1 ## <summary>Policy for SELinux policy and userland applications.</summary>
3 #######################################
5 ## Execute checkpolicy in the checkpolicy domain.
7 ## <param name="domain">
9 ## Domain allowed access.
13 interface(`seutil_domtrans_checkpolicy',`
15 type checkpolicy_t, checkpolicy_exec_t;
19 corecmd_search_bin($1)
20 domtrans_pattern($1,checkpolicy_exec_t,checkpolicy_t)
23 ########################################
25 ## Execute checkpolicy in the checkpolicy domain, and
26 ## allow the specified role the checkpolicy domain,
27 ## and use the caller's terminal.
29 ## <param name="domain">
31 ## Domain allowed access.
34 ## <param name="role">
36 ## The role to be allowed the checkpolicy domain.
41 interface(`seutil_run_checkpolicy',`
46 seutil_domtrans_checkpolicy($1)
47 role $2 types checkpolicy_t;
50 ########################################
52 ## Execute checkpolicy in the caller domain.
54 ## <param name="domain">
56 ## Domain allowed access.
61 interface(`seutil_exec_checkpolicy',`
63 type checkpolicy_exec_t;
67 corecmd_search_bin($1)
68 can_exec($1,checkpolicy_exec_t)
71 #######################################
73 ## Execute load_policy in the load_policy domain.
75 ## <param name="domain">
77 ## Domain allowed access.
81 interface(`seutil_domtrans_loadpolicy',`
83 type load_policy_t, load_policy_exec_t;
86 corecmd_search_bin($1)
87 domtrans_pattern($1,load_policy_exec_t,load_policy_t)
90 ########################################
92 ## Execute load_policy in the load_policy domain, and
93 ## allow the specified role the load_policy domain,
94 ## and use the caller's terminal.
96 ## <param name="domain">
98 ## Domain allowed access.
101 ## <param name="role">
103 ## The role to be allowed the load_policy domain.
108 interface(`seutil_run_loadpolicy',`
113 seutil_domtrans_loadpolicy($1)
114 role $2 types load_policy_t;
117 ########################################
119 ## Execute load_policy in the caller domain.
121 ## <param name="domain">
123 ## Domain allowed access.
127 interface(`seutil_exec_loadpolicy',`
129 type load_policy_exec_t;
132 corecmd_search_bin($1)
133 can_exec($1,load_policy_exec_t)
136 ########################################
138 ## Read the load_policy program file.
140 ## <param name="domain">
142 ## Domain allowed access.
146 interface(`seutil_read_loadpolicy',`
148 type load_policy_exec_t;
151 corecmd_search_bin($1)
152 allow $1 load_policy_exec_t:file read_file_perms;
155 #######################################
157 ## Execute newrole in the newrole domain.
159 ## <param name="domain">
161 ## Domain allowed access.
165 interface(`seutil_domtrans_newrole',`
167 type newrole_t, newrole_exec_t;
171 corecmd_search_bin($1)
172 domtrans_pattern($1,newrole_exec_t,newrole_t)
175 ########################################
177 ## Execute newrole in the newrole domain, and
178 ## allow the specified role the newrole domain,
179 ## and use the caller's terminal.
181 ## <param name="domain">
183 ## Domain allowed access.
186 ## <param name="role">
188 ## The role to be allowed the newrole domain.
193 interface(`seutil_run_newrole',`
# Set up the transition from the caller domain into newrole_t.
198 seutil_domtrans_newrole($1)
# Authorize newrole_t for the role passed as the second argument.
199 role $2 types newrole_t;
# NOTE(review): auth_run_upd_passwd is also invoked for newrole_t with the
# same role, which the summary above does not mention. That interface is
# defined outside this listing; confirm what it adds to the role before
# granting this interface to a new role.
201 auth_run_upd_passwd(newrole_t, $2)
204 ########################################
206 ## Execute newrole in the caller domain.
208 ## <param name="domain">
210 ## Domain allowed access.
