##
## Basic filesystem types and interfaces.
##
##
##
## This module contains basic filesystem types and interfaces. This
## includes:
##
## - The concept of different file types including basic
## files, mount points, tmp files, etc.
## - Access to groups of files and all files.
## - Types and interfaces for the basic filesystem layout
## (/, /etc, /tmp, /usr, etc.).
##
##
##
##
## Contains the concept of a file.
## Comains the file initial SID.
##
########################################
##
## Make the specified type usable for files
## in a filesystem.
##
##
##
## Make the specified type usable for files
## in a filesystem. Types used for files that
## do not use this interface, or an interface that
## calls this one, will have unexpected behaviors
## while the system is running. If the type is used
## for device nodes (character or block files), then
## the dev_node() interface is more appropriate.
##
##
## Related interfaces:
##
##
## - application_domain()
## - application_executable_file()
## - corecmd_executable_file()
## - init_daemon_domain()
## - init_domaion()
## - init_ranged_daemon_domain()
## - init_ranged_domain()
## - init_ranged_system_domain()
## - init_script_file()
## - init_script_domain()
## - init_system_domain()
## - files_config_files()
## - files_lock_file()
## - files_mountpoint()
## - files_runtime_file()
## - files_security_file()
## - files_security_mountpoint()
## - files_tmp_file()
## - files_tmpfs_file()
## - logging_log_file()
## - userdom_user_home_content()
##
##
## Example:
##
##
## type myfile_t;
## files_type(myfile_t)
## allow mydomain_t myfile_t:file read_file_perms;
##
##
##
##
## Type to be used for files.
##
##
##
#
interface(`files_type',`
gen_require(`
attribute file_type, non_security_file_type, non_auth_file_type;
')
typeattribute $1 file_type, non_security_file_type, non_auth_file_type;
')
########################################
##
## Mark the specified type as a file
## that is related to authentication.
##
##
##
## Type of the authentication-related
## file.
##
##
#
interface(`files_auth_file',`
gen_require(`
attribute file_type, security_file_type, auth_file_type;
')
typeattribute $1 file_type, security_file_type, auth_file_type;
')
########################################
##
## Make the specified type a file that
## should not be dontaudited from
## browsing from user domains.
##
##
##
## Type of the file to be used as a
## member directory.
##
##
#
interface(`files_security_file',`
gen_require(`
attribute file_type, security_file_type, non_auth_file_type;
')
typeattribute $1 file_type, security_file_type, non_auth_file_type;
')
########################################
##
## Make the specified type usable for
## lock files.
##
##
##
## Type to be used for lock files.
##
##
#
interface(`files_lock_file',`
gen_require(`
attribute lockfile;
')
files_type($1)
typeattribute $1 lockfile;
')
########################################
##
## Make the specified type usable for
## filesystem mount points.
##
##
##
## Type to be used for mount points.
##
##
#
interface(`files_mountpoint',`
gen_require(`
attribute mountpoint;
')
files_type($1)
typeattribute $1 mountpoint;
optional_policy(`
init_mountpoint($1)
')
')
########################################
##
## Make the specified type usable for
## security file filesystem mount points.
##
##
##
## Type to be used for mount points.
##
##
#
interface(`files_security_mountpoint',`
gen_require(`
attribute mountpoint;
')
files_security_file($1)
typeattribute $1 mountpoint;
')
########################################
##
## Make the specified type usable for
## runtime process ID files.
##
##
##
## Make the specified type usable for runtime process ID files,
## typically found in /var/run.
## This will also make the type usable for files, making
## calls to files_type() redundant. Failure to use this interface
## for a PID file type may result in problems with starting
## or stopping services.
##
##
## Related interfaces:
##
##
## - files_runtime_filetrans()
##
##
## Example usage with a domain that can create and
## write its PID file with a private PID file type in the
## /var/run directory:
##
##
## type mypidfile_t;
## files_runtime_file(mypidfile_t)
## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms };
## files_runtime_filetrans(mydomain_t, mypidfile_t, file)
##
##
##
##
## Type to be used for PID files.
##
##
##
#
interface(`files_runtime_file',`
gen_require(`
attribute pidfile;
')
files_type($1)
typeattribute $1 pidfile;
')
########################################
##
## Make the specified type a
## configuration file.
##
##
##
## Make the specified type usable for configuration files.
## This will also make the type usable for files, making
## calls to files_type() redundant. Failure to use this interface
## for a temporary file may result in problems with
## configuration management tools.
##
##
## Example usage with a domain that can read
## its configuration file /etc:
##
##
## type myconffile_t;
## files_config_file(myconffile_t)
## allow mydomain_t myconffile_t:file read_file_perms;
## files_search_etc(mydomain_t)
##
##
##
##
## Type to be used as a configuration file.
##
##
##
#
interface(`files_config_file',`
gen_require(`
attribute configfile;
')
files_type($1)
typeattribute $1 configfile;
')
########################################
##
## Make the specified type a
## polyinstantiated directory.
##
##
##
## Type of the file to be used as a
## polyinstantiated directory.
##
##
#
interface(`files_poly',`
gen_require(`
attribute polydir;
')
files_type($1)
typeattribute $1 polydir;
')
########################################
##
## Make the specified type a parent
## of a polyinstantiated directory.
##
##
##
## Type of the file to be used as a
## parent directory.
##
##
#
interface(`files_poly_parent',`
gen_require(`
attribute polyparent;
')
files_type($1)
typeattribute $1 polyparent;
')
########################################
##
## Make the specified type a
## polyinstantiation member directory.
##
##
##
## Type of the file to be used as a
## member directory.
##
##
#
interface(`files_poly_member',`
gen_require(`
attribute polymember;
')
files_type($1)
typeattribute $1 polymember;
')
########################################
##
## Make the domain use the specified
## type of polyinstantiated directory.
##
##
##
## Domain using the polyinstantiated
## directory.
##
##
##
##
## Type of the file to be used as a
## member directory.
##
##
#
interface(`files_poly_member_tmp',`
gen_require(`
type tmp_t;
')
type_member $1 tmp_t:dir $2;
')
########################################
##
## Make the specified type a file
## used for temporary files.
##
##
##
## Make the specified type usable for temporary files.
## This will also make the type usable for files, making
## calls to files_type() redundant. Failure to use this interface
## for a temporary file may result in problems with
## purging temporary files.
##
##
## Related interfaces:
##
##
## - files_tmp_filetrans()
##
##
## Example usage with a domain that can create and
## write its temporary file in the system temporary file
## directories (/tmp or /var/tmp):
##
##
## type mytmpfile_t;
## files_tmp_file(mytmpfile_t)
## allow mydomain_t mytmpfile_t:file { create_file_perms write_file_perms };
## files_tmp_filetrans(mydomain_t, mytmpfile_t, file)
##
##
##
##
## Type of the file to be used as a
## temporary file.
##
##
##
#
interface(`files_tmp_file',`
gen_require(`
attribute tmpfile;
')
files_type($1)
files_poly_member($1)
typeattribute $1 tmpfile;
')
########################################
##
## Transform the type into a file, for use on a
## virtual memory filesystem (tmpfs).
##
##
##
## The type to be transformed.
##
##
#
interface(`files_tmpfs_file',`
gen_require(`
attribute tmpfsfile;
')
files_type($1)
typeattribute $1 tmpfsfile;
')
########################################
##
## dontaudit getattr on tmpfs files
##
##
##
## Domain to not have stat on tmpfs files audited
##
##
#
interface(`files_dontaudit_getattr_all_tmpfs_files',`
gen_require(`
attribute tmpfsfile;
')
dontaudit $1 tmpfsfile:file getattr;
')
########################################
##
## Get the attributes of all directories.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_getattr_all_dirs',`
gen_require(`
attribute file_type;
')
getattr_dirs_pattern($1, file_type, file_type)
')
########################################
##
## Do not audit attempts to get the attributes
## of all directories.
##
##
##
## Domain to not audit.
##
##
#
interface(`files_dontaudit_getattr_all_dirs',`
gen_require(`
attribute file_type;
')
dontaudit $1 file_type:dir getattr;
')
########################################
##
## List all non-security directories.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_list_non_security',`
gen_require(`
attribute non_security_file_type;
')
list_dirs_pattern($1, non_security_file_type, non_security_file_type)
')
########################################
##
## Do not audit attempts to list all
## non-security directories.
##
##
##
## Domain to not audit.
##
##
#
interface(`files_dontaudit_list_non_security',`
gen_require(`
attribute non_security_file_type;
')
dontaudit $1 non_security_file_type:dir list_dir_perms;
')
########################################
##
## Mount a filesystem on all non-security
## directories and files.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_mounton_non_security',`
gen_require(`
attribute non_security_file_type;
')
allow $1 non_security_file_type:dir { mounton_dir_perms search };
allow $1 non_security_file_type:file mounton_file_perms;
')
########################################
##
## Allow attempts to modify any directory
##
##
##
## Domain allowed access.
##
##
#
interface(`files_write_non_security_dirs',`
gen_require(`
attribute non_security_file_type;
')
allow $1 non_security_file_type:dir write;
')
########################################
##
## Allow attempts to manage non-security directories
##
##
##
## Domain allowed access.
##
##
#
interface(`files_manage_non_security_dirs',`
gen_require(`
attribute non_security_file_type;
')
allow $1 non_security_file_type:dir manage_dir_perms;
')
########################################
##
## Create non-security directories.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_create_non_security_dirs',`
gen_require(`
attribute non_security_file_type;
')
create_dirs_pattern($1, non_security_file_type, non_security_file_type)
')
########################################
##
## Relabel from/to non-security directories.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_relabel_non_security_dirs',`
gen_require(`
attribute non_security_file_type;
')
relabel_dirs_pattern($1, non_security_file_type, non_security_file_type)
')
########################################
##
## Get the attributes of all files.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_getattr_all_files',`
gen_require(`
attribute file_type;
')
getattr_files_pattern($1, file_type, file_type)
getattr_lnk_files_pattern($1, file_type, file_type)
')
########################################
##
## Do not audit attempts to get the attributes
## of all files.
##
##
##
## Domain to not audit.
##
##
#
interface(`files_dontaudit_getattr_all_files',`
gen_require(`
attribute file_type;
')
dontaudit $1 file_type:file getattr;
')
