+++ /dev/null
-## <summary>Livecd tool for building alternate livecd for different os and policy versions.</summary>
-
-########################################
-## <summary>
-## Execute a domain transition to run livecd.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`livecd_domtrans',`
- gen_require(`
- type livecd_t, livecd_exec_t;
- ')
-
- domtrans_pattern($1, livecd_exec_t, livecd_t)
-')
-
-########################################
-## <summary>
-## Execute livecd in the livecd domain, and
-## allow the specified role the livecd domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-#
-interface(`livecd_run',`
- gen_require(`
- type livecd_t;
- type livecd_exec_t;
- ')
-
- livecd_domtrans($1)
- role $2 types livecd_t;
- role_transition $2 livecd_exec_t system_r;
-
- seutil_run_setfiles_mac(livecd_t, system_r)
-
- optional_policy(`
- mount_run(livecd_t, $2)
- ')
-')
-
-########################################
-## <summary>
-## Dontaudit read/write to a livecd leaks
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain to not audit.
-## </summary>
-## </param>
-#
-interface(`livecd_dontaudit_leaks',`
- gen_require(`
- type livecd_t;
- ')
-
- dontaudit $1 livecd_t:unix_dgram_socket { read write };
-')
-
-########################################
-## <summary>
-## Read livecd temporary files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`livecd_read_tmp_files',`
- gen_require(`
- type livecd_tmp_t;
- ')
-
- files_search_tmp($1)
- read_files_pattern($1, livecd_tmp_t, livecd_tmp_t)
-')
-
-########################################
-## <summary>
-## Read and write livecd temporary files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`livecd_rw_tmp_files',`
- gen_require(`
- type livecd_tmp_t;
- ')
-
- files_search_tmp($1)
- rw_files_pattern($1, livecd_tmp_t, livecd_tmp_t)
-')
-
-########################################
-## <summary>
-## Allow read and write access to livecd semaphores.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`livecd_rw_semaphores',`
- gen_require(`
- type livecd_t;
- ')
-
- allow $1 livecd_t:sem { unix_read unix_write associate read write };
-')
+++ /dev/null
-policy_module(livecd, 1.0.1)
-
-########################################
-#
-# Declarations
-#
-
-type livecd_t;
-type livecd_exec_t;
-application_domain(livecd_t, livecd_exec_t)
-role system_r types livecd_t;
-
-type livecd_tmp_t;
-files_tmp_file(livecd_tmp_t)
-
-########################################
-#
-# livecd local policy
-#
-
-dontaudit livecd_t self:capability2 mac_admin;
-
-tunable_policy(`deny_ptrace',`',`
- domain_ptrace_all_domains(livecd_t)
-')
-
-domain_interactive_fd(livecd_t)
-
-manage_dirs_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t)
-manage_files_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t)
-files_tmp_filetrans(livecd_t, livecd_tmp_t, { dir file })
-
-dev_filetrans_all_named_dev(livecd_t)
-storage_filetrans_all_named_dev(livecd_t)
-term_filetrans_all_named_dev(livecd_t)
-
-sysnet_filetrans_named_content(livecd_t)
-
-optional_policy(`
- ssh_filetrans_admin_home_content(livecd_t)
-')
-
-optional_policy(`
- unconfined_domain_noaudit(livecd_t)
-')
-
-optional_policy(`
- hal_dbus_chat(livecd_t)
-')
-
-optional_policy(`
- # Allow SELinux aware applications to request rpm_script execution
- rpm_transition_script(livecd_t)
- rpm_domtrans(livecd_t)
-')
projects / people / stevee / selinux-policy.git / commitdiff
