2 ## Basic filesystem types and interfaces.
6 ## This module contains basic filesystem types and interfaces. This
9 ## <li>The concept of different file types including basic
10 ## files, mount points, tmp files, etc.</li>
11 ## <li>Access to groups of files and all files.</li>
12 ## <li>Types and interfaces for the basic filesystem layout
13 ## (/, /etc, /tmp, /usr, etc.).</li>
17 ## <required val="true">
18 ## Contains the concept of a file.
19 ## Contains the file initial SID.
22 ########################################
24 ## Make the specified type usable for files
29 ## Make the specified type usable for files
30 ## in a filesystem. Types used for files that
31 ## do not use this interface, or an interface that
32 ## calls this one, will have unexpected behaviors
33 ## while the system is running. If the type is used
34 ## for device nodes (character or block files), then
35 ## the dev_node() interface is more appropriate.
38 ## Related interfaces:
41 ## <li>application_domain()</li>
42 ## <li>application_executable_file()</li>
43 ## <li>corecmd_executable_file()</li>
44 ## <li>init_daemon_domain()</li>
45 ## <li>init_domain()</li>
46 ## <li>init_ranged_daemon_domain()</li>
47 ## <li>init_ranged_domain()</li>
48 ## <li>init_ranged_system_domain()</li>
49 ## <li>init_script_file()</li>
50 ## <li>init_script_domain()</li>
51 ## <li>init_system_domain()</li>
52 ## <li>files_config_file()</li>
53 ## <li>files_lock_file()</li>
54 ## <li>files_mountpoint()</li>
55 ## <li>files_pid_file()</li>
56 ## <li>files_security_file()</li>
57 ## <li>files_security_mountpoint()</li>
58 ## <li>files_spool_file()</li>
59 ## <li>files_tmp_file()</li>
60 ## <li>files_tmpfs_file()</li>
61 ## <li>logging_log_file()</li>
62 ## <li>userdom_user_home_content()</li>
69 ## files_type(myfile_t)
70 ## allow mydomain_t myfile_t:file read_file_perms;
73 ## <param name="type">
75 ## Type to be used for files.
78 ## <infoflow type="none"/>
80 interface(`files_type',`
82 attribute file_type, non_security_file_type;
85 typeattribute $1 file_type, non_security_file_type;
88 ########################################
90 ## Make the specified type a file that
91 ## should not be dontaudited from
92 ## browsing from user domains.
94 ## <param name="file_type">
96 ## Type of the file to be used as a
101 interface(`files_security_file',`
103 attribute file_type, security_file_type;
106 typeattribute $1 file_type, security_file_type;
109 ########################################
111 ## Make the specified type usable for
114 ## <param name="type">
116 ## Type to be used for lock files.
120 interface(`files_lock_file',`
126 typeattribute $1 lockfile;
129 ########################################
131 ## Make the specified type usable for
132 ## filesystem mount points.
134 ## <param name="type">
136 ## Type to be used for mount points.
140 interface(`files_mountpoint',`
142 attribute mountpoint;
146 typeattribute $1 mountpoint;
149 ########################################
151 ## Make the specified type usable for
152 ## security file filesystem mount points.
154 ## <param name="type">
156 ## Type to be used for mount points.
160 interface(`files_security_mountpoint',`
162 attribute mountpoint;
165 files_security_file($1)
166 typeattribute $1 mountpoint;
169 ########################################
171 ## Make the specified type usable for
172 ## runtime process ID files.
176 ## Make the specified type usable for runtime process ID files,
177 ## typically found in /var/run.
178 ## This will also make the type usable for files, making
179 ## calls to files_type() redundant. Failure to use this interface
180 ## for a PID file type may result in problems with starting
181 ## or stopping services.
184 ## Related interfaces:
187 ## <li>files_pid_filetrans()</li>
190 ## Example usage with a domain that can create and
191 ## write its PID file with a private PID file type in the
192 ## /var/run directory:
196 ## files_pid_file(mypidfile_t)
197 ## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms };
198 ## files_pid_filetrans(mydomain_t, mypidfile_t, file)
201 ## <param name="type">
203 ## Type to be used for PID files.
206 ## <infoflow type="none"/>
208 interface(`files_pid_file',`
214 typeattribute $1 pidfile;
217 ########################################
219 ## Make the specified type a
220 ## configuration file.
224 ## Make the specified type usable for configuration files.
225 ## This will also make the type usable for files, making
226 ## calls to files_type() redundant. Failure to use this interface
227 ## for a configuration file may result in problems with
228 ## configuration management tools.
231 ## Example usage with a domain that can read
232 ## its configuration file in /etc:
235 ## type myconffile_t;
236 ## files_config_file(myconffile_t)
237 ## allow mydomain_t myconffile_t:file read_file_perms;
238 ## files_search_etc(mydomain_t)
241 ## <param name="file_type">
243 ## Type to be used as a configuration file.
246 ## <infoflow type="none"/>
248 interface(`files_config_file',`
250 attribute configfile;
253 typeattribute $1 configfile;
256 ########################################
258 ## Make the specified type a
259 ## polyinstantiated directory.
261 ## <param name="file_type">
263 ## Type of the file to be used as a
264 ## polyinstantiated directory.
268 interface(`files_poly',`
274 typeattribute $1 polydir;
277 ########################################
279 ## Make the specified type a parent
280 ## of a polyinstantiated directory.
282 ## <param name="file_type">
284 ## Type of the file to be used as a
289 interface(`files_poly_parent',`
291 attribute polyparent;
295 typeattribute $1 polyparent;
298 ########################################
300 ## Make the specified type a
301 ## polyinstantiation member directory.
303 ## <param name="file_type">
305 ## Type of the file to be used as a
310 interface(`files_poly_member',`
312 attribute polymember;
316 typeattribute $1 polymember;
319 ########################################
321 ## Make the domain use the specified
322 ## type of polyinstantiated directory.
324 ## <param name="domain">
326 ## Domain using the polyinstantiated
330 ## <param name="file_type">
332 ## Type of the file to be used as a
337 interface(`files_poly_member_tmp',`
342 type_member $1 tmp_t:dir $2;
345 ########################################
347 ## Make the specified type a file
348 ## used for temporary files.
352 ## Make the specified type usable for temporary files.
353 ## This will also make the type usable for files, making
354 ## calls to files_type() redundant. Failure to use this interface
355 ## for a temporary file may result in problems with
356 ## purging temporary files.
359 ## Related interfaces:
362 ## <li>files_tmp_filetrans()</li>
365 ## Example usage with a domain that can create and
366 ## write its temporary file in the system temporary file
367 ## directories (/tmp or /var/tmp):
371 ## files_tmp_file(mytmpfile_t)
372 ## allow mydomain_t mytmpfile_t:file { create_file_perms write_file_perms };
373 ## files_tmp_filetrans(mydomain_t, mytmpfile_t, file)
376 ## <param name="file_type">
378 ## Type of the file to be used as a
382 ## <infoflow type="none"/>
384 interface(`files_tmp_file',`
391 files_poly_member($1)
392 typeattribute $1 tmpfile;
395 ########################################
397 ## Transform the type into a file, for use on a
398 ## virtual memory filesystem (tmpfs).
400 ## <param name="type">
402 ## The type to be transformed.
406 interface(`files_tmpfs_file',`
412 typeattribute $1 tmpfsfile;
415 ########################################
417 ## Get the attributes of all directories.
419 ## <param name="domain">
421 ## Domain allowed access.
425 interface(`files_getattr_all_dirs',`
430 getattr_dirs_pattern($1, file_type, file_type)
433 ########################################
435 ## Do not audit attempts to get the attributes
436 ## of all directories.
438 ## <param name="domain">
440 ## Domain to not audit.
444 interface(`files_dontaudit_getattr_all_dirs',`
449 dontaudit $1 file_type:dir getattr;
452 ########################################
454 ## List all non-security directories.
456 ## <param name="domain">
458 ## Domain allowed access.
462 interface(`files_list_non_security',`
464 attribute non_security_file_type;
467 list_dirs_pattern($1, non_security_file_type, non_security_file_type)
470 ########################################
472 ## Do not audit attempts to list all
473 ## non-security directories.
475 ## <param name="domain">
477 ## Domain to not audit.
481 interface(`files_dontaudit_list_non_security',`
483 attribute non_security_file_type;
486 dontaudit $1 non_security_file_type:dir list_dir_perms;
489 ########################################
491 ## Mount a filesystem on all non-security
492 ## directories and files.
494 ## <param name="domain">
496 ## Domain allowed access.
500 interface(`files_mounton_non_security',`
502 attribute non_security_file_type;
505 allow $1 non_security_file_type:dir mounton;
506 allow $1 non_security_file_type:file mounton;
509 ########################################
511 ## Allow attempts to modify any directory
513 ## <param name="domain">
515 ## Domain allowed access.
519 interface(`files_write_non_security_dirs',`
521 attribute non_security_file_type;
524 allow $1 non_security_file_type:dir write;
527 ########################################
529 ## Allow attempts to manage non-security directories
531 ## <param name="domain">
533 ## Domain allowed access.
537 interface(`files_manage_non_security_dirs',`
539 attribute non_security_file_type;
542 allow $1 non_security_file_type:dir manage_dir_perms;
545 ########################################
547 ## Get the attributes of all files.
549 ## <param name="domain">
551 ## Domain allowed access.
555 interface(`files_getattr_all_files',`
560 getattr_files_pattern($1, file_type, file_type)
561 getattr_lnk_files_pattern($1, file_type, file_type)
564 ########################################
566 ## Do not audit attempts to get the attributes
569 ## <param name="domain">
571 ## Domain to not audit.
575 interface(`files_dontaudit_getattr_all_files',`
580 dontaudit $1 file_type:file getattr;
583 ########################################
585 ## Do not audit attempts to get the attributes
586 ## of non security files.
588 ## <param name="domain">
590 ## Domain to not audit.
594 interface(`files_dontaudit_getattr_non_security_files',`
596 attribute non_security_file_type;
599 dontaudit $1 non_security_file_type:file getattr;
602 ########################################
606 ## <param name="domain">
608 ## Domain allowed access.
612 interface(`files_read_all_files',`
617 allow $1 file_type:dir list_dir_perms;
618 read_files_pattern($1, file_type, file_type)
625 ########################################
627 ## Allow shared library text relocations in all files.
631 ## Allow shared library text relocations in all files.
634 ## This is added to support WINE policy.
637 ## <param name="domain">
639 ## Domain allowed access.
643 interface(`files_execmod_all_files',`
648 allow $1 file_type:file execmod;
651 ########################################
653 ## Read all non-security files.
655 ## <param name="domain">
657 ## Domain allowed access.
662 interface(`files_read_non_security_files',`
664 attribute non_security_file_type;
667 list_dirs_pattern($1, non_security_file_type, non_security_file_type)
668 read_files_pattern($1, non_security_file_type, non_security_file_type)
669 read_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
672 ########################################
674 ## Manage all non-security files.
676 ## <param name="domain">
678 ## Domain allowed access.
683 interface(`files_manage_non_security_files',`
685 attribute non_security_file_type;
688 manage_files_pattern($1, non_security_file_type, non_security_file_type)
689 manage_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
692 ########################################
694 ## Relabel all non-security files.
696 ## <param name="domain">
698 ## Domain allowed access.
703 interface(`files_relabel_non_security_files',`
705 attribute non_security_file_type;
708 relabel_files_pattern($1, non_security_file_type, non_security_file_type)
709 allow $1 { non_security_file_type }:dir list_dir_perms;
710 relabel_dirs_pattern($1, { non_security_file_type }, { non_security_file_type })
711 relabel_files_pattern($1, { non_security_file_type }, { non_security_file_type })
712 relabel_lnk_files_pattern($1, { non_security_file_type }, { non_security_file_type })
713 relabel_fifo_files_pattern($1, { non_security_file_type }, { non_security_file_type })
714 relabel_sock_files_pattern($1, { non_security_file_type }, { non_security_file_type })
715 relabel_blk_files_pattern($1, { non_security_file_type }, { non_security_file_type })
716 relabel_chr_files_pattern($1, { non_security_file_type }, { non_security_file_type })
718 # satisfy the assertions:
719 seutil_relabelto_bin_policy($1)
722 ########################################
724 ## Read all directories on the filesystem, except
725 ## the listed exceptions.
727 ## <param name="domain">
729 ## Domain allowed access.
732 ## <param name="exception_types" optional="true">
734 ## The types to be excluded. Each type or attribute
735 ## must be negated by the caller.
739 interface(`files_read_all_dirs_except',`
744 allow $1 { file_type $2 }:dir list_dir_perms;
747 ########################################
749 ## Read all files on the filesystem, except
750 ## the listed exceptions.
752 ## <param name="domain">
754 ## Domain allowed access.
757 ## <param name="exception_types" optional="true">
759 ## The types to be excluded. Each type or attribute
760 ## must be negated by the caller.
764 interface(`files_read_all_files_except',`
769 read_files_pattern($1, { file_type $2 }, { file_type $2 })
772 ########################################
774 ## Read all symbolic links on the filesystem, except
775 ## the listed exceptions.
777 ## <param name="domain">
779 ## Domain allowed access.
782 ## <param name="exception_types" optional="true">
784 ## The types to be excluded. Each type or attribute
785 ## must be negated by the caller.
789 interface(`files_read_all_symlinks_except',`
794 read_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
797 ########################################
799 ## Get the attributes of all symbolic links.
801 ## <param name="domain">
803 ## Domain allowed access.
807 interface(`files_getattr_all_symlinks',`
812 getattr_lnk_files_pattern($1, file_type, file_type)
815 ########################################
817 ## Do not audit attempts to get the attributes
818 ## of all symbolic links.
820 ## <param name="domain">
822 ## Domain to not audit.
826 interface(`files_dontaudit_getattr_all_symlinks',`
831 dontaudit $1 file_type:lnk_file getattr;
834 ########################################
836 ## Do not audit attempts to read all symbolic links.
838 ## <param name="domain">
840 ## Domain to not audit.
844 interface(`files_dontaudit_read_all_symlinks',`
849 dontaudit $1 file_type:lnk_file read;
852 ########################################
854 ## Do not audit attempts to get the attributes
855 ## of non security symbolic links.
857 ## <param name="domain">
859 ## Domain to not audit.
863 interface(`files_dontaudit_getattr_non_security_symlinks',`
865 attribute non_security_file_type;
868 dontaudit $1 non_security_file_type:lnk_file getattr;
871 ########################################
873 ## Do not audit attempts to get the attributes
874 ## of non security block devices.
876 ## <param name="domain">
878 ## Domain to not audit.
882 interface(`files_dontaudit_getattr_non_security_blk_files',`
884 attribute non_security_file_type;
887 dontaudit $1 non_security_file_type:blk_file getattr;
890 ########################################
892 ## Do not audit attempts to get the attributes
893 ## of non security character devices.
895 ## <param name="domain">
897 ## Domain to not audit.
901 interface(`files_dontaudit_getattr_non_security_chr_files',`
903 attribute non_security_file_type;
906 dontaudit $1 non_security_file_type:chr_file getattr;
909 ########################################
911 ## Read all symbolic links.
913 ## <param name="domain">
915 ## Domain allowed access.
920 interface(`files_read_all_symlinks',`
925 allow $1 file_type:dir list_dir_perms;
926 read_lnk_files_pattern($1, file_type, file_type)
929 ########################################
931 ## Get the attributes of all named pipes.
933 ## <param name="domain">
935 ## Domain allowed access.
939 interface(`files_getattr_all_pipes',`
944 allow $1 file_type:dir list_dir_perms;
945 getattr_fifo_files_pattern($1, file_type, file_type)
948 ########################################
950 ## Do not audit attempts to get the attributes
951 ## of all named pipes.
953 ## <param name="domain">
955 ## Domain to not audit.
959 interface(`files_dontaudit_getattr_all_pipes',`
964 dontaudit $1 file_type:fifo_file getattr;
967 ########################################
969 ## Do not audit attempts to get the attributes
970 ## of non security named pipes.
972 ## <param name="domain">
974 ## Domain to not audit.
978 interface(`files_dontaudit_getattr_non_security_pipes',`
980 attribute non_security_file_type;
983 dontaudit $1 non_security_file_type:fifo_file getattr;
986 ########################################
988 ## Get the attributes of all named sockets.
990 ## <param name="domain">
992 ## Domain allowed access.
996 interface(`files_getattr_all_sockets',`
1001 allow $1 file_type:dir list_dir_perms;
1002 getattr_sock_files_pattern($1, file_type, file_type)
1005 ########################################
1007 ## Do not audit attempts to get the attributes
1008 ## of all named sockets.
1010 ## <param name="domain">
1012 ## Domain to not audit.
1016 interface(`files_dontaudit_getattr_all_sockets',`
1018 attribute file_type;
1021 dontaudit $1 file_type:sock_file getattr;
1024 ########################################
1026 ## Do not audit attempts to get the attributes
1027 ## of non security named sockets.
1029 ## <param name="domain">
1031 ## Domain to not audit.
1035 interface(`files_dontaudit_getattr_non_security_sockets',`
1037 attribute non_security_file_type;
1040 dontaudit $1 non_security_file_type:sock_file getattr;
1043 ########################################
1045 ## Read all block nodes with file types.
1047 ## <param name="domain">
1049 ## Domain allowed access.
1053 interface(`files_read_all_blk_files',`
1055 attribute file_type;
1058 read_blk_files_pattern($1, file_type, file_type)
1061 ########################################
1063 ## Read all character nodes with file types.
1065 ## <param name="domain">
1067 ## Domain allowed access.
1071 interface(`files_read_all_chr_files',`
1073 attribute file_type;
1076 read_chr_files_pattern($1, file_type, file_type)
1079 ########################################
1081 ## Relabel all files on the filesystem, except
1082 ## the listed exceptions.
1084 ## <param name="domain">
1086 ## Domain allowed access.
1089 ## <param name="exception_types" optional="true">
1091 ## The types to be excluded. Each type or attribute
1092 ## must be negated by the caller.
1097 interface(`files_relabel_all_files',`
1099 attribute file_type;
1102 allow $1 { file_type $2 }:dir list_dir_perms;
1103 relabel_dirs_pattern($1, { file_type $2 }, { file_type $2 })
1104 relabel_files_pattern($1, { file_type $2 }, { file_type $2 })
1105 relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
1106 relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
1107 relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
1108 relabel_blk_files_pattern($1, { file_type $2 }, { file_type $2 })
1109 relabel_chr_files_pattern($1, { file_type $2 }, { file_type $2 })
1111 # satisfy the assertions:
1112 seutil_relabelto_bin_policy($1)
1115 ########################################
1117 ## Read and write all files on the filesystem, except
1118 ## the listed exceptions.
1120 ## <param name="domain">
1122 ## Domain allowed access.
1125 ## <param name="exception_types" optional="true">
1127 ## The types to be excluded. Each type or attribute
1128 ## must be negated by the caller.
1133 interface(`files_rw_all_files',`
1135 attribute file_type;
1138 rw_files_pattern($1, { file_type $2 }, { file_type $2 })
1141 ########################################
1143 ## Manage all files on the filesystem, except
1144 ## the listed exceptions.
1146 ## <param name="domain">
1148 ## Domain allowed access.
1151 ## <param name="exception_types" optional="true">
1153 ## The types to be excluded. Each type or attribute
1154 ## must be negated by the caller.
1159 interface(`files_manage_all_files',`
1161 attribute file_type;
1164 manage_dirs_pattern($1, { file_type $2 }, { file_type $2 })
1165 manage_files_pattern($1, { file_type $2 }, { file_type $2 })
1166 manage_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
1167 manage_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
1168 manage_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
1170 # satisfy the assertions:
1171 seutil_create_bin_policy($1)
1172 files_manage_kernel_modules($1)
1175 ########################################
1177 ## Search the contents of all directories on
1178 ## extended attribute filesystems.
1180 ## <param name="domain">
1182 ## Domain allowed access.
1186 interface(`files_search_all',`
1188 attribute file_type;
1191 allow $1 file_type:dir search_dir_perms;
1194 ########################################
1196 ## List the contents of all directories on
1197 ## extended attribute filesystems.
1199 ## <param name="domain">
1201 ## Domain allowed access.
1205 interface(`files_list_all',`
1207 attribute file_type;
1210 allow $1 file_type:dir list_dir_perms;
1213 ########################################
1215 ## Do not audit attempts to search the
1216 ## contents of any directories on extended
1217 ## attribute filesystems.
1219 ## <param name="domain">
1221 ## Domain to not audit.
1225 interface(`files_dontaudit_search_all_dirs',`
1227 attribute file_type;
1230 dontaudit $1 file_type:dir search_dir_perms;
1233 ########################################
1235 ## Get the attributes of all filesystems
1236 ## with the type of a file.
1238 ## <param name="domain">
1240 ## Domain allowed access.
1244 # dwalsh: This interface is to allow quotacheck to work on a
1245 # filesystem mounted with the --context switch
1246 # https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=212957
1248 interface(`files_getattr_all_file_type_fs',`
1250 attribute file_type;
1253 allow $1 file_type:filesystem getattr;
1256 ########################################
1258 ## Relabel a filesystem to the type of a file.
1260 ## <param name="domain">
1262 ## Domain allowed access.
1266 interface(`files_relabelto_all_file_type_fs',`
1268 attribute file_type;
1271 allow $1 file_type:filesystem relabelto;
1274 ########################################
1276 ## Relabel a filesystem from and to the type of a file.
1278 ## <param name="domain">
1280 ## Domain allowed access.
1284 interface(`files_relabel_all_file_type_fs',`
1286 attribute file_type;
1289 allow $1 file_type:filesystem { relabelfrom relabelto };
1292 ########################################
1294 ## Mount all filesystems with the type of a file.
1296 ## <param name="domain">
1298 ## Domain allowed access.
1302 interface(`files_mount_all_file_type_fs',`
1304 attribute file_type;
1307 allow $1 file_type:filesystem mount;
1310 ########################################
1312 ## Unmount all filesystems with the type of a file.
1314 ## <param name="domain">
1316 ## Domain allowed access.
1320 interface(`files_unmount_all_file_type_fs',`
1322 attribute file_type;
1325 allow $1 file_type:filesystem unmount;
1328 #############################################
1330 ## Manage all configuration directories on filesystem
1332 ## <param name="domain">
1334 ## Domain allowed access.
1339 interface(`files_manage_config_dirs',`
1341 attribute configfile;
1344 manage_dirs_pattern($1, configfile, configfile)
1347 #########################################
1349 ## Relabel configuration directories
1351 ## <param name="domain">
1353 ## Domain allowed access.
1358 interface(`files_relabel_config_dirs',`
1360 attribute configfile;
1363 relabel_dirs_pattern($1, configfile, configfile)
1366 ########################################
1368 ## Read config files in /etc.
1370 ## <param name="domain">
1372 ## Domain allowed access.
1376 interface(`files_read_config_files',`
1378 attribute configfile;
1381 allow $1 configfile:dir list_dir_perms;
1382 read_files_pattern($1, configfile, configfile)
1383 read_lnk_files_pattern($1, configfile, configfile)
1386 ###########################################
1388 ## Manage all configuration files on filesystem
1390 ## <param name="domain">
1392 ## Domain allowed access.
1397 interface(`files_manage_config_files',`
1399 attribute configfile;
1402 manage_files_pattern($1, configfile, configfile)
1405 #######################################
1407 ## Relabel configuration files
1409 ## <param name="domain">
1411 ## Domain allowed access.
1416 interface(`files_relabel_config_files',`
1418 attribute configfile;
1421 relabel_files_pattern($1, configfile, configfile)
1424 ########################################
1426 ## Mount a filesystem on all mount points.
1428 ## <param name="domain">
1430 ## Domain allowed access.
1434 interface(`files_mounton_all_mountpoints',`
1436 attribute mountpoint;
1439 allow $1 mountpoint:dir { search_dir_perms mounton };
1440 allow $1 mountpoint:file { getattr mounton };
1443 ########################################
1445 ## Get the attributes of all mount points.
1447 ## <param name="domain">
1449 ## Domain allowed access.
1453 interface(`files_getattr_all_mountpoints',`
1455 attribute mountpoint;
1458 allow $1 mountpoint:dir getattr;
1461 ########################################
1463 ## Set the attributes of all mount points.
1465 ## <param name="domain">
1467 ## Domain allowed access.
1471 interface(`files_setattr_all_mountpoints',`
1473 attribute mountpoint;
1476 allow $1 mountpoint:dir setattr;
1479 ########################################
1481 ## Search all mount points.
1483 ## <param name="domain">
1485 ## Domain allowed access.
1489 interface(`files_search_all_mountpoints',`
1491 attribute mountpoint;
1494 allow $1 mountpoint:dir search_dir_perms;
1497 ########################################
1499 ## Do not audit searching of all mount points.
1501 ## <param name="domain">
1503 ## Domain to not audit.
1507 interface(`files_dontaudit_search_all_mountpoints',`
1509 attribute mountpoint;
1512 dontaudit $1 mountpoint:dir search_dir_perms;
1515 ########################################
1517 ## Do not audit listing of all mount points.
1519 ## <param name="domain">
1521 ## Domain to not audit.
1525 interface(`files_dontaudit_list_all_mountpoints',`
1527 attribute mountpoint;
1530 dontaudit $1 mountpoint:dir list_dir_perms;
1533 ########################################
1535 ## Write all mount points.
1537 ## <param name="domain">
1539 ## Domain allowed access.
1543 interface(`files_write_all_mountpoints',`
1545 attribute mountpoint;
1548 allow $1 mountpoint:dir write;
1551 ########################################
1553 ## Write all file type directories.
1555 ## <param name="domain">
1557 ## Domain allowed access.
1561 interface(`files_write_all_dirs',`
1563 attribute file_type;
1566 allow $1 file_type:dir write;
1569 ########################################
1571 ## List the contents of the root directory.
1573 ## <param name="domain">
1575 ## Domain allowed access.
1579 interface(`files_list_root',`
1584 allow $1 root_t:dir list_dir_perms;
1585 allow $1 root_t:lnk_file { read_lnk_file_perms ioctl lock };
1588 ########################################
1590 ## Do not audit attempts to write to / dirs.
1592 ## <param name="domain">
1594 ## Domain to not audit.
1598 interface(`files_dontaudit_write_root_dirs',`
1603 dontaudit $1 root_t:dir write;
1608 ## Do not audit attempts to write
1609 ## files in the root directory.
1611 ## <param name="domain">
1613 ## Domain to not audit.
1617 interface(`files_dontaudit_rw_root_dir',`
1622 dontaudit $1 root_t:dir rw_dir_perms;
1625 ########################################
1627 ## Create an object in the root directory, with a private
1628 ## type using a type transition.
1630 ## <param name="domain">
1632 ## Domain allowed access.
1635 ## <param name="private type">
1637 ## The type of the object to be created.
1640 ## <param name="object">
1642 ## The object class of the object being created.
1646 interface(`files_root_filetrans',`
1651 filetrans_pattern($1, root_t, $2, $3, $4)
1654 ########################################
1656 ## Do not audit attempts to read files in
1657 ## the root directory.
1659 ## <param name="domain">
1661 ## Domain to not audit.
1665 interface(`files_dontaudit_read_root_files',`
1670 dontaudit $1 root_t:file { getattr read };
1673 ########################################
1675 ## Do not audit attempts to read or write
1676 ## files in the root directory.
1678 ## <param name="domain">
1680 ## Domain to not audit.
1684 interface(`files_dontaudit_rw_root_files',`
1689 dontaudit $1 root_t:file { read write };
1692 ########################################
1694 ## Do not audit attempts to read or write
1695 ## character device nodes in the root directory.
1697 ## <param name="domain">
1699 ## Domain to not audit.
1703 interface(`files_dontaudit_rw_root_chr_files',`
1708 dontaudit $1 root_t:chr_file { read write };
1711 ########################################
1713 ## Delete files in the root directory.
1715 ## <param name="domain">
1717 ## Domain allowed access.
1721 interface(`files_delete_root_files',`
1726 allow $1 root_t:file unlink;
1729 ########################################
1731 ## Remove entries from the root directory.
1733 ## <param name="domain">
1735 ## Domain allowed access.
1739 interface(`files_delete_root_dir_entry',`
1744 allow $1 root_t:dir rw_dir_perms;
1747 ########################################
1749 ## Set attributes of the root directory.
1751 ## <param name="domain">
1753 ## Domain allowed access.
1757 interface(`files_setattr_root_dirs',`
1762 allow $1 root_t:dir setattr_dir_perms;
1765 ########################################
1767 ## Unmount a rootfs filesystem.
1769 ## <param name="domain">
1771 ## Domain allowed access.
1775 interface(`files_unmount_rootfs',`
1780 allow $1 root_t:filesystem unmount;
1783 ########################################
1785 ## Get attributes of the /boot directory.
1787 ## <param name="domain">
1789 ## Domain allowed access.
1793 interface(`files_getattr_boot_dirs',`
1798 allow $1 boot_t:dir getattr;
1801 ########################################
1803 ## Do not audit attempts to get attributes
1804 ## of the /boot directory.
1806 ## <param name="domain">
1808 ## Domain to not audit.
1812 interface(`files_dontaudit_getattr_boot_dirs',`
1817 dontaudit $1 boot_t:dir getattr;
1820 ########################################
1822 ## Search the /boot directory.
1824 ## <param name="domain">
1826 ## Domain allowed access.
1830 interface(`files_search_boot',`
1835 allow $1 boot_t:dir search_dir_perms;
1838 ########################################
1840 ## Do not audit attempts to search the /boot directory.
1842 ## <param name="domain">
1844 ## Domain to not audit.
1848 interface(`files_dontaudit_search_boot',`
1853 dontaudit $1 boot_t:dir search_dir_perms;
1856 ########################################
1858 ## List the /boot directory.
1860 ## <param name="domain">
1862 ## Domain allowed access.
1866 interface(`files_list_boot',`
1871 allow $1 boot_t:dir list_dir_perms;
1874 #######################################
1876 ## Do not audit attempts to list the /boot directory.
1878 ## <param name="domain">
1880 ## Domain to not audit.
1884 interface(`files_dontaudit_list_boot',`
1889 dontaudit $1 boot_t:dir list_dir_perms;
1892 ########################################
1894 ## Create directories in /boot.
1896 ## <param name="domain">
1898 ## Domain allowed access.
1902 interface(`files_create_boot_dirs',`
# Grants create plus rw_dir_perms on directories labeled boot_t.
# NOTE(review): the header only mentions creating directories, but
# rw_dir_perms (defined outside this file) is presumably a general read
# and write set for directories, so callers can likely also add and
# remove other entries under /boot - confirm this is intended.
1907 allow $1 boot_t:dir { create rw_dir_perms };
1910 ########################################
1912 ## Create, read, write, and delete
1913 ## directories in /boot.
1915 ## <param name="domain">
1917 ## Domain allowed access.
1921 interface(`files_manage_boot_dirs',`
1926 allow $1 boot_t:dir manage_dir_perms;
1929 ########################################
1931 ## Create a private type object in boot
1932 ## with an automatic type transition
1934 ## <param name="domain">
1936 ## Domain allowed access.
1939 ## <param name="private_type">
1941 ## The type of the object to be created.
1944 ## <param name="object_class">
1946 ## The object class of the object being created.
1950 interface(`files_boot_filetrans',`
# Forwards the caller arguments to filetrans_pattern with boot_t as the
# containing directory type.
# NOTE(review): a fourth argument is passed through here, but the header
# documents only domain, private_type and object_class. It is presumably
# an optional object name for a named transition - confirm and document
# it so callers know the transition can be narrowed to one file name.
1955 filetrans_pattern($1, boot_t, $2, $3, $4)
1958 ########################################
1960 ## Read files in the /boot directory.
1962 ## <param name="domain">
1964 ## Domain allowed access.
1969 interface(`files_read_boot_files',`
1974 read_files_pattern($1, boot_t, boot_t)
1977 ########################################
1979 ## Create, read, write, and delete files
1980 ## in the /boot directory.
1982 ## <param name="domain">
1984 ## Domain allowed access.
1989 interface(`files_manage_boot_files',`
1994 manage_files_pattern($1, boot_t, boot_t)
1997 ########################################
1999 ## Relabel from files in the /boot directory.
2001 ## <param name="domain">
2003 ## Domain allowed access.
2007 interface(`files_relabelfrom_boot_files',`
2012 relabelfrom_files_pattern($1, boot_t, boot_t)
2015 ######################################
2017 ## Read symbolic links in the /boot directory.
2019 ## <param name="domain">
2021 ## Domain allowed access.
2025 interface(`files_read_boot_symlinks',`
2030 read_lnk_files_pattern($1, boot_t, boot_t)
2033 ########################################
2035 ## Read and write symbolic links
2036 ## in the /boot directory.
2038 ## <param name="domain">
2040 ## Domain allowed access.
2044 interface(`files_rw_boot_symlinks',`
2049 allow $1 boot_t:dir list_dir_perms;
2050 rw_lnk_files_pattern($1, boot_t, boot_t)
2053 ########################################
2055 ## Create, read, write, and delete symbolic links
2056 ## in the /boot directory.
2058 ## <param name="domain">
2060 ## Domain allowed access.
2064 interface(`files_manage_boot_symlinks',`
2069 manage_lnk_files_pattern($1, boot_t, boot_t)
2072 ########################################
2074 ## Read kernel files in the /boot directory.
2076 ## <param name="domain">
2078 ## Domain allowed access.
2082 interface(`files_read_kernel_img',`
# The rules below are keyed on the boot_t type, not on file names, so
# they cover every regular file and symbolic link labeled boot_t and
# not only kernel images.
2087 allow $1 boot_t:dir list_dir_perms;
2088 read_files_pattern($1, boot_t, boot_t)
2089 read_lnk_files_pattern($1, boot_t, boot_t)
2092 ########################################
2094 ## Install a kernel into the /boot directory.
2096 ## <param name="domain">
2098 ## Domain allowed access.
2103 interface(`files_create_kernel_img',`
# Grants the create and read/write permission sets on every regular
# file labeled boot_t, and full management of boot_t symbolic links.
# The rules are type-wide, so existing boot_t files are writable too.
# NOTE(review): no directory permission is granted by the two rules
# shown here, so callers presumably need a separate grant to add
# entries under /boot - confirm.
2108 allow $1 boot_t:file { create_file_perms rw_file_perms };
2109 manage_lnk_files_pattern($1, boot_t, boot_t)
2112 ########################################
2114 ## Delete a kernel from /boot.
2116 ## <param name="domain">
2118 ## Domain allowed access.
2123 interface(`files_delete_kernel',`
# delete_files_pattern is called with boot_t as both the directory and
# the file type, so presumably any regular file labeled boot_t can be
# removed by the caller, not only kernel images.
2128 delete_files_pattern($1, boot_t, boot_t)
2131 ########################################
2133 ## Get the attributes of directories with the default file type.
2135 ## <param name="domain">
2137 ## Domain allowed access.
2141 interface(`files_getattr_default_dirs',`
2146 allow $1 default_t:dir getattr;
2149 ########################################
2151 ## Do not audit attempts to get the attributes of
2152 ## directories with the default file type.
2154 ## <param name="domain">
2156 ## Domain to not audit.
2160 interface(`files_dontaudit_getattr_default_dirs',`
2165 dontaudit $1 default_t:dir getattr;
2168 ########################################
2170 ## Search the contents of directories with the default file type.
2172 ## <param name="domain">
2174 ## Domain allowed access.
2178 interface(`files_search_default',`
2183 allow $1 default_t:dir search_dir_perms;
2186 ########################################
2188 ## List contents of directories with the default file type.
2190 ## <param name="domain">
2192 ## Domain allowed access.
2196 interface(`files_list_default',`
2201 allow $1 default_t:dir list_dir_perms;
2204 ########################################
2206 ## Do not audit attempts to list contents of
2207 ## directories with the default file type.
2209 ## <param name="domain">
2211 ## Domain to not audit.
2215 interface(`files_dontaudit_list_default',`
2220 dontaudit $1 default_t:dir list_dir_perms;
2223 ########################################
2225 ## Create, read, write, and delete directories with
2226 ## the default file type.
2228 ## <param name="domain">
2230 ## Domain allowed access.
2234 interface(`files_manage_default_dirs',`
2239 manage_dirs_pattern($1, default_t, default_t)
2242 ########################################
2244 ## Mount a filesystem on a directory with the default file type.
2246 ## <param name="domain">
2248 ## Domain allowed access.
2252 interface(`files_mounton_default',`
2257 allow $1 default_t:dir { search_dir_perms mounton };
2260 ########################################
2262 ## Do not audit attempts to get the attributes of
2263 ## files with the default file type.
2265 ## <param name="domain">
2267 ## Domain to not audit.
2271 interface(`files_dontaudit_getattr_default_files',`
2276 dontaudit $1 default_t:file getattr;
2279 ########################################
2281 ## Read files with the default file type.
2283 ## <param name="domain">
2285 ## Domain allowed access.
2289 interface(`files_read_default_files',`
2294 allow $1 default_t:file read_file_perms;
2297 ########################################
2299 ## Do not audit attempts to read files
2300 ## with the default file type.
2302 ## <param name="domain">
2304 ## Domain to not audit.
2308 interface(`files_dontaudit_read_default_files',`
2313 dontaudit $1 default_t:file read_file_perms;
2316 ########################################
2318 ## Create, read, write, and delete files with
2319 ## the default file type.
2321 ## <param name="domain">
2323 ## Domain allowed access.
2327 interface(`files_manage_default_files',`
2332 manage_files_pattern($1, default_t, default_t)
2335 ########################################
2337 ## Read symbolic links with the default file type.
2339 ## <param name="domain">
2341 ## Domain allowed access.
2345 interface(`files_read_default_symlinks',`
2350 allow $1 default_t:lnk_file read_lnk_file_perms;
2353 ########################################
2355 ## Read sockets with the default file type.
2357 ## <param name="domain">
2359 ## Domain allowed access.
2363 interface(`files_read_default_sockets',`
2368 allow $1 default_t:sock_file read_sock_file_perms;
2371 ########################################
2373 ## Read named pipes with the default file type.
2375 ## <param name="domain">
2377 ## Domain allowed access.
2381 interface(`files_read_default_pipes',`
2386 allow $1 default_t:fifo_file read_fifo_file_perms;
2389 ########################################
2391 ## Search the contents of /etc directories.
2393 ## <param name="domain">
2395 ## Domain allowed access.
2399 interface(`files_search_etc',`
2404 allow $1 etc_t:dir search_dir_perms;
2407 ########################################
2409 ## Set the attributes of the /etc directories.
2411 ## <param name="domain">
2413 ## Domain allowed access.
2417 interface(`files_setattr_etc_dirs',`
2422 allow $1 etc_t:dir setattr;
2425 ########################################
2427 ## List the contents of /etc directories.
2429 ## <param name="domain">
2431 ## Domain allowed access.
2435 interface(`files_list_etc',`
2440 allow $1 etc_t:dir list_dir_perms;
2443 ########################################
2445 ## Do not audit attempts to write to /etc dirs.
2447 ## <param name="domain">
2449 ## Domain to not audit.
2453 interface(`files_dontaudit_write_etc_dirs',`
# A dontaudit rule grants nothing: writes to etc_t directories stay
# denied, but the denial is no longer logged. When investigating a
# domain that uses this interface, rebuild the policy with dontaudit
# rules disabled (semodule -DB) to see the suppressed attempts.
2458 dontaudit $1 etc_t:dir write;
2461 ########################################
2463 ## Add and remove entries from /etc directories.
2465 ## <param name="domain">
2467 ## Domain allowed access.
2471 interface(`files_rw_etc_dirs',`
2476 allow $1 etc_t:dir rw_dir_perms;
2479 #######################################
2481 ## Do not audit attempts to remove /etc directories.
2483 ## <param name="domain">
2485 ## Domain to not audit.
2489 interface(`files_dontaudit_remove_etc_dir',`
2494 dontaudit $1 etc_t:dir rmdir;
2497 ##########################################
2499 ## Manage generic directories in /etc
2501 ## <param name="domain">
2503 ## Domain allowed access
2508 interface(`files_manage_etc_dirs',`
2513 manage_dirs_pattern($1, etc_t, etc_t)
2516 ########################################
2518 ## Read generic files in /etc.
2522 ## Allow the specified domain to read generic
2523 ## files in /etc. These files are typically
2524 ## general system configuration files that do
2525 ## not have more specific SELinux types. Some
2526 ## examples of these files are:
2529 ## <li>/etc/fstab</li>
2530 ## <li>/etc/passwd</li>
2531 ## <li>/etc/services</li>
2532 ## <li>/etc/shells</li>
2535 ## This interface does not include access to /etc/shadow.
2538 ## Generally, it is safe for many domains to have
2539 ## this access. However, since this interface provides
2540 ## access to the /etc/passwd file, caution must be
2541 ## exercised, as user account names can be leaked
2542 ## through this access.
2545 ## Related interfaces:
2548 ## <li>auth_read_shadow()</li>
2549 ## <li>files_read_etc_runtime_files()</li>
2550 ## <li>seutil_read_config()</li>
2553 ## <param name="domain">
2555 ## Domain allowed access.
2558 ## <infoflow type="read" weight="10"/>
2560 interface(`files_read_etc_files',`
2565 allow $1 etc_t:dir list_dir_perms;
2566 read_files_pattern($1, etc_t, etc_t)
2567 read_lnk_files_pattern($1, etc_t, etc_t)
2570 ########################################
2572 ## Do not audit attempts to write generic files in /etc.
2574 ## <param name="domain">
2576 ## Domain to not audit.
2580 interface(`files_dontaudit_write_etc_files',`
# A dontaudit rule grants nothing: writes to etc_t files stay denied,
# but the denial is no longer logged. Write attempts on configuration
# files can be a useful detection signal, so use this interface only
# for domains whose denied writes are known to be harmless noise.
2585 dontaudit $1 etc_t:file write;
2588 ########################################
2590 ## Read and write generic files in /etc.
2592 ## <param name="domain">
2594 ## Domain allowed access.
2599 interface(`files_rw_etc_files',`
# Lists etc_t directories, reads and writes etc_t files, and reads
# etc_t symbolic links.
# NOTE(review): the files_read_etc_files header in this file names
# /etc/passwd and /etc/fstab as examples of generic etc_t files, so
# write access here reaches account and mount configuration. Keep the
# set of calling domains small and prefer a private type where one
# exists.
2604 allow $1 etc_t:dir list_dir_perms;
2605 rw_files_pattern($1, etc_t, etc_t)
2606 read_lnk_files_pattern($1, etc_t, etc_t)
2609 ########################################
2611 ## Create, read, write, and delete generic files in /etc.
2614 ## <param name="domain">
2616 ## Domain allowed access.
2621 interface(`files_manage_etc_files',`
# Applies manage_files_pattern to etc_t files in etc_t directories and
# allows reading etc_t symbolic links.
# NOTE(review): the rules are type-wide. The files_read_etc_files
# header in this file lists /etc/passwd and /etc/fstab as generic etc_t
# files, so callers can presumably create, replace and delete them.
# Prefer a private type with a file transition for files a domain owns.
2626 manage_files_pattern($1, etc_t, etc_t)
2627 read_lnk_files_pattern($1, etc_t, etc_t)
2630 ########################################
2632 ## Do not audit attempts to check the
2633 ## access on etc files
2635 ## <param name="domain">
2637 ## Domain to not audit.
2641 interface(`files_dontaudit_access_check_etc',`
2646 dontaudit $1 etc_t:file_class_set audit_access;
2649 ########################################
2651 ## Delete system configuration files in /etc.
2653 ## <param name="domain">
2655 ## Domain allowed access.
2659 interface(`files_delete_etc_files',`
2664 delete_files_pattern($1, etc_t, etc_t)
2667 ########################################
2669 ## Remove entries from the etc directory.
2671 ## <param name="domain">
2673 ## Domain allowed access.
2677 interface(`files_delete_etc_dir_entry',`
2682 allow $1 etc_t:dir del_entry_dir_perms;
2685 ########################################
2687 ## Execute generic files in /etc.
2689 ## <param name="domain">
2691 ## Domain allowed access.
2695 interface(`files_exec_etc_files',`
# Lists etc_t directories, reads etc_t symbolic links and applies
# exec_files_pattern to etc_t files.
# NOTE(review): exec_files_pattern is defined outside this file and
# presumably runs the file in the caller domain without a transition.
# Review this grant together with any interface that lets the same or
# a less trusted domain write etc_t files.
2700 allow $1 etc_t:dir list_dir_perms;
2701 read_lnk_files_pattern($1, etc_t, etc_t)
2702 exec_files_pattern($1, etc_t, etc_t)
2705 #######################################
2707 ## Relabel from and to generic files in /etc.
2709 ## <param name="domain">
2711 ## Domain allowed access.
2715 interface(`files_relabel_etc_files',`
# Lists etc_t directories and applies relabel_files_pattern to etc_t
# files; per the header this covers relabeling both from and to etc_t.
# NOTE(review): relabeling changes which rules protect a file, so treat
# this grant as at least as sensitive as write access to the same files.
2720 allow $1 etc_t:dir list_dir_perms;
2721 relabel_files_pattern($1, etc_t, etc_t)
2724 ########################################
2726 ## Read symbolic links in /etc.
2728 ## <param name="domain">
2730 ## Domain allowed access.
2734 interface(`files_read_etc_symlinks',`
2739 read_lnk_files_pattern($1, etc_t, etc_t)
2742 ########################################
2744 ## Create, read, write, and delete symbolic links in /etc.
2746 ## <param name="domain">
2748 ## Domain allowed access.
2752 interface(`files_manage_etc_symlinks',`
2757 manage_lnk_files_pattern($1, etc_t, etc_t)
2760 ########################################
2762 ## Create objects in /etc with a private
2763 ## type using a type_transition.
2765 ## <param name="domain">
2767 ## Domain allowed access.
2770 ## <param name="file_type">
2772 ## Private file type.
2775 ## <param name="class">
2777 ## Object classes to be created.
2781 interface(`files_etc_filetrans',`
# Forwards the caller arguments to filetrans_pattern with etc_t as the
# containing directory type.
# NOTE(review): a fourth argument is passed through here, but the header
# documents only domain, file_type and class. It is presumably an
# optional object name for a named transition - confirm and document it.
2786 filetrans_pattern($1, etc_t, $2, $3, $4)
2789 ########################################
2791 ## Create a boot flag.
2795 ## Create a boot flag, such as
2796 ## /.autorelabel and /.autofsck.
2799 ## <param name="domain">
2801 ## Domain allowed access.
2806 interface(`files_create_boot_flag',`
2808 type root_t, etc_runtime_t;
# The allow rule is not limited to the flag files: it grants
# manage_file_perms on every file labeled etc_runtime_t. The header of
# files_read_etc_runtime_files in this file lists /etc/mtab, /etc/motd
# and /etc/nologin as examples of that type.
2811 allow $1 etc_runtime_t:file manage_file_perms;
# Requests a transition to etc_runtime_t for regular files created in a
# root_t directory.
# NOTE(review): no object name is passed, so this presumably applies to
# any regular file the caller creates there - confirm whether a named
# transition restricted to the flag files is intended.
2812 filetrans_pattern($1, root_t, etc_runtime_t, file)
2815 ########################################
2817 ## Delete a boot flag.
2821 ## Delete a boot flag, such as
2822 ## /.autorelabel and /.autofsck.
2825 ## <param name="domain">
2827 ## Domain allowed access.
2832 interface(`files_delete_boot_flag',`
2834 type root_t, etc_runtime_t;
# delete_files_pattern is called with root_t as the directory type and
# etc_runtime_t as the file type, so presumably any etc_runtime_t file
# located in a root_t directory can be removed, not only the flag
# files named in the header.
2837 delete_files_pattern($1, root_t, etc_runtime_t)
2840 ########################################
2842 ## Read files in /etc that are dynamically
2843 ## created on boot, such as mtab.
2847 ## Allow the specified domain to read dynamically created
2848 ## configuration files in /etc. These files are typically
2849 ## general system configuration files that do
2850 ## not have more specific SELinux types. Some
2851 ## examples of these files are:
2854 ## <li>/etc/motd</li>
2855 ## <li>/etc/mtab</li>
2856 ## <li>/etc/nologin</li>
2859 ## This interface does not include access to /etc/shadow.
2862 ## <param name="domain">
2864 ## Domain allowed access.
2867 ## <infoflow type="read" weight="10" />
2870 interface(`files_read_etc_runtime_files',`
2872 type etc_t, etc_runtime_t;
2875 allow $1 etc_t:dir list_dir_perms;
2876 read_files_pattern($1, etc_t, etc_runtime_t)
2877 read_lnk_files_pattern($1, etc_t, etc_runtime_t)
2880 ########################################
2882 ## Do not audit attempts to set the attributes of the etc_runtime files
2884 ## <param name="domain">
2886 ## Domain to not audit.
2890 interface(`files_dontaudit_setattr_etc_runtime_files',`
2895 dontaudit $1 etc_runtime_t:file setattr;
2898 ########################################
2900 ## Do not audit attempts to read files
2901 ## in /etc that are dynamically
2902 ## created on boot, such as mtab.
2904 ## <param name="domain">
2906 ## Domain to not audit.
2910 interface(`files_dontaudit_read_etc_runtime_files',`
2915 dontaudit $1 etc_runtime_t:file { getattr read };
2918 ########################################
2920 ## Read and write files in /etc that are dynamically
2921 ## created on boot, such as mtab.
2923 ## <param name="domain">
2925 ## Domain allowed access.
2930 interface(`files_rw_etc_runtime_files',`
2932 type etc_t, etc_runtime_t;
# Lists etc_t directories and reads and writes etc_runtime_t files
# found in them.
2935 allow $1 etc_t:dir list_dir_perms;
2936 rw_files_pattern($1, etc_t, etc_runtime_t)
# NOTE(review): this rule targets etc_t symbolic links, while the
# sibling files_read_etc_runtime_files targets etc_runtime_t links.
# Confirm which target type is intended.
2937 read_lnk_files_pattern($1, etc_t, etc_t)
2940 ########################################
2942 ## Create, read, write, and delete files in
2943 ## /etc that are dynamically created on boot, such as mtab.
2946 ## <param name="domain">
2948 ## Domain allowed access.
2953 interface(`files_manage_etc_runtime_files',`
2955 type etc_t, etc_runtime_t;
# manage_files_pattern receives both etc_t and etc_runtime_t as
# directory types, with etc_runtime_t as the file type.
# NOTE(review): the pattern is defined outside this file; it presumably
# grants write access to the listed directory types so entries can be
# added and removed. If so, callers can modify etc_t directories
# themselves and not just etc_runtime_t files - confirm.
2958 manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
2959 read_lnk_files_pattern($1, etc_t, etc_runtime_t)
2962 ########################################
2964 ## Create etc runtime objects with an automatic type transition.
2967 ## <param name="domain">
2969 ## Domain allowed access.
2972 ## <param name="object">
2974 ## The class of the object being created.
2978 interface(`files_etc_filetrans_etc_runtime',`
2980 type etc_t, etc_runtime_t;
# Requests a transition to etc_runtime_t for objects of the given class
# created in etc_t directories. Unlike files_etc_filetrans in this
# file, only the object class is forwarded and no further argument is
# passed, so the transition is presumably not limited to one file name.
2983 filetrans_pattern($1, etc_t, etc_runtime_t, $2)
2986 ########################################
2988 ## Get the attributes of directories on new filesystems
2989 ## that have not yet been labeled.
2991 ## <param name="domain">
2993 ## Domain allowed access.
2997 interface(`files_getattr_isid_type_dirs',`
3002 allow $1 file_t:dir getattr;
3005 ########################################
3007 ## Do not audit attempts to search directories on new filesystems
3008 ## that have not yet been labeled.
3010 ## <param name="domain">
3012 ## Domain to not audit.
3016 interface(`files_dontaudit_search_isid_type_dirs',`
3021 dontaudit $1 file_t:dir search_dir_perms;
3024 ########################################
3026 ## List the contents of directories on new filesystems
3027 ## that have not yet been labeled.
3029 ## <param name="domain">
3031 ## Domain allowed access.
3035 interface(`files_list_isid_type_dirs',`
3040 allow $1 file_t:dir list_dir_perms;
3043 ########################################
3045 ## Read and write directories on new filesystems
3046 ## that have not yet been labeled.
3048 ## <param name="domain">
3050 ## Domain allowed access.
3054 interface(`files_rw_isid_type_dirs',`
3059 allow $1 file_t:dir rw_dir_perms;
3062 ########################################
3064 ## Delete directories on new filesystems
3065 ## that have not yet been labeled.
3067 ## <param name="domain">
3069 ## Domain allowed access.
3073 interface(`files_delete_isid_type_dirs',`
3078 delete_dirs_pattern($1, file_t, file_t)
3081 ########################################
3083 ## Create, read, write, and delete directories
3084 ## on new filesystems that have not yet been labeled.
3086 ## <param name="domain">
3088 ## Domain allowed access.
3092 interface(`files_manage_isid_type_dirs',`
3097 allow $1 file_t:dir manage_dir_perms;
3100 ########################################
3102 ## Mount a filesystem on a directory on new filesystems
3103 ## that has not yet been labeled.
3105 ## <param name="domain">
3107 ## Domain allowed access.
3111 interface(`files_mounton_isid_type_dirs',`
3116 allow $1 file_t:dir { search_dir_perms mounton };
3119 ########################################
3121 ## Read files on new filesystems
3122 ## that have not yet been labeled.
3124 ## <param name="domain">
3126 ## Domain allowed access.
3130 interface(`files_read_isid_type_files',`
3135 allow $1 file_t:file read_file_perms;
3138 ########################################
3140 ## Delete files on new filesystems
3141 ## that have not yet been labeled.
3143 ## <param name="domain">
3145 ## Domain allowed access.
3149 interface(`files_delete_isid_type_files',`
3154 delete_files_pattern($1, file_t, file_t)
3157 ########################################
3159 ## Delete symbolic links on new filesystems
3160 ## that have not yet been labeled.
3162 ## <param name="domain">
3164 ## Domain allowed access.
3168 interface(`files_delete_isid_type_symlinks',`
3173 delete_lnk_files_pattern($1, file_t, file_t)
3176 ########################################
3178 ## Delete named pipes on new filesystems
3179 ## that have not yet been labeled.
3181 ## <param name="domain">
3183 ## Domain allowed access.
3187 interface(`files_delete_isid_type_fifo_files',`
3192 delete_fifo_files_pattern($1, file_t, file_t)
3195 ########################################
3197 ## Delete named sockets on new filesystems
3198 ## that have not yet been labeled.
3200 ## <param name="domain">
3202 ## Domain allowed access.
3206 interface(`files_delete_isid_type_sock_files',`
3211 delete_sock_files_pattern($1, file_t, file_t)
3214 ########################################
3216 ## Delete block files on new filesystems
3217 ## that have not yet been labeled.
3219 ## <param name="domain">
3221 ## Domain allowed access.
3225 interface(`files_delete_isid_type_blk_files',`
3230 delete_blk_files_pattern($1, file_t, file_t)
3233 ########################################
3235 ## Do not audit attempts to write to character
3236 ## files that have not yet been labeled.
3238 ## <param name="domain">
3240 ## Domain to not audit.
3244 interface(`files_dontaudit_write_isid_chr_files',`
3249 dontaudit $1 file_t:chr_file write;
3252 ########################################
3254 ## Delete chr files on new filesystems
3255 ## that have not yet been labeled.
3257 ## <param name="domain">
3259 ## Domain allowed access.
3263 interface(`files_delete_isid_type_chr_files',`
3268 delete_chr_files_pattern($1, file_t, file_t)
3271 ########################################
3273 ## Create, read, write, and delete files
3274 ## on new filesystems that have not yet been labeled.
3276 ## <param name="domain">
3278 ## Domain allowed access.
3282 interface(`files_manage_isid_type_files',`
3287 allow $1 file_t:file manage_file_perms;
3290 ########################################
3292 ## Create, read, write, and delete symbolic links
3293 ## on new filesystems that have not yet been labeled.
3295 ## <param name="domain">
3297 ## Domain allowed access.
3301 interface(`files_manage_isid_type_symlinks',`
3306 allow $1 file_t:lnk_file manage_lnk_file_perms;
3309 ########################################
3311 ## Read and write block device nodes on new filesystems
3312 ## that have not yet been labeled.
3314 ## <param name="domain">
3316 ## Domain allowed access.
3320 interface(`files_rw_isid_type_blk_files',`
# Read and write access to block device nodes labeled file_t, which the
# header describes as nodes on filesystems that are not yet labeled.
# NOTE(review): access to a block device node normally means raw access
# to the underlying storage, independent of the labels on the files
# stored there. Grant only to domains trusted with the whole device.
3325 allow $1 file_t:blk_file rw_blk_file_perms;
3328 ########################################
3330 ## Create, read, write, and delete block device nodes
3331 ## on new filesystems that have not yet been labeled.
3333 ## <param name="domain">
3335 ## Domain allowed access.
3339 interface(`files_manage_isid_type_blk_files',`
# Full management of block device nodes labeled file_t; per the header
# this includes creating and deleting them as well as reading and
# writing.
# NOTE(review): a domain that can create and open block device nodes
# can normally reach the underlying storage directly. Restrict callers
# to labeling and installation tooling.
3344 allow $1 file_t:blk_file manage_blk_file_perms;
3347 ########################################
3349 ## Create, read, write, and delete character device nodes
3350 ## on new filesystems that have not yet been labeled.
3352 ## <param name="domain">
3354 ## Domain allowed access.
3358 interface(`files_manage_isid_type_chr_files',`
# Full management of character device nodes labeled file_t; per the
# header this includes creating and deleting them as well as reading
# and writing.
# NOTE(review): the type does not identify which device a node refers
# to, so this grant covers any character device node that carries the
# file_t label. Restrict callers accordingly.
3363 allow $1 file_t:chr_file manage_chr_file_perms;
3366 ########################################
3368 ## Get the attributes of the home directories root (/home).
3371 ## <param name="domain">
3373 ## Domain allowed access.
3377 interface(`files_getattr_home_dir',`
3382 allow $1 home_root_t:dir getattr;
3383 allow $1 home_root_t:lnk_file getattr;
3386 ########################################
3388 ## Do not audit attempts to get the
3389 ## attributes of the home directories root (/home).
3392 ## <param name="domain">
3394 ## Domain to not audit.
3398 interface(`files_dontaudit_getattr_home_dir',`
3403 dontaudit $1 home_root_t:dir getattr;
3404 dontaudit $1 home_root_t:lnk_file getattr;
3407 ########################################
3409 ## Search home directories root (/home).
3411 ## <param name="domain">
3413 ## Domain allowed access.
3417 interface(`files_search_home',`
3422 allow $1 home_root_t:dir search_dir_perms;
3423 allow $1 home_root_t:lnk_file read_lnk_file_perms;
3426 ########################################
3428 ## Do not audit attempts to search
3429 ## home directories root (/home).
3431 ## <param name="domain">
3433 ## Domain to not audit.
3437 interface(`files_dontaudit_search_home',`
3442 dontaudit $1 home_root_t:dir search_dir_perms;
3443 dontaudit $1 home_root_t:lnk_file read_lnk_file_perms;
3446 ########################################
3448 ## Do not audit attempts to list
3449 ## home directories root (/home).
3451 ## <param name="domain">
3453 ## Domain to not audit.
3457 interface(`files_dontaudit_list_home',`
3462 dontaudit $1 home_root_t:dir list_dir_perms;
3463 dontaudit $1 home_root_t:lnk_file read_lnk_file_perms;
3466 ########################################
3468 ## Get listing of home directories.
3470 ## <param name="domain">
3472 ## Domain allowed access.
3476 interface(`files_list_home',`
3481 allow $1 home_root_t:dir list_dir_perms;
3482 allow $1 home_root_t:lnk_file read_lnk_file_perms;
3485 ########################################
3487 ## Relabel to user home root (/home).
3489 ## <param name="domain">
3491 ## Domain allowed access.
3495 interface(`files_relabelto_home',`
3500 allow $1 home_root_t:dir relabelto;
3503 ########################################
3505 ## Create objects in /home.
3507 ## <param name="domain">
3509 ## Domain allowed access.
3512 ## <param name="home_type">
3514 ## The private type.
3517 ## <param name="object">
3519 ## The class of the object being created.
3523 interface(`files_home_filetrans',`
# Forwards the caller arguments to filetrans_pattern with home_root_t
# as the containing directory type.
# NOTE(review): a fourth argument is passed through here, but the header
# documents only domain, home_type and object. It is presumably an
# optional object name for a named transition - confirm and document it.
3528 filetrans_pattern($1, home_root_t, $2, $3, $4)
3531 ########################################
3533 ## Get the attributes of lost+found directories.
3535 ## <param name="domain">
3537 ## Domain allowed access.
3541 interface(`files_getattr_lost_found_dirs',`
3546 allow $1 lost_found_t:dir getattr;
3549 ########################################
3551 ## Do not audit attempts to get the attributes of
3552 ## lost+found directories.
3554 ## <param name="domain">
3556 ## Domain to not audit.
3560 interface(`files_dontaudit_getattr_lost_found_dirs',`
3565 dontaudit $1 lost_found_t:dir getattr;
3568 #######################################
3570 ## List the contents of lost+found directories.
3572 ## <param name="domain">
3574 ## Domain allowed access.
3578 interface(`files_list_lost_found',`
3583 allow $1 lost_found_t:dir list_dir_perms;
3586 ########################################
3588 ## Create, read, write, and delete objects in
3589 ## lost+found directories.
3591 ## <param name="domain">
3593 ## Domain allowed access.
3598 interface(`files_manage_lost_found',`
# Applies the manage patterns for directories, regular files, symbolic
# links, named pipes and named sockets labeled lost_found_t. Block and
# character device nodes are not covered by any rule here.
3603 manage_dirs_pattern($1, lost_found_t, lost_found_t)
3604 manage_files_pattern($1, lost_found_t, lost_found_t)
3605 manage_lnk_files_pattern($1, lost_found_t, lost_found_t)
3606 manage_fifo_files_pattern($1, lost_found_t, lost_found_t)
3607 manage_sock_files_pattern($1, lost_found_t, lost_found_t)
3610 ########################################
3612 ## Search the contents of /mnt.
3614 ## <param name="domain">
3616 ## Domain allowed access.
3620 interface(`files_search_mnt',`
3625 allow $1 mnt_t:dir search_dir_perms;
3628 ########################################
3630 ## Do not audit attempts to search /mnt.
3632 ## <param name="domain">
3634 ## Domain to not audit.
3638 interface(`files_dontaudit_search_mnt',`
3643 dontaudit $1 mnt_t:dir search_dir_perms;
3646 ########################################
3648 ## List the contents of /mnt.
3650 ## <param name="domain">
3652 ## Domain allowed access.
3656 interface(`files_list_mnt',`
3661 allow $1 mnt_t:dir list_dir_perms;
3664 ######################################
3666 ## Do not audit attempts to list the contents of /mnt.
3668 ## <param name="domain">
3670 ## Domain to not audit.
3674 interface(`files_dontaudit_list_mnt',`
3679 dontaudit $1 mnt_t:dir list_dir_perms;
3682 ########################################
3684 ## Do not audit attempts to check the
3685 ## write access on mnt files
3687 ## <param name="domain">
3689 ## Domain to not audit.
3693 interface(`files_dontaudit_access_check_mnt',`
3697 dontaudit $1 mnt_t:file_class_set audit_access;
3700 ########################################
3702 ## Mount a filesystem on /mnt.
3704 ## <param name="domain">
3706 ## Domain allowed access.
3710 interface(`files_mounton_mnt',`
3715 allow $1 mnt_t:dir { search_dir_perms mounton };
3718 ########################################
3720 ## Create, read, write, and delete directories in /mnt.
3722 ## <param name="domain">
3724 ## Domain allowed access.
3729 interface(`files_manage_mnt_dirs',`
3734 allow $1 mnt_t:dir manage_dir_perms;
3737 ########################################
3739 ## Create, read, write, and delete files in /mnt.
3741 ## <param name="domain">
3743 ## Domain allowed access.
3747 interface(`files_manage_mnt_files',`
3752 manage_files_pattern($1, mnt_t, mnt_t)
3755 ########################################
3757 ## Read files in /mnt.
3759 ## <param name="domain">
3761 ## Domain allowed access.
3765 interface(`files_read_mnt_files',`
3770 read_files_pattern($1, mnt_t, mnt_t)
3773 ######################################
3775 ## Read symbolic links in /mnt.
3777 ## <param name="domain">
3779 ## Domain allowed access.
3783 interface(`files_read_mnt_symlinks',`
3788 read_lnk_files_pattern($1, mnt_t, mnt_t)
3791 ########################################
3793 ## Create, read, write, and delete symbolic links in /mnt.
3795 ## <param name="domain">
3797 ## Domain allowed access.
3801 interface(`files_manage_mnt_symlinks',`
3806 manage_lnk_files_pattern($1, mnt_t, mnt_t)
3809 ########################################
3811 ## Search the contents of the kernel module directories.
3813 ## <param name="domain">
3815 ## Domain allowed access.
3819 interface(`files_search_kernel_modules',`
3821 type modules_object_t;
3824 allow $1 modules_object_t:dir search_dir_perms;
3825 read_lnk_files_pattern($1, modules_object_t, modules_object_t)
3828 ########################################
3830 ## List the contents of the kernel module directories.
3832 ## <param name="domain">
3834 ## Domain allowed access.
3838 interface(`files_list_kernel_modules',`
3840 type modules_object_t;
3843 allow $1 modules_object_t:dir list_dir_perms;
3846 ########################################
3848 ## Get the attributes of kernel module files.
3850 ## <param name="domain">
3852 ## Domain allowed access.
3856 interface(`files_getattr_kernel_modules',`
3858 type modules_object_t;
3861 getattr_files_pattern($1, modules_object_t, modules_object_t)
3864 ########################################
3866 ## Read kernel module files.
3868 ## <param name="domain">
3870 ## Domain allowed access.
3874 interface(`files_read_kernel_modules',`
3876 type modules_object_t;
3879 allow $1 modules_object_t:dir list_dir_perms;
3880 read_files_pattern($1, modules_object_t, modules_object_t)
3881 read_lnk_files_pattern($1, modules_object_t, modules_object_t)
3884 ########################################
3886 ## Write kernel module files.
3888 ## <param name="domain">
3890 ## Domain allowed access.
3894 interface(`files_write_kernel_modules',`
3896 type modules_object_t;
# Lists modules_object_t directories and applies write_files_pattern to
# modules_object_t files.
# NOTE(review): per the header these are kernel module files, so a
# domain with this access can change code that may later be loaded into
# the kernel. Keep callers to module installation tooling and pair the
# grant with module signature enforcement where available.
3899 allow $1 modules_object_t:dir list_dir_perms;
3900 write_files_pattern($1, modules_object_t, modules_object_t)
3903 ########################################
3905 ## Delete kernel module files.
3907 ## <param name="domain">
3909 ## Domain allowed access.
3913 interface(`files_delete_kernel_modules',`
3915 type modules_object_t;
3918 delete_files_pattern($1, modules_object_t, modules_object_t)
3921 ########################################
3923 ## Create, read, write, and delete
3924 ## kernel module files.
3926 ## <param name="domain">
3928 ## Domain allowed access.
3933 interface(`files_manage_kernel_modules',`
3935 type modules_object_t;
# Applies manage_files_pattern to modules_object_t files in
# modules_object_t directories; per the header this covers create,
# read, write and delete.
# NOTE(review): this lets the caller add or replace kernel module
# files. Treat callers as part of the kernel trust boundary and keep
# the list short.
3938 manage_files_pattern($1, modules_object_t, modules_object_t)
3941 ########################################
3943 ## Relabel from and to kernel module files.
3945 ## <param name="domain">
3947 ## Domain allowed access.
3951 interface(`files_relabel_kernel_modules',`
3953 type modules_object_t;
# Applies relabel_files_pattern to modules_object_t files and lists
# modules_object_t directories; per the header the relabel covers both
# from and to the type.
# NOTE(review): relabeling a file to modules_object_t makes it look
# like a kernel module file to every other rule keyed on that type, so
# restrict this to labeling and package management domains.
3956 relabel_files_pattern($1, modules_object_t, modules_object_t)
3957 allow $1 modules_object_t:dir list_dir_perms;
3960 ########################################
3962 ## Create objects in the kernel module directories
3963 ## with a private type via an automatic type transition.
3965 ## <param name="domain">
3967 ## Domain allowed access.
3970 ## <param name="private_type">
3972 ## The type of the object to be created.
3975 ## <param name="object_class">
3977 ## The object class of the object being created.
3981 interface(`files_kernel_modules_filetrans',`
3983 type modules_object_t;
# $1 is the domain, $2 the private type and $3 the object class.
# $4 is also forwarded to filetrans_pattern but has no entry in the parameter
# list above this interface - presumably the optional object name; confirm.
3986 filetrans_pattern($1, modules_object_t, $2, $3, $4)
3989 ########################################
3991 ## List world-readable directories.
3993 ## <param name="domain">
3995 ## Domain allowed access.
4000 interface(`files_list_world_readable',`
4005 allow $1 readable_t:dir list_dir_perms;
4008 ########################################
4010 ## Read world-readable files.
4012 ## <param name="domain">
4014 ## Domain allowed access.
4019 interface(`files_read_world_readable_files',`
4024 allow $1 readable_t:file read_file_perms;
4027 ########################################
4029 ## Read world-readable symbolic links.
4031 ## <param name="domain">
4033 ## Domain allowed access.
4038 interface(`files_read_world_readable_symlinks',`
4043 allow $1 readable_t:lnk_file read_lnk_file_perms;
4046 ########################################
4048 ## Read world-readable named pipes.
4050 ## <param name="domain">
4052 ## Domain allowed access.
4056 interface(`files_read_world_readable_pipes',`
4061 allow $1 readable_t:fifo_file read_fifo_file_perms;
4064 ########################################
4066 ## Read world-readable sockets.
4068 ## <param name="domain">
4070 ## Domain allowed access.
4074 interface(`files_read_world_readable_sockets',`
4079 allow $1 readable_t:sock_file read_sock_file_perms;
4082 #######################################
4084 ## Read manageable system configuration files in /etc
4086 ## <param name="domain">
4088 ## Domain allowed access.
4092 interface(`files_read_system_conf_files',`
4094 type etc_t, system_conf_t;
4097 allow $1 etc_t:dir list_dir_perms;
4098 read_files_pattern($1, etc_t, system_conf_t)
4099 read_lnk_files_pattern($1, etc_t, system_conf_t)
4102 ######################################
4104 ## Manage manageable system configuration files in /etc.
4106 ## <param name="domain">
4108 ## Domain allowed access.
4112 interface(`files_manage_system_conf_files',`
4114 type etc_t, system_conf_t;
4117 manage_files_pattern($1, { etc_t system_conf_t }, system_conf_t)
4120 ######################################
4122 ## Relabel to manageable system configuration files in /etc.
4124 ## <param name="domain">
4126 ## Domain allowed access.
4130 interface(`files_relabelto_system_conf_files',`
4135 relabelto_files_pattern($1, system_conf_t, system_conf_t)
4138 ######################################
4140 ## Relabel from manageable system configuration files in /etc.
4142 ## <param name="domain">
4144 ## Domain allowed access.
4148 interface(`files_relabelfrom_system_conf_files',`
4153 relabelfrom_files_pattern($1, system_conf_t, system_conf_t)
4156 ###################################
4158 ## Create files in /etc with the type used for
4159 ## the manageable system config files.
4161 ## <param name="domain">
4163 ## The type of the process performing this action.
4167 interface(`files_etc_filetrans_system_conf',`
4169 type etc_t, system_conf_t;
4172 filetrans_pattern($1, etc_t, system_conf_t, file)
4175 ########################################
4177 ## Allow the specified type to associate
4178 ## to a filesystem with the type of the
4179 ## temporary directory (/tmp).
4181 ## <param name="file_type">
4183 ## Type of the file to associate.
4187 interface(`files_associate_tmp',`
4192 allow $1 tmp_t:filesystem associate;
4195 ########################################
4197 ## Get the attributes of the tmp directory (/tmp).
4199 ## <param name="domain">
4201 ## Domain allowed access.
4205 interface(`files_getattr_tmp_dirs',`
4210 allow $1 tmp_t:dir getattr;
4213 ########################################
4215 ## Do not audit attempts to get the
4216 ## attributes of the tmp directory (/tmp).
4218 ## <param name="domain">
4220 ## Domain to not audit.
4224 interface(`files_dontaudit_getattr_tmp_dirs',`
4229 dontaudit $1 tmp_t:dir getattr;
4232 ########################################
4234 ## Search the tmp directory (/tmp).
4236 ## <param name="domain">
4238 ## Domain allowed access.
4242 interface(`files_search_tmp',`
4247 allow $1 tmp_t:dir search_dir_perms;
4250 ########################################
4252 ## Do not audit attempts to search the tmp directory (/tmp).
4254 ## <param name="domain">
4256 ## Domain to not audit.
4260 interface(`files_dontaudit_search_tmp',`
4265 dontaudit $1 tmp_t:dir search_dir_perms;
4268 ########################################
4270 ## Read the tmp directory (/tmp).
4272 ## <param name="domain">
4274 ## Domain allowed access.
4278 interface(`files_list_tmp',`
4283 allow $1 tmp_t:dir list_dir_perms;
4286 ########################################
4288 ## Do not audit listing of the tmp directory (/tmp).
4290 ## <param name="domain">
4292 ## Domain to not audit.
4296 interface(`files_dontaudit_list_tmp',`
4301 dontaudit $1 tmp_t:dir list_dir_perms;
4304 #######################################
4306 ## Allow read and write to the tmp directory (/tmp).
4308 ## <param name="domain">
4310 ## Domain allowed access.
4314 interface(`files_rw_generic_tmp_dir',`
4319 allow $1 tmp_t:dir rw_dir_perms;
4322 ########################################
4324 ## Remove entries from the tmp directory.
4326 ## <param name="domain">
4328 ## Domain allowed access.
4332 interface(`files_delete_tmp_dir_entry',`
4337 allow $1 tmp_t:dir del_entry_dir_perms;
4340 ########################################
4342 ## Read files in the tmp directory (/tmp).
4344 ## <param name="domain">
4346 ## Domain allowed access.
4350 interface(`files_read_generic_tmp_files',`
4355 read_files_pattern($1, tmp_t, tmp_t)
4358 ########################################
4360 ## Manage temporary directories in /tmp.
4362 ## <param name="domain">
4364 ## Domain allowed access.
4368 interface(`files_manage_generic_tmp_dirs',`
4373 manage_dirs_pattern($1, tmp_t, tmp_t)
4376 ########################################
4378 ## Allow shared library text relocations in tmp files.
4382 ## Allow shared library text relocations in tmp files.
4385 ## This is added to support java policy.
4388 ## <param name="domain">
4390 ## Domain allowed access.
4394 interface(`files_execmod_tmp',`
# NOTE(review): the rule names tmpfile rather than tmp_t, so execmod is
# granted on files of every type matched by tmpfile (presumably the attribute
# for all temporary file types - confirm), not only generic /tmp files.
# execmod permits text relocations on these files, so keep the set of
# calling domains small.
4399 allow $1 tmpfile:file execmod;
4402 ########################################
4404 ## Manage temporary files in /tmp.
4406 ## <param name="domain">
4408 ## Domain allowed access.
4412 interface(`files_manage_generic_tmp_files',`
4417 manage_files_pattern($1, tmp_t, tmp_t)
4420 ########################################
4422 ## Read symbolic links in the tmp directory (/tmp).
4424 ## <param name="domain">
4426 ## Domain allowed access.
4430 interface(`files_read_generic_tmp_symlinks',`
4435 read_lnk_files_pattern($1, tmp_t, tmp_t)
4438 ########################################
4440 ## Read and write generic named sockets in the tmp directory (/tmp).
4442 ## <param name="domain">
4444 ## Domain allowed access.
4448 interface(`files_rw_generic_tmp_sockets',`
4453 rw_sock_files_pattern($1, tmp_t, tmp_t)
4456 ########################################
4458 ## Relabel a dir from the type used in /tmp.
4460 ## <param name="domain">
4462 ## Domain allowed access.
4466 interface(`files_relabelfrom_tmp_dirs',`
4471 relabelfrom_dirs_pattern($1, tmp_t, tmp_t)
4474 ########################################
4476 ## Relabel a file from the type used in /tmp.
4478 ## <param name="domain">
4480 ## Domain allowed access.
4484 interface(`files_relabelfrom_tmp_files',`
4489 relabelfrom_files_pattern($1, tmp_t, tmp_t)
4492 ########################################
4494 ## Set the attributes of all tmp directories.
4496 ## <param name="domain">
4498 ## Domain allowed access.
4502 interface(`files_setattr_all_tmp_dirs',`
4507 allow $1 tmpfile:dir { search_dir_perms setattr };
4510 ########################################
4512 ## List all tmp directories.
4514 ## <param name="domain">
4516 ## Domain allowed access.
4520 interface(`files_list_all_tmp',`
4525 allow $1 tmpfile:dir list_dir_perms;
4528 ########################################
4530 ## Relabel to and from all temporary directory types.
4533 ## <param name="domain">
4535 ## Domain allowed access.
4540 interface(`files_relabel_all_tmp_dirs',`
4546 allow $1 var_t:dir search_dir_perms;
4547 relabel_dirs_pattern($1, tmpfile, tmpfile)
4550 ########################################
4552 ## Do not audit attempts to get the attributes
4553 ## of all tmp files.
4555 ## <param name="domain">
4557 ## Domain to not audit.
4561 interface(`files_dontaudit_getattr_all_tmp_files',`
4566 dontaudit $1 tmpfile:file getattr;
4569 ########################################
4571 ## Allow attempts to get the attributes
4572 ## of all tmp files.
4574 ## <param name="domain">
4576 ## Domain allowed access.
4580 interface(`files_getattr_all_tmp_files',`
4585 allow $1 tmpfile:file getattr;
4588 ########################################
4590 ## Relabel to and from all temporary file types.
4593 ## <param name="domain">
4595 ## Domain allowed access.
4600 interface(`files_relabel_all_tmp_files',`
4606 allow $1 var_t:dir search_dir_perms;
4607 relabel_files_pattern($1, tmpfile, tmpfile)
4610 ########################################
4612 ## Do not audit attempts to get the attributes
4613 ## of all tmp socket files.
4615 ## <param name="domain">
4617 ## Domain to not audit.
4621 interface(`files_dontaudit_getattr_all_tmp_sockets',`
4626 dontaudit $1 tmpfile:sock_file getattr;
4629 ########################################
4631 ## Read all tmp files.
4633 ## <param name="domain">
4635 ## Domain allowed access.
4639 interface(`files_read_all_tmp_files',`
4644 read_files_pattern($1, tmpfile, tmpfile)
4647 ########################################
4649 ## Create an object in the tmp directories, with a private
4650 ## type using a type transition.
4652 ## <param name="domain">
4654 ## Domain allowed access.
4657 ## <param name="private type">
4659 ## The type of the object to be created.
4662 ## <param name="object">
4664 ## The object class of the object being created.
4668 interface(`files_tmp_filetrans',`
4673 filetrans_pattern($1, tmp_t, $2, $3, $4)
4676 ########################################
4678 ## Delete the contents of /tmp.
4680 ## <param name="domain">
4682 ## Domain allowed access.
4686 interface(`files_purge_tmp',`
# NOTE(review): the summary says /tmp, but every rule below targets tmpfile
# rather than tmp_t, so the grant reaches all types matched by tmpfile.
# List directories of any tmpfile type.
4691 allow $1 tmpfile:dir list_dir_perms;
# Deletion is granted per object class: directories, files, symlinks, fifos,
# sockets, and character and block device nodes of any tmpfile type.
4692 delete_dirs_pattern($1, tmpfile, tmpfile)
4693 delete_files_pattern($1, tmpfile, tmpfile)
4694 delete_lnk_files_pattern($1, tmpfile, tmpfile)
4695 delete_fifo_files_pattern($1, tmpfile, tmpfile)
4696 delete_sock_files_pattern($1, tmpfile, tmpfile)
4697 delete_chr_files_pattern($1, tmpfile, tmpfile)
4698 delete_blk_files_pattern($1, tmpfile, tmpfile)
# The files_*_isid_type_* interfaces are defined outside this listing;
# presumably they extend the purge to objects carrying the file initial SID
# - confirm against their definitions.
4699 files_list_isid_type_dirs($1)
4700 files_delete_isid_type_dirs($1)
4701 files_delete_isid_type_files($1)
4702 files_delete_isid_type_symlinks($1)
4703 files_delete_isid_type_fifo_files($1)
4704 files_delete_isid_type_sock_files($1)
4705 files_delete_isid_type_blk_files($1)
4706 files_delete_isid_type_chr_files($1)
4709 ########################################
4711 ## Set the attributes of the /usr directory.
4713 ## <param name="domain">
4715 ## Domain allowed access.
4719 interface(`files_setattr_usr_dirs',`
4724 allow $1 usr_t:dir setattr;
4727 ########################################
4729 ## Search the content of /usr.
4731 ## <param name="domain">
4733 ## Domain allowed access.
4737 interface(`files_search_usr',`
4742 allow $1 usr_t:dir search_dir_perms;
4745 ########################################
4747 ## List the contents of generic
4748 ## directories in /usr.
4750 ## <param name="domain">
4752 ## Domain allowed access.
4756 interface(`files_list_usr',`
4761 allow $1 usr_t:dir list_dir_perms;
4764 ########################################
4766 ## Do not audit attempts to write to /usr directories.
4768 ## <param name="domain">
4770 ## Domain to not audit.
4774 interface(`files_dontaudit_write_usr_dirs',`
4779 dontaudit $1 usr_t:dir write;
4782 ########################################
4784 ## Add and remove entries from /usr directories.
4786 ## <param name="domain">
4788 ## Domain allowed access.
4792 interface(`files_rw_usr_dirs',`
4797 allow $1 usr_t:dir rw_dir_perms;
4800 ########################################
4802 ## Do not audit attempts to add and remove
4803 ## entries from /usr directories.
4805 ## <param name="domain">
4807 ## Domain to not audit.
4811 interface(`files_dontaudit_rw_usr_dirs',`
4816 dontaudit $1 usr_t:dir rw_dir_perms;
4819 ########################################
4821 ## Delete generic directories in /usr.
4823 ## <param name="domain">
4825 ## Domain allowed access.
4829 interface(`files_delete_usr_dirs',`
4834 delete_dirs_pattern($1, usr_t, usr_t)
4837 ########################################
4839 ## Delete generic files in /usr.
4841 ## <param name="domain">
4843 ## Domain allowed access.
4847 interface(`files_delete_usr_files',`
4852 delete_files_pattern($1, usr_t, usr_t)
4855 ########################################
4857 ## Get the attributes of files in /usr.
4859 ## <param name="domain">
4861 ## Domain allowed access.
4865 interface(`files_getattr_usr_files',`
4870 getattr_files_pattern($1, usr_t, usr_t)
4873 ########################################
4875 ## Read generic files in /usr.
4879 ## Allow the specified domain to read generic
4880 ## files in /usr. These files are various program
4881 ## files that do not have more specific SELinux types.
4882 ## Some examples of these files are:
4885 ## <li>/usr/include/*</li>
4886 ## <li>/usr/share/doc/*</li>
4887 ## <li>/usr/share/info/*</li>
4890 ## Generally, it is safe for many domains to have this access.
4894 ## <param name="domain">
4896 ## Domain allowed access.
4899 ## <infoflow type="read" weight="10"/>
4901 interface(`files_read_usr_files',`
4906 allow $1 usr_t:dir list_dir_perms;
4907 read_files_pattern($1, usr_t, usr_t)
4908 read_lnk_files_pattern($1, usr_t, usr_t)
4911 ########################################
4913 ## Execute generic programs in /usr in the caller domain.
4915 ## <param name="domain">
4917 ## Domain allowed access.
4921 interface(`files_exec_usr_files',`
4926 allow $1 usr_t:dir list_dir_perms;
4927 exec_files_pattern($1, usr_t, usr_t)
4928 read_lnk_files_pattern($1, usr_t, usr_t)
4931 ########################################
4933 ## Do not audit attempts to write to files in /usr.
4935 ## <param name="domain">
4937 ## Domain to not audit.
4941 interface(`files_dontaudit_write_usr_files',`
4946 dontaudit $1 usr_t:file write;
4949 ########################################
4951 ## Create, read, write, and delete files in the /usr directory.
4953 ## <param name="domain">
4955 ## Domain allowed access.
4959 interface(`files_manage_usr_files',`
4964 manage_files_pattern($1, usr_t, usr_t)
4967 ########################################
4969 ## Relabel a file to the type used in /usr.
4971 ## <param name="domain">
4973 ## Domain allowed access.
4977 interface(`files_relabelto_usr_files',`
4982 relabelto_files_pattern($1, usr_t, usr_t)
4985 ########################################
4987 ## Relabel a file from the type used in /usr.
4989 ## <param name="domain">
4991 ## Domain allowed access.
4995 interface(`files_relabelfrom_usr_files',`
5000 relabelfrom_files_pattern($1, usr_t, usr_t)
5003 ########################################
5005 ## Read symbolic links in /usr.
5007 ## <param name="domain">
5009 ## Domain allowed access.
5013 interface(`files_read_usr_symlinks',`
5018 read_lnk_files_pattern($1, usr_t, usr_t)
5021 ########################################
5023 ## Create objects in the /usr directory
5025 ## <param name="domain">
5027 ## Domain allowed access.
5030 ## <param name="file_type">
5032 ## The type of the object to be created
5035 ## <param name="object_class">
5037 ## The object class.
5041 interface(`files_usr_filetrans',`
5046 filetrans_pattern($1, usr_t, $2, $3, $4)
5049 ########################################
5051 ## Do not audit attempts to search /usr/src.
5053 ## <param name="domain">
5055 ## Domain to not audit.
5059 interface(`files_dontaudit_search_src',`
5064 dontaudit $1 src_t:dir search_dir_perms;
5067 ########################################
5069 ## Get the attributes of files in /usr/src.
5071 ## <param name="domain">
5073 ## Domain allowed access.
5077 interface(`files_getattr_usr_src_files',`
5082 getattr_files_pattern($1, src_t, src_t)
5084 # /usr/src/linux symlink:
5085 read_lnk_files_pattern($1, usr_t, src_t)
5088 ########################################
5090 ## Read files in /usr/src.
5092 ## <param name="domain">
5094 ## Domain allowed access.
5098 interface(`files_read_usr_src_files',`
5103 allow $1 usr_t:dir search_dir_perms;
5104 read_files_pattern($1, { usr_t src_t }, src_t)
5105 read_lnk_files_pattern($1, { usr_t src_t }, src_t)
5106 allow $1 src_t:dir list_dir_perms;
5109 ########################################
5111 ## Execute programs in /usr/src in the caller domain.
5113 ## <param name="domain">
5115 ## Domain allowed access.
5119 interface(`files_exec_usr_src_files',`
5124 list_dirs_pattern($1, usr_t, src_t)
5125 exec_files_pattern($1, src_t, src_t)
5126 read_lnk_files_pattern($1, src_t, src_t)
5129 ########################################
5131 ## Install a system.map into the /boot directory.
5133 ## <param name="domain">
5135 ## Domain allowed access.
5139 interface(`files_create_kernel_symbol_table',`
5141 type boot_t, system_map_t;
5144 allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms };
5145 allow $1 system_map_t:file { create_file_perms rw_file_perms };
5148 ########################################
5150 ## Read system.map in the /boot directory.
5152 ## <param name="domain">
5154 ## Domain allowed access.
5158 interface(`files_read_kernel_symbol_table',`
5160 type boot_t, system_map_t;
5163 allow $1 boot_t:dir list_dir_perms;
5164 read_files_pattern($1, boot_t, system_map_t)
5167 ########################################
5169 ## Delete a system.map in the /boot directory.
5171 ## <param name="domain">
5173 ## Domain allowed access.
5177 interface(`files_delete_kernel_symbol_table',`
5179 type boot_t, system_map_t;
5182 allow $1 boot_t:dir list_dir_perms;
5183 delete_files_pattern($1, boot_t, system_map_t)
5186 ########################################
5188 ## Search the contents of /var.
5190 ## <param name="domain">
5192 ## Domain allowed access.
5196 interface(`files_search_var',`
5201 allow $1 var_t:dir search_dir_perms;
5204 ########################################
5206 ## Do not audit attempts to write to /var.
5208 ## <param name="domain">
5210 ## Domain to not audit.
5214 interface(`files_dontaudit_write_var_dirs',`
5219 dontaudit $1 var_t:dir write;
5222 ########################################
5224 ## Allow attempts to write to /var directories.
5226 ## <param name="domain">
5228 ## Domain allowed access.
5232 interface(`files_write_var_dirs',`
5237 allow $1 var_t:dir write;
5240 ########################################
5242 ## Do not audit attempts to search
5243 ## the contents of /var.
5245 ## <param name="domain">
5247 ## Domain to not audit.
5251 interface(`files_dontaudit_search_var',`
5256 dontaudit $1 var_t:dir search_dir_perms;
5259 ########################################
5261 ## List the contents of /var.
5263 ## <param name="domain">
5265 ## Domain allowed access.
5269 interface(`files_list_var',`
5274 allow $1 var_t:dir list_dir_perms;
5277 ########################################
5279 ## Create, read, write, and delete directories
5280 ## in the /var directory.
5282 ## <param name="domain">
5284 ## Domain allowed access.
5288 interface(`files_manage_var_dirs',`
5293 allow $1 var_t:dir manage_dir_perms;
5296 ########################################
5298 ## Read files in the /var directory.
5300 ## <param name="domain">
5302 ## Domain allowed access.
5306 interface(`files_read_var_files',`
5311 read_files_pattern($1, var_t, var_t)
5314 ########################################
5316 ## Append files in the /var directory.
5318 ## <param name="domain">
5320 ## Domain allowed access.
5324 interface(`files_append_var_files',`
5329 append_files_pattern($1, var_t, var_t)
5332 ########################################
5334 ## Read and write files in the /var directory.
5336 ## <param name="domain">
5338 ## Domain allowed access.
5342 interface(`files_rw_var_files',`
5347 rw_files_pattern($1, var_t, var_t)
5350 ########################################
5352 ## Do not audit attempts to read and write
5353 ## files in the /var directory.
5355 ## <param name="domain">
5357 ## Domain to not audit.
5361 interface(`files_dontaudit_rw_var_files',`
5366 dontaudit $1 var_t:file rw_file_perms;
5369 ########################################
5371 ## Create, read, write, and delete files in the /var directory.
5373 ## <param name="domain">
5375 ## Domain allowed access.
5379 interface(`files_manage_var_files',`
5384 manage_files_pattern($1, var_t, var_t)
5387 ########################################
5389 ## Read symbolic links in the /var directory.
5391 ## <param name="domain">
5393 ## Domain allowed access.
5397 interface(`files_read_var_symlinks',`
5402 read_lnk_files_pattern($1, var_t, var_t)
5405 ########################################
5407 ## Create, read, write, and delete symbolic
5408 ## links in the /var directory.
5410 ## <param name="domain">
5412 ## Domain allowed access.
5416 interface(`files_manage_var_symlinks',`
5421 manage_lnk_files_pattern($1, var_t, var_t)
5424 ########################################
5426 ## Create objects in the /var directory
5428 ## <param name="domain">
5430 ## Domain allowed access.
5433 ## <param name="file_type">
5435 ## The type of the object to be created
5438 ## <param name="object_class">
5440 ## The object class.
5444 interface(`files_var_filetrans',`
5449 filetrans_pattern($1, var_t, $2, $3, $4)
5452 ########################################
5454 ## Get the attributes of the /var/lib directory.
5456 ## <param name="domain">
5458 ## Domain allowed access.
5462 interface(`files_getattr_var_lib_dirs',`
5464 type var_t, var_lib_t;
5467 getattr_dirs_pattern($1, var_t, var_lib_t)
5470 ########################################
5472 ## Search the /var/lib directory.
5476 ## Search the /var/lib directory. This is
5477 ## necessary to access files or directories under
5478 ## /var/lib that have a private type. For example, a
5479 ## domain accessing a private library file in the
5480 ## /var/lib directory:
5483 ## allow mydomain_t mylibfile_t:file read_file_perms;
5484 ## files_search_var_lib(mydomain_t)
5487 ## <param name="domain">
5489 ## Domain allowed access.
5492 ## <infoflow type="read" weight="5"/>
5494 interface(`files_search_var_lib',`
5496 type var_t, var_lib_t;
5499 search_dirs_pattern($1, var_t, var_lib_t)
5502 ########################################
5504 ## Do not audit attempts to search the
5505 ## contents of /var/lib.
5507 ## <param name="domain">
5509 ## Domain to not audit.
5512 ## <infoflow type="read" weight="5"/>
5514 interface(`files_dontaudit_search_var_lib',`
5519 dontaudit $1 var_lib_t:dir search_dir_perms;
5522 ########################################
5524 ## List the contents of the /var/lib directory.
5526 ## <param name="domain">
5528 ## Domain allowed access.
5532 interface(`files_list_var_lib',`
5534 type var_t, var_lib_t;
5537 list_dirs_pattern($1, var_t, var_lib_t)
5540 ##########################################
5542 ## Add entries to /var/lib directories
5544 ## <param name="domain">
5546 ## Domain allowed access.
5550 interface(`files_add_entry_var_lib_dirs',`
5555 add_entry_dirs_pattern($1, var_lib_t, var_lib_t)
5558 ###########################################
5560 ## Read-write /var/lib directories
5562 ## <param name="domain">
5564 ## Domain allowed access.
5568 interface(`files_rw_var_lib_dirs',`
5573 rw_dirs_pattern($1, var_lib_t, var_lib_t)
5576 ########################################
5578 ## Create objects in the /var/lib directory
5580 ## <param name="domain">
5582 ## Domain allowed access.
5585 ## <param name="file_type">
5587 ## The type of the object to be created
5590 ## <param name="object_class">
5592 ## The object class.
5596 interface(`files_var_lib_filetrans',`
5598 type var_t, var_lib_t;
5601 allow $1 var_t:dir search_dir_perms;
5602 filetrans_pattern($1, var_lib_t, $2, $3, $4)
5605 ########################################
5607 ## Read generic files in /var/lib.
5609 ## <param name="domain">
5611 ## Domain allowed access.
5615 interface(`files_read_var_lib_files',`
5617 type var_t, var_lib_t;
5620 allow $1 var_lib_t:dir list_dir_perms;
5621 read_files_pattern($1, { var_t var_lib_t }, var_lib_t)
5624 ########################################
5626 ## Read generic symbolic links in /var/lib
5628 ## <param name="domain">
5630 ## Domain allowed access.
5634 interface(`files_read_var_lib_symlinks',`
5636 type var_t, var_lib_t;
5639 read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
5642 # cjp: the next two interfaces really need to be fixed
5643 # in some way. They really need their own types: as written, both grant manage access to every generic var_lib_t file.
5645 ########################################
5647 ## Create, read, write, and delete the
5648 ## pseudorandom number generator seed.
5650 ## <param name="domain">
5652 ## Domain allowed access.
5656 interface(`files_manage_urandom_seed',`
5658 type var_t, var_lib_t;
5661 allow $1 var_t:dir search_dir_perms;
5662 manage_files_pattern($1, var_lib_t, var_lib_t)
5665 ########################################
5667 ## Allow domain to manage mount tables
5668 ## necessary for rpcd, nfsd, etc.
5670 ## <param name="domain">
5672 ## Domain allowed access.
5676 interface(`files_manage_mounttab',`
5678 type var_t, var_lib_t;
5681 allow $1 var_t:dir search_dir_perms;
5682 manage_files_pattern($1, var_lib_t, var_lib_t)
5685 ########################################
5687 ## List generic lock directories.
5689 ## <param name="domain">
5691 ## Domain allowed access.
5695 interface(`files_list_locks',`
5697 type var_t, var_lock_t;
5700 files_search_locks($1)
5701 list_dirs_pattern($1, var_t, var_lock_t)
5704 ########################################
5706 ## Search the locks directory (/var/lock).
5708 ## <param name="domain">
5710 ## Domain allowed access.
5714 interface(`files_search_locks',`
5716 type var_t, var_lock_t;
# Search access to the pid directories is pulled in first; presumably because
# the lock directory can live under the runtime directory - confirm.
5719 files_search_pids($1)
# Read var_lock_t symlinks, presumably for a lock directory that is reached
# through a symlink - confirm against the file contexts.
5720 allow $1 var_lock_t:lnk_file read_lnk_file_perms;
5721 search_dirs_pattern($1, var_t, var_lock_t)
5724 ########################################
5726 ## Do not audit attempts to search the
5727 ## locks directory (/var/lock).
5729 ## <param name="domain">
5731 ## Domain to not audit.
5735 interface(`files_dontaudit_search_locks',`
5740 dontaudit $1 var_lock_t:lnk_file read_lnk_file_perms;
5741 dontaudit $1 var_lock_t:dir search_dir_perms;
5744 ########################################
5746 ## Create a directory in /var/lock.
5749 ## <param name="domain">
5751 ## Domain allowed access.
5755 interface(`files_create_lock_dirs',`
5757 type var_t, var_lock_t;
5759 files_search_locks($1)
5760 allow $1 var_lock_t:dir create_dir_perms;
5763 ########################################
5765 ## Set the attributes of the /var/lock directory.
5767 ## <param name="domain">
5769 ## Domain allowed access.
5773 interface(`files_setattr_lock_dirs',`
5778 allow $1 var_lock_t:dir setattr;
5781 ########################################
5783 ## Add and remove entries in the /var/lock directories.
5786 ## <param name="domain">
5788 ## Domain allowed access.
5792 interface(`files_rw_lock_dirs',`
5794 type var_t, var_lock_t;
5797 files_search_locks($1)
5798 rw_dirs_pattern($1, var_t, var_lock_t)
5801 ########################################
5803 ## Relabel to and from all lock directory types.
5805 ## <param name="domain">
5807 ## Domain allowed access.
5811 interface(`files_relabel_all_lock_dirs',`
5817 allow $1 var_t:dir search_dir_perms;
5818 relabel_dirs_pattern($1, lockfile, lockfile)
5821 ########################################
5823 ## Get the attributes of generic lock files.
5825 ## <param name="domain">
5827 ## Domain allowed access.
5831 interface(`files_getattr_generic_locks',`
5833 type var_t, var_lock_t;
5836 files_search_locks($1)
5837 allow $1 var_lock_t:dir list_dir_perms;
5838 getattr_files_pattern($1, var_lock_t, var_lock_t)
5841 ########################################
5843 ## Delete generic lock files.
5845 ## <param name="domain">
5847 ## Domain allowed access.
5851 interface(`files_delete_generic_locks',`
5853 type var_t, var_lock_t;
5856 files_search_locks($1)
5857 delete_files_pattern($1, var_lock_t, var_lock_t)
5860 ########################################
5862 ## Create, read, write, and delete generic lock files.
5865 ## <param name="domain">
5867 ## Domain allowed access.
5871 interface(`files_manage_generic_locks',`
5873 type var_t, var_lock_t;
5876 files_search_locks($1)
5877 manage_files_pattern($1, var_lock_t, var_lock_t)
5880 ########################################
5882 ## Delete all lock files.
5884 ## <param name="domain">
5886 ## Domain allowed access.
5891 interface(`files_delete_all_locks',`
5897 allow $1 var_t:dir search_dir_perms;
5898 delete_files_pattern($1, lockfile, lockfile)
5901 ########################################
5903 ## Read all lock files.
5905 ## <param name="domain">
5907 ## Domain allowed access.
5911 interface(`files_read_all_locks',`
5914 type var_t, var_lock_t;
5917 files_search_locks($1)
5918 allow $1 lockfile:dir list_dir_perms;
5919 read_files_pattern($1, lockfile, lockfile)
5920 read_lnk_files_pattern($1, lockfile, lockfile)
5923 ########################################
5925 ## Manage all lock files, directories and symbolic links.
5927 ## <param name="domain">
5929 ## Domain allowed access.
5933 interface(`files_manage_all_locks',`
5936 type var_t, var_lock_t;
5939 files_search_locks($1)
5940 manage_dirs_pattern($1, lockfile, lockfile)
5941 manage_files_pattern($1, lockfile, lockfile)
5942 manage_lnk_files_pattern($1, lockfile, lockfile)
5945 ########################################
5947 ## Create an object in the locks directory, with a private
5948 ## type using a type transition.
5950 ## <param name="domain">
5952 ## Domain allowed access.
5955 ## <param name="private type">
5957 ## The type of the object to be created.
5960 ## <param name="object">
5962 ## The object class of the object being created.
5966 interface(`files_lock_filetrans',`
5968 type var_t, var_lock_t;
5971 files_search_locks($1)
5972 filetrans_pattern($1, var_lock_t, $2, $3, $4)
5975 ########################################
5977 ## Do not audit attempts to get the attributes
5978 ## of the /var/run directory.
5980 ## <param name="domain">
5982 ## Domain to not audit.
5986 interface(`files_dontaudit_getattr_pid_dirs',`
5991 dontaudit $1 var_run_t:dir getattr;
5994 ########################################
5996 ## Set the attributes of the /var/run directory.
5998 ## <param name="domain">
6000 ## Domain allowed access.
6004 interface(`files_setattr_pid_dirs',`
6009 allow $1 var_run_t:dir setattr;
6012 ########################################
6014 ## Search the contents of runtime process
6015 ## ID directories (/var/run).
6017 ## <param name="domain">
6019 ## Domain allowed access.
6023 interface(`files_search_pids',`
6025 type var_t, var_run_t;
6028 allow $1 var_run_t:lnk_file read_lnk_file_perms;
6029 search_dirs_pattern($1, var_t, var_run_t)
6032 ######################################
6034 ## Add and remove entries from pid directories.
6036 ## <param name="domain">
6038 ## Domain allowed access.
6042 interface(`files_rw_pid_dirs',`
6047 allow $1 var_run_t:dir rw_dir_perms;
6050 #######################################
6052 ## Create generic pid directory.
6054 ## <param name="domain">
6056 ## Domain allowed access.
6060 interface(`files_create_var_run_dirs',`
6062 type var_t, var_run_t;
6065 allow $1 var_t:dir search_dir_perms;
6066 allow $1 var_run_t:dir create_dir_perms;
6069 ########################################
6071 ## Do not audit attempts to search
6072 ## the /var/run directory.
6074 ## <param name="domain">
6076 ## Domain to not audit.
6080 interface(`files_dontaudit_search_pids',`
6085 dontaudit $1 var_run_t:dir search_dir_perms;
6088 ########################################
6090 ## Do not audit attempts to search
6091 ## all /var/run directories.
6093 ## <param name="domain">
6095 ## Domain to not audit.
6099 interface(`files_dontaudit_search_all_pids',`
6104 dontaudit $1 pidfile:dir search_dir_perms;
6107 ########################################
6109 ## List the contents of the runtime process
6110 ## ID directories (/var/run).
6112 ## <param name="domain">
6114 ## Domain allowed access.
6118 interface(`files_list_pids',`
6120 type var_t, var_run_t;
6123 list_dirs_pattern($1, var_t, var_run_t)
6126 ########################################
6128 ## Read generic process ID files.
6130 ## <param name="domain">
6132 ## Domain allowed access.
6136 interface(`files_read_generic_pids',`
6138 type var_t, var_run_t;
6141 list_dirs_pattern($1, var_t, var_run_t)
6142 read_files_pattern($1, var_run_t, var_run_t)
6145 ########################################
6147 ## Write named generic process ID pipes
6149 ## <param name="domain">
6151 ## Domain allowed access.
6155 interface(`files_write_generic_pid_pipes',`
6160 allow $1 var_run_t:fifo_file write;
6163 ########################################
6165 ## Create an object in the process ID directory, with a private type.
6169 ## Create an object in the process ID directory (e.g., /var/run)
6170 ## with a private type. Typically this is used for creating
6171 ## private PID files in /var/run with the private type instead
6172 ## of the general PID file type. To accomplish this goal,
6173 ## either the program must be SELinux-aware, or use this interface.
6176 ## Related interfaces:
6179 ## <li>files_pid_file()</li>
6182 ## Example usage with a domain that can create and
6183 ## write its PID file with a private PID file type in the
6184 ## /var/run directory:
6187 ## type mypidfile_t;
6188 ## files_pid_file(mypidfile_t)
6189 ## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms };
6190 ## files_pid_filetrans(mydomain_t, mypidfile_t, file)
6193 ## <param name="domain">
6195 ## Domain allowed access.
6198 ## <param name="private type">
6200 ## The type of the object to be created.
6203 ## <param name="object">
6205 ## The object class of the object being created.
6208 ## <infoflow type="write" weight="10"/>
6210 interface(`files_pid_filetrans',`
6212 type var_t, var_run_t;
# $1 has to be able to traverse /var to reach the var_run_t directory.
6215 allow $1 var_t:dir search_dir_perms;
# Objects of class $3 that $1 creates in a var_run_t directory get type $2.
# NOTE(review): $4 is forwarded as a fourth argument although the header
# documents only three parameters; presumably it is the optional object
# name for a named transition - TODO confirm against filetrans_pattern.
# When the caller passes no fourth argument it expands to nothing.
6216 filetrans_pattern($1, var_run_t, $2, $3, $4)
6219 ########################################
6221 ## Read and write generic process ID files.
6223 ## <param name="domain">
6225 ## Domain allowed access.
6229 interface(`files_rw_generic_pids',`
6231 type var_t, var_run_t;
6234 list_dirs_pattern($1, var_t, var_run_t)
6235 rw_files_pattern($1, var_run_t, var_run_t)
6238 ########################################
6240 ## Do not audit attempts to get the attributes of
6241 ## daemon runtime data files.
6243 ## <param name="domain">
6245 ## Domain to not audit.
6249 interface(`files_dontaudit_getattr_all_pids',`
6254 dontaudit $1 pidfile:file getattr;
6257 ########################################
6259 ## Do not audit attempts to write to daemon runtime data files.
6261 ## <param name="domain">
6263 ## Domain to not audit.
6267 interface(`files_dontaudit_write_all_pids',`
6272 dontaudit $1 pidfile:file write;
6275 ########################################
6277 ## Do not audit attempts to ioctl daemon runtime data files.
6279 ## <param name="domain">
6281 ## Domain to not audit.
6285 interface(`files_dontaudit_ioctl_all_pids',`
6290 dontaudit $1 pidfile:file ioctl;
6293 ########################################
6295 ## Relabel all pid directories
6297 ## <param name="domain">
6299 ## Domain allowed access.
6303 interface(`files_relabel_all_pid_dirs',`
6308 relabel_dirs_pattern($1, pidfile, pidfile)
6311 ########################################
6313 ## Delete all pid sockets
6315 ## <param name="domain">
6317 ## Domain allowed access.
6321 interface(`files_delete_all_pid_sockets',`
6326 allow $1 pidfile:sock_file delete_sock_file_perms;
6329 ########################################
6331 ## Create all pid sockets
6333 ## <param name="domain">
6335 ## Domain allowed access.
6339 interface(`files_create_all_pid_sockets',`
6344 allow $1 pidfile:sock_file create_sock_file_perms;
6347 ########################################
6349 ## Create all pid named pipes
6351 ## <param name="domain">
6353 ## Domain allowed access.
6357 interface(`files_create_all_pid_pipes',`
6362 allow $1 pidfile:fifo_file create_fifo_file_perms;
6365 ########################################
6367 ## Delete all pid named pipes
6369 ## <param name="domain">
6371 ## Domain allowed access.
6375 interface(`files_delete_all_pid_pipes',`
6380 allow $1 pidfile:fifo_file delete_fifo_file_perms;
6383 ########################################
6385 ## manage all pidfile directories
6386 ## in the /var/run directory.
6388 ## <param name="domain">
6390 ## Domain allowed access.
6394 interface(`files_manage_all_pid_dirs',`
6399 manage_dirs_pattern($1,pidfile,pidfile)
6403 ########################################
6405 ## Read all process ID files.
6407 ## <param name="domain">
6409 ## Domain allowed access.
6414 interface(`files_read_all_pids',`
6420 list_dirs_pattern($1, var_t, pidfile)
6421 read_files_pattern($1, pidfile, pidfile)
6422 read_lnk_files_pattern($1, pidfile, pidfile)
6425 ########################################
6427 ## Relabel all pid files
6429 ## <param name="domain">
6431 ## Domain allowed access.
6435 interface(`files_relabel_all_pid_files',`
6440 relabel_files_pattern($1, pidfile, pidfile)
6443 ########################################
6445 ## Execute generic programs in /var/run in the caller domain.
6447 ## <param name="domain">
6449 ## Domain allowed access.
6453 interface(`files_exec_generic_pid_files',`
# Lets $1 execute var_run_t files found in var_run_t directories without a
# domain transition (the summary says "in the caller domain").
# NOTE(review): files_rw_generic_pids in this file grants read/write on the
# same var_run_t files. A domain holding both can presumably execute content
# it modified itself - confirm each caller needs exec on the generic type
# rather than on a dedicated executable type.
6458 exec_files_pattern($1, var_run_t, var_run_t)
6461 ########################################
6463 ## manage all pidfiles
6464 ## in the /var/run directory.
6466 ## <param name="domain">
6468 ## Domain allowed access.
6472 interface(`files_manage_all_pids',`
6477 manage_files_pattern($1,pidfile,pidfile)
6480 ########################################
6482 ## Mount filesystems on all polyinstantiation
6483 ## member directories.
6485 ## <param name="domain">
6487 ## Domain allowed access.
6491 interface(`files_mounton_all_poly_members',`
6493 attribute polymember;
6496 allow $1 polymember:dir mounton;
6499 ########################################
6501 ## Delete all process ID files.
6503 ## <param name="domain">
6505 ## Domain allowed access.
6510 interface(`files_delete_all_pids',`
6513 type var_t, var_run_t;
6516 allow $1 var_t:dir search_dir_perms;
6517 allow $1 var_run_t:dir rmdir;
6518 allow $1 var_run_t:lnk_file delete_lnk_file_perms;
6519 delete_files_pattern($1, pidfile, pidfile)
6520 delete_fifo_files_pattern($1, pidfile, pidfile)
6521 delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
6524 ########################################
6526 ## Delete all process ID directories.
6528 ## <param name="domain">
6530 ## Domain allowed access.
6534 interface(`files_delete_all_pid_dirs',`
6540 allow $1 var_t:dir search_dir_perms;
6541 delete_dirs_pattern($1, pidfile, pidfile)
6544 ########################################
6546 ## Make the specified type a file
6547 ## used for spool files.
6551 ## Make the specified type usable for spool files.
6552 ## This will also make the type usable for files, making
6553 ## calls to files_type() redundant. Failure to use this interface
6554 ## for a spool file may result in problems with
6555 ## purging spool files.
6558 ## Related interfaces:
6561 ## <li>files_spool_filetrans()</li>
6564 ## Example usage with a domain that can create and
6565 ## write its spool file in the system spool file
6566 ## directories (/var/spool):
6569 ## type myfile_spool_t;
6570 ## files_spool_file(myfile_spool_t)
6571 ## allow mydomain_t myfile_spool_t:file { create_file_perms write_file_perms };
6572 ## files_spool_filetrans(mydomain_t, myfile_spool_t, file)
6575 ## <param name="file_type">
6577 ## Type of the file to be used as a
6581 ## <infoflow type="none"/>
6583 interface(`files_spool_file',`
6585 attribute spoolfile;
6589 typeattribute $1 spoolfile;
6592 ########################################
6594 ## Create all spool sockets
6596 ## <param name="domain">
6598 ## Domain allowed access.
6602 interface(`files_create_all_spool_sockets',`
6604 attribute spoolfile;
6607 allow $1 spoolfile:sock_file create_sock_file_perms;
6610 ########################################
6612 ## Delete all spool sockets
6614 ## <param name="domain">
6616 ## Domain allowed access.
6620 interface(`files_delete_all_spool_sockets',`
6622 attribute spoolfile;
6625 allow $1 spoolfile:sock_file delete_sock_file_perms;
6628 ########################################
6630 ## Search the contents of generic spool
6631 ## directories (/var/spool).
6633 ## <param name="domain">
6635 ## Domain allowed access.
6639 interface(`files_search_spool',`
6641 type var_t, var_spool_t;
6644 search_dirs_pattern($1, var_t, var_spool_t)
6647 ########################################
6649 ## Do not audit attempts to search generic
6650 ## spool directories.
6652 ## <param name="domain">
6654 ## Domain to not audit.
6658 interface(`files_dontaudit_search_spool',`
6663 dontaudit $1 var_spool_t:dir search_dir_perms;
6666 ########################################
6668 ## List the contents of generic spool
6669 ## (/var/spool) directories.
6671 ## <param name="domain">
6673 ## Domain allowed access.
6677 interface(`files_list_spool',`
6679 type var_t, var_spool_t;
6682 list_dirs_pattern($1, var_t, var_spool_t)
6685 ########################################
6687 ## Create, read, write, and delete generic
6688 ## spool directories (/var/spool).
6690 ## <param name="domain">
6692 ## Domain allowed access.
6696 interface(`files_manage_generic_spool_dirs',`
6698 type var_t, var_spool_t;
6701 allow $1 var_t:dir search_dir_perms;
6702 manage_dirs_pattern($1, var_spool_t, var_spool_t)
6705 ########################################
6707 ## Read generic spool files.
6709 ## <param name="domain">
6711 ## Domain allowed access.
6715 interface(`files_read_generic_spool',`
6717 type var_t, var_spool_t;
6720 list_dirs_pattern($1, var_t, var_spool_t)
6721 read_files_pattern($1, var_spool_t, var_spool_t)
6724 ########################################
6726 ## Create, read, write, and delete generic
6729 ## <param name="domain">
6731 ## Domain allowed access.
6735 interface(`files_manage_generic_spool',`
6737 type var_t, var_spool_t;
6740 allow $1 var_t:dir search_dir_perms;
6741 manage_files_pattern($1, var_spool_t, var_spool_t)
6744 ########################################
6746 ## Create objects in the spool directory
6747 ## with a private type with a type transition.
6749 ## <param name="domain">
6751 ## Domain allowed access.
6754 ## <param name="file">
6756 ## Type to which the created node will be transitioned.
6759 ## <param name="class">
6761 ## Object class(es) (single or set including {}) for which
6762 ## the transition will occur.
6766 interface(`files_spool_filetrans',`
6768 type var_t, var_spool_t;
6771 allow $1 var_t:dir search_dir_perms;
6772 filetrans_pattern($1, var_spool_t, $2, $3, $4)
6775 ########################################
6777 ## Allow access to manage all polyinstantiated
6778 ## directories on the system.
6780 ## <param name="domain">
6782 ## Domain allowed access.
6786 interface(`files_polyinstantiate_all',`
6788 attribute polydir, polymember, polyparent;
# Grants $1 what it needs to set up polyinstantiated directories: member
# context computation, mount and ownership capabilities, and directory
# access on the polydir, polymember and polyparent attributes.
6792 # Need to give access to /selinux/member
6793 selinux_compute_member($1)
6795 # Need sys_admin capability for mounting
# (chown, fsetid and fowner are granted by the same rule)
6796 allow $1 self:capability { chown fsetid sys_admin fowner };
6798 # Need to give access to the directories to be polyinstantiated
6799 allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
6801 # Need to give access to the polyinstantiated subdirectories
6802 allow $1 polymember:dir search_dir_perms;
6804 # Need to give access to parent directories where original
6805 # is remounted for polyinstantiation aware programs (like gdm)
6806 allow $1 polyparent:dir { getattr mounton };
6808 # Need to give permission to create directories where applicable
# setfscreate lets $1 choose the label of the objects it creates.
6809 allow $1 self:process setfscreate;
6810 allow $1 polymember: dir { create setattr relabelto };
# NOTE(review): write, add_name and open on polydir are already part of the
# polydir rule above, so this line adds no new permission.
6811 allow $1 polydir: dir { write add_name open };
6812 allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
6814 # Default type for mountpoints
6815 allow $1 poly_t:dir { create mounton };
6816 fs_unmount_xattr_fs($1)
6819 fs_unmount_tmpfs($1)
# Red Hat builds only: extra search/exec access and a transition into the
# setfiles domain - presumably so member directories can be relabelled;
# TODO confirm against seutil_domtrans_setfiles.
6821 ifdef(`distro_redhat',`
6823 files_search_tmp($1)
6824 files_search_home($1)
6825 corecmd_exec_bin($1)
6826 seutil_domtrans_setfiles($1)
6830 ########################################
6832 ## Unconfined access to files.
6834 ## <param name="domain">
6836 ## Domain allowed access.
6840 interface(`files_unconfined',`
6842 attribute files_unconfined_type;
# This interface only tags $1 with the attribute; the rules attached to
# files_unconfined_type are not part of it.
# NOTE(review): presumably those rules grant access to all file types -
# confirm in the module's .te file before adding a caller.
6845 typeattribute $1 files_unconfined_type;
6848 ########################################
6850 ## Create core files in /
6854 ## Create a core file in /,
6857 ## <param name="domain">
6859 ## Domain allowed access.
6864 interface(`files_manage_root_files',`
# NOTE(review): the summary says "create", but the pattern applied is the
# manage_ one, on root_t files in root_t directories; presumably that also
# covers read, write and delete - confirm against manage_files_pattern.
6869 manage_files_pattern($1, root_t, root_t)
6872 ########################################
6874 ## Create a default directory
6878 ## Create a default_t directory
6881 ## <param name="domain">
6883 ## Domain allowed access.
6888 interface(`files_create_default_dir',`
6893 allow $1 default_t:dir create;
6896 ########################################
6898 ## Create, default_t objects with an automatic
6901 ## <param name="domain">
6903 ## Domain allowed access.
6906 ## <param name="object">
6908 ## The class of the object being created.
6912 interface(`files_root_filetrans_default',`
6914 type root_t, default_t;
6917 filetrans_pattern($1, root_t, default_t, $2)
6920 ########################################
6922 ## manage generic symbolic links
6923 ## in the /var/run directory.
6925 ## <param name="domain">
6927 ## Domain allowed access.
6931 interface(`files_manage_generic_pids_symlinks',`
6936 manage_lnk_files_pattern($1,var_run_t,var_run_t)
6939 ########################################
6941 ## Do not audit attempts to getattr
6944 ## <param name="domain">
6946 ## Domain to not audit.
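6950 interface(`files_dontaudit_getattr_tmpfs_files',`
6952 attribute tmpfsfile;
# Silence denied getattr attempts on files of every type carrying the
# tmpfsfile attribute. The rule must be dontaudit, not allow: an allow here
# hands callers real getattr access under a name and summary that promise
# only log suppression. A domain that needs the access itself should
# request it through an allow interface.
6955 dontaudit $1 tmpfsfile:file getattr;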
6958 ########################################
6960 ## Allow read write all tmpfs files
6962 ## <param name="domain">
6964 ## Domain allowed access.
6968 interface(`files_rw_tmpfs_files',`
6970 attribute tmpfsfile;
6973 allow $1 tmpfsfile:file { read write };
6976 ########################################
6978 ## Do not audit attempts to read security files
6980 ## <param name="domain">
6982 ## Domain to not audit.
6986 interface(`files_dontaudit_read_security_files',`
6988 attribute security_file_type;
# Grants nothing; it only stops denied reads from being logged.
# NOTE(review): the rule spans every type carrying security_file_type, so
# failed read attempts by $1 on those files leave no AVC record. Keep the
# caller list short, and disable dontaudit rules (semodule -DB) when
# investigating a domain that uses this interface.
6991 dontaudit $1 security_file_type:file read_file_perms;
6994 ########################################
6996 ## rw any files inherited from another process
6998 ## <param name="domain">
7000 ## Domain allowed access.
7005 interface(`files_rw_all_inherited_files',`
7007 attribute file_type;
# NOTE(review): $2 is not described in the header. It is spliced into the
# type set next to file_type, so any type a caller passes there receives the
# same access; with no second argument it expands to nothing.
# The rw_inherited_*_perms sets are defined elsewhere; presumably they omit
# open, so only already-open descriptors are covered - TODO confirm.
7010 allow $1 { file_type $2 }:file rw_inherited_file_perms;
7011 allow $1 { file_type $2 }:fifo_file rw_inherited_fifo_file_perms;
7012 allow $1 { file_type $2 }:sock_file rw_inherited_sock_file_perms;
7013 allow $1 { file_type $2 }:chr_file rw_inherited_chr_file_perms;
7016 ########################################
7018 ## Allow any file to be the entrypoint of this domain
7020 ## <param name="domain">
7022 ## Domain allowed access.
7027 interface(`files_entrypoint_all_files',`
7029 attribute file_type;
# Grants entrypoint on files of every type carrying the file_type attribute,
# so entry into $1 is not tied to particular executable types.
# NOTE(review): this removes the entrypoint restriction for $1 altogether -
# presumably intended for unconfined-style domains only; verify callers.
7031 allow $1 file_type:file entrypoint;
7034 ########################################
7036 ## Do not audit attempts to rw inherited file perms
7037 ## of non security files.
7039 ## <param name="domain">
7041 ## Domain to not audit.
7045 interface(`files_dontaudit_all_non_security_leaks',`
7047 attribute non_security_file_type;
7050 dontaudit $1 non_security_file_type:file_class_set rw_inherited_file_perms;
7053 ########################################
7055 ## Do not audit attempts to read or write
7056 ## all leaked files.
7058 ## <param name="domain">
7060 ## Domain to not audit.
7064 interface(`files_dontaudit_leaks',`
7066 attribute file_type;
# Two classes are covered, for every type carrying file_type:
# rw_inherited_file_perms on regular files and read on symlinks. Other
# classes are not silenced here despite the "all leaked files" summary;
# files_dontaudit_all_non_security_leaks uses file_class_set instead.
# These rules grant nothing; they only stop the denials from being logged.
7069 dontaudit $1 file_type:file rw_inherited_file_perms;
7070 dontaudit $1 file_type:lnk_file { read };
7073 ########################################
7075 ## Allow domain to create_files_as all types
7077 ## <param name="domain">
7079 ## Domain allowed access.
7083 interface(`files_create_as_is_all_files',`
7085 attribute file_type;
7086 class kernel_service create_files_as;
7089 allow $1 file_type:kernel_service create_files_as;
7092 ########################################
7094 ## Do not audit attempts to check the
7095 ## write access on all files
7097 ## <param name="domain">
7099 ## Domain to not audit.
7103 interface(`files_dontaudit_all_access_check',`
7105 attribute file_type;
7108 dontaudit $1 file_type:file_class_set audit_access;
7111 ########################################
7113 ## Do not audit attempts to write to all files
7115 ## <param name="domain">
7117 ## Domain to not audit.
7121 interface(`files_dontaudit_write_all_files',`
7123 attribute file_type;
7126 dontaudit $1 file_type:dir_file_class_set write;