########################################
##
## Do not audit attempts to get the attributes
## of non security files.
##
##
##
## Domain to not audit.
##
##
#
interface(`files_dontaudit_getattr_non_security_files',`
gen_require(`
attribute non_security_file_type;
')
dontaudit $1 non_security_file_type:file getattr;
')
########################################
##
## Create, read, write, and delete all non-security files.
##
##
##
## Domain allowed access.
##
##
##
#
interface(`files_manage_non_security_files',`
gen_require(`
attribute non_security_file_type;
')
manage_files_pattern($1, non_security_file_type, non_security_file_type)
')
########################################
##
## Relabel from/to all non-security files.
##
##
##
## Domain allowed access.
##
##
##
#
interface(`files_relabel_non_security_files',`
gen_require(`
attribute non_security_file_type;
')
relabel_files_pattern($1, non_security_file_type, non_security_file_type)
')
########################################
##
## Read all files.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_read_all_files',`
gen_require(`
attribute file_type;
')
allow $1 file_type:dir list_dir_perms;
read_files_pattern($1, file_type, file_type)
optional_policy(`
auth_read_shadow($1)
')
')
########################################
##
## Read and memory map all files.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_mmap_read_all_files',`
gen_require(`
attribute file_type;
')
allow $1 file_type:dir list_dir_perms;
mmap_read_files_pattern($1, file_type, file_type)
optional_policy(`
auth_read_shadow($1)
auth_map_shadow($1)
')
')
########################################
##
## Allow shared library text relocations in all files.
##
##
##
## Allow shared library text relocations in all files.
##
##
## This is added to support WINE policy.
##
##
##
##
## Domain allowed access.
##
##
#
interface(`files_execmod_all_files',`
gen_require(`
attribute file_type;
')
allow $1 file_type:file execmod;
')
########################################
##
## Read all non-security files.
##
##
##
## Domain allowed access.
##
##
##
#
interface(`files_read_non_security_files',`
gen_require(`
attribute non_security_file_type;
')
read_files_pattern($1, non_security_file_type, non_security_file_type)
read_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
')
########################################
##
## Write all non-security files.
##
##
##
## Domain allowed access.
##
##
##
#
interface(`files_write_non_security_files',`
gen_require(`
attribute non_security_file_type;
')
write_files_pattern($1, non_security_file_type, non_security_file_type)
read_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
')
########################################
##
## Create all non-security files.
##
##
##
## Domain allowed access.
##
##
##
#
interface(`files_create_non_security_files',`
gen_require(`
attribute non_security_file_type;
')
create_files_pattern($1, non_security_file_type, non_security_file_type)
read_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
')
########################################
##
## Read all directories on the filesystem, except
## the listed exceptions.
##
##
##
## Domain allowed access.
##
##
##
##
## The types to be excluded. Each type or attribute
## must be negated by the caller.
##
##
#
interface(`files_read_all_dirs_except',`
gen_require(`
attribute file_type;
')
allow $1 { file_type $2 }:dir list_dir_perms;
')
########################################
##
## Read all files on the filesystem, except
## the listed exceptions.
##
##
##
## Domain allowed access.
##
##
##
##
## The types to be excluded. Each type or attribute
## must be negated by the caller.
##
##
#
interface(`files_read_all_files_except',`
gen_require(`
attribute file_type;
')
read_files_pattern($1, { file_type $2 }, { file_type $2 })
')
########################################
##
## Read all symbolic links on the filesystem, except
## the listed exceptions.
##
##
##
## Domain allowed access.
##
##
##
##
## The types to be excluded. Each type or attribute
## must be negated by the caller.
##
##
#
interface(`files_read_all_symlinks_except',`
gen_require(`
attribute file_type;
')
read_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
')
########################################
##
## Get the attributes of all symbolic links.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_getattr_all_symlinks',`
gen_require(`
attribute file_type;
')
getattr_lnk_files_pattern($1, file_type, file_type)
')
########################################
##
## Do not audit attempts to get the attributes
## of all symbolic links.
##
##
##
## Domain to not audit.
##
##
#
interface(`files_dontaudit_getattr_all_symlinks',`
gen_require(`
attribute file_type;
')
dontaudit $1 file_type:lnk_file getattr;
')
########################################
##
## Do not audit attempts to read all symbolic links.
##
##
##
## Domain to not audit.
##
##
#
interface(`files_dontaudit_read_all_symlinks',`
gen_require(`
attribute file_type;
')
dontaudit $1 file_type:lnk_file read;
')
########################################
##
## Do not audit attempts to get the attributes
## of non security symbolic links.
##
##
##
## Domain to not audit.
##
##
#
interface(`files_dontaudit_getattr_non_security_symlinks',`
gen_require(`
attribute non_security_file_type;
')
dontaudit $1 non_security_file_type:lnk_file getattr;
')
########################################
##
## Do not audit attempts to get the attributes
## of non security block devices.
##
##
##
## Domain to not audit.
##
##
#
interface(`files_dontaudit_getattr_non_security_blk_files',`
gen_require(`
attribute non_security_file_type;
')
dontaudit $1 non_security_file_type:blk_file getattr;
')
########################################
##
## Do not audit attempts to get the attributes
## of non security character devices.
##
##
##
## Domain to not audit.
##
##
#
interface(`files_dontaudit_getattr_non_security_chr_files',`
gen_require(`
attribute non_security_file_type;
')
dontaudit $1 non_security_file_type:chr_file getattr;
')
########################################
##
## Read all symbolic links.
##
##
##
## Domain allowed access.
##
##
##
#
interface(`files_read_all_symlinks',`
gen_require(`
attribute file_type;
')
allow $1 file_type:dir list_dir_perms;
read_lnk_files_pattern($1, file_type, file_type)
')
########################################
##
## Get the attributes of all named pipes.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_getattr_all_pipes',`
gen_require(`
attribute file_type;
')
allow $1 file_type:dir list_dir_perms;
getattr_fifo_files_pattern($1, file_type, file_type)
')
########################################
##
## Do not audit attempts to get the attributes
## of all named pipes.
##
##
##
## Domain to not audit.
##
##
#
interface(`files_dontaudit_getattr_all_pipes',`
gen_require(`
attribute file_type;
')
dontaudit $1 file_type:fifo_file getattr;
')
########################################
##
## Do not audit attempts to get the attributes
## of non security named pipes.
##
##
##
## Domain to not audit.
##
##
#
interface(`files_dontaudit_getattr_non_security_pipes',`
gen_require(`
attribute non_security_file_type;
')
dontaudit $1 non_security_file_type:fifo_file getattr;
')
########################################
##
## Get the attributes of all named sockets.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_getattr_all_sockets',`
gen_require(`
attribute file_type;
')
allow $1 file_type:dir list_dir_perms;
getattr_sock_files_pattern($1, file_type, file_type)
')
########################################
##
## Do not audit attempts to get the attributes
## of all named sockets.
##
##
##
## Domain to not audit.
##
##
#
interface(`files_dontaudit_getattr_all_sockets',`
gen_require(`
attribute file_type;
')
dontaudit $1 file_type:sock_file getattr;
')
########################################
##
## Do not audit attempts to get the attributes
## of non security named sockets.
##
##
##
## Domain to not audit.
##
##
#
interface(`files_dontaudit_getattr_non_security_sockets',`
gen_require(`
attribute non_security_file_type;
')
dontaudit $1 non_security_file_type:sock_file getattr;
')
########################################
##
## Read all block nodes with file types.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_read_all_blk_files',`
gen_require(`
attribute file_type;
')
read_blk_files_pattern($1, file_type, file_type)
')
########################################
##
## Read all character nodes with file types.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_read_all_chr_files',`
gen_require(`
attribute file_type;
')
read_chr_files_pattern($1, file_type, file_type)
')
########################################
##
## Relabel all files on the filesystem, except
## the listed exceptions.
##
##
##
## Domain allowed access.
##
##
##
##
## The types to be excluded. Each type or attribute
## must be negated by the caller.
##
##
##
#
interface(`files_relabel_all_files',`
gen_require(`
attribute file_type;
')
allow $1 { file_type $2 }:dir list_dir_perms;
relabel_dirs_pattern($1, { file_type $2 }, { file_type $2 })
relabel_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
# this is only relabelfrom since there should be no
# device nodes with file types.
relabelfrom_blk_files_pattern($1, { file_type $2 }, { file_type $2 })
relabelfrom_chr_files_pattern($1, { file_type $2 }, { file_type $2 })
# satisfy the assertions:
seutil_relabelto_bin_policy($1)
')
########################################
##
## rw all files on the filesystem, except
## the listed exceptions.
##
##
##
## Domain allowed access.
##
##
##
##
## The types to be excluded. Each type or attribute
## must be negated by the caller.
##
##
##
#
interface(`files_rw_all_files',`
gen_require(`
attribute file_type;
')
rw_files_pattern($1, { file_type $2 }, { file_type $2 })
')
########################################
##
## Manage all files on the filesystem, except
## the listed exceptions.
##
##
##
## Domain allowed access.
##
##
##
##
## The types to be excluded. Each type or attribute
## must be negated by the caller.
##
##
##
#
interface(`files_manage_all_files',`
gen_require(`
attribute file_type;
')
manage_dirs_pattern($1, { file_type $2 }, { file_type $2 })
manage_files_pattern($1, { file_type $2 }, { file_type $2 })
manage_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
manage_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
manage_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
')
########################################
##
## Search the contents of all directories on
## extended attribute filesystems.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_search_all',`
gen_require(`
attribute file_type;
')
allow $1 file_type:dir search_dir_perms;
')
########################################
##
## List the contents of all directories on
## extended attribute filesystems.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_list_all',`
gen_require(`
attribute file_type;
')
allow $1 file_type:dir list_dir_perms;
')
########################################
##
## Create all files as is.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_create_all_files_as',`
gen_require(`
attribute file_type;
')
allow $1 file_type:kernel_service create_files_as;
')
########################################
##
## Do not audit attempts to search the
## contents of any directories on extended
## attribute filesystems.
##
##
##
## Domain to not audit.
##
##
#
interface(`files_dontaudit_search_all_dirs',`
gen_require(`
attribute file_type;
')
dontaudit $1 file_type:dir search_dir_perms;
')
