]> git.ipfire.org Git - people/stevee/selinux-policy.git/blame - policy/modules/system/selinuxutil.if
projects / people / stevee / selinux-policy.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
trunk: merge UBAC.
[people/stevee/selinux-policy.git] / policy / modules / system / selinuxutil.if
CommitLineData
162a57e5 1## <summary>Policy for SELinux policy and userland applications.</summary>
e181fe05 2
85bd7f1f 3#######################################
f7ebea06 4## <summary>
414e4151 5## Execute checkpolicy in the checkpolicy domain.
f7ebea06 6## </summary>
414e4151 7## <param name="domain">
885b83ec 8## <summary>
ac9db9b5 9## Domain allowed access.
885b83ec 10## </summary>
414e4151 11## </param>
85bd7f1f 12#
1815bad1 13interface(`seutil_domtrans_checkpolicy',`
139520a2
CP		 14 gen_require(`
15 type checkpolicy_t, checkpolicy_exec_t;
139520a2 16 ')
0c73cd25 17
139520a2
CP		 18 files_search_usr($1)
19 corecmd_search_bin($1)
c0868a7a 20 domtrans_pattern($1,checkpolicy_exec_t,checkpolicy_t)
85bd7f1f
CP		 21')
22
daa0e0b0 23########################################
f7ebea06 24## <summary>
414e4151
CP		 25## Execute checkpolicy in the checkpolicy domain, and
26## allow the specified role the checkpolicy domain,
27## and use the caller's terminal.
f7ebea06 28## </summary>
414e4151 29## <param name="domain">
885b83ec 30## <summary>
ac9db9b5 31## Domain allowed access.
885b83ec 32## </summary>
414e4151
CP		 33## </param>
34## <param name="role">
885b83ec 35## <summary>
414e4151 36## The role to be allowed the checkpolicy domain.
885b83ec 37## </summary>
414e4151 38## </param>
bbcd3c97 39## <rolecap/>
daa0e0b0 40#
1815bad1 41interface(`seutil_run_checkpolicy',`
139520a2
CP		 42 gen_require(`
43 type checkpolicy_t;
139520a2 44 ')
0c73cd25 45
1815bad1 46 seutil_domtrans_checkpolicy($1)
0c73cd25 47 role $2 types checkpolicy_t;
daa0e0b0
CP		 48')
49
ac9db9b5
CP		 50########################################
51## <summary>
52## Execute checkpolicy in the caller domain.
53## </summary>
54## <param name="domain">
55## <summary>
56## Domain allowed access.
57## </summary>
58## </param>
bbcd3c97 59## <rolecap/>
85bd7f1f 60#
1815bad1 61interface(`seutil_exec_checkpolicy',`
139520a2
CP		 62 gen_require(`
63 type checkpolicy_exec_t;
64 ')
0c73cd25 65
139520a2
CP		 66 files_search_usr($1)
67 corecmd_search_bin($1)
cc41a97c 68 can_exec($1,checkpolicy_exec_t)
85bd7f1f
CP		 69')
70
85bd7f1f 71#######################################
f7ebea06 72## <summary>
414e4151 73## Execute load_policy in the load_policy domain.
f7ebea06 74## </summary>
414e4151 75## <param name="domain">
885b83ec 76## <summary>
ac9db9b5 77## Domain allowed access.
885b83ec 78## </summary>
414e4151 79## </param>
85bd7f1f 80#
1815bad1 81interface(`seutil_domtrans_loadpolicy',`
139520a2
CP		 82 gen_require(`
83 type load_policy_t, load_policy_exec_t;
139520a2 84 ')
0c73cd25 85
8021cb4f 86 corecmd_search_bin($1)
c0868a7a 87 domtrans_pattern($1,load_policy_exec_t,load_policy_t)
85bd7f1f
CP		 88')
89
daa0e0b0 90########################################
f7ebea06 91## <summary>
414e4151
CP		 92## Execute load_policy in the load_policy domain, and
93## allow the specified role the load_policy domain,
94## and use the caller's terminal.
f7ebea06 95## </summary>
414e4151 96## <param name="domain">
885b83ec 97## <summary>
ac9db9b5 98## Domain allowed access.
885b83ec 99## </summary>
414e4151
CP		 100## </param>
101## <param name="role">
885b83ec 102## <summary>
414e4151 103## The role to be allowed the load_policy domain.
885b83ec 104## </summary>
414e4151 105## </param>
bbcd3c97 106## <rolecap/>
daa0e0b0 107#
1815bad1 108interface(`seutil_run_loadpolicy',`
139520a2
CP		 109 gen_require(`
110 type load_policy_t;
139520a2 111 ')
0c73cd25 112
1815bad1 113 seutil_domtrans_loadpolicy($1)
0c73cd25 114 role $2 types load_policy_t;
daa0e0b0
CP		 115')
116
ac9db9b5
CP		 117########################################
118## <summary>
119## Execute load_policy in the caller domain.
