Commit | Line | Data |
---|---|---|
162a57e5 | 1 | ## <summary>Policy for SELinux policy and userland applications.</summary> |
e181fe05 | 2 | |
85bd7f1f | 3 | ####################################### |
f7ebea06 | 4 | ## <summary> |
414e4151 | 5 | ## Execute checkpolicy in the checkpolicy domain. |
f7ebea06 | 6 | ## </summary> |
414e4151 | 7 | ## <param name="domain"> |
885b83ec | 8 | ## <summary> |
ac9db9b5 | 9 | ## Domain allowed access. |
885b83ec | 10 | ## </summary> |
414e4151 | 11 | ## </param> |
85bd7f1f | 12 | # |
1815bad1 | 13 | interface(`seutil_domtrans_checkpolicy',` |
139520a2 CP |
14 | gen_require(` |
15 | type checkpolicy_t, checkpolicy_exec_t; | |
139520a2 | 16 | ') |
0c73cd25 | 17 | |
139520a2 CP |
18 | files_search_usr($1) |
19 | corecmd_search_bin($1) | |
c0868a7a | 20 | domtrans_pattern($1,checkpolicy_exec_t,checkpolicy_t) |
85bd7f1f CP |
21 | ') |
22 | ||
daa0e0b0 | 23 | ######################################## |
f7ebea06 | 24 | ## <summary> |
414e4151 CP |
25 | ## Execute checkpolicy in the checkpolicy domain, and |
26 | ## allow the specified role the checkpolicy domain, | |
27 | ## and use the caller's terminal. | |
f7ebea06 | 28 | ## </summary> |
414e4151 | 29 | ## <param name="domain"> |
885b83ec | 30 | ## <summary> |
ac9db9b5 | 31 | ## Domain allowed access. |
885b83ec | 32 | ## </summary> |
414e4151 CP |
33 | ## </param> |
34 | ## <param name="role"> | |
885b83ec | 35 | ## <summary> |
414e4151 | 36 | ## The role to be allowed the checkpolicy domain. |
885b83ec | 37 | ## </summary> |
414e4151 | 38 | ## </param> |
bbcd3c97 | 39 | ## <rolecap/> |
daa0e0b0 | 40 | # |
1815bad1 | 41 | interface(`seutil_run_checkpolicy',` |
139520a2 CP |
42 | gen_require(` |
43 | type checkpolicy_t; | |
139520a2 | 44 | ') |
0c73cd25 | 45 | |
1815bad1 | 46 | seutil_domtrans_checkpolicy($1) |
0c73cd25 | 47 | role $2 types checkpolicy_t; |
daa0e0b0 CP |
48 | ') |
49 | ||
ac9db9b5 CP |
50 | ######################################## |
51 | ## <summary> | |
52 | ## Execute checkpolicy in the caller domain. | |
53 | ## </summary> | |
54 | ## <param name="domain"> | |
55 | ## <summary> | |
56 | ## Domain allowed access. | |
57 | ## </summary> | |
58 | ## </param> | |
bbcd3c97 | 59 | ## <rolecap/> |
85bd7f1f | 60 | # |
1815bad1 | 61 | interface(`seutil_exec_checkpolicy',` |
139520a2 CP |
62 | gen_require(` |
63 | type checkpolicy_exec_t; | |
64 | ') | |
0c73cd25 | 65 | |
139520a2 CP |
66 | files_search_usr($1) |
67 | corecmd_search_bin($1) | |
cc41a97c | 68 | can_exec($1,checkpolicy_exec_t) |
85bd7f1f CP |
69 | ') |
70 | ||
85bd7f1f | 71 | ####################################### |
f7ebea06 | 72 | ## <summary> |
414e4151 | 73 | ## Execute load_policy in the load_policy domain. |
f7ebea06 | 74 | ## </summary> |
414e4151 | 75 | ## <param name="domain"> |
885b83ec | 76 | ## <summary> |
ac9db9b5 | 77 | ## Domain allowed access. |
885b83ec | 78 | ## </summary> |
414e4151 | 79 | ## </param> |
85bd7f1f | 80 | # |
1815bad1 | 81 | interface(`seutil_domtrans_loadpolicy',` |
139520a2 CP |
82 | gen_require(` |
83 | type load_policy_t, load_policy_exec_t; | |
139520a2 | 84 | ') |
0c73cd25 | 85 | |
8021cb4f | 86 | corecmd_search_bin($1) |
c0868a7a | 87 | domtrans_pattern($1,load_policy_exec_t,load_policy_t) |
85bd7f1f CP |
88 | ') |
89 | ||
daa0e0b0 | 90 | ######################################## |
f7ebea06 | 91 | ## <summary> |
414e4151 CP |
92 | ## Execute load_policy in the load_policy domain, and |
93 | ## allow the specified role the load_policy domain, | |
94 | ## and use the caller's terminal. | |
f7ebea06 | 95 | ## </summary> |
414e4151 | 96 | ## <param name="domain"> |
885b83ec | 97 | ## <summary> |
ac9db9b5 | 98 | ## Domain allowed access. |
885b83ec | 99 | ## </summary> |
414e4151 CP |
100 | ## </param> |
101 | ## <param name="role"> | |
885b83ec | 102 | ## <summary> |
414e4151 | 103 | ## The role to be allowed the load_policy domain. |
885b83ec | 104 | ## </summary> |
414e4151 | 105 | ## </param> |
bbcd3c97 | 106 | ## <rolecap/> |
daa0e0b0 | 107 | # |
1815bad1 | 108 | interface(`seutil_run_loadpolicy',` |
139520a2 CP |
109 | gen_require(` |
110 | type load_policy_t; | |
139520a2 | 111 | ') |
0c73cd25 | 112 | |
1815bad1 | 113 | seutil_domtrans_loadpolicy($1) |
0c73cd25 | 114 | role $2 types load_policy_t; |
daa0e0b0 CP |
115 | ') |
116 | ||
ac9db9b5 CP |
117 | ######################################## |
118 | ## <summary> | |
119 | ## Execute load_policy in the caller domain. | |
120 | ## </summary> | |
121 | ## <param name="domain"> | |
122 | ## <summary> | |
123 | ## Domain allowed access. | |
124 | ## </summary> | |
125 | ## </param> | |
85bd7f1f | 126 | # |
1815bad1 | 127 | interface(`seutil_exec_loadpolicy',` |
139520a2 CP |
128 | gen_require(` |
129 | type load_policy_exec_t; | |
130 | ') | |
0c73cd25 | 131 | |
8021cb4f | 132 | corecmd_search_bin($1) |
cc41a97c | 133 | can_exec($1,load_policy_exec_t) |
85bd7f1f CP |
134 | ') |
135 | ||
ac9db9b5 CP |
136 | ######################################## |
137 | ## <summary> | |
138 | ## Read the load_policy program file. | |
139 | ## </summary> | |
140 | ## <param name="domain"> | |
141 | ## <summary> | |
142 | ## Domain allowed access. | |
143 | ## </summary> | |
144 | ## </param> | |
85bd7f1f | 145 | # |
1815bad1 | 146 | interface(`seutil_read_loadpolicy',` |
139520a2 CP |
147 | gen_require(` |
148 | type load_policy_exec_t; | |