########################################
##
## Get the attributes of all filesystems
## with the type of a file.
##
##
##
## Domain allowed access.
##
##
#
# dwalsh: This interface is to allow quotacheck to work on a
# a filesystem mounted with the --context switch
# https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=212957
#
interface(`files_getattr_all_file_type_fs',`
gen_require(`
attribute file_type;
')
allow $1 file_type:filesystem getattr;
')
########################################
##
## Relabel a filesystem to the type of a file.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_relabelto_all_file_type_fs',`
gen_require(`
attribute file_type;
')
allow $1 file_type:filesystem relabelto;
')
########################################
##
## Relabel a filesystem to and from the type of a file.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_relabel_all_file_type_fs',`
gen_require(`
attribute file_type;
')
allow $1 file_type:filesystem { relabelfrom relabelto };
')
########################################
##
## Mount all filesystems with the type of a file.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_mount_all_file_type_fs',`
gen_require(`
attribute file_type;
')
allow $1 file_type:filesystem mount;
')
########################################
##
## Unmount all filesystems with the type of a file.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_unmount_all_file_type_fs',`
gen_require(`
attribute file_type;
')
allow $1 file_type:filesystem unmount;
')
########################################
##
## watch all directories of file_type
##
##
##
## Domain allowed access.
##
##
#
interface(`files_watch_all_dirs',`
gen_require(`
attribute file_type;
')
allow $1 file_type:dir watch;
')
########################################
##
## Read all non-authentication related
## directories.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_list_non_auth_dirs',`
gen_require(`
attribute non_auth_file_type;
')
allow $1 non_auth_file_type:dir list_dir_perms;
')
########################################
##
## Read all non-authentication related
## files.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_read_non_auth_files',`
gen_require(`
attribute non_auth_file_type;
')
read_files_pattern($1, non_auth_file_type, non_auth_file_type)
')
########################################
##
## Read all non-authentication related
## symbolic links.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_read_non_auth_symlinks',`
gen_require(`
attribute non_auth_file_type;
')
read_lnk_files_pattern($1, non_auth_file_type, non_auth_file_type)
')
########################################
##
## rw non-authentication related files.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_rw_non_auth_files',`
gen_require(`
attribute non_auth_file_type;
')
rw_files_pattern($1, non_auth_file_type, non_auth_file_type)
')
########################################
##
## Manage non-authentication related
## files.
##
##
##
## Domain allowed access.
##
##
##
#
interface(`files_manage_non_auth_files',`
gen_require(`
attribute non_auth_file_type;
')
manage_dirs_pattern($1, non_auth_file_type, non_auth_file_type)
manage_files_pattern($1, non_auth_file_type, non_auth_file_type)
manage_lnk_files_pattern($1, non_auth_file_type, non_auth_file_type)
manage_fifo_files_pattern($1, non_auth_file_type, non_auth_file_type)
manage_sock_files_pattern($1, non_auth_file_type, non_auth_file_type)
')
########################################
##
## Mmap non-authentication related
## files.
##
##
##
## Domain allowed access.
##
##
##
#
interface(`files_map_non_auth_files',`
gen_require(`
attribute non_auth_file_type;
')
allow $1 non_auth_file_type:file map;
')
########################################
##
## Relabel all non-authentication related
## files.
##
##
##
## Domain allowed access.
##
##
##
#
interface(`files_relabel_non_auth_files',`
gen_require(`
attribute non_auth_file_type;
')
allow $1 non_auth_file_type:dir list_dir_perms;
relabel_dirs_pattern($1, non_auth_file_type, non_auth_file_type)
relabel_files_pattern($1, non_auth_file_type, non_auth_file_type)
relabel_lnk_files_pattern($1, non_auth_file_type, non_auth_file_type)
relabel_fifo_files_pattern($1, non_auth_file_type, non_auth_file_type)
relabel_sock_files_pattern($1, non_auth_file_type, non_auth_file_type)
# this is only relabelfrom since there should be no
# device nodes with file types.
relabelfrom_blk_files_pattern($1, non_auth_file_type, non_auth_file_type)
relabelfrom_chr_files_pattern($1, non_auth_file_type, non_auth_file_type)
# satisfy the assertions:
# seutil_relabelto_bin_policy($1)
# Gentoo: this is removed as we do not want to set attributes in this phase, we want
# to allow files_relabel_non_auth_files to be an optional setting (tunable).
')
#############################################
##
## Manage all configuration directories on filesystem
##
##
##
## Domain allowed access.
##
##
##
#
interface(`files_manage_config_dirs',`
gen_require(`
attribute configfile;
')
manage_dirs_pattern($1, configfile, configfile)
')
#########################################
##
## Relabel configuration directories
##
##
##
## Domain allowed access.
##
##
##
#
interface(`files_relabel_config_dirs',`
gen_require(`
attribute configfile;
')
relabel_dirs_pattern($1, configfile, configfile)
')
#########################################
##
## Do not audit attempts to relabel configuration directories
##
##
##
## Domain not to audit.
##
##
##
#
interface(`files_dontaudit_relabel_config_dirs',`
gen_require(`
attribute configfile;
')
dontaudit $1 configfile:dir relabel_dir_perms;
')
########################################
##
## Read config files in /etc.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_read_config_files',`
gen_require(`
attribute configfile;
')
allow $1 configfile:dir list_dir_perms;
read_files_pattern($1, configfile, configfile)
read_lnk_files_pattern($1, configfile, configfile)
')
###########################################
##
## Manage all configuration files on filesystem
##
##
##
## Domain allowed access.
##
##
##
#
interface(`files_manage_config_files',`
gen_require(`
attribute configfile;
')
manage_files_pattern($1, configfile, configfile)
')
#######################################
##
## Relabel configuration files
##
##
##
## Domain allowed access.
##
##
##
#
interface(`files_relabel_config_files',`
gen_require(`
attribute configfile;
')
relabel_files_pattern($1, configfile, configfile)
')
#######################################
##
## Do not audit attempts to relabel configuration files
##
##
##
## Domain not to audit.
##
##
##
#
interface(`files_dontaudit_relabel_config_files',`
gen_require(`
attribute configfile;
')
dontaudit $1 configfile:file relabel_file_perms;
')
#######################################
##
## Relabel configuration symlinks.
##
##
##
## Domain allowed access.
##
##
##
#
interface(`files_relabel_config_symlinks',`
gen_require(`
attribute configfile;
')
relabel_lnk_files_pattern($1, configfile, configfile)
')
########################################
##
## Mount a filesystem on all mount points.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_mounton_all_mountpoints',`
gen_require(`
attribute mountpoint;
')
allow $1 mountpoint:dir { mounton search_dir_perms };
allow $1 mountpoint:file mounton_file_perms;
kernel_mounton_unlabeled_dirs($1)
')
########################################
##
## Get the attributes of all mount points.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_getattr_all_mountpoints',`
gen_require(`
attribute mountpoint;
')
allow $1 mountpoint:dir getattr;
')
########################################
##
## Set the attributes of all mount points.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_setattr_all_mountpoints',`
gen_require(`
attribute mountpoint;
')
allow $1 mountpoint:dir setattr;
')
########################################
##
## Do not audit attempts to set the attributes on all mount points.
##
##
##
## Domain to not audit.
##
##
#
interface(`files_dontaudit_setattr_all_mountpoints',`
gen_require(`
attribute mountpoint;
')
dontaudit $1 mountpoint:dir setattr;
')
########################################
##
## Search all mount points.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_search_all_mountpoints',`
gen_require(`
attribute mountpoint;
')
allow $1 mountpoint:dir search_dir_perms;
')
########################################
##
## Do not audit searching of all mount points.
##
##
##
## Domain to not audit.
##
##
#
interface(`files_dontaudit_search_all_mountpoints',`
gen_require(`
attribute mountpoint;
')
dontaudit $1 mountpoint:dir search_dir_perms;
')
########################################
##
## List all mount points.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_list_all_mountpoints',`
gen_require(`
attribute mountpoint;
')
allow $1 mountpoint:dir list_dir_perms;
')
########################################
##
## Do not audit listing of all mount points.
##
##
##
## Domain to not audit.
##
##
#
interface(`files_dontaudit_list_all_mountpoints',`
gen_require(`
attribute mountpoint;
')
dontaudit $1 mountpoint:dir list_dir_perms;
')
########################################
##
## Watch all mountpoints.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_watch_all_mountpoints',`
gen_require(`
attribute mountpoint;
')
allow $1 mountpoint:dir watch_mount;
')
########################################
##
## Watch all mountpoints.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_watch_all_mount_perm',`
gen_require(`
attribute mountpoint;
')
allow $1 mountpoint:dir watch_with_perm;
')
########################################
##
## Watch all mount superblock changes
##
##
##
## Domain allowed access.
##
##
#
interface(`files_watch_all_mount_sb',`
gen_require(`
attribute mountpoint;
')
allow $1 mountpoint:dir watch_sb;
')
########################################
##
## Check if all mountpoints are writable.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_write_all_mountpoints',`
gen_require(`
attribute mountpoint;
')
allow $1 mountpoint:dir write;
')
########################################
##
## Do not audit attempts to write to mount points.
##
##
##
## Domain to not audit.
##
##
#
interface(`files_dontaudit_write_all_mountpoints',`
gen_require(`
attribute mountpoint;
')
dontaudit $1 mountpoint:dir write;
')
########################################
##
## List the contents of the root directory.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_list_root',`
gen_require(`
type root_t;
')
allow $1 root_t:dir list_dir_perms;
allow $1 root_t:lnk_file { ioctl lock read_lnk_file_perms };
')
########################################
##
## Delete symbolic links in the
## root directory.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_delete_root_symlinks',`
gen_require(`
type root_t;
')
allow $1 root_t:lnk_file delete_lnk_file_perms;
')
########################################
##
## Do not audit attempts to write to / dirs.
##
##
##
## Domain to not audit.
##
##
#
interface(`files_dontaudit_write_root_dirs',`
gen_require(`
type root_t;
')
dontaudit $1 root_t:dir write;
')
###################
##
## Do not audit attempts to write
## files in the root directory.
##
##
##
## Domain to not audit.
##
##
#
interface(`files_dontaudit_rw_root_dir',`
gen_require(`
type root_t;
')
dontaudit $1 root_t:dir rw_dir_perms;
')
########################################
##
## Watch the root directory.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_watch_root_dirs',`
gen_require(`
type root_t;
')
allow $1 root_t:dir watch;
')
########################################
##
## Create an object in the root directory, with a private
## type using a type transition.
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the object to be created.