214 interface(`seutil_exec_newrole',`
# NOTE(review): newrole_t is required here, but no rule visible in this
# interface refers to it; only newrole_exec_t is used. Candidate for
# trimming the require list - confirm against the full file.
216 type newrole_t, newrole_exec_t;
# Let the caller look up the program, then execute newrole_exec_t. No
# domain transition is requested in the visible rules, matching the
# summary (newrole runs in the caller domain).
220 corecmd_search_bin($1)
221 can_exec($1,newrole_exec_t)
224 ########################################
226 ## Do not audit attempts by the caller to send
227 ## a signal to newrole.
229 ## <param name="domain">
231 ## Domain to not audit.
235 interface(`seutil_dontaudit_signal_newrole',`
240 dontaudit $1 newrole_t:process signal;
243 ########################################
245 ## Send a SIGCHLD signal to newrole.
247 ## <param name="domain">
249 ## Domain allowed access.
253 interface(`seutil_sigchld_newrole',`
258 allow $1 newrole_t:process sigchld;
261 ########################################
263 ## Inherit and use newrole file descriptors.
265 ## <param name="domain">
267 ## Domain allowed access.
271 interface(`seutil_use_newrole_fds',`
276 allow $1 newrole_t:fd use;
279 ########################################
281 ## Do not audit attempts to inherit and use
282 ## newrole file descriptors.
284 ## <param name="domain">
286 ## Domain to not audit.
290 interface(`seutil_dontaudit_use_newrole_fds',`
295 dontaudit $1 newrole_t:fd use;
298 #######################################
300 ## Execute restorecon in the restorecon domain. (Deprecated)
302 ## <param name="domain">
304 ## Domain allowed access.
308 interface(`seutil_domtrans_restorecon',`
309 refpolicywarn(`$0($*) has been deprecated, please use seutil_domtrans_setfiles() instead.')
310 seutil_domtrans_setfiles($1)
313 ########################################
315 ## Execute restorecon in the restorecon domain, and
316 ## allow the specified role the restorecon domain,
317 ## and use the caller's terminal. (Deprecated)
319 ## <param name="domain">
321 ## Domain allowed access.
324 ## <param name="role">
326 ## The role to be allowed the restorecon domain.
331 interface(`seutil_run_restorecon',`
332 refpolicywarn(`$0($*) has been deprecated, please use seutil_run_setfiles() instead.')
333 seutil_run_setfiles($1,$2)
336 ########################################
338 ## Execute restorecon in the caller domain. (Deprecated)
340 ## <param name="domain">
342 ## Domain allowed access.
347 interface(`seutil_exec_restorecon',`
348 refpolicywarn(`$0($*) has been deprecated, please use seutil_exec_setfiles() instead.')
349 seutil_exec_setfiles($1)
352 ########################################
354 ## Execute run_init in the run_init domain.
356 ## <param name="domain">
358 ## Domain allowed access.
362 interface(`seutil_domtrans_runinit',`
364 type run_init_t, run_init_exec_t;
368 corecmd_search_bin($1)
369 domtrans_pattern($1,run_init_exec_t,run_init_t)
372 ########################################
374 ## Execute init scripts in the run_init domain.
378 ## Execute init scripts in the run_init domain.
379 ## This is used for the Gentoo integrated run_init.
382 ## <param name="domain">
384 ## Domain allowed access.
388 interface(`seutil_init_script_domtrans_runinit',`
# Transition is set up through init_script_file_domtrans with run_init_t
# as the target domain (that interface is defined outside this listing).
393 init_script_file_domtrans($1,run_init_t)
# The three rules below run in the opposite direction from most rules in
# this file: run_init_t is the source and the caller domain is the target.
# run_init_t may use file descriptors of the caller, read and write the
# pipes of the caller, and send SIGCHLD to it.
395 allow run_init_t $1:fd use;
396 allow run_init_t $1:fifo_file rw_file_perms;
397 allow run_init_t $1:process sigchld;
400 ########################################
402 ## Execute run_init in the run_init domain, and
403 ## allow the specified role the run_init domain,
404 ## and use the caller's terminal.