139520a2 | 149 | ') |
0c73cd25 | 150 | |
8021cb4f | 151 | corecmd_search_bin($1) |
c0868a7a | 152 | allow $1 load_policy_exec_t:file read_file_perms; |
85bd7f1f CP |
153 | ') |
154 | ||
85bd7f1f | 155 | ####################################### |
f7ebea06 | 156 | ## <summary> |
296273a7 | 157 | ## Execute newrole in the newrole domain. |
f7ebea06 | 158 | ## </summary> |
414e4151 | 159 | ## <param name="domain"> |
885b83ec | 160 | ## <summary> |
ac9db9b5 | 161 | ## Domain allowed access. |
885b83ec | 162 | ## </summary> |
414e4151 | 163 | ## </param> |
85bd7f1f | 164 | # |
199895e2 | 165 | interface(`seutil_domtrans_newrole',` |
139520a2 CP |
166 | gen_require(` |
167 | type newrole_t, newrole_exec_t; | |
139520a2 | 168 | ') |
0c73cd25 | 169 | |
139520a2 CP |
170 | files_search_usr($1) |
171 | corecmd_search_bin($1) | |
c0868a7a | 172 | domtrans_pattern($1,newrole_exec_t,newrole_t) |
85bd7f1f CP |
173 | ') |
174 | ||
daa0e0b0 | 175 | ######################################## |
f7ebea06 | 176 | ## <summary> |
414e4151 CP |
177 | ## Execute newrole in the newrole domain, and |
178 | ## allow the specified role the newrole domain, | |
179 | ## and use the caller's terminal. | |
f7ebea06 | 180 | ## </summary> |
414e4151 | 181 | ## <param name="domain"> |
885b83ec | 182 | ## <summary> |
ac9db9b5 | 183 | ## Domain allowed access. |
885b83ec | 184 | ## </summary> |
414e4151 CP |
185 | ## </param> |
186 | ## <param name="role"> | |
885b83ec | 187 | ## <summary> |
414e4151 | 188 | ## The role to be allowed the newrole domain. |
885b83ec | 189 | ## </summary> |
414e4151 | 190 | ## </param> |
bbcd3c97 | 191 | ## <rolecap/> |
daa0e0b0 | 192 | # |
199895e2 | 193 | interface(`seutil_run_newrole',` |
139520a2 CP |
194 | gen_require(` |
195 | type newrole_t; | |
139520a2 | 196 | ') |
0c73cd25 | 197 | |
5e0da6a0 | 198 | seutil_domtrans_newrole($1) |
0c73cd25 | 199 | role $2 types newrole_t; |
c2b87f2a | 200 | |
296273a7 | 201 | auth_run_upd_passwd(newrole_t, $2) |
daa0e0b0 CP |
202 | ') |
203 | ||
ac9db9b5 CP |
204 | ######################################## |
205 | ## <summary> | |
206 | ## Execute newrole in the caller domain. | |
207 | ## </summary> | |
208 | ## <param name="domain"> | |
209 | ## <summary> | |
210 | ## Domain allowed access. | |
211 | ## </summary> | |
212 | ## </param> | |
85bd7f1f | 213 | # |
199895e2 | 214 | interface(`seutil_exec_newrole',` |
139520a2 CP |
215 | gen_require(` |
216 | type newrole_t, newrole_exec_t; | |
217 | ') | |
0c73cd25 | 218 | |
139520a2 CP |
219 | files_search_usr($1) |
220 | corecmd_search_bin($1) | |
cc41a97c | 221 | can_exec($1,newrole_exec_t) |
85bd7f1f CP |
222 | ') |
223 | ||
daa0e0b0 | 224 | ######################################## |
f7ebea06 | 225 | ## <summary> |
414e4151 CP |
226 | ## Do not audit attempts by the caller to send
227 | ## a signal to newrole. | |
f7ebea06 | 228 | ## </summary> |
414e4151 | 229 | ## <param name="domain"> |
885b83ec | 230 | ## <summary> |
ac9db9b5 | 231 | ## Domain to not audit. |
885b83ec | 232 | ## </summary> |
414e4151 | 233 | ## </param> |
daa0e0b0 | 234 | # |
8fd36732 | 235 | interface(`seutil_dontaudit_signal_newrole',` |
139520a2 CP |
236 | gen_require(` |
237 | type newrole_t; | |
139520a2 | 238 | ') |
0c73cd25 CP |
239 | |
240 | dontaudit $1 newrole_t:process signal; | |
daa0e0b0 CP |
241 | ') |
242 | ||
ac9db9b5 CP |
243 | ######################################## |
244 | ## <summary> | |
245 | ## Send a SIGCHLD signal to newrole. | |
246 | ## </summary> | |
247 | ## <param name="domain"> | |
248 | ## <summary> | |
249 | ## Domain allowed access. | |
250 | ## </summary> | |
251 | ## </param> | |
85bd7f1f | 252 | # |
8fd36732 | 253 | interface(`seutil_sigchld_newrole',` |
139520a2 CP |
254 | gen_require(` |
255 | type newrole_t; | |
139520a2 | 256 | ') |
0c73cd25 CP |
257 | |
258 | allow $1 newrole_t:process sigchld; | |
85bd7f1f CP |
259 | ') |
260 | ||
ac9db9b5 CP |
261 | ######################################## |
262 | ## <summary> | |
263 | ## Inherit and use newrole file descriptors. | |
264 | ## </summary> | |
265 | ## <param name="domain"> | |
266 | ## <summary> | |
267 | ## Domain allowed access. | |
268 | ## </summary> | |
269 | ## </param> | |
ab64c30f | 270 | # |
15722ec9 | 271 | interface(`seutil_use_newrole_fds',` |
139520a2 CP |
272 | gen_require(` |
273 | type newrole_t; | |
139520a2 | 274 | ') |
0c73cd25 CP |
275 | |
276 | allow $1 newrole_t:fd use; | |
ab64c30f CP |
277 | ') |
278 | ||
296273a7 CP |
279 | ######################################## |
280 | ## <summary> | |
281 | ## Do not audit attempts to inherit and use | |
282 | ## newrole file descriptors. | |
283 | ## </summary> | |
284 | ## <param name="domain"> | |
285 | ## <summary> | |
286 | ## Domain to not audit. | |
287 | ## </summary> | |
288 | ## </param> | |
289 | # | |
290 | interface(`seutil_dontaudit_use_newrole_fds',` | |
291 | gen_require(` | |
292 | type newrole_t; | |
293 | ') | |
294 | ||
295 | dontaudit $1 newrole_t:fd use; | |
296 | ') | |
297 | ||
85bd7f1f | 298 | ####################################### |
f7ebea06 | 299 | ## <summary> |
762d2cb9 | 300 | ## Execute restorecon in the restorecon domain. (Deprecated) |
f7ebea06 | 301 | ## </summary> |
414e4151 | 302 | ## <param name="domain"> |
885b83ec | 303 | ## <summary> |
ac9db9b5 | 304 | ## Domain allowed access. |
885b83ec | 305 | ## </summary> |