##
##
##
##
## The object class of the object being created.
##
##
##
##
## The name of the object being created.
##
##
#
interface(`files_root_filetrans',`
gen_require(`
type root_t;
')
filetrans_pattern($1, root_t, $2, $3, $4)
')
########################################
##
## Do not audit attempts to read files in
## the root directory.
##
##
##
## Domain to not audit.
##
##
#
interface(`files_dontaudit_read_root_files',`
gen_require(`
type root_t;
')
dontaudit $1 root_t:file { getattr read };
')
########################################
##
## Do not audit attempts to read or write
## files in the root directory.
##
##
##
## Domain to not audit.
##
##
#
interface(`files_dontaudit_rw_root_files',`
gen_require(`
type root_t;
')
dontaudit $1 root_t:file { read write };
')
########################################
##
## Do not audit attempts to read or write
## character device nodes in the root directory.
##
##
##
## Domain to not audit.
##
##
#
interface(`files_dontaudit_rw_root_chr_files',`
gen_require(`
type root_t;
')
dontaudit $1 root_t:chr_file { read write };
')
########################################
##
## Delete character device nodes in
## the root directory.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_delete_root_chr_files',`
gen_require(`
type root_t;
')
allow $1 root_t:chr_file delete_chr_file_perms;
')
########################################
##
## Delete files in the root directory.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_delete_root_files',`
gen_require(`
type root_t;
')
allow $1 root_t:file unlink;
')
########################################
##
## Execute files in the root directory.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_exec_root_files',`
gen_require(`
type root_t;
')
allow $1 root_t:file exec_file_perms;
')
########################################
##
## Remove entries from the root directory.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_delete_root_dir_entry',`
gen_require(`
type root_t;
')
allow $1 root_t:dir rw_dir_perms;
')
########################################
##
## Manage the root directory.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_manage_root_dir',`
gen_require(`
type root_t;
')
allow $1 root_t:dir manage_dir_perms;
')
########################################
##
## Get the attributes of a rootfs
## file system.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_getattr_rootfs',`
gen_require(`
type root_t;
')
allow $1 root_t:filesystem getattr;
')
########################################
##
## Associate to root file system.
##
##
##
## Type of the file to associate.
##
##
#
interface(`files_associate_rootfs',`
gen_require(`
type root_t;
')
allow $1 root_t:filesystem associate;
')
########################################
##
## Relabel to and from rootfs file system.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_relabel_rootfs',`
gen_require(`
type root_t;
')
allow $1 root_t:filesystem { relabelfrom relabelto };
')
########################################
##
## Unmount a rootfs filesystem.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_unmount_rootfs',`
gen_require(`
type root_t;
')
allow $1 root_t:filesystem unmount;
')
########################################
##
## Mount on the root directory (/)
##
##
##
## Domain allowed access.
##
##
#
interface(`files_mounton_root',`
gen_require(`
type root_t;
')
allow $1 root_t:dir mounton;
')
########################################
##
## Get the attributes of a filesystem
## mounted on /boot.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_getattr_boot_fs',`
gen_require(`
type boot_t;
')
allow $1 boot_t:filesystem getattr;
')
########################################
##
## Remount a filesystem mounted on /boot.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_remount_boot',`
gen_require(`
type boot_t;
')
allow $1 boot_t:filesystem remount;
')
########################################
##
## Get attributes of the /boot directory.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_getattr_boot_dirs',`
gen_require(`
type boot_t;
')
allow $1 boot_t:dir getattr;
')
########################################
##
## Do not audit attempts to get attributes
## of the /boot directory.
##
##
##
## Domain to not audit.
##
##
#
interface(`files_dontaudit_getattr_boot_dirs',`
gen_require(`
type boot_t;
')
dontaudit $1 boot_t:dir getattr;
')
########################################
##
## Search the /boot directory.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_search_boot',`
gen_require(`
type boot_t;
')
allow $1 boot_t:dir search_dir_perms;
')
########################################
##
## Do not audit attempts to search the /boot directory.
##
##
##
## Domain to not audit.
##
##
#
interface(`files_dontaudit_search_boot',`
gen_require(`
type boot_t;
')
dontaudit $1 boot_t:dir search_dir_perms;
')
########################################
##
## List the /boot directory.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_list_boot',`
gen_require(`
type boot_t;
')
allow $1 boot_t:dir list_dir_perms;
')
#######################################
##
## Do not audit attempts to list the /boot directory.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_dontaudit_list_boot',`
gen_require(`
type boot_t;
')
dontaudit $1 boot_t:dir list_dir_perms;
')
########################################
##
## Create directories in /boot
##
##
##
## Domain allowed access.
##
##
#
interface(`files_create_boot_dirs',`
gen_require(`
type boot_t;
')
allow $1 boot_t:dir { create rw_dir_perms };
')
########################################
##
## Create, read, write, and delete
## directories in /boot.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_manage_boot_dirs',`
gen_require(`
type boot_t;
')
allow $1 boot_t:dir manage_dir_perms;
')
########################################
##
## Create a private type object in boot
## with an automatic type transition
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the object to be created.
##
##
##
##
## The object class of the object being created.
##
##
##
##
## The name of the object being created.
##
##
#
interface(`files_boot_filetrans',`
gen_require(`
type boot_t;
')
filetrans_pattern($1, boot_t, $2, $3, $4)
')
########################################
##
## read files in the /boot directory.
##
##
##
## Domain allowed access.
##
##
##
#
interface(`files_read_boot_files',`
gen_require(`
type boot_t;
')
read_files_pattern($1, boot_t, boot_t)
')
########################################
##
## Read and memory map files in the /boot directory.
##
##
##
## Domain allowed access.
##
##
##
#
interface(`files_mmap_read_boot_files',`
gen_require(`
type boot_t;
')
mmap_read_files_pattern($1, boot_t, boot_t)
')
########################################
##
## Create, read, write, and delete files
## in the /boot directory.
##
##
##
## Domain allowed access.
##
##
##
#
interface(`files_manage_boot_files',`
gen_require(`
type boot_t;
')
manage_files_pattern($1, boot_t, boot_t)
')
########################################
##
## Relabel from files in the /boot directory.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_relabelfrom_boot_files',`
gen_require(`
type boot_t;
')
relabelfrom_files_pattern($1, boot_t, boot_t)
')
######################################
##
## Read symbolic links in the /boot directory.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_read_boot_symlinks',`
gen_require(`
type boot_t;
')
read_lnk_files_pattern($1, boot_t, boot_t)
')
########################################
##
## Read and write symbolic links
## in the /boot directory.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_rw_boot_symlinks',`
gen_require(`
type boot_t;
')
allow $1 boot_t:dir list_dir_perms;
rw_lnk_files_pattern($1, boot_t, boot_t)
')
########################################
##
## Create, read, write, and delete symbolic links
## in the /boot directory.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_manage_boot_symlinks',`
gen_require(`
type boot_t;
')
manage_lnk_files_pattern($1, boot_t, boot_t)
')
########################################
##
## Read kernel files in the /boot directory.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_read_kernel_img',`
gen_require(`
type boot_t;
')
allow $1 boot_t:dir list_dir_perms;
read_files_pattern($1, boot_t, boot_t)
read_lnk_files_pattern($1, boot_t, boot_t)
')
########################################
##
## Install a kernel into the /boot directory.
##
##
##
## Domain allowed access.
##
##
##
#
interface(`files_create_kernel_img',`
gen_require(`
type boot_t;
')
allow $1 boot_t:file { create_file_perms rw_file_perms };
manage_lnk_files_pattern($1, boot_t, boot_t)
')
########################################
##
## Delete a kernel from /boot.
##
##
##
## Domain allowed access.
##
##
##
#
interface(`files_delete_kernel',`
gen_require(`
type boot_t;
')
delete_files_pattern($1, boot_t, boot_t)
')
########################################
##
## Getattr of directories with the default file type.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_getattr_default_dirs',`
gen_require(`
type default_t;
')
allow $1 default_t:dir getattr;
')
########################################
##
## Do not audit attempts to get the attributes of
## directories with the default file type.
##
##
##
## Domain to not audit.
##
##
#
interface(`files_dontaudit_getattr_default_dirs',`
gen_require(`
type default_t;
')
dontaudit $1 default_t:dir getattr;
')
########################################
##
## Search the contents of directories with the default file type.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_search_default',`
gen_require(`
type default_t;
')
allow $1 default_t:dir search_dir_perms;
')
########################################
##
## List contents of directories with the default file type.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_list_default',`
gen_require(`
type default_t;
')
allow $1 default_t:dir list_dir_perms;
')
########################################
##
## Do not audit attempts to list contents of
## directories with the default file type.
##
##
##
## Domain to not audit.
##
##
#
interface(`files_dontaudit_list_default',`
gen_require(`
type default_t;
')
dontaudit $1 default_t:dir list_dir_perms;
')
########################################
##
## Create, read, write, and delete directories with
## the default file type.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_manage_default_dirs',`
gen_require(`
type default_t;
')
manage_dirs_pattern($1, default_t, default_t)
')
########################################
##
## Mount a filesystem on a directory with the default file type.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_mounton_default',`
gen_require(`
type default_t;
')
allow $1 default_t:dir { mounton search_dir_perms };
')
########################################
##
## Do not audit attempts to get the attributes of
## files with the default file type.
##
##
##
## Domain to not audit.
##
##
#
interface(`files_dontaudit_getattr_default_files',`
gen_require(`
type default_t;
')
dontaudit $1 default_t:file getattr;
')
########################################
##
## Read files with the default file type.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_read_default_files',`
gen_require(`
type default_t;
')
allow $1 default_t:file read_file_perms;
')
########################################
##
## Do not audit attempts to read files
## with the default file type.
##
##
##
## Domain to not audit.
##
##
#
interface(`files_dontaudit_read_default_files',`
gen_require(`
type default_t;
')
dontaudit $1 default_t:file read_file_perms;
')