120## </summary>
121## <param name="domain">
122## <summary>
123## Domain allowed access.
124## </summary>
125## </param>
85bd7f1f 126#
1815bad1 127interface(`seutil_exec_loadpolicy',`
139520a2
CP		 128 gen_require(`
129 type load_policy_exec_t;
130 ')
0c73cd25 131
8021cb4f 132 corecmd_search_bin($1)
cc41a97c 133 can_exec($1,load_policy_exec_t)
85bd7f1f
CP		 134')
135
ac9db9b5
CP		 136########################################
137## <summary>
138## Read the load_policy program file.
139## </summary>
140## <param name="domain">
141## <summary>
142## Domain allowed access.
143## </summary>
144## </param>
85bd7f1f 145#
1815bad1 146interface(`seutil_read_loadpolicy',`
139520a2
CP		 147 gen_require(`
148 type load_policy_exec_t;
139520a2 149 ')
0c73cd25 150
8021cb4f 151 corecmd_search_bin($1)
c0868a7a 152 allow $1 load_policy_exec_t:file read_file_perms;
85bd7f1f
CP		 153')
154
85bd7f1f 155#######################################
f7ebea06 156## <summary>
296273a7 157## Execute newrole in the newole domain.
f7ebea06 158## </summary>
414e4151 159## <param name="domain">
885b83ec 160## <summary>
ac9db9b5 161## Domain allowed access.
885b83ec 162## </summary>
414e4151 163## </param>
85bd7f1f 164#
199895e2 165interface(`seutil_domtrans_newrole',`
139520a2
CP		 166 gen_require(`
167 type newrole_t, newrole_exec_t;
139520a2 168 ')
0c73cd25 169
139520a2
CP		 170 files_search_usr($1)
171 corecmd_search_bin($1)
c0868a7a 172 domtrans_pattern($1,newrole_exec_t,newrole_t)
85bd7f1f
CP		 173')
174
daa0e0b0 175########################################
f7ebea06 176## <summary>
414e4151
CP		 177## Execute newrole in the newrole domain, and
178## allow the specified role the newrole domain,
179## and use the caller's terminal.
f7ebea06 180## </summary>
414e4151 181## <param name="domain">
885b83ec 182## <summary>
ac9db9b5 183## Domain allowed access.
885b83ec 184## </summary>
414e4151
CP		 185## </param>
186## <param name="role">
885b83ec 187## <summary>
414e4151 188## The role to be allowed the newrole domain.
885b83ec 189## </summary>
414e4151 190## </param>
bbcd3c97 191## <rolecap/>
daa0e0b0 192#
199895e2 193interface(`seutil_run_newrole',`
139520a2
CP		 194 gen_require(`
195 type newrole_t;
139520a2 196 ')
0c73cd25 197
5e0da6a0 198 seutil_domtrans_newrole($1)
0c73cd25 199 role $2 types newrole_t;
c2b87f2a 200
296273a7 201 auth_run_upd_passwd(newrole_t, $2)
daa0e0b0
CP		 202')
203
ac9db9b5
CP		 204########################################
205## <summary>
206## Execute newrole in the caller domain.
207## </summary>
208## <param name="domain">
209## <summary>
210## Domain allowed access.
211## </summary>
212## </param>
85bd7f1f 213#
199895e2 214interface(`seutil_exec_newrole',`
139520a2
CP		 215 gen_require(`
216 type newrole_t, newrole_exec_t;
217 ')
0c73cd25 218
139520a2
CP		 219 files_search_usr($1)
220 corecmd_search_bin($1)
cc41a97c 221 can_exec($1,newrole_exec_t)
85bd7f1f
CP		 222')
223
daa0e0b0 224########################################
f7ebea06 225## <summary>
414e4151
CP		 226## Do not audit the caller attempts to send
227## a signal to newrole.
f7ebea06 228## </summary>
414e4151 229## <param name="domain">
885b83ec 230## <summary>
ac9db9b5 231## Domain allowed access.
885b83ec 232## </summary>
414e4151 233## </param>
daa0e0b0 234#
8fd36732 235interface(`seutil_dontaudit_signal_newrole',`
139520a2
CP		 236 gen_require(`
237 type newrole_t;
139520a2 238 ')
0c73cd25
CP		 239
240 dontaudit $1 newrole_t:process signal;
daa0e0b0
CP		 241')
242
ac9db9b5
CP		 243########################################
244## <summary>
245## Send a SIGCHLD signal to newrole.
246## </summary>
247## <param name="domain">
248## <summary>
249## Domain allowed access.
250## </summary>
251## </param>
85bd7f1f 252#
8fd36732 253interface(`seutil_sigchld_newrole',`
139520a2
CP		 254 gen_require(`
255 type newrole_t;
139520a2 256 ')
0c73cd25
CP		 257
258 allow $1 newrole_t:process sigchld;
85bd7f1f
CP		 259')
260
ac9db9b5
CP		 261########################################
262## <summary>
263## Inherit and use newrole file descriptors.