414e4151 | 306 | ## </param> |
85bd7f1f | 307 | # |
199895e2 | 308 | interface(`seutil_domtrans_restorecon',` |
762d2cb9 CP |
309 | refpolicywarn(`$0($*) has been deprecated, please use seutil_domtrans_setfiles() instead.') |
310 | seutil_domtrans_setfiles($1) | |
85bd7f1f CP |
311 | ') |
312 | ||
daa0e0b0 | 313 | ######################################## |
f7ebea06 | 314 | ## <summary> |
414e4151 CP |
315 | ## Execute restorecon in the restorecon domain, and |
316 | ## allow the specified role the restorecon domain, | |
762d2cb9 | 317 | ## and use the caller's terminal. (Deprecated) |
f7ebea06 | 318 | ## </summary> |
414e4151 | 319 | ## <param name="domain"> |
885b83ec | 320 | ## <summary> |
ac9db9b5 | 321 | ## Domain allowed access. |
885b83ec | 322 | ## </summary> |
414e4151 CP |
323 | ## </param> |
324 | ## <param name="role"> | |
885b83ec | 325 | ## <summary> |
414e4151 | 326 | ## The role to be allowed the restorecon domain. |
885b83ec | 327 | ## </summary> |
414e4151 | 328 | ## </param> |
bbcd3c97 | 329 | ## <rolecap/> |
daa0e0b0 | 330 | # |
199895e2 | 331 | interface(`seutil_run_restorecon',` |
762d2cb9 | 332 | refpolicywarn(`$0($*) has been deprecated, please use seutil_run_setfiles() instead.') |
296273a7 | 333 | seutil_run_setfiles($1,$2) |
daa0e0b0 CP |
334 | ') |
335 | ||
ac9db9b5 CP |
336 | ######################################## |
337 | ## <summary> | |
762d2cb9 | 338 | ## Execute restorecon in the caller domain. (Deprecated) |
ac9db9b5 CP |
339 | ## </summary> |
340 | ## <param name="domain"> | |
341 | ## <summary> | |
342 | ## Domain allowed access. | |
343 | ## </summary> | |
344 | ## </param> | |
bbcd3c97 | 345 | ## <rolecap/> |
85bd7f1f | 346 | # |
199895e2 | 347 | interface(`seutil_exec_restorecon',` |
762d2cb9 CP |
348 | refpolicywarn(`$0($*) has been deprecated, please use seutil_exec_setfiles() instead.') |
349 | seutil_exec_setfiles($1) | |
85bd7f1f CP |
350 | ') |
351 | ||
8623d5b8 | 352 | ######################################## |
f7ebea06 | 353 | ## <summary> |
414e4151 | 354 | ## Execute run_init in the run_init domain. |
f7ebea06 | 355 | ## </summary> |
414e4151 | 356 | ## <param name="domain"> |
885b83ec | 357 | ## <summary> |
ac9db9b5 | 358 | ## Domain allowed access. |
885b83ec | 359 | ## </summary> |
414e4151 | 360 | ## </param> |
8623d5b8 | 361 | # |
199895e2 | 362 | interface(`seutil_domtrans_runinit',` |
139520a2 CP |
363 | gen_require(` |
364 | type run_init_t, run_init_exec_t; | |
139520a2 | 365 | ') |
0c73cd25 | 366 | |
139520a2 | 367 | files_search_usr($1) |
8021cb4f | 368 | corecmd_search_bin($1) |
c0868a7a | 369 | domtrans_pattern($1,run_init_exec_t,run_init_t) |
8623d5b8 CP |
370 | ') |
371 | ||
2283dc74 CP |
372 | ######################################## |
373 | ## <summary> | |
374 | ## Execute init scripts in the run_init domain. | |
375 | ## </summary> | |
376 | ## <desc> | |
377 | ## <p> | |
378 | ## Execute init scripts in the run_init domain. | |
379 | ## This is used for the Gentoo integrated run_init. | |
380 | ## </p> | |
381 | ## </desc> | |
382 | ## <param name="domain"> | |
383 | ## <summary> | |
384 | ## Domain allowed access. | |
385 | ## </summary> | |
386 | ## </param> | |
387 | # | |
388 | interface(`seutil_init_script_domtrans_runinit',` | |
389 | gen_require(` | |
390 | type run_init_t; | |
391 | ') | |
392 | ||
393 | init_script_file_domtrans($1,run_init_t) | |
394 | ||
2283dc74 CP |
395 | allow run_init_t $1:fd use; |
396 | allow run_init_t $1:fifo_file rw_file_perms; | |
397 | allow run_init_t $1:process sigchld; | |
398 | ') | |
399 | ||
daa0e0b0 | 400 | ######################################## |
f7ebea06 | 401 | ## <summary> |
414e4151 CP |
402 | ## Execute run_init in the run_init domain, and |
403 | ## allow the specified role the run_init domain, | |
404 | ## and use the caller's terminal. | |
f7ebea06 | 405 | ## </summary> |
414e4151 | 406 | ## <param name="domain"> |
885b83ec | 407 | ## <summary> |
ac9db9b5 | 408 | ## Domain allowed access. |
885b83ec | 409 | ## </summary> |
414e4151 CP |
410 | ## </param> |
411 | ## <param name="role"> | |
885b83ec | 412 | ## <summary> |
414e4151 | 413 | ## The role to be allowed the run_init domain. |
885b83ec | 414 | ## </summary> |
414e4151 | 415 | ## </param> |
bbcd3c97 | 416 | ## <rolecap/> |
daa0e0b0 | 417 | # |
199895e2 | 418 | interface(`seutil_run_runinit',` |
139520a2 CP |
419 | gen_require(` |
420 | type run_init_t; | |
a49e2bd3 | 421 | role system_r; |
139520a2 | 422 | ') |
0c73cd25 | 423 | |
296273a7 | 424 | auth_run_chk_passwd(run_init_t, $2) |
5e0da6a0 | 425 | seutil_domtrans_runinit($1) |
0c73cd25 | 426 | role $2 types run_init_t; |
296273a7 | 427 | |
a49e2bd3 | 428 | allow $2 system_r; |
daa0e0b0 CP |
429 | ') |
430 | ||
2283dc74 CP |
431 | ######################################## |
432 | ## <summary> | |
433 | ## Execute init scripts in the run_init domain, and | |
434 | ## allow the specified role the run_init domain, | |
435 | ## and use the caller's terminal. | |
436 | ## </summary> | |
437 | ## <desc> | |
438 | ## <p> | |
439 | ## Execute init scripts in the run_init domain, and | |
440 | ## allow the specified role the run_init domain, | |
441 | ## and use the caller's terminal. | |
442 | ## </p> | |
443 | ## <p> | |
444 | ## This is used for the Gentoo integrated run_init. | |
445 | ## </p> | |
446 | ## </desc> | |