########################################
##
## Do not audit attempts to execute files
## with the default file type.
##
##
##
## Domain to not audit.
##
##
#
interface(`files_dontaudit_execute_default_files',`
gen_require(`
type default_t;
')
dontaudit $1 default_t:file execute;
')
########################################
##
## Create, read, write, and delete files with
## the default file type.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_manage_default_files',`
gen_require(`
type default_t;
')
manage_files_pattern($1, default_t, default_t)
')
########################################
##
## Read symbolic links with the default file type.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_read_default_symlinks',`
gen_require(`
type default_t;
')
allow $1 default_t:lnk_file read_lnk_file_perms;
')
########################################
##
## Read sockets with the default file type.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_read_default_sockets',`
gen_require(`
type default_t;
')
allow $1 default_t:sock_file read_sock_file_perms;
')
########################################
##
## Read named pipes with the default file type.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_read_default_pipes',`
gen_require(`
type default_t;
')
allow $1 default_t:fifo_file read_fifo_file_perms;
')
########################################
##
## Search the contents of /etc directories.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_search_etc',`
gen_require(`
type etc_t;
')
allow $1 etc_t:dir search_dir_perms;
')
########################################
##
## Set the attributes of the /etc directories.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_setattr_etc_dirs',`
gen_require(`
type etc_t;
')
allow $1 etc_t:dir setattr;
')
########################################
##
## List the contents of /etc directories.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_list_etc',`
gen_require(`
type etc_t;
')
allow $1 etc_t:dir list_dir_perms;
')
########################################
##
## Do not audit attempts to write to /etc dirs.
##
##
##
## Domain to not audit.
##
##
#
interface(`files_dontaudit_write_etc_dirs',`
gen_require(`
type etc_t;
')
dontaudit $1 etc_t:dir write;
')
########################################
##
## Add and remove entries from /etc directories.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_rw_etc_dirs',`
gen_require(`
type etc_t;
')
allow $1 etc_t:dir rw_dir_perms;
')
##########################################
##
## Manage generic directories in /etc
##
##
##
## Domain allowed access
##
##
##
#
interface(`files_manage_etc_dirs',`
gen_require(`
type etc_t;
')
manage_dirs_pattern($1, etc_t, etc_t)
')
########################################
##
## Relabel directories to etc_t.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_relabelto_etc_dirs',`
gen_require(`
type etc_t;
')
allow $1 etc_t:dir relabelto;
')
########################################
##
## Mount a filesystem on the
## etc directories.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_mounton_etc_dirs',`
gen_require(`
type etc_t;
')
allow $1 etc_t:dir mounton;
')
########################################
##
## Remount etc filesystems.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_remount_etc',`
gen_require(`
type etc_t;
')
allow $1 etc_t:filesystem remount;
')
########################################
##
## Watch /etc directories
##
##
##
## Domain allowed access.
##
##
#
interface(`files_watch_etc_dirs',`
gen_require(`
type etc_t;
')
allow $1 etc_t:dir watch;
')
########################################
##
## Read generic files in /etc.
##
##
##
## Allow the specified domain to read generic
## files in /etc. These files are typically
## general system configuration files that do
## not have more specific SELinux types. Some
## examples of these files are:
##
##
## - /etc/fstab
## - /etc/passwd
## - /etc/services
## - /etc/shells
##
##
## This interface does not include access to /etc/shadow.
##
##
## Generally, it is safe for many domains to have
## this access. However, since this interface provides
## access to the /etc/passwd file, caution must be
## exercised, as user account names can be leaked
## through this access.
##
##
## Related interfaces:
##
##
## - auth_read_shadow()
## - files_read_etc_runtime_files()
## - seutil_read_config()
##
##
##
##
## Domain allowed access.
##
##
##
#
interface(`files_read_etc_files',`
gen_require(`
type etc_t;
')
allow $1 etc_t:dir list_dir_perms;
read_files_pattern($1, etc_t, etc_t)
read_lnk_files_pattern($1, etc_t, etc_t)
')
########################################
##
## Map generic files in /etc.
##
##
##
## Allow the specified domain to map generic files in /etc.
##
##
## Related interfaces:
##
##
## - files_read_etc_files()
##
##
##
##
## Domain allowed access.
##
##
##
#
interface(`files_map_etc_files',`
gen_require(`
type etc_t;
')
allow $1 etc_t:file map;
')
########################################
##
## Do not audit attempts to write generic files in /etc.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_dontaudit_write_etc_files',`
gen_require(`
type etc_t;
')
dontaudit $1 etc_t:file write;
')
########################################
##
## Read and write generic files in /etc.
##
##
##
## Domain allowed access.
##
##
##
#
interface(`files_rw_etc_files',`
gen_require(`
type etc_t;
')
allow $1 etc_t:dir list_dir_perms;
rw_files_pattern($1, etc_t, etc_t)
read_lnk_files_pattern($1, etc_t, etc_t)
')
########################################
##
## Create, read, write, and delete generic
## files in /etc.
##
##
##
## Domain allowed access.
##
##
##
#
interface(`files_manage_etc_files',`
gen_require(`
type etc_t;
')
manage_files_pattern($1, etc_t, etc_t)
read_lnk_files_pattern($1, etc_t, etc_t)
')
########################################
##
## Do not audit attempts to create, read, write,
## and delete generic files in /etc.
##
##
##
## Domain to not audit.
##
##
##
#
interface(`files_dontaudit_manage_etc_files',`
gen_require(`
type etc_t;
')
dontaudit $1 etc_t:file manage_file_perms;
')
########################################
##
## Delete system configuration files in /etc.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_delete_etc_files',`
gen_require(`
type etc_t;
')
delete_files_pattern($1, etc_t, etc_t)
')
########################################
##
## Execute generic files in /etc.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_exec_etc_files',`
gen_require(`
type etc_t;
')
allow $1 etc_t:dir list_dir_perms;
read_lnk_files_pattern($1, etc_t, etc_t)
exec_files_pattern($1, etc_t, etc_t)
')
########################################
##
## Watch /etc files.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_watch_etc_files', `
gen_require(`
type etc_t;
')
allow $1 etc_t:file watch;
')
########################################
##
## Get etc_t service status.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_get_etc_unit_status',`
gen_require(`
type etc_t;
class service status;
')
allow $1 etc_t:service status;
')
########################################
##
## start etc_t service
##
##
##
## Domain allowed access.
##
##
#
interface(`files_start_etc_service',`
gen_require(`
type etc_t;
class service start;
')
allow $1 etc_t:service start;
')
########################################
##
## stop etc_t service
##
##
##
## Domain allowed access.
##
##
#
interface(`files_stop_etc_service',`
gen_require(`
type etc_t;
class service stop;
')
allow $1 etc_t:service stop;
')
#######################################
##
## Relabel from and to generic files in /etc.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_relabel_etc_files',`
gen_require(`
type etc_t;
')
allow $1 etc_t:dir list_dir_perms;
relabel_files_pattern($1, etc_t, etc_t)
')
########################################
##
## Read symbolic links in /etc.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_read_etc_symlinks',`
gen_require(`
type etc_t;
')
read_lnk_files_pattern($1, etc_t, etc_t)
')
########################################
##
## Watch /etc symlinks
##
##
##
## Domain allowed access.
##
##
#
interface(`files_watch_etc_symlinks', `
gen_require(`
type etc_t;
')
allow $1 etc_t:lnk_file watch;
')
########################################
##
## Create, read, write, and delete symbolic links in /etc.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_manage_etc_symlinks',`
gen_require(`
type etc_t;
')
manage_lnk_files_pattern($1, etc_t, etc_t)
')
########################################
##
## Create objects in /etc with a private
## type using a type_transition.
##
##
##
## Domain allowed access.
##
##
##
##
## Private file type.
##
##
##
##
## Object classes to be created.
##
##
##
##
## The name of the object being created.
##
##
#
interface(`files_etc_filetrans',`
gen_require(`
type etc_t;
')
filetrans_pattern($1, etc_t, $2, $3, $4)
')
########################################
##
## Create a boot flag.
##
##
##
## Create a boot flag, such as
## /.autorelabel and /.autofsck.
##
##
##
##
## Domain allowed access.
##
##
##
##
## The name of the object being created.
##
##
##
#
interface(`files_create_boot_flag',`
gen_require(`
type root_t, etc_runtime_t;
')
allow $1 etc_runtime_t:file manage_file_perms;
filetrans_pattern($1, root_t, etc_runtime_t, file, $2)
')
########################################
##
## Delete a boot flag.
##
##
##
## Delete a boot flag, such as
## /.autorelabel and /.autofsck.
##
##
##
##
## Domain allowed access.
##
##
##
#
interface(`files_delete_boot_flag',`
gen_require(`
type root_t, etc_runtime_t;
')
delete_files_pattern($1, root_t, etc_runtime_t)
')
########################################
##
## Get the attributes of the
## etc_runtime directories.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_getattr_etc_runtime_dirs',`
gen_require(`
type etc_runtime_t;
')
allow $1 etc_runtime_t:dir getattr;
')
########################################
##
## Mount a filesystem on the
## etc_runtime directories.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_mounton_etc_runtime_dirs',`
gen_require(`
type etc_runtime_t;
')
allow $1 etc_runtime_t:dir mounton;
')
########################################
##
## Relabel to etc_runtime_t dirs.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_relabelto_etc_runtime_dirs',`
gen_require(`
type etc_runtime_t;
')
allow $1 etc_runtime_t:dir relabelto;
')
########################################
##
## Do not audit attempts to set the attributes of the etc_runtime files
##
##
##
## Domain to not audit.
##
##
#
interface(`files_dontaudit_setattr_etc_runtime_files',`
gen_require(`
type etc_runtime_t;
')
dontaudit $1 etc_runtime_t:file setattr;
')
########################################
##
## Read files in /etc that are dynamically
## created on boot, such as mtab.
##
##
##
## Allow the specified domain to read dynamically created
## configuration files in /etc. These files are typically
## general system configuration files that do
## not have more specific SELinux types. Some
## examples of these files are:
##
##
## - /etc/motd
## - /etc/mtab
## - /etc/nologin
##
##
## This interface does not include access to /etc/shadow.
##
##
##
##
## Domain allowed access.
##
##
##
##
#
interface(`files_read_etc_runtime_files',`
gen_require(`
type etc_t, etc_runtime_t;
')
allow $1 etc_t:dir list_dir_perms;
read_files_pattern($1, etc_t, etc_runtime_t)
read_lnk_files_pattern($1, etc_t, etc_runtime_t)
')