264## </summary>
265## <param name="domain">
266## <summary>
267## Domain allowed access.
268## </summary>
269## </param>
ab64c30f 270#
15722ec9 271interface(`seutil_use_newrole_fds',`
139520a2
CP		 272 gen_require(`
273 type newrole_t;
139520a2 274 ')
0c73cd25
CP		 275
276 allow $1 newrole_t:fd use;
ab64c30f
CP		 277')
278
296273a7
CP		 279########################################
280## <summary>
281## Do not audit attempts to inherit and use
282## newrole file descriptors.
283## </summary>
284## <param name="domain">
285## <summary>
286## Domain to not audit.
287## </summary>
288## </param>
289#
290interface(`seutil_dontaudit_use_newrole_fds',`
291 gen_require(`
292 type newrole_t;
293 ')
294
295 dontaudit $1 newrole_t:fd use;
296')
297
85bd7f1f 298#######################################
f7ebea06 299## <summary>
762d2cb9 300## Execute restorecon in the restorecon domain. (Deprecated)
f7ebea06 301## </summary>
414e4151 302## <param name="domain">
885b83ec 303## <summary>
ac9db9b5 304## Domain allowed access.
885b83ec 305## </summary>
414e4151 306## </param>
85bd7f1f 307#
199895e2 308interface(`seutil_domtrans_restorecon',`
762d2cb9
CP		 309 refpolicywarn(`$0($*) has been deprecated, please use seutil_domtrans_setfiles() instead.')
310 seutil_domtrans_setfiles($1)
85bd7f1f
CP		 311')
312
daa0e0b0 313########################################
f7ebea06 314## <summary>
414e4151
CP		 315## Execute restorecon in the restorecon domain, and
316## allow the specified role the restorecon domain,
762d2cb9 317## and use the caller's terminal. (Deprecated)
f7ebea06 318## </summary>
414e4151 319## <param name="domain">
885b83ec 320## <summary>
ac9db9b5 321## Domain allowed access.
885b83ec 322## </summary>
414e4151
CP		 323## </param>
324## <param name="role">
885b83ec 325## <summary>
414e4151 326## The role to be allowed the restorecon domain.
885b83ec 327## </summary>
414e4151 328## </param>
bbcd3c97 329## <rolecap/>
daa0e0b0 330#
199895e2 331interface(`seutil_run_restorecon',`
762d2cb9 332 refpolicywarn(`$0($*) has been deprecated, please use seutil_run_setfiles() instead.')
296273a7 333 seutil_run_setfiles($1,$2)
daa0e0b0
CP		 334')
335
ac9db9b5
CP		 336########################################
337## <summary>
762d2cb9 338## Execute restorecon in the caller domain. (Deprecated)
ac9db9b5
CP		 339## </summary>
340## <param name="domain">
341## <summary>
342## Domain allowed access.
343## </summary>
344## </param>
bbcd3c97 345## <rolecap/>
85bd7f1f 346#
199895e2 347interface(`seutil_exec_restorecon',`
762d2cb9
CP		 348 refpolicywarn(`$0($*) has been deprecated, please use seutil_exec_setfiles() instead.')
349 seutil_exec_setfiles($1)
85bd7f1f
CP		 350')
351
8623d5b8 352########################################
f7ebea06 353## <summary>
414e4151 354## Execute run_init in the run_init domain.
f7ebea06 355## </summary>
414e4151 356## <param name="domain">
885b83ec 357## <summary>
ac9db9b5 358## Domain allowed access.
885b83ec 359## </summary>
414e4151 360## </param>
8623d5b8 361#
199895e2 362interface(`seutil_domtrans_runinit',`
139520a2
CP		 363 gen_require(`
364 type run_init_t, run_init_exec_t;
139520a2 365 ')
0c73cd25 366
139520a2 367 files_search_usr($1)
8021cb4f 368 corecmd_search_bin($1)
c0868a7a 369 domtrans_pattern($1,run_init_exec_t,run_init_t)
8623d5b8
CP		 370')
371
2283dc74
CP		 372########################################
373## <summary>
374## Execute init scripts in the run_init domain.
375## </summary>
376## <desc>
377## <p>
378## Execute init scripts in the run_init domain.
379## This is used for the Gentoo integrated run_init.
380## </p>
381## </desc>
382## <param name="domain">
383## <summary>
384## Domain allowed access.
385## </summary>
386## </param>
387#
388interface(`seutil_init_script_domtrans_runinit',`
389 gen_require(`
390 type run_init_t;
391 ')
392
393 init_script_file_domtrans($1,run_init_t)
394
2283dc74
CP		 395 allow run_init_t $1:fd use;
396 allow run_init_t $1:fifo_file rw_file_perms;
397 allow run_init_t $1:process sigchld;
398')
399
daa0e0b0 400########################################
f7ebea06 401## <summary>
414e4151
CP		 402## Execute run_init in the run_init domain, and
403## allow the specified role the run_init domain,
404## and use the caller's terminal.
f7ebea06 405## </summary>
414e4151 406## <param name="domain">
885b83ec 407## <summary>
ac9db9b5 408## Domain allowed access.