447 | ## <param name="domain"> | |
448 | ## <summary> | |
ac9db9b5 | 449 | ## Domain allowed access. |
2283dc74 CP |
450 | ## </summary> |
451 | ## </param> | |
452 | ## <param name="role"> | |
453 | ## <summary> | |
454 | ## The role to be allowed the run_init domain. | |
455 | ## </summary> | |
456 | ## </param> | |
2283dc74 CP |
457 | # |
458 | interface(`seutil_init_script_run_runinit',` | |
459 | gen_require(` | |
460 | type run_init_t; | |
461 | role system_r; | |
462 | ') | |
463 | ||
296273a7 | 464 | auth_run_chk_passwd(run_init_t, $2) |
2283dc74 CP |
465 | seutil_init_script_domtrans_runinit($1) |
466 | role $2 types run_init_t; | |
296273a7 | 467 | |
2283dc74 CP |
468 | allow $2 system_r; |
469 | ') | |
470 | ||
8623d5b8 | 471 | ######################################## |
ac9db9b5 CP |
472 | ## <summary> |
473 | ## Inherit and use run_init file descriptors. | |
474 | ## </summary> | |
475 | ## <param name="domain"> | |
476 | ## <summary> | |
477 | ## Domain allowed access. | |
478 | ## </summary> | |
479 | ## </param> | |
8623d5b8 | 480 | # |
15722ec9 | 481 | interface(`seutil_use_runinit_fds',` |
139520a2 CP |
482 | gen_require(` |
483 | type run_init_t; | |
139520a2 | 484 | ') |
0c73cd25 CP |
485 | |
486 | allow $1 run_init_t:fd use; | |
8623d5b8 CP |
487 | ') |
488 | ||
daa0e0b0 | 489 | ######################################## |
f7ebea06 | 490 | ## <summary> |
414e4151 | 491 | ## Execute setfiles in the setfiles domain. |
f7ebea06 | 492 | ## </summary> |
414e4151 | 493 | ## <param name="domain"> |
885b83ec | 494 | ## <summary> |
ac9db9b5 | 495 | ## Domain allowed access. |
885b83ec | 496 | ## </summary> |
414e4151 | 497 | ## </param> |
85bd7f1f | 498 | # |
199895e2 | 499 | interface(`seutil_domtrans_setfiles',` |
139520a2 CP |
500 | gen_require(` |
501 | type setfiles_t, setfiles_exec_t; | |
139520a2 | 502 | ') |
0c73cd25 | 503 | |
139520a2 | 504 | files_search_usr($1) |
8021cb4f | 505 | corecmd_search_bin($1) |
c0868a7a | 506 | domtrans_pattern($1,setfiles_exec_t,setfiles_t) |
85bd7f1f CP |
507 | ') |
508 | ||
daa0e0b0 | 509 | ######################################## |
f7ebea06 | 510 | ## <summary> |
414e4151 CP |
511 | ## Execute setfiles in the setfiles domain, and |
512 | ## allow the specified role the setfiles domain, | |
513 | ## and use the caller's terminal. | |
f7ebea06 | 514 | ## </summary> |
414e4151 | 515 | ## <param name="domain"> |
885b83ec | 516 | ## <summary> |
ac9db9b5 | 517 | ## Domain allowed access. |
885b83ec | 518 | ## </summary> |
414e4151 CP |
519 | ## </param> |
520 | ## <param name="role"> | |
885b83ec | 521 | ## <summary> |
414e4151 | 522 | ## The role to be allowed the setfiles domain. |
885b83ec | 523 | ## </summary> |
414e4151 | 524 | ## </param> |
bbcd3c97 | 525 | ## <rolecap/> |
daa0e0b0 | 526 | # |
199895e2 | 527 | interface(`seutil_run_setfiles',` |
139520a2 CP |
528 | gen_require(` |
529 | type setfiles_t; | |
139520a2 | 530 | ') |
0c73cd25 | 531 | |
5e0da6a0 | 532 | seutil_domtrans_setfiles($1) |
0c73cd25 | 533 | role $2 types setfiles_t; |
daa0e0b0 CP |
534 | ') |
535 | ||
ac9db9b5 CP |
536 | ######################################## |
537 | ## <summary> | |
538 | ## Execute setfiles in the caller domain. | |
539 | ## </summary> | |
540 | ## <param name="domain"> | |
541 | ## <summary> | |
542 | ## Domain allowed access. | |
543 | ## </summary> | |
544 | ## </param> | |
85bd7f1f | 545 | # |
199895e2 | 546 | interface(`seutil_exec_setfiles',` |
139520a2 CP |
547 | gen_require(` |
548 | type setfiles_exec_t; | |
549 | ') | |
0c73cd25 | 550 | |
139520a2 | 551 | files_search_usr($1) |
8021cb4f | 552 | corecmd_search_bin($1) |
cc41a97c | 553 | can_exec($1,setfiles_exec_t) |
85bd7f1f CP |
554 | ') |
555 | ||
b4cd1533 | 556 | ######################################## |
ae9e2716 CP |
557 | ## <summary> |
558 | ## Do not audit attempts to search the SELinux | |
559 | ## configuration directory (/etc/selinux). | |
560 | ## </summary> | |
561 | ## <param name="domain"> | |
885b83ec | 562 | ## <summary> |
ae9e2716 | 563 | ## Domain to not audit. |
885b83ec | 564 | ## </summary> |
ae9e2716 CP |
565 | ## </param> |
566 | # | |
567 | interface(`seutil_dontaudit_search_config',` | |
568 | gen_require(` | |
569 | type selinux_config_t; | |
ae9e2716 CP |
570 | ') |
571 | ||
932c3536 | 572 | dontaudit $1 selinux_config_t:dir search_dir_perms; |
ae9e2716 CP |
573 | ') |
574 | ||
575 | ######################################## | |
a0824843 CP |
576 | ## <summary> |
577 | ## Do not audit attempts to read the SELinux | |
578 | ## userland configuration (/etc/selinux). | |
579 | ## </summary> | |
580 | ## <param name="domain"> | |
885b83ec | 581 | ## <summary> |
a0824843 | 582 | ## Domain to not audit. |
885b83ec | 583 | ## </summary> |
a0824843 CP |
584 | ## </param> |
585 | # | |
586 | interface(`seutil_dontaudit_read_config',` | |
587 | gen_require(` | |
588 | type selinux_config_t; | |
a0824843 CP |
589 | ') |
590 | ||
932c3536 CP |
591 | dontaudit $1 selinux_config_t:dir search_dir_perms; |
592 | dontaudit $1 selinux_config_t:file read_file_perms; | |
a0824843 CP |
593 | ') |
594 | ||
595 | ######################################## | |
ac9db9b5 CP |
596 | ## <summary> |
597 | ## Read the general SELinux configuration files. | |
598 | ## </summary> | |
599 | ## <param name="domain"> | |
600 | ## <summary> | |
601 | ## Domain allowed access. | |