406 ## <param name="domain">
408 ## Domain allowed access.
411 ## <param name="role">
413 ## The role to be allowed the run_init domain.
418 interface(`seutil_run_runinit',`
# NOTE(review): auth_run_chk_passwd is invoked for run_init_t with the
# given role; the summary above does not mention it and the interface is
# defined outside this listing. Confirm what it adds to the role.
424 auth_run_chk_passwd(run_init_t, $2)
# Set up the transition from the caller domain into run_init_t, then
# authorize run_init_t for the role passed as the second argument.
425 seutil_domtrans_runinit($1)
426 role $2 types run_init_t;
431 ########################################
433 ## Execute init scripts in the run_init domain, and
434 ## allow the specified role the run_init domain,
435 ## and use the caller's terminal.
439 ## Execute init scripts in the run_init domain, and
440 ## allow the specified role the run_init domain,
441 ## and use the caller's terminal.
444 ## This is used for the Gentoo integrated run_init.
447 ## <param name="domain">
449 ## Domain allowed access.
452 ## <param name="role">
454 ## The role to be allowed the run_init domain.
458 interface(`seutil_init_script_run_runinit',`
# NOTE(review): auth_run_chk_passwd is invoked for run_init_t with the
# given role; the summary above does not mention it and the interface is
# defined outside this listing. Confirm what it adds to the role.
464 auth_run_chk_passwd(run_init_t, $2)
# Init script transition into run_init_t for the caller, followed by the
# role authorization for run_init_t.
465 seutil_init_script_domtrans_runinit($1)
466 role $2 types run_init_t;
471 ########################################
473 ## Inherit and use run_init file descriptors.
475 ## <param name="domain">
477 ## Domain allowed access.
481 interface(`seutil_use_runinit_fds',`
486 allow $1 run_init_t:fd use;
489 ########################################
491 ## Execute setfiles in the setfiles domain.
493 ## <param name="domain">
495 ## Domain allowed access.
499 interface(`seutil_domtrans_setfiles',`
501 type setfiles_t, setfiles_exec_t;
505 corecmd_search_bin($1)
506 domtrans_pattern($1,setfiles_exec_t,setfiles_t)
509 ########################################
511 ## Execute setfiles in the setfiles domain, and
512 ## allow the specified role the setfiles domain,
513 ## and use the caller's terminal.
515 ## <param name="domain">
517 ## Domain allowed access.
520 ## <param name="role">
522 ## The role to be allowed the setfiles domain.
527 interface(`seutil_run_setfiles',`
532 seutil_domtrans_setfiles($1)
533 role $2 types setfiles_t;
536 ########################################
538 ## Execute setfiles in the caller domain.
540 ## <param name="domain">
542 ## Domain allowed access.
546 interface(`seutil_exec_setfiles',`
548 type setfiles_exec_t;
552 corecmd_search_bin($1)
553 can_exec($1,setfiles_exec_t)
556 ########################################
558 ## Do not audit attempts to search the SELinux
559 ## configuration directory (/etc/selinux).
561 ## <param name="domain">
563 ## Domain to not audit.
567 interface(`seutil_dontaudit_search_config',`
569 type selinux_config_t;
572 dontaudit $1 selinux_config_t:dir search_dir_perms;
575 ########################################
577 ## Do not audit attempts to read the SELinux
578 ## userland configuration (/etc/selinux).
580 ## <param name="domain">
582 ## Domain to not audit.
586 interface(`seutil_dontaudit_read_config',`
588 type selinux_config_t;
591 dontaudit $1 selinux_config_t:dir search_dir_perms;
592 dontaudit $1 selinux_config_t:file read_file_perms;
595 ########################################
597 ## Read the general SELinux configuration files.