885b83ec 409## </summary>
414e4151
CP		 410## </param>
411## <param name="role">
885b83ec 412## <summary>
414e4151 413## The role to be allowed the run_init domain.
885b83ec 414## </summary>
414e4151 415## </param>
bbcd3c97 416## <rolecap/>
daa0e0b0 417#
199895e2 418interface(`seutil_run_runinit',`
139520a2
CP		 419 gen_require(`
420 type run_init_t;
a49e2bd3 421 role system_r;
139520a2 422 ')
0c73cd25 423
296273a7 424 auth_run_chk_passwd(run_init_t, $2)
5e0da6a0 425 seutil_domtrans_runinit($1)
0c73cd25 426 role $2 types run_init_t;
296273a7 427
a49e2bd3 428 allow $2 system_r;
daa0e0b0
CP		 429')
430
2283dc74
CP		 431########################################
432## <summary>
433## Execute init scripts in the run_init domain, and
434## allow the specified role the run_init domain,
435## and use the caller's terminal.
436## </summary>
437## <desc>
438## <p>
439## Execute init scripts in the run_init domain, and
440## allow the specified role the run_init domain,
441## and use the caller's terminal.
442## </p>
443## <p>
444## This is used for the Gentoo integrated run_init.
445## </p>
446## </desc>
447## <param name="domain">
448## <summary>
ac9db9b5 449## Domain allowed access.
2283dc74
CP		 450## </summary>
451## </param>
452## <param name="role">
453## <summary>
454## The role to be allowed the run_init domain.
455## </summary>
456## </param>
2283dc74
CP		 457#
458interface(`seutil_init_script_run_runinit',`
459 gen_require(`
460 type run_init_t;
461 role system_r;
462 ')
463
296273a7 464 auth_run_chk_passwd(run_init_t, $2)
2283dc74
CP		 465 seutil_init_script_domtrans_runinit($1)
466 role $2 types run_init_t;
296273a7 467
2283dc74
CP		 468 allow $2 system_r;
469')
470
8623d5b8 471########################################
ac9db9b5
CP		 472## <summary>
473## Inherit and use run_init file descriptors.
474## </summary>
475## <param name="domain">
476## <summary>
477## Domain allowed access.
478## </summary>
479## </param>
8623d5b8 480#
15722ec9 481interface(`seutil_use_runinit_fds',`
139520a2
CP		 482 gen_require(`
483 type run_init_t;
139520a2 484 ')
0c73cd25
CP		 485
486 allow $1 run_init_t:fd use;
8623d5b8
CP		 487')
488
daa0e0b0 489########################################
f7ebea06 490## <summary>
414e4151 491## Execute setfiles in the setfiles domain.
f7ebea06 492## </summary>
414e4151 493## <param name="domain">
885b83ec 494## <summary>
ac9db9b5 495## Domain allowed access.
885b83ec 496## </summary>
414e4151 497## </param>
85bd7f1f 498#
199895e2 499interface(`seutil_domtrans_setfiles',`
139520a2
CP		 500 gen_require(`
501 type setfiles_t, setfiles_exec_t;
139520a2 502 ')
0c73cd25 503
139520a2 504 files_search_usr($1)
8021cb4f 505 corecmd_search_bin($1)
c0868a7a 506 domtrans_pattern($1,setfiles_exec_t,setfiles_t)
85bd7f1f
CP		 507')
508
daa0e0b0 509########################################
f7ebea06 510## <summary>
414e4151
CP		 511## Execute setfiles in the setfiles domain, and
512## allow the specified role the setfiles domain,
513## and use the caller's terminal.
f7ebea06 514## </summary>
414e4151 515## <param name="domain">
885b83ec 516## <summary>
ac9db9b5 517## Domain allowed access.
885b83ec 518## </summary>
414e4151
CP		 519## </param>
520## <param name="role">
885b83ec 521## <summary>
414e4151 522## The role to be allowed the setfiles domain.
885b83ec 523## </summary>
414e4151 524## </param>
bbcd3c97 525## <rolecap/>
daa0e0b0 526#
199895e2 527interface(`seutil_run_setfiles',`
139520a2
CP		 528 gen_require(`
529 type setfiles_t;
139520a2 530 ')
0c73cd25 531
5e0da6a0 532 seutil_domtrans_setfiles($1)
0c73cd25 533 role $2 types setfiles_t;
daa0e0b0
CP		 534')
535
ac9db9b5
CP		 536########################################
537## <summary>
538## Execute setfiles in the caller domain.
539## </summary>
540## <param name="domain">
541## <summary>
542## Domain allowed access.