602 | ## </summary> | |
603 | ## </param> | |
bbcd3c97 | 604 | ## <rolecap/> |
b4cd1533 | 605 | # |
199895e2 | 606 | interface(`seutil_read_config',` |
139520a2 CP |
607 | gen_require(` |
608 | type selinux_config_t; | |
139520a2 | 609 | ') |
0c73cd25 | 610 | |
139520a2 | 611 | files_search_etc($1) |
c0868a7a CP |
612 | allow $1 selinux_config_t:dir list_dir_perms; |
613 | read_files_pattern($1,selinux_config_t,selinux_config_t) | |
614 | read_lnk_files_pattern($1,selinux_config_t,selinux_config_t) | |
b4cd1533 CP |
615 | ') |
616 | ||
d5ae683e CP |
617 | ######################################## |
618 | ## <summary> | |
619 | ## Read and write the general SELinux configuration files. | |
620 | ## </summary> | |
621 | ## <param name="domain"> | |
622 | ## <summary> | |
623 | ## Domain allowed access. | |
624 | ## </summary> | |
625 | ## </param> | |
626 | ## <rolecap/> | |
627 | # | |
628 | interface(`seutil_rw_config',` | |
629 | gen_require(` | |
630 | type selinux_config_t; | |
631 | ') | |
632 | ||
633 | files_search_etc($1) | |
634 | allow $1 selinux_config_t:dir list_dir_perms; | |
c0868a7a | 635 | rw_files_pattern($1,selinux_config_t,selinux_config_t) |
d5ae683e CP |
636 | ') |
637 | ||
a3cf80d8 CP |
638 | ####################################### |
639 | ## <summary> | |
640 | ## Create, read, write, and delete | |
53da70cd | 641 | ## the general selinux configuration files. (Deprecated) |
a3cf80d8 | 642 | ## </summary> |
53da70cd CP |
643 | ## <desc> |
644 | ## <p> | |
645 | ## Create, read, write, and delete | |
646 | ## the general selinux configuration files. | |
647 | ## </p> | |
648 | ## <p> | |
649 | ## This interface has been deprecated, please | |
650 | ## use the seutil_manage_config() interface instead. | |
651 | ## </p> | |
652 | ## </desc> | |
a3cf80d8 CP |
653 | ## <param name="domain"> |
654 | ## <summary> | |
ac9db9b5 | 655 | ## Domain allowed access. |
a3cf80d8 CP |
656 | ## </summary> |
657 | ## </param> | |
bbcd3c97 | 658 | ## <rolecap/> |
a3cf80d8 CP |
659 | # |
660 | interface(`seutil_manage_selinux_config',` | |
53da70cd CP |
661 | refpolicywarn(`$0($*) has been deprecated. Please use seutil_manage_config() instead.') |
662 | seutil_manage_config($1) | |
663 | ') | |
664 | ||
665 | ####################################### | |
666 | ## <summary> | |
667 | ## Create, read, write, and delete | |
668 | ## the general selinux configuration files. | |
669 | ## </summary> | |
670 | ## <param name="domain"> | |
671 | ## <summary> | |
672 | ## Domain allowed access. | |
673 | ## </summary> | |
674 | ## </param> | |
675 | ## <rolecap/> | |
676 | # | |
677 | interface(`seutil_manage_config',` | |
a3cf80d8 CP |
678 | gen_require(` |
679 | type selinux_config_t; | |
680 | ') | |
681 | ||
682 | files_search_etc($1) | |
c0868a7a CP |
683 | manage_files_pattern($1,selinux_config_t,selinux_config_t) |
684 | read_lnk_files_pattern($1,selinux_config_t,selinux_config_t) | |
a3cf80d8 CP |
685 | ') |
686 | ||
58243805 CP |
687 | ####################################### |
688 | ## <summary> | |
689 | ## Create, read, write, and delete | |
690 | ## the general selinux configuration directories. | |
691 | ## </summary> | |
692 | ## <param name="domain"> | |
693 | ## <summary> | |
694 | ## Domain allowed access. | |
695 | ## </summary> | |
696 | ## </param> | |
697 | ## <rolecap/> | |
698 | # | |
699 | interface(`seutil_manage_config_dirs',` | |
700 | gen_require(` | |
701 | type selinux_config_t; | |
702 | ') | |
703 | ||
704 | files_search_etc($1) | |
705 | allow $1 selinux_config_t:dir manage_dir_perms; | |
706 | ') | |
707 | ||
ebdc3b79 CP |
708 | ######################################## |
709 | ## <summary> | |
710 | ## Search the policy directory with default_context files. | |
711 | ## </summary> | |
712 | ## <param name="domain"> | |
885b83ec | 713 | ## <summary> |
ac9db9b5 | 714 | ## Domain allowed access. |
885b83ec | 715 | ## </summary> |
ebdc3b79 CP |
716 | ## </param> |
717 | # | |
718 | interface(`seutil_search_default_contexts',` | |
719 | gen_require(` | |
720 | type selinux_config_t, default_context_t; | |
ebdc3b79 CP |
721 | ') |
722 | ||
723 | files_search_etc($1) | |
c0868a7a | 724 | search_dirs_pattern($1,selinux_config_t,default_context_t) |
ebdc3b79 CP |
725 | ') |
726 | ||
b4cd1533 | 727 | ######################################## |
ac9db9b5 CP |
728 | ## <summary> |
729 | ## Read the default_contexts files. | |
730 | ## </summary> | |
731 | ## <param name="domain"> | |
732 | ## <summary> | |
733 | ## Domain allowed access. | |
734 | ## </summary> | |
735 | ## </param> | |
bbcd3c97 | 736 | ## <rolecap/> |
b4cd1533 | 737 | # |
199895e2 | 738 | interface(`seutil_read_default_contexts',` |
139520a2 CP |
739 | gen_require(` |
740 | type selinux_config_t, default_context_t; | |
139520a2 | 741 | ') |
0c73cd25 | 742 | |
139520a2 | 743 | files_search_etc($1) |
4bc6e32e CP |
744 | allow $1 selinux_config_t:dir search_dir_perms; |
745 | allow $1 default_context_t:dir list_dir_perms; | |
c0868a7a | 746 | read_files_pattern($1,default_context_t,default_context_t) |
4bc6e32e CP |
747 | ') |
748 | ||
749 | ######################################## | |
750 | ## <summary> | |
751 | ## Create, read, write, and delete the default_contexts files. | |
752 | ## </summary> | |
753 | ## <param name="domain"> | |
754 | ## <summary> | |