########################################
##
## Do not audit attempts to read files
## in /etc that are dynamically
## created on boot, such as mtab.
##
##
##
## Domain to not audit.
##
##
#
interface(`files_dontaudit_read_etc_runtime_files',`
gen_require(`
type etc_runtime_t;
')
dontaudit $1 etc_runtime_t:file { getattr read };
')
########################################
##
## Do not audit attempts to execuite files
## in /etc that are dynamically
## created on boot, such as mtab.
##
##
##
## Domain to not audit.
##
##
#
interface(`files_dontaudit_execuite_etc_runtime_files',`
gen_require(`
type etc_runtime_t;
')
dontaudit $1 etc_runtime_t:file execute;
')
########################################
##
## Do not audit attempts to read files
## in /etc
##
##
##
## Domain to not audit.
##
##
#
interface(`files_dontaudit_read_etc_files',`
gen_require(`
type etc_t;
')
dontaudit $1 etc_t:file { getattr read };
')
########################################
##
## Do not audit attempts to write
## etc runtime files.
##
##
##
## Domain to not audit.
##
##
#
interface(`files_dontaudit_write_etc_runtime_files',`
gen_require(`
type etc_runtime_t;
')
dontaudit $1 etc_runtime_t:file write;
')
########################################
##
## Read and write files in /etc that are dynamically
## created on boot, such as mtab.
##
##
##
## Domain allowed access.
##
##
##
#
interface(`files_rw_etc_runtime_files',`
gen_require(`
type etc_t, etc_runtime_t;
')
allow $1 etc_t:dir list_dir_perms;
rw_files_pattern($1, etc_t, etc_runtime_t)
')
########################################
##
## Create, read, write, and delete files in
## /etc that are dynamically created on boot,
## such as mtab.
##
##
##
## Domain allowed access.
##
##
##
#
interface(`files_manage_etc_runtime_files',`
gen_require(`
type etc_t, etc_runtime_t;
')
manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
')
########################################
##
## Relabel to etc_runtime_t files.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_relabelto_etc_runtime_files',`
gen_require(`
type etc_runtime_t;
')
allow $1 etc_runtime_t:file relabelto;
')
########################################
##
## Create, etc runtime objects with an automatic
## type transition.
##
##
##
## Domain allowed access.
##
##
##
##
## The class of the object being created.
##
##
##
##
## The name of the object being created.
##
##
#
interface(`files_etc_filetrans_etc_runtime',`
gen_require(`
type etc_t, etc_runtime_t;
')
filetrans_pattern($1, etc_t, etc_runtime_t, $2, $3)
')
########################################
##
## Get the attributes of the home directories root
## (/home).
##
##
##
## Domain allowed access.
##
##
#
interface(`files_getattr_home_dir',`
gen_require(`
type home_root_t;
')
allow $1 home_root_t:dir getattr;
allow $1 home_root_t:lnk_file getattr;
')
########################################
##
## Do not audit attempts to get the
## attributes of the home directories root
## (/home).
##
##
##
## Domain to not audit.
##
##
#
interface(`files_dontaudit_getattr_home_dir',`
gen_require(`
type home_root_t;
')
dontaudit $1 home_root_t:dir getattr;
dontaudit $1 home_root_t:lnk_file getattr;
')
########################################
##
## Search home directories root (/home).
##
##
##
## Domain allowed access.
##
##
#
interface(`files_search_home',`
gen_require(`
type home_root_t;
')
allow $1 home_root_t:dir search_dir_perms;
allow $1 home_root_t:lnk_file read_lnk_file_perms;
')
########################################
##
## Do not audit attempts to search
## home directories root (/home).
##
##
##
## Domain to not audit.
##
##
#
interface(`files_dontaudit_search_home',`
gen_require(`
type home_root_t;
')
dontaudit $1 home_root_t:dir search_dir_perms;
dontaudit $1 home_root_t:lnk_file read_lnk_file_perms;
')
########################################
##
## Do not audit attempts to list
## home directories root (/home).
##
##
##
## Domain to not audit.
##
##
#
interface(`files_dontaudit_list_home',`
gen_require(`
type home_root_t;
')
dontaudit $1 home_root_t:dir list_dir_perms;
dontaudit $1 home_root_t:lnk_file read_lnk_file_perms;
')
########################################
##
## Get listing of home directories.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_list_home',`
gen_require(`
type home_root_t;
')
allow $1 home_root_t:dir list_dir_perms;
allow $1 home_root_t:lnk_file read_lnk_file_perms;
')
########################################
##
## Relabel to user home root (/home).
##
##
##
## Domain allowed access.
##
##
#
interface(`files_relabelto_home',`
gen_require(`
type home_root_t;
')
allow $1 home_root_t:dir relabelto;
')
########################################
##
## Relabel from user home root (/home).
##
##
##
## Domain allowed access.
##
##
#
interface(`files_relabelfrom_home',`
gen_require(`
type home_root_t;
')
allow $1 home_root_t:dir relabelfrom;
')
########################################
##
## Watch the user home root (/home).
##
##
##
## Domain allowed access.
##
##
#
interface(`files_watch_home',`
gen_require(`
type home_root_t;
')
allow $1 home_root_t:dir watch;
')
########################################
##
## Create objects in /home.
##
##
##
## Domain allowed access.
##
##
##
##
## The private type.
##
##
##
##
## The class of the object being created.
##
##
##
##
## The name of the object being created.
##
##
#
interface(`files_home_filetrans',`
gen_require(`
type home_root_t;
')
filetrans_pattern($1, home_root_t, $2, $3, $4)
')
########################################
##
## Get the attributes of lost+found directories.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_getattr_lost_found_dirs',`
gen_require(`
type lost_found_t;
')
allow $1 lost_found_t:dir getattr;
')
########################################
##
## Do not audit attempts to get the attributes of
## lost+found directories.
##
##
##
## Domain to not audit.
##
##
#
interface(`files_dontaudit_getattr_lost_found_dirs',`
gen_require(`
type lost_found_t;
')
dontaudit $1 lost_found_t:dir getattr;
')
#######################################
##
## List the contents of lost+found directories.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_list_lost_found',`
gen_require(`
type lost_found_t;
')
allow $1 lost_found_t:dir list_dir_perms;
')
########################################
##
## Create, read, write, and delete objects in
## lost+found directories.
##
##
##
## Domain allowed access.
##
##
##
#
interface(`files_manage_lost_found',`
gen_require(`
type lost_found_t;
')
manage_dirs_pattern($1, lost_found_t, lost_found_t)
manage_files_pattern($1, lost_found_t, lost_found_t)
manage_lnk_files_pattern($1, lost_found_t, lost_found_t)
manage_fifo_files_pattern($1, lost_found_t, lost_found_t)
manage_sock_files_pattern($1, lost_found_t, lost_found_t)
')
########################################
##
## Search the contents of /mnt.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_search_mnt',`
gen_require(`
type mnt_t;
')
allow $1 mnt_t:dir search_dir_perms;
')
########################################
##
## Do not audit attempts to search /mnt.
##
##
##
## Domain to not audit.
##
##
#
interface(`files_dontaudit_search_mnt',`
gen_require(`
type mnt_t;
')
dontaudit $1 mnt_t:dir search_dir_perms;
')
########################################
##
## List the contents of /mnt.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_list_mnt',`
gen_require(`
type mnt_t;
')
allow $1 mnt_t:dir list_dir_perms;
')
######################################
##
## Do not audit attempts to list the contents of /mnt.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_dontaudit_list_mnt',`
gen_require(`
type mnt_t;
')
dontaudit $1 mnt_t:dir list_dir_perms;
')
########################################
##
## Mount a filesystem on /mnt.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_mounton_mnt',`
gen_require(`
type mnt_t;
')
allow $1 mnt_t:dir { mounton search_dir_perms };
')
########################################
##
## Create, read, write, and delete directories in /mnt.
##
##
##
## Domain allowed access.
##
##
##
#
interface(`files_manage_mnt_dirs',`
gen_require(`
type mnt_t;
')
allow $1 mnt_t:dir manage_dir_perms;
')
########################################
##
## Create, read, write, and delete files in /mnt.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_manage_mnt_files',`
gen_require(`
type mnt_t;
')
manage_files_pattern($1, mnt_t, mnt_t)
')
########################################
##
## read files in /mnt.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_read_mnt_files',`
gen_require(`
type mnt_t;
')
read_files_pattern($1, mnt_t, mnt_t)
')
######################################
##
## Read symbolic links in /mnt.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_read_mnt_symlinks',`
gen_require(`
type mnt_t;
')
read_lnk_files_pattern($1, mnt_t, mnt_t)
')
########################################
##
## Create, read, write, and delete symbolic links in /mnt.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_manage_mnt_symlinks',`
gen_require(`
type mnt_t;
')
manage_lnk_files_pattern($1, mnt_t, mnt_t)
')
########################################
##
## Search the contents of the kernel module directories.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_search_kernel_modules',`
gen_require(`
type modules_object_t;
')
allow $1 modules_object_t:dir search_dir_perms;
read_lnk_files_pattern($1, modules_object_t, modules_object_t)
')
########################################
##
## List the contents of the kernel module directories.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_list_kernel_modules',`
gen_require(`
type modules_object_t;
')
allow $1 modules_object_t:dir list_dir_perms;
read_lnk_files_pattern($1, modules_object_t, modules_object_t)
')
########################################
##
## Get the attributes of kernel module files.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_getattr_kernel_modules',`
gen_require(`
type modules_object_t;
')
getattr_files_pattern($1, modules_object_t, modules_object_t)
')
########################################
##
## Read kernel module files.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_read_kernel_modules',`
gen_require(`
type modules_object_t;
')
allow $1 modules_object_t:dir list_dir_perms;
read_files_pattern($1, modules_object_t, modules_object_t)
read_lnk_files_pattern($1, modules_object_t, modules_object_t)
')
########################################
##
## Read and mmap kernel module files.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_mmap_read_kernel_modules',`
gen_require(`
type modules_object_t;
')
allow $1 modules_object_t:dir list_dir_perms;
read_files_pattern($1, modules_object_t, modules_object_t)
allow $1 modules_object_t:file map;
read_lnk_files_pattern($1, modules_object_t, modules_object_t)
')
########################################
##
## Write kernel module files.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_write_kernel_modules',`
gen_require(`
type modules_object_t;
')
allow $1 modules_object_t:dir list_dir_perms;
write_files_pattern($1, modules_object_t, modules_object_t)
')
########################################
##
## Delete kernel module files.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_delete_kernel_modules',`
gen_require(`
type modules_object_t;
')
delete_files_pattern($1, modules_object_t, modules_object_t)
')
########################################
##
## Create, read, write, and delete
## kernel module files.
##
##
##
## Domain allowed access.
##
##
##
#
interface(`files_manage_kernel_modules',`
gen_require(`
type modules_object_t;
')
allow $1 modules_object_t:dir rw_dir_perms;
manage_files_pattern($1, modules_object_t, modules_object_t)
allow $1 modules_object_t:file map;
')
########################################
##
## Relabel from and to kernel module files.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_relabel_kernel_modules',`
gen_require(`
type modules_object_t;
')
relabel_files_pattern($1, modules_object_t, modules_object_t)
allow $1 modules_object_t:dir list_dir_perms;
')
########################################
##
## Mount on kernel module directories.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_mounton_kernel_modules_dirs',`
gen_require(`
type modules_object_t;
')
allow $1 modules_object_t:dir mounton;
')
########################################
##
## Create objects in the kernel module directories
## with a private type via an automatic type transition.
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the object to be created.