543## </summary>
544## </param>
85bd7f1f 545#
199895e2 546interface(`seutil_exec_setfiles',`
139520a2
CP		 547 gen_require(`
548 type setfiles_exec_t;
549 ')
0c73cd25 550
139520a2 551 files_search_usr($1)
8021cb4f 552 corecmd_search_bin($1)
cc41a97c 553 can_exec($1,setfiles_exec_t)
85bd7f1f
CP		 554')
555
b4cd1533 556########################################
ae9e2716
CP		 557## <summary>
558## Do not audit attempts to search the SELinux
559## configuration directory (/etc/selinux).
560## </summary>
561## <param name="domain">
885b83ec 562## <summary>
ae9e2716 563## Domain to not audit.
885b83ec 564## </summary>
ae9e2716
CP		 565## </param>
566#
567interface(`seutil_dontaudit_search_config',`
568 gen_require(`
569 type selinux_config_t;
ae9e2716
CP		 570 ')
571
932c3536 572 dontaudit $1 selinux_config_t:dir search_dir_perms;
ae9e2716
CP		 573')
574
575########################################
a0824843
CP		 576## <summary>
577## Do not audit attempts to read the SELinux
578## userland configuration (/etc/selinux).
579## </summary>
580## <param name="domain">
885b83ec 581## <summary>
a0824843 582## Domain to not audit.
885b83ec 583## </summary>
a0824843
CP		 584## </param>
585#
586interface(`seutil_dontaudit_read_config',`
587 gen_require(`
588 type selinux_config_t;
a0824843
CP		 589 ')
590
932c3536
CP		 591 dontaudit $1 selinux_config_t:dir search_dir_perms;
592 dontaudit $1 selinux_config_t:file read_file_perms;
a0824843
CP		 593')
594
595########################################
ac9db9b5
CP		 596## <summary>
597## Read the general SELinux configuration files.
598## </summary>
599## <param name="domain">
600## <summary>
601## Domain allowed access.
602## </summary>
603## </param>
bbcd3c97 604## <rolecap/>
b4cd1533 605#
199895e2 606interface(`seutil_read_config',`
139520a2
CP		 607 gen_require(`
608 type selinux_config_t;
139520a2 609 ')
0c73cd25 610
139520a2 611 files_search_etc($1)
c0868a7a
CP		 612 allow $1 selinux_config_t:dir list_dir_perms;
613 read_files_pattern($1,selinux_config_t,selinux_config_t)
614 read_lnk_files_pattern($1,selinux_config_t,selinux_config_t)
b4cd1533
CP		 615')
616
d5ae683e
CP		 617########################################
618## <summary>
619## Read and write the general SELinux configuration files.
620## </summary>
621## <param name="domain">
622## <summary>
623## Domain allowed access.
624## </summary>
625## </param>
626## <rolecap/>
627#
628interface(`seutil_rw_config',`
629 gen_require(`
630 type selinux_config_t;
631 ')
632
633 files_search_etc($1)
634 allow $1 selinux_config_t:dir list_dir_perms;
c0868a7a 635 rw_files_pattern($1,selinux_config_t,selinux_config_t)
d5ae683e
CP		 636')
637
a3cf80d8
CP		 638#######################################
639## <summary>
640## Create, read, write, and delete
53da70cd 641## the general selinux configuration files. (Deprecated)
a3cf80d8 642## </summary>
53da70cd
CP		 643## <desc>
644## <p>
645## Create, read, write, and delete
646## the general selinux configuration files.
647## </p>
648## <p>
649## This interface has been deprecated, please
650## use the seutil_manage_config() interface instead.
651## </p>
652## </desc>
a3cf80d8
CP		 653## <param name="domain">
654## <summary>
ac9db9b5 655## Domain allowed access.
a3cf80d8
CP		 656## </summary>
657## </param>
bbcd3c97 658## <rolecap/>
a3cf80d8
CP		 659#
660interface(`seutil_manage_selinux_config',`
53da70cd
CP		 661 refpolicywarn(`$0($*) has been deprecated. Please use seutil_manage_config() instead.')
662 seutil_manage_config($1)
663')
664
665#######################################
666## <summary>
667## Create, read, write, and delete
668## the general selinux configuration files.
669## </summary>
670## <param name="domain">
671## <summary>
672## Domain allowed access.
673## </summary>
674## </param>
675## <rolecap/>
676#
677interface(`seutil_manage_config',`
a3cf80d8
CP		 678 gen_require(`
679 type selinux_config_t;
680 ')
681
682 files_search_etc($1)
c0868a7a
CP		 683 manage_files_pattern($1,selinux_config_t,selinux_config_t)
684 read_lnk_files_pattern($1,selinux_config_t,selinux_config_t)
a3cf80d8
CP		 685')
686
58243805
CP		 687#######################################
688## <summary>
689## Create, read, write, and delete
690## the general selinux configuration files.
691## </summary>
692## <param name="domain">
693## <summary>
694## Domain allowed access.