755 | ## Domain allowed access. | |
756 | ## </summary> | |
757 | ## </param> | |
758 | # | |
759 | interface(`seutil_manage_default_contexts',` | |
760 | gen_require(` | |
761 | type selinux_config_t, default_context_t; | |
762 | ') | |
763 | ||
764 | files_search_etc($1) | |
765 | allow $1 selinux_config_t:dir search_dir_perms; | |
c0868a7a | 766 | manage_files_pattern($1,default_context_t,default_context_t) |
b4cd1533 CP |
767 | ') |
768 | ||
ee5772e4 | 769 | ######################################## |
ac9db9b5 CP |
770 | ## <summary> |
771 | ## Read the file_contexts files. | |
772 | ## </summary> | |
773 | ## <param name="domain"> | |
774 | ## <summary> | |
775 | ## Domain allowed access. | |
776 | ## </summary> | |
777 | ## </param> | |
bbcd3c97 | 778 | ## <rolecap/> |
ee5772e4 | 779 | # |
199895e2 | 780 | interface(`seutil_read_file_contexts',` |
139520a2 | 781 | gen_require(` |
c0868a7a | 782 | type selinux_config_t, default_context_t, file_context_t; |
139520a2 | 783 | ') |
0c73cd25 | 784 | |
139520a2 | 785 | files_search_etc($1) |
c0868a7a CP |
786 | allow $1 { selinux_config_t default_context_t }:dir search_dir_perms; |
787 | read_files_pattern($1,file_context_t,file_context_t) | |
ee5772e4 CP |
788 | ') |
789 | ||
04d28610 CP |
790 | ######################################## |
791 | ## <summary> | |
792 | ## Do not audit attempts to read the file_contexts files. | |
793 | ## </summary> | |
794 | ## <param name="domain"> | |
795 | ## <summary> | |
796 | ## Domain to not audit. | |
797 | ## </summary> | |
798 | ## </param> | |
799 | ## <rolecap/> | |
800 | # | |
801 | interface(`seutil_dontaudit_read_file_contexts',` | |
802 | gen_require(` | |
803 | type selinux_config_t, default_context_t, file_context_t; | |
804 | ') | |
805 | ||
806 | dontaudit $1 { selinux_config_t default_context_t file_context_t }:dir search_dir_perms; | |
807 | dontaudit $1 file_context_t:file read_file_perms; | |
808 | ') | |
809 | ||
8cf67141 CP |
810 | ######################################## |
811 | ## <summary> | |
812 | ## Read and write the file_contexts files. | |
813 | ## </summary> | |
814 | ## <param name="domain"> | |
815 | ## <summary> | |
816 | ## Domain allowed access. | |
817 | ## </summary> | |
818 | ## </param> | |
819 | # | |
820 | interface(`seutil_rw_file_contexts',` | |
821 | gen_require(` | |
8f3a0a95 | 822 | type selinux_config_t, file_context_t, default_context_t; |
8cf67141 CP |
823 | ') |
824 | ||
825 | files_search_etc($1) | |
c0868a7a CP |
826 | allow $1 { selinux_config_t default_context_t }:dir search_dir_perms; |
827 | rw_files_pattern($1,file_context_t,file_context_t) | |
8cf67141 CP |
828 | ') |
829 | ||
55b19055 CP |
830 | ######################################## |
831 | ## <summary> | |
832 | ## Create, read, write, and delete the file_contexts files. | |
833 | ## </summary> | |
834 | ## <param name="domain"> | |
835 | ## <summary> | |
836 | ## Domain allowed access. | |
837 | ## </summary> | |
838 | ## </param> | |
bbcd3c97 | 839 | ## <rolecap/> |
55b19055 CP |
840 | # |
841 | interface(`seutil_manage_file_contexts',` | |
842 | gen_require(` | |
8f3a0a95 | 843 | type selinux_config_t, file_context_t, default_context_t; |
55b19055 CP |
844 | ') |
845 | ||
846 | files_search_etc($1) | |
4bc6e32e | 847 | allow $1 { selinux_config_t default_context_t }:dir search_dir_perms; |
c0868a7a | 848 | manage_files_pattern($1,file_context_t,file_context_t) |
55b19055 CP |
849 | ') |
850 | ||
b4cd1533 | 851 | ######################################## |
ac9db9b5 CP |
852 | ## <summary> |
853 | ## Read the SELinux binary policy. | |
854 | ## </summary> | |
855 | ## <param name="domain"> | |
856 | ## <summary> | |
857 | ## Domain allowed access. | |
858 | ## </summary> | |
859 | ## </param> | |
b4cd1533 | 860 | # |
1815bad1 | 861 | interface(`seutil_read_bin_policy',` |
139520a2 CP |
862 | gen_require(` |
863 | type selinux_config_t, policy_config_t; | |
139520a2 | 864 | ') |
0c73cd25 | 865 | |
139520a2 | 866 | files_search_etc($1) |
c0868a7a CP |
867 | allow $1 selinux_config_t:dir search_dir_perms; |
868 | read_files_pattern($1,policy_config_t,policy_config_t) | |
b4cd1533 CP |
869 | ') |
870 | ||
b4cd1533 | 871 | ######################################## |
ac9db9b5 CP |
872 | ## <summary> |
873 | ## Create the SELinux binary policy. | |
874 | ## </summary> | |
875 | ## <param name="domain"> | |
876 | ## <summary> | |
877 | ## Domain allowed access. | |
878 | ## </summary> | |
879 | ## </param> | |
b4cd1533 | 880 | # |
1815bad1 | 881 | interface(`seutil_create_bin_policy',` |
139520a2 | 882 | gen_require(` |
15fefa49 | 883 | # attribute can_write_binary_policy; |
139520a2 | 884 | type selinux_config_t, policy_config_t; |
139520a2 | 885 | ') |
0c73cd25 | 886 | |
139520a2 | 887 | files_search_etc($1) |
c0868a7a CP |
888 | allow $1 selinux_config_t:dir search_dir_perms; |
889 | create_files_pattern($1,policy_config_t,policy_config_t) | |
890 | write_files_pattern($1,policy_config_t,policy_config_t) | |
15fefa49 | 891 | # typeattribute $1 can_write_binary_policy; |
b4cd1533 CP |
892 | ') |
893 | ||
########################################
## <summary>
##	Allow the caller to relabel a file to the binary policy type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_relabelto_bin_policy',`
	gen_require(`
		attribute can_relabelto_binary_policy;
		type policy_config_t;
	')