599 ## <param name="domain">
601 ## Domain allowed access.
606 interface(`seutil_read_config',`
608 type selinux_config_t;
612 allow $1 selinux_config_t:dir list_dir_perms;
613 read_files_pattern($1,selinux_config_t,selinux_config_t)
614 read_lnk_files_pattern($1,selinux_config_t,selinux_config_t)
617 ########################################
619 ## Read and write the general SELinux configuration files.
621 ## <param name="domain">
623 ## Domain allowed access.
628 interface(`seutil_rw_config',`
630 type selinux_config_t;
634 allow $1 selinux_config_t:dir list_dir_perms;
635 rw_files_pattern($1,selinux_config_t,selinux_config_t)
638 #######################################
640 ## Create, read, write, and delete
641 ## the general selinux configuration files. (Deprecated)
645 ## Create, read, write, and delete
646 ## the general selinux configuration files.
649 ## This interface has been deprecated, please
650 ## use the seutil_manage_config() interface instead.
653 ## <param name="domain">
655 ## Domain allowed access.
660 interface(`seutil_manage_selinux_config',`
661 refpolicywarn(`$0($*) has been deprecated. Please use seutil_manage_config() instead.')
662 seutil_manage_config($1)
665 #######################################
667 ## Create, read, write, and delete
668 ## the general selinux configuration files.
670 ## <param name="domain">
672 ## Domain allowed access.
677 interface(`seutil_manage_config',`
679 type selinux_config_t;
683 manage_files_pattern($1,selinux_config_t,selinux_config_t)
684 read_lnk_files_pattern($1,selinux_config_t,selinux_config_t)
687 #######################################
689 ## Create, read, write, and delete
690 ## the general selinux configuration directories.
692 ## <param name="domain">
694 ## Domain allowed access.
699 interface(`seutil_manage_config_dirs',`
701 type selinux_config_t;
705 allow $1 selinux_config_t:dir manage_dir_perms;
708 ########################################
710 ## Search the policy directory with default_context files.
712 ## <param name="domain">
714 ## Domain allowed access.
718 interface(`seutil_search_default_contexts',`
720 type selinux_config_t, default_context_t;
724 search_dirs_pattern($1,selinux_config_t,default_context_t)
727 ########################################
729 ## Read the default_contexts files.
731 ## <param name="domain">
733 ## Domain allowed access.
738 interface(`seutil_read_default_contexts',`
740 type selinux_config_t, default_context_t;
744 allow $1 selinux_config_t:dir search_dir_perms;
745 allow $1 default_context_t:dir list_dir_perms;
746 read_files_pattern($1,default_context_t,default_context_t)
749 ########################################
751 ## Create, read, write, and delete the default_contexts files.
753 ## <param name="domain">
755 ## Domain allowed access.
759 interface(`seutil_manage_default_contexts',`
761 type selinux_config_t, default_context_t;
765 allow $1 selinux_config_t:dir search_dir_perms;
766 manage_files_pattern($1,default_context_t,default_context_t)
769 ########################################
771 ## Read the file_contexts files.
773 ## <param name="domain">
775 ## Domain allowed access.
780 interface(`seutil_read_file_contexts',`
782 type selinux_config_t, default_context_t, file_context_t;
786 allow $1 { selinux_config_t default_context_t }:dir search_dir_perms;
787 read_files_pattern($1,file_context_t,file_context_t)
790 ########################################
792 ## Do not audit attempts to read the file_contexts files.
794 ## <param name="domain">
796 ## Domain to not audit.
801 interface(`seutil_dontaudit_read_file_contexts',`
803 type selinux_config_t, default_context_t, file_context_t;
806 dontaudit $1 { selinux_config_t default_context_t file_context_t }:dir search_dir_perms;
807 dontaudit $1 file_context_t:file read_file_perms;
810 ########################################
812 ## Read and write the file_contexts files.
814 ## <param name="domain">
816 ## Domain allowed access.