695## </summary>
696## </param>
697## <rolecap/>
698#
699interface(`seutil_manage_config_dirs',`
700 gen_require(`
701 type selinux_config_t;
702 ')
703
704 files_search_etc($1)
705 allow $1 selinux_config_t:dir manage_dir_perms;
706')
707
ebdc3b79
CP		 708########################################
709## <summary>
710## Search the policy directory with default_context files.
711## </summary>
712## <param name="domain">
885b83ec 713## <summary>
ac9db9b5 714## Domain allowed access.
885b83ec 715## </summary>
ebdc3b79
CP		 716## </param>
717#
718interface(`seutil_search_default_contexts',`
719 gen_require(`
720 type selinux_config_t, default_context_t;
ebdc3b79
CP		 721 ')
722
723 files_search_etc($1)
c0868a7a 724 search_dirs_pattern($1,selinux_config_t,default_context_t)
ebdc3b79
CP		 725')
726
b4cd1533 727########################################
ac9db9b5
CP		 728## <summary>
729## Read the default_contexts files.
730## </summary>
731## <param name="domain">
732## <summary>
733## Domain allowed access.
734## </summary>
735## </param>
bbcd3c97 736## <rolecap/>
b4cd1533 737#
199895e2 738interface(`seutil_read_default_contexts',`
139520a2
CP		 739 gen_require(`
740 type selinux_config_t, default_context_t;
139520a2 741 ')
0c73cd25 742
139520a2 743 files_search_etc($1)
4bc6e32e
CP		 744 allow $1 selinux_config_t:dir search_dir_perms;
745 allow $1 default_context_t:dir list_dir_perms;
c0868a7a 746 read_files_pattern($1,default_context_t,default_context_t)
4bc6e32e
CP		 747')
748
749########################################
750## <summary>
751## Create, read, write, and delete the default_contexts files.
752## </summary>
753## <param name="domain">
754## <summary>
755## Domain allowed access.
756## </summary>
757## </param>
758#
759interface(`seutil_manage_default_contexts',`
760 gen_require(`
761 type selinux_config_t, default_context_t;
762 ')
763
764 files_search_etc($1)
765 allow $1 selinux_config_t:dir search_dir_perms;
c0868a7a 766 manage_files_pattern($1,default_context_t,default_context_t)
b4cd1533
CP		 767')
768
ee5772e4 769########################################
ac9db9b5
CP		 770## <summary>
771## Read the file_contexts files.
772## </summary>
773## <param name="domain">
774## <summary>
775## Domain allowed access.
776## </summary>
777## </param>
bbcd3c97 778## <rolecap/>
ee5772e4 779#
199895e2 780interface(`seutil_read_file_contexts',`
139520a2 781 gen_require(`
c0868a7a 782 type selinux_config_t, default_context_t, file_context_t;
139520a2 783 ')
0c73cd25 784
139520a2 785 files_search_etc($1)
c0868a7a
CP		 786 allow $1 { selinux_config_t default_context_t }:dir search_dir_perms;
787 read_files_pattern($1,file_context_t,file_context_t)
ee5772e4
CP		 788')
789
04d28610
CP		 790########################################
791## <summary>
792## Do not audit attempts to read the file_contexts files.
793## </summary>
794## <param name="domain">
795## <summary>
796## Domain allowed access.
797## </summary>
798## </param>
799## <rolecap/>
800#
801interface(`seutil_dontaudit_read_file_contexts',`
802 gen_require(`
803 type selinux_config_t, default_context_t, file_context_t;
804 ')
805
806 dontaudit $1 { selinux_config_t default_context_t file_context_t }:dir search_dir_perms;
807 dontaudit $1 file_context_t:file read_file_perms;
808')
809
8cf67141
CP		 810########################################
811## <summary>
812## Read and write the file_contexts files.
813## </summary>
814## <param name="domain">
815## <summary>
816## Domain allowed access.
817## </summary>
818## </param>
819#
820interface(`seutil_rw_file_contexts',`
821 gen_require(`
8f3a0a95 822 type selinux_config_t, file_context_t, default_context_t;
8cf67141
CP		 823 ')
824
825 files_search_etc($1)
c0868a7a
CP		 826 allow $1 { selinux_config_t default_context_t }:dir search_dir_perms;
827 rw_files_pattern($1,file_context_t,file_context_t)
8cf67141
CP		 828')
829
55b19055
CP		 830########################################
831## <summary>
832## Create, read, write, and delete the file_contexts files.
833## </summary>
834## <param name="domain">
835## <summary>
836## Domain allowed access.
837## </summary>
838## </param>
bbcd3c97 839## <rolecap/>
55b19055
CP		 840#
841interface(`seutil_manage_file_contexts',`
842 gen_require(`
8f3a0a95 843 type selinux_config_t, file_context_t, default_context_t;
55b19055
CP		 844 ')
845
846 files_search_etc($1)
4bc6e32e 847 allow $1 { selinux_config_t default_context_t }:dir search_dir_perms;
c0868a7a 848 manage_files_pattern($1,file_context_t,file_context_t)
55b19055
CP		 849')
850
b4cd1533 851########################################
ac9db9b5
CP		 852## <summary>
853## Read the SELinux binary policy.