	# relabelto lets the caller give a file the policy_config_t label.
	# No relabelfrom and no directory access is granted by this interface.
	allow $1 policy_config_t:file relabelto;
	# Tag the caller so every domain holding this permission can be
	# enumerated through the can_relabelto_binary_policy attribute.
	# NOTE(review): presumably an assertion in the module .te file is keyed
	# on this attribute; confirm there.
	typeattribute $1 can_relabelto_binary_policy;
')

########################################
## <summary>
##	Create, read, write, and delete the SELinux
##	binary policy.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_manage_bin_policy',`
	gen_require(`
		attribute can_write_binary_policy;
		type selinux_config_t, policy_config_t;
	')

	files_search_etc($1)
	allow $1 selinux_config_t:dir search_dir_perms;
	# Full manage pattern on the binary policy files. A caller with this
	# access can replace or delete the policy file on disk, so the set of
	# domains using this interface should stay small and reviewed.
	manage_files_pattern($1,policy_config_t,policy_config_t)
	# Tag the caller as a binary policy writer so that grants made through
	# this interface stay enumerable via the attribute.
	typeattribute $1 can_write_binary_policy;
')

########################################
## <summary>
##	Read SELinux policy source files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_read_src_policy',`
	gen_require(`
		type selinux_config_t, policy_src_t;
	')