820 interface(`seutil_rw_file_contexts',`
822 type selinux_config_t, file_context_t, default_context_t;
826 allow $1 { selinux_config_t default_context_t }:dir search_dir_perms;
827 rw_files_pattern($1,file_context_t,file_context_t)
830 ########################################
832 ## Create, read, write, and delete the file_contexts files.
834 ## <param name="domain">
836 ## Domain allowed access.
841 interface(`seutil_manage_file_contexts',`
843 type selinux_config_t, file_context_t, default_context_t;
847 allow $1 { selinux_config_t default_context_t }:dir search_dir_perms;
848 manage_files_pattern($1,file_context_t,file_context_t)
851 ########################################
853 ## Read the SELinux binary policy.
855 ## <param name="domain">
857 ## Domain allowed access.
861 interface(`seutil_read_bin_policy',`
863 type selinux_config_t, policy_config_t;
867 allow $1 selinux_config_t:dir search_dir_perms;
868 read_files_pattern($1,policy_config_t,policy_config_t)
871 ########################################
873 ## Create the SELinux binary policy.
875 ## <param name="domain">
877 ## Domain allowed access.
881 interface(`seutil_create_bin_policy',`
883 # attribute can_write_binary_policy;
884 type selinux_config_t, policy_config_t;
# Search access to the SELinux configuration directory, then create and
# write access to policy_config_t files in policy_config_t directories.
888 allow $1 selinux_config_t:dir search_dir_perms;
889 create_files_pattern($1,policy_config_t,policy_config_t)
890 write_files_pattern($1,policy_config_t,policy_config_t)
# NOTE(review): the attribute requirement and the typeattribute statement
# are both commented out, so a domain granted this interface can create
# and write policy_config_t files without being placed in
# can_write_binary_policy. seutil_manage_bin_policy does assign that
# attribute. Anything that relies on the attribute to enumerate or
# constrain policy writers (a neverallow, an audit query) would miss
# callers of this interface - confirm this is intended.
891 # typeattribute $1 can_write_binary_policy;
894 ########################################
896 ## Allow the caller to relabel a file to the binary policy type.
898 ## <param name="domain">
900 ## Domain allowed access.
904 interface(`seutil_relabelto_bin_policy',`
906 attribute can_relabelto_binary_policy;
907 type policy_config_t;
# Grant relabelto on policy_config_t files only; no relabelfrom or write
# permission is given by this interface.
910 allow $1 policy_config_t:file relabelto;
# Besides the allow rule, the caller is added to
# can_relabelto_binary_policy, so the domains able to relabel files to
# the binary policy type are grouped under one attribute.
911 typeattribute $1 can_relabelto_binary_policy;
914 ########################################
916 ## Create, read, write, and delete the SELinux binary policy.
919 ## <param name="domain">
921 ## Domain allowed access.
925 interface(`seutil_manage_bin_policy',`
927 attribute can_write_binary_policy;
928 type selinux_config_t, policy_config_t;
# Search access to the SELinux configuration directory, then full
# management of policy_config_t files.
932 allow $1 selinux_config_t:dir search_dir_perms;
933 manage_files_pattern($1,policy_config_t,policy_config_t)
# The caller is added to can_write_binary_policy, so domains that can
# modify the binary policy through this interface are grouped under that
# attribute. seutil_create_bin_policy grants create and write access
# without assigning it.
934 typeattribute $1 can_write_binary_policy;
937 ########################################
939 ## Read SELinux policy source files.
941 ## <param name="domain">
943 ## Domain allowed access.
947 interface(`seutil_read_src_policy',`
949 type selinux_config_t, policy_src_t;
953 list_dirs_pattern($1,selinux_config_t,policy_src_t)
954 read_files_pattern($1,policy_src_t,policy_src_t)
957 ########################################
959 ## Create, read, write, and delete SELinux
960 ## policy source files.
962 ## <param name="domain">
964 ## Domain allowed access.