##
##
##
##
## The object class of the object being created.
##
##
##
##
## The name of the object being created.
##
##
#
interface(`files_kernel_modules_filetrans',`
gen_require(`
type modules_object_t;
')
filetrans_pattern($1, modules_object_t, $2, $3, $4)
')
########################################
##
## Load kernel module files.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_load_kernel_modules',`
gen_require(`
type modules_object_t;
')
files_read_kernel_modules($1)
allow $1 modules_object_t:system module_load;
')
########################################
##
## Load kernel module files.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_dontaudit_load_kernel_modules',`
gen_require(`
type modules_object_t;
')
dontaudit $1 modules_object_t:file read_file_perms;
dontaudit $1 modules_object_t:system module_load;
')
########################################
##
## List world-readable directories.
##
##
##
## Domain allowed access.
##
##
##
#
interface(`files_list_world_readable',`
gen_require(`
type readable_t;
')
allow $1 readable_t:dir list_dir_perms;
')
########################################
##
## Read world-readable files.
##
##
##
## Domain allowed access.
##
##
##
#
interface(`files_read_world_readable_files',`
gen_require(`
type readable_t;
')
allow $1 readable_t:file read_file_perms;
')
########################################
##
## Read world-readable symbolic links.
##
##
##
## Domain allowed access.
##
##
##
#
interface(`files_read_world_readable_symlinks',`
gen_require(`
type readable_t;
')
allow $1 readable_t:lnk_file read_lnk_file_perms;
')
########################################
##
## Read world-readable named pipes.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_read_world_readable_pipes',`
gen_require(`
type readable_t;
')
allow $1 readable_t:fifo_file read_fifo_file_perms;
')
########################################
##
## Read world-readable sockets.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_read_world_readable_sockets',`
gen_require(`
type readable_t;
')
allow $1 readable_t:sock_file read_sock_file_perms;
')
########################################
##
## Allow the specified type to associate
## to a filesystem with the type of the
## temporary directory (/tmp).
##
##
##
## Type of the file to associate.
##
##
#
interface(`files_associate_tmp',`
gen_require(`
type tmp_t;
')
allow $1 tmp_t:filesystem associate;
')
########################################
##
## Get the attributes of the tmp directory (/tmp).
##
##
##
## Domain allowed access.
##
##
#
interface(`files_getattr_tmp_dirs',`
gen_require(`
type tmp_t;
')
allow $1 tmp_t:dir getattr;
')
########################################
##
## Do not audit attempts to get the
## attributes of the tmp directory (/tmp).
##
##
##
## Domain allowed access.
##
##
#
interface(`files_dontaudit_getattr_tmp_dirs',`
gen_require(`
type tmp_t;
')
dontaudit $1 tmp_t:dir getattr;
')
########################################
##
## Search the tmp directory (/tmp).
##
##
##
## Domain allowed access.
##
##
#
interface(`files_search_tmp',`
gen_require(`
type tmp_t;
')
allow $1 tmp_t:dir search_dir_perms;
')
########################################
##
## Do not audit attempts to search the tmp directory (/tmp).
##
##
##
## Domain to not audit.
##
##
#
interface(`files_dontaudit_search_tmp',`
gen_require(`
type tmp_t;
')
dontaudit $1 tmp_t:dir search_dir_perms;
')
########################################
##
## Read the tmp directory (/tmp).
##
##
##
## Domain allowed access.
##
##
#
interface(`files_list_tmp',`
gen_require(`
type tmp_t;
')
allow $1 tmp_t:dir list_dir_perms;
')
########################################
##
## Do not audit listing of the tmp directory (/tmp).
##
##
##
## Domain not to audit.
##
##
#
interface(`files_dontaudit_list_tmp',`
gen_require(`
type tmp_t;
')
dontaudit $1 tmp_t:dir list_dir_perms;
')
########################################
##
## Remove entries from the tmp directory.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_delete_tmp_dir_entry',`
gen_require(`
type tmp_t;
')
allow $1 tmp_t:dir del_entry_dir_perms;
')
########################################
##
## Read files in the tmp directory (/tmp).
##
##
##
## Domain allowed access.
##
##
#
interface(`files_read_generic_tmp_files',`
gen_require(`
type tmp_t;
')
read_files_pattern($1, tmp_t, tmp_t)
')
########################################
##
## Manage temporary directories in /tmp.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_manage_generic_tmp_dirs',`
gen_require(`
type tmp_t;
')
manage_dirs_pattern($1, tmp_t, tmp_t)
')
########################################
##
## Relabel temporary directories in /tmp.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_relabel_generic_tmp_dirs',`
gen_require(`
type tmp_t;
')
relabel_dirs_pattern($1, tmp_t, tmp_t)
')
########################################
##
## Manage temporary files and directories in /tmp.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_manage_generic_tmp_files',`
gen_require(`
type tmp_t;
')
manage_files_pattern($1, tmp_t, tmp_t)
')
########################################
##
## Read symbolic links in the tmp directory (/tmp).
##
##
##
## Domain allowed access.
##
##
#
interface(`files_read_generic_tmp_symlinks',`
gen_require(`
type tmp_t;
')
read_lnk_files_pattern($1, tmp_t, tmp_t)
')
########################################
##
## Read and write generic named sockets in the tmp directory (/tmp).
##
##
##
## Domain allowed access.
##
##
#
interface(`files_rw_generic_tmp_sockets',`
gen_require(`
type tmp_t;
')
rw_sock_files_pattern($1, tmp_t, tmp_t)
')
########################################
##
## Mount filesystems in the tmp directory (/tmp)
##
##
##
## Domain allowed access.
##
##
#
interface(`files_mounton_tmp',`
gen_require(`
type tmp_t;
')
allow $1 tmp_t:dir mounton;
')
########################################
##
## Set the attributes of all tmp directories.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_setattr_all_tmp_dirs',`
gen_require(`
attribute tmpfile;
')
allow $1 tmpfile:dir { search_dir_perms setattr };
')
########################################
##
## List all tmp directories.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_list_all_tmp',`
gen_require(`
attribute tmpfile;
')
allow $1 tmpfile:dir list_dir_perms;
')
########################################
##
## Relabel to and from all temporary
## directory types.
##
##
##
## Domain allowed access.
##
##
##
#
interface(`files_relabel_all_tmp_dirs',`
gen_require(`
attribute tmpfile;
type var_t;
')
allow $1 var_t:dir search_dir_perms;
relabel_dirs_pattern($1, tmpfile, tmpfile)
')
########################################
##
## Do not audit attempts to get the attributes
## of all tmp files.
##
##
##
## Domain not to audit.
##
##
#
interface(`files_dontaudit_getattr_all_tmp_files',`
gen_require(`
attribute tmpfile;
')
dontaudit $1 tmpfile:file getattr;
')
########################################
##
## Allow attempts to get the attributes
## of all tmp files.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_getattr_all_tmp_files',`
gen_require(`
attribute tmpfile;
')
allow $1 tmpfile:file getattr;
')
########################################
##
## Relabel to and from all temporary
## file types.
##
##
##
## Domain allowed access.
##
##
##
#
interface(`files_relabel_all_tmp_files',`
gen_require(`
attribute tmpfile;
type var_t;
')
allow $1 var_t:dir search_dir_perms;
relabel_files_pattern($1, tmpfile, tmpfile)
')
########################################
##
## Do not audit attempts to get the attributes
## of all tmp sock_file.
##
##
##
## Domain not to audit.
##
##
#
interface(`files_dontaudit_getattr_all_tmp_sockets',`
gen_require(`
attribute tmpfile;
')
dontaudit $1 tmpfile:sock_file getattr;
')
########################################
##
## Read all tmp files.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_read_all_tmp_files',`
gen_require(`
attribute tmpfile;
')
read_files_pattern($1, tmpfile, tmpfile)
')
########################################
##
## Create an object in the tmp directories, with a private
## type using a type transition.
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the object to be created.
