaudit $1 application_domain_type:process signull;
153 ########################################
155 ## Send general signals to all application domains.
157 ## <param name="domain">
159 ## Domain allowed access.
163 interface(`application_signal',`
# Names the attribute used as the target of the allow rule below.
165 attribute application_domain_type;
# Grants the signal permission on every application domain. In the process
# class sigkill, sigstop, sigchld and signull are separate permissions and
# are not granted by this rule. The caller can still terminate or interrupt
# any application domain with catchable signals, so grant sparingly.
168 allow $1 application_domain_type:process signal;
171 ########################################
173 ## Do not audit attempts to send general signals
174 ## to all application domains.
176 ## <param name="domain">
178 ## Domain to not audit.
182 interface(`application_dontaudit_signal',`
# Names the attribute used as the target of the dontaudit rule below.
184 attribute application_domain_type;
# dontaudit grants nothing: general signals to application domains stay
# denied and only the AVC denial record is suppressed. A domain that keeps
# trying to signal applications will therefore leave no trace in the audit
# log unless dontaudit rules are disabled (semodule -DB).
187 dontaudit $1 application_domain_type:process signal;
190 ########################################
192 ## Do not audit attempts to send kill signals
193 ## to all application domains.
195 ## <param name="domain">
197 ## Domain to not audit.
201 interface(`application_dontaudit_sigkill',`
# Names the attribute used as the target of the dontaudit rule below.
203 attribute application_domain_type;
# dontaudit grants nothing: sigkill against application domains stays denied
# and only the AVC denial record is suppressed. This listing shows no
# matching allow interface for sigkill. Suppressed kill attempts are
# invisible to audit-based detection unless dontaudit rules are disabled
# (semodule -DB).
206 dontaudit $1 application_domain_type:process sigkill;
209 #######################################
211 ## Getattr all application sockets.
213 ## <param name="domain">
215 ## Domain allowed access.
219 interface(`application_getattr_socket',`
# Names the attribute used as the target of the allow rule below.
221 attribute application_domain_type;
# Grants getattr only (no read, write or connect) on sockets owned by any
# application domain. socket_class_set is defined outside this file;
# presumably it expands to the set of socket object classes - verify.
224 allow $1 application_domain_type:socket_class_set getattr;