969 interface(`seutil_manage_src_policy',`
971 type selinux_config_t, policy_src_t;
975 allow $1 selinux_config_t:dir search_dir_perms;
976 manage_dirs_pattern($1,policy_src_t,policy_src_t)
977 manage_files_pattern($1,policy_src_t,policy_src_t)
980 ########################################
982 ## Execute a domain transition to run semanage.
984 ## <param name="domain">
986 ## Domain allowed to transition.
990 interface(`seutil_domtrans_semanage',`
992 type semanage_t, semanage_exec_t;
996 corecmd_search_bin($1)
997 domtrans_pattern($1,semanage_exec_t,semanage_t)
1000 ########################################
1002 ## Execute semanage in the semanage domain, and
1003 ## allow the specified role the semanage domain,
1004 ## and use the caller's terminal.
1006 ## <param name="domain">
1008 ## Domain allowed access.
1011 ## <param name="role">
1013 ## The role to be allowed the semanage domain.
1018 interface(`seutil_run_semanage',`
# Set up the transition from the caller domain into semanage_t.
1023 seutil_domtrans_semanage($1)
# The role is not limited to semanage_t: the two nested run interfaces
# below let semanage_t transition to the setfiles and load_policy domains
# and add setfiles_t and load_policy_t to the same role. Granting this
# interface therefore authorizes the role for the relabeling and policy
# loading domains as well.
1024 seutil_run_setfiles(semanage_t, $2)
1025 seutil_run_loadpolicy(semanage_t, $2)
1026 role $2 types semanage_t;
1029 ########################################
1031 ## Full management of the semanage module store.
1034 ## <param name="domain">
1036 ## Domain allowed access.
1040 interface(`seutil_manage_module_store',`
1042 type selinux_config_t, semanage_store_t;
1045 files_search_etc($1)
1046 manage_dirs_pattern($1,selinux_config_t,semanage_store_t)
1047 manage_files_pattern($1,semanage_store_t,semanage_store_t)
1048 filetrans_pattern($1,selinux_config_t,semanage_store_t,dir)
1051 #######################################
1053 ## Get read lock on module store
1055 ## <param name="domain">
1057 ## Domain allowed access.
1061 interface(`seutil_get_semanage_read_lock',`
1063 type selinux_config_t, semanage_read_lock_t;
1066 files_search_etc($1)
1067 rw_files_pattern($1,selinux_config_t,semanage_read_lock_t)
1070 #######################################
1072 ## Get trans lock on module store
1074 ## <param name="domain">
1076 ## Domain allowed access.
1080 interface(`seutil_get_semanage_trans_lock',`
1082 type selinux_config_t, semanage_trans_lock_t;
1085 files_search_etc($1)
1086 rw_files_pattern($1,selinux_config_t,semanage_trans_lock_t)
1089 ########################################
1091 ## SELinux-enabled program access for
1092 ## libselinux-linked programs.
1096 ## SELinux-enabled programs are typically
1097 ## linked to the libselinux library. This
1098 ## interface will allow access required for
1099 ## the libselinux constructor to function.
1102 ## <param name="domain">
1104 ## Domain allowed access.
1108 interface(`seutil_libselinux_linked',`
1109 selinux_get_fs_mount($1)
1110 seutil_read_config($1)
1113 ########################################
1115 ## Do not audit SELinux-enabled program access for
1116 ## libselinux-linked programs.
1120 ## SELinux-enabled programs are typically
1121 ## linked to the libselinux library. This
1122 ## interface will dontaudit access required for
1123 ## the libselinux constructor to function.
1126 ## Generally this should not be used on anything
1127 ## but simple SELinux-enabled programs that do not
1128 ## rely on data initialized by the libselinux constructor.
1132 ## <param name="domain">
1134 ## Domain to not audit.
1138 interface(`seutil_dontaudit_libselinux_linked',`
1139 selinux_dontaudit_get_fs_mount($1)
1140 seutil_dontaudit_read_config($1)