	files_search_etc($1)
	# Directory listing is requested for policy_src_t directories located
	# under selinux_config_t (pattern macro defined outside this file).
	list_dirs_pattern($1,selinux_config_t,policy_src_t)
	# Read pattern only on the source files; nothing here grants write.
	read_files_pattern($1,policy_src_t,policy_src_t)
')

########################################
## <summary>
##	Create, read, write, and delete SELinux
##	policy source files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`seutil_manage_src_policy',`
	gen_require(`
		type selinux_config_t, policy_src_t;
	')

	files_search_etc($1)
	allow $1 selinux_config_t:dir search_dir_perms;
	# Manage patterns on both directories and files of policy_src_t.
	# NOTE(review): unlike seutil_manage_bin_policy, no attribute is
	# assigned to the caller, so domains that can modify policy sources
	# are not enumerable through an attribute; confirm that is acceptable.
	manage_dirs_pattern($1,policy_src_t,policy_src_t)
	manage_files_pattern($1,policy_src_t,policy_src_t)
')

########################################
## <summary>
##	Execute a domain transition to run semanage.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`seutil_domtrans_semanage',`
	gen_require(`
		type semanage_t, semanage_exec_t;
	')

	# Path traversal helpers (defined outside this file) so the caller can
	# reach the semanage executable.
	files_search_usr($1)
	corecmd_search_bin($1)
	# Transition pattern: caller domain, entry point type semanage_exec_t,
	# target domain semanage_t. No role is authorized for semanage_t here;
	# seutil_run_semanage in this file adds the role statement.
	domtrans_pattern($1,semanage_exec_t,semanage_t)
')

########################################
## <summary>
##	Execute semanage in the semanage domain, and
##	allow the specified role the semanage domain,
##	and use the caller's terminal.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed the semanage domain.
##	</summary>
## </param>
## <rolecap/>
#
interface(`seutil_run_semanage',`
	gen_require(`
		type semanage_t;
	')

	seutil_domtrans_semanage($1)
	# semanage_t, not the caller, is passed as the source domain to the
	# setfiles and load_policy run interfaces, together with the same role.
	# NOTE(review): presumably this lets the role reach relabeling and
	# policy loading through semanage, so a caller of this interface should
	# be treated as able to change the loaded policy; verify against the
	# definitions of the two interfaces.
	seutil_run_setfiles(semanage_t, $2)
	seutil_run_loadpolicy(semanage_t, $2)
	# Authorize the role for the semanage_t domain.
	role $2 types semanage_t;
	# NOTE(review): the summary mentions the terminal of the caller, but
	# this interface takes no terminal argument and no terminal rule is
	# visible in this body; confirm whether that wording is stale.
')

########################################
## <summary>
##	Full management of the semanage
##	module store.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_manage_module_store',`
	gen_require(`
		type selinux_config_t, semanage_store_t;
	')

	files_search_etc($1)
	# Manage patterns for semanage_store_t directories (located under
	# selinux_config_t) and for the files inside the store.
	manage_dirs_pattern($1,selinux_config_t,semanage_store_t)
	manage_files_pattern($1,semanage_store_t,semanage_store_t)
	# Type transition pattern with object class dir: by its arguments,
	# directories the caller creates under selinux_config_t are labelled
	# semanage_store_t.
	# NOTE(review): the store presumably holds the modules a policy rebuild
	# is assembled from; treat callers of this interface as policy writers
	# and confirm each one needs full manage rather than read access.
	filetrans_pattern($1,selinux_config_t,semanage_store_t,dir)
')

#######################################
## <summary>
##	Get read lock on module store
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_get_semanage_read_lock',`
	gen_require(`
		type selinux_config_t, semanage_read_lock_t;
	')

	files_search_etc($1)
	# The read-write pattern is used even though this is the read lock;
	# the only file type named is semanage_read_lock_t, so no store content
	# type is granted by this interface.
	rw_files_pattern($1,selinux_config_t,semanage_read_lock_t)
')

#######################################
## <summary>
##	Get trans lock on module store
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_get_semanage_trans_lock',`
	gen_require(`
		type selinux_config_t, semanage_trans_lock_t;
	')

	files_search_etc($1)
	# Read-write pattern limited to the semanage_trans_lock_t file type.
	# Holding the lock file does not by itself grant access to store
	# content; that comes from seutil_manage_module_store in this file.
	rw_files_pattern($1,selinux_config_t,semanage_trans_lock_t)
')

########################################
## <summary>
##	SELinux-enabled program access for
##	libselinux-linked programs.
## </summary>
## <desc>
##	<p>
##	SELinux-enabled programs are typically
##	linked to the libselinux library.  This
##	interface will allow access required for
##	the libselinux constructor to function.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_libselinux_linked',`
	# Composed entirely of two other interfaces, neither defined in the
	# visible part of this file: one for locating the selinuxfs mount and
	# one for reading the SELinux configuration. No rules are added
	# directly, so the exact permissions depend on those definitions.
	selinux_get_fs_mount($1)
	seutil_read_config($1)
')

########################################
## <summary>
##	Do not audit SELinux-enabled program access for
##	libselinux-linked programs.
## </summary>
## <desc>
##	<p>
##	SELinux-enabled programs are typically
##	linked to the libselinux library.  This
##	interface will dontaudit access required for
##	the libselinux constructor to function.
##	</p>
##	<p>
##	Generally this should not be used on anything
##	but simple SELinux-enabled programs that do not
##	rely on data initialized by the libselinux
##	constructor.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`seutil_dontaudit_libselinux_linked',`
	# Dontaudit counterpart of seutil_libselinux_linked: the access is
	# still denied, only the audit record is suppressed. When investigating
	# a domain that uses this interface, remember that these denials will
	# not show up in the audit log unless dontaudit rules are disabled
	# (for example by rebuilding the policy with semodule -DB).
	selinux_dontaudit_get_fs_mount($1)
	seutil_dontaudit_read_config($1)
')