854## </summary>
855## <param name="domain">
856## <summary>
857## Domain allowed access.
858## </summary>
859## </param>
b4cd1533 860#
1815bad1 861interface(`seutil_read_bin_policy',`
139520a2
CP		 862 gen_require(`
863 type selinux_config_t, policy_config_t;
139520a2 864 ')
0c73cd25 865
139520a2 866 files_search_etc($1)
c0868a7a
CP		 867 allow $1 selinux_config_t:dir search_dir_perms;
868 read_files_pattern($1,policy_config_t,policy_config_t)
b4cd1533
CP		 869')
870
b4cd1533 871########################################
ac9db9b5
CP		 872## <summary>
873## Create the SELinux binary policy.
874## </summary>
875## <param name="domain">
876## <summary>
877## Domain allowed access.
878## </summary>
879## </param>
b4cd1533 880#
1815bad1 881interface(`seutil_create_bin_policy',`
139520a2 882 gen_require(`
15fefa49 883# attribute can_write_binary_policy;
139520a2 884 type selinux_config_t, policy_config_t;
139520a2 885 ')
0c73cd25 886
139520a2 887 files_search_etc($1)
c0868a7a
CP		 888 allow $1 selinux_config_t:dir search_dir_perms;
889 create_files_pattern($1,policy_config_t,policy_config_t)
890 write_files_pattern($1,policy_config_t,policy_config_t)
15fefa49 891# typeattribute $1 can_write_binary_policy;
b4cd1533
CP		 892')
893
efd8ede3 894########################################
f7ebea06 895## <summary>
414e4151 896## Allow the caller to relabel a file to the binary policy type.
f7ebea06 897## </summary>
414e4151 898## <param name="domain">
885b83ec 899## <summary>
ac9db9b5 900## Domain allowed access.
885b83ec 901## </summary>
414e4151 902## </param>
efd8ede3 903#
1815bad1 904interface(`seutil_relabelto_bin_policy',`
139520a2
CP		 905 gen_require(`
906 attribute can_relabelto_binary_policy;
907 type policy_config_t;
139520a2 908 ')
0c73cd25
CP		 909
910 allow $1 policy_config_t:file relabelto;
911 typeattribute $1 can_relabelto_binary_policy;
efd8ede3
CP		 912')
913
ef373408 914########################################
ac9db9b5
CP		 915## <summary>
916## Create, read, write, and delete the SELinux
917## binary policy.
918## </summary>
919## <param name="domain">
920## <summary>
921## Domain allowed access.
922## </summary>
923## </param>
ef373408 924#
1815bad1 925interface(`seutil_manage_bin_policy',`
139520a2
CP		 926 gen_require(`
927 attribute can_write_binary_policy;
928 type selinux_config_t, policy_config_t;
139520a2
CP		 929 ')
930
931 files_search_etc($1)
c0868a7a
CP		 932 allow $1 selinux_config_t:dir search_dir_perms;
933 manage_files_pattern($1,policy_config_t,policy_config_t)
0c73cd25 934 typeattribute $1 can_write_binary_policy;
ef373408
CP		 935')
936
ef373408 937########################################
ac9db9b5
CP		 938## <summary>
939## Read SELinux policy source files.
940## </summary>
941## <param name="domain">
942## <summary>
943## Domain allowed access.
944## </summary>
945## </param>
ef373408 946#
1815bad1 947interface(`seutil_read_src_policy',`
139520a2
CP		 948 gen_require(`
949 type selinux_config_t, policy_src_t;
139520a2 950 ')
0c73cd25 951
139520a2 952 files_search_etc($1)
c0868a7a
CP		 953 list_dirs_pattern($1,selinux_config_t,policy_src_t)
954 read_files_pattern($1,policy_src_t,policy_src_t)
ef373408
CP		 955')
956
ef373408 957########################################
ac9db9b5
CP		 958## <summary>
959## Create, read, write, and delete SELinux
960## policy source files.
961## </summary>
962## <param name="domain">
963## <summary>
964## Domain allowed access.
965## </summary>
966## </param>
bbcd3c97 967## <rolecap/>
ef373408 968#
1815bad1 969interface(`seutil_manage_src_policy',`
139520a2
CP		 970 gen_require(`
971 type selinux_config_t, policy_src_t;
139520a2 972 ')
0c73cd25 973
139520a2 974 files_search_etc($1)
c0868a7a
CP		 975 allow $1 selinux_config_t:dir search_dir_perms;
976 manage_dirs_pattern($1,policy_src_t,policy_src_t)
977 manage_files_pattern($1,policy_src_t,policy_src_t)
ef373408 978')
02bcb8b3
CP		 979
980########################################
981## <summary>
982## Execute a domain transition to run semanage.
983## </summary>
984## <param name="domain">
985## <summary>
986## Domain allowed to transition.
987## </summary>
988## </param>
989#
990interface(`seutil_domtrans_semanage',`
991 gen_require(`
992 type semanage_t, semanage_exec_t;
993 ')
994
995 files_search_usr($1)
996 corecmd_search_bin($1)
c0868a7a 997 domtrans_pattern($1,semanage_exec_t,semanage_t)
02bcb8b3
CP		 998')
999
1000########################################
1001## <summary>
1002## Execute semanage in the semanage domain, and
1003## allow the specified role the semanage domain,
1004## and use the caller's terminal.
1005## </summary>
1006## <param name="domain">
1007## <summary>
ac9db9b5 1008## Domain allowed access.
02bcb8b3
CP		 1009## </summary>
1010## </param>
1011## <param name="role">
1012## <summary>
1013## The role to be allowed the checkpolicy domain.
1014## </summary>
1015## </param>
bbcd3c97 1016## <rolecap/>
02bcb8b3
CP		 1017#
1018interface(`seutil_run_semanage',`
1019 gen_require(`
1020 type semanage_t;
1021 ')
1022
1023 seutil_domtrans_semanage($1)
296273a7
CP		 1024 seutil_run_setfiles(semanage_t, $2)
1025 seutil_run_loadpolicy(semanage_t, $2)
02bcb8b3 1026 role $2 types semanage_t;
02bcb8b3
CP		 1027')
1028
1029########################################
1030## <summary>
1031## Full management of the semanage
1032## module store.
1033## </summary>
1034## <param name="domain">
1035## <summary>
1036## Domain allowed access.
1037## </summary>
1038## </param>
1039#
1040interface(`seutil_manage_module_store',`
1041 gen_require(`
1042 type selinux_config_t, semanage_store_t;
1043 ')
1044
1045 files_search_etc($1)
c0868a7a
CP		 1046 manage_dirs_pattern($1,selinux_config_t,semanage_store_t)
1047 manage_files_pattern($1,semanage_store_t,semanage_store_t)
1048 filetrans_pattern($1,selinux_config_t,semanage_store_t,dir)
02bcb8b3
CP		 1049')
1050
1051#######################################
1052## <summary>
1053## Get read lock on module store
1054## </summary>
1055## <param name="domain">
1056## <summary>
ac9db9b5 1057## Domain allowed access.
02bcb8b3
CP		 1058## </summary>
1059## </param>
1060#
1061interface(`seutil_get_semanage_read_lock',`
1062 gen_require(`
1063 type selinux_config_t, semanage_read_lock_t;
1064 ')
1065
1066 files_search_etc($1)
c0868a7a 1067 rw_files_pattern($1,selinux_config_t,semanage_read_lock_t)
02bcb8b3
CP		 1068')
1069
1070#######################################
1071## <summary>
1072## Get trans lock on module store
1073## </summary>
1074## <param name="domain">
1075## <summary>
ac9db9b5 1076## Domain allowed access.
02bcb8b3
CP		 1077## </summary>
1078## </param>
1079#
1080interface(`seutil_get_semanage_trans_lock',`
1081 gen_require(`
1082 type selinux_config_t, semanage_trans_lock_t;
1083 ')
1084
1085 files_search_etc($1)
c0868a7a 1086 rw_files_pattern($1,selinux_config_t,semanage_trans_lock_t)
02bcb8b3 1087')
eeef8dc4
CP		 1088
1089########################################
1090## <summary>
1091## SELinux-enabled program access for
1092## libselinux-linked programs.
1093## </summary>
1094## <desc>
1095## <p>
1096## SELinux-enabled programs are typically
1097## linked to the libselinux library. This
1098## interface will allow access required for
1099## the libselinux constructor to function.
1100## </p>
1101## </desc>
1102## <param name="domain">
1103## <summary>
1104## Domain allowed access.
1105## </summary>
1106## </param>
1107#
1108interface(`seutil_libselinux_linked',`
1109 selinux_get_fs_mount($1)
1110 seutil_read_config($1)
1111')
1112
1113########################################
1114## <summary>
1115## Do not audit SELinux-enabled program access for
1116## libselinux-linked programs.
1117## </summary>
1118## <desc>
1119## <p>
1120## SELinux-enabled programs are typically
1121## linked to the libselinux library. This
1122## interface will dontaudit access required for
1123## the libselinux constructor to function.
1124## </p>
1125## <p>
1126## Generally this should not be used on anything
1127## but simple SELinux-enabled programs that do not
1128## rely on data initialized by the libselinux
1129## constructor.
1130## </p>
1131## </desc>
1132## <param name="domain">
1133## <summary>
1134## Domain allowed access.
1135## </summary>
1136## </param>
1137#
1138interface(`seutil_dontaudit_libselinux_linked',`
1139 selinux_dontaudit_get_fs_mount($1)
1140 seutil_dontaudit_read_config($1)
1141')
The IPFire selinux policy.