##
##
##
##
## The object class of the object being created.
##
##
##
##
## The name of the object being created.
##
##
#
interface(`files_tmp_filetrans',`
gen_require(`
type tmp_t;
')
filetrans_pattern($1, tmp_t, $2, $3, $4)
')
########################################
##
## Delete the contents of /tmp.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_purge_tmp',`
gen_require(`
attribute tmpfile;
')
allow $1 tmpfile:dir list_dir_perms;
delete_dirs_pattern($1, tmpfile, tmpfile)
delete_files_pattern($1, tmpfile, tmpfile)
delete_lnk_files_pattern($1, tmpfile, tmpfile)
delete_fifo_files_pattern($1, tmpfile, tmpfile)
delete_sock_files_pattern($1, tmpfile, tmpfile)
')
########################################
##
## Get the attributes of all tmpfs files.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_getattr_all_tmpfs_files',`
gen_require(`
attribute tmpfsfile;
')
getattr_files_pattern($1, tmpfsfile, tmpfsfile)
fs_search_tmpfs($1)
')
########################################
##
## Set the attributes of the /usr directory.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_setattr_usr_dirs',`
gen_require(`
type usr_t;
')
allow $1 usr_t:dir setattr;
')
########################################
##
## Search the content of /usr.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_search_usr',`
gen_require(`
type usr_t;
')
allow $1 usr_t:dir search_dir_perms;
')
########################################
##
## List the contents of generic
## directories in /usr.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_list_usr',`
gen_require(`
type usr_t;
')
allow $1 usr_t:dir list_dir_perms;
')
########################################
##
## Do not audit write of /usr dirs
##
##
##
## Domain to not audit.
##
##
#
interface(`files_dontaudit_write_usr_dirs',`
gen_require(`
type usr_t;
')
dontaudit $1 usr_t:dir write;
')
########################################
##
## Add and remove entries from /usr directories.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_rw_usr_dirs',`
gen_require(`
type usr_t;
')
allow $1 usr_t:dir rw_dir_perms;
')
########################################
##
## Do not audit attempts to add and remove
## entries from /usr directories.
##
##
##
## Domain to not audit.
##
##
#
interface(`files_dontaudit_rw_usr_dirs',`
gen_require(`
type usr_t;
')
dontaudit $1 usr_t:dir rw_dir_perms;
')
########################################
##
## Delete generic directories in /usr in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_delete_usr_dirs',`
gen_require(`
type usr_t;
')
delete_dirs_pattern($1, usr_t, usr_t)
')
########################################
##
## Watch generic directories in /usr.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_watch_usr_dirs',`
gen_require(`
type usr_t;
')
allow $1 usr_t:dir watch;
')
########################################
##
## Delete generic files in /usr in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_delete_usr_files',`
gen_require(`
type usr_t;
')
delete_files_pattern($1, usr_t, usr_t)
')
########################################
##
## Get the attributes of files in /usr.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_getattr_usr_files',`
gen_require(`
type usr_t;
')
getattr_files_pattern($1, usr_t, usr_t)
')
########################################
##
## Map generic files in /usr.
##
##
##
## Domain allowed access.
##
##
##
#
interface(`files_map_usr_files',`
gen_require(`
type usr_t;
')
allow $1 usr_t:file map;
')
########################################
##
## Read generic files in /usr.
##
##
##
## Allow the specified domain to read generic
## files in /usr. These files are various program
## files that do not have more specific SELinux types.
## Some examples of these files are:
##
##
## - /usr/include/*
## - /usr/share/doc/*
## - /usr/share/info/*
##
##
## Generally, it is safe for many domains to have
## this access.
##
##
##
##
## Domain allowed access.
##
##
##
#
interface(`files_read_usr_files',`
gen_require(`
type usr_t;
')
allow $1 usr_t:dir list_dir_perms;
read_files_pattern($1, usr_t, usr_t)
read_lnk_files_pattern($1, usr_t, usr_t)
')
########################################
##
## Execute generic programs in /usr in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_exec_usr_files',`
gen_require(`
type usr_t;
')
allow $1 usr_t:dir list_dir_perms;
exec_files_pattern($1, usr_t, usr_t)
read_lnk_files_pattern($1, usr_t, usr_t)
')
########################################
##
## dontaudit write of /usr files
##
##
##
## Domain to not audit.
##
##
#
interface(`files_dontaudit_write_usr_files',`
gen_require(`
type usr_t;
')
dontaudit $1 usr_t:file write;
')
########################################
##
## Create, read, write, and delete files in the /usr directory.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_manage_usr_files',`
gen_require(`
type usr_t;
')
manage_files_pattern($1, usr_t, usr_t)
')
########################################
##
## Relabel a file to the type used in /usr.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_relabelto_usr_files',`
gen_require(`
type usr_t;
')
relabelto_files_pattern($1, usr_t, usr_t)
')
########################################
##
## Relabel a file from the type used in /usr.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_relabelfrom_usr_files',`
gen_require(`
type usr_t;
')
relabelfrom_files_pattern($1, usr_t, usr_t)
')
########################################
##
## Read symbolic links in /usr.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_read_usr_symlinks',`
gen_require(`
type usr_t;
')
read_lnk_files_pattern($1, usr_t, usr_t)
')
########################################
##
## Create objects in the /usr directory
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the object to be created
##
##
##
##
## The object class.
##
##
##
##
## The name of the object being created.
##
##
#
interface(`files_usr_filetrans',`
gen_require(`
type usr_t;
')
filetrans_pattern($1, usr_t, $2, $3, $4)
')
########################################
##
## Search directories in /usr/src.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_search_src',`
gen_require(`
type src_t;
')
allow $1 src_t:dir search_dir_perms;
')
########################################
##
## Do not audit attempts to search /usr/src.
##
##
##
## Domain to not audit.
##
##
#
interface(`files_dontaudit_search_src',`
gen_require(`
type src_t;
')
dontaudit $1 src_t:dir search_dir_perms;
')
########################################
##
## Get the attributes of files in /usr/src.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_getattr_usr_src_files',`
gen_require(`
type usr_t, src_t;
')
getattr_files_pattern($1, src_t, src_t)
# /usr/src/linux symlink:
read_lnk_files_pattern($1, usr_t, src_t)
')
########################################
##
## Read files in /usr/src.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_read_usr_src_files',`
gen_require(`
type usr_t, src_t;
')
allow $1 usr_t:dir search_dir_perms;
read_files_pattern($1, { usr_t src_t }, src_t)
read_lnk_files_pattern($1, { usr_t src_t }, src_t)
allow $1 src_t:dir list_dir_perms;
')
########################################
##
## Execute programs in /usr/src in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_exec_usr_src_files',`
gen_require(`
type usr_t, src_t;
')
list_dirs_pattern($1, usr_t, src_t)
exec_files_pattern($1, src_t, src_t)
read_lnk_files_pattern($1, src_t, src_t)
')
########################################
##
## Install a system.map into the /boot directory.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_create_kernel_symbol_table',`
gen_require(`
type boot_t, system_map_t;
')
allow $1 boot_t:dir { add_entry_dir_perms list_dir_perms };
allow $1 system_map_t:file { create_file_perms rw_file_perms };
')
########################################
##
## Read system.map in the /boot directory.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_read_kernel_symbol_table',`
gen_require(`
type boot_t, system_map_t;
')
allow $1 boot_t:dir list_dir_perms;
read_files_pattern($1, boot_t, system_map_t)
')
########################################
##
## Delete a system.map in the /boot directory.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_delete_kernel_symbol_table',`
gen_require(`
type boot_t, system_map_t;
')
allow $1 boot_t:dir list_dir_perms;
delete_files_pattern($1, boot_t, system_map_t)
')
########################################
##
## Mount on a system.map in the /boot directory (for bind mounts).
##
##
##
## Domain allowed access.
##
##
#
interface(`files_mounton_kernel_symbol_table',`
gen_require(`
type boot_t, system_map_t;
')
allow $1 boot_t:dir search_dir_perms;
allow $1 system_map_t:file mounton_file_perms;
')
########################################
##
## Search the contents of /var.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_search_var',`
gen_require(`
type var_t;
')
allow $1 var_t:dir search_dir_perms;
')
########################################
##
## Do not audit attempts to write to /var.
##
##
##
## Domain to not audit.
##
##
#
interface(`files_dontaudit_write_var_dirs',`
gen_require(`
type var_t;
')
dontaudit $1 var_t:dir write;
')
########################################
##
## Allow attempts to write to /var.dirs
##
##
##
## Domain allowed access.
##
##
#
interface(`files_write_var_dirs',`
gen_require(`
type var_t;
')
allow $1 var_t:dir write;
')
########################################
##
## Do not audit attempts to search
## the contents of /var.
##
##
##
## Domain to not audit.
##
##
#
interface(`files_dontaudit_search_var',`
gen_require(`
type var_t;
')
dontaudit $1 var_t:dir search_dir_perms;
')
########################################
##
## List the contents of /var.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_list_var',`
gen_require(`
type var_t;
')
allow $1 var_t:dir list_dir_perms;
')
########################################
##
## Do not audit attempts to list
## the contents of /var.
##
##
##
## Domain to not audit.
##
##
#
interface(`files_dontaudit_list_var',`
gen_require(`
type var_t;
')
dontaudit $1 var_t:dir list_dir_perms;
')
########################################
##
## Create, read, write, and delete directories
## in the /var directory.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_manage_var_dirs',`
gen_require(`
type var_t;
')
allow $1 var_t:dir manage_dir_perms;
')
########################################
##
## relabelto/from var directories
##
##
##
## Domain allowed access.
##
##
#
interface(`files_relabel_var_dirs',`
gen_require(`
type var_t;
')
allow $1 var_t:dir relabel_dir_perms;
')
########################################
##
## Read files in the /var directory.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_read_var_files',`
gen_require(`
type var_t;
')
read_files_pattern($1, var_t, var_t)
')
########################################
##
## Append files in the /var directory.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_append_var_files',`
gen_require(`
type var_t;
')
append_files_pattern($1, var_t, var_t)
')
########################################
##
## Read and write files in the /var directory.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_rw_var_files',`
gen_require(`
type var_t;
')
rw_files_pattern($1, var_t, var_t)
')
########################################
##
## Do not audit attempts to read and write
## files in the /var directory.
##
##
##
## Domain to not audit.
##
##
#
interface(`files_dontaudit_rw_var_files',`
gen_require(`
type var_t;
')
dontaudit $1 var_t:file rw_file_perms;
')
########################################
##
## Create, read, write, and delete files in the /var directory.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_manage_var_files',`
gen_require(`
type var_t;
')
manage_files_pattern($1, var_t, var_t)
')
########################################
##
## Read symbolic links in the /var directory.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_read_var_symlinks',`
gen_require(`
type var_t;
')
read_lnk_files_pattern($1, var_t, var_t)
')
########################################
##
## Create, read, write, and delete symbolic
## links in the /var directory.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_manage_var_symlinks',`
gen_require(`
type var_t;
')
manage_lnk_files_pattern($1, var_t, var_t)
')
########################################
##
## Create objects in the /var directory
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the object to be created
##
##
##
##
## The object class.
##
##
##
##
## The name of the object being created.
##
##
#
interface(`files_var_filetrans',`
gen_require(`
type var_t;
')
filetrans_pattern($1, var_t, $2, $3, $4)
')
########################################
##
## Get the attributes of the /var/lib directory.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_getattr_var_lib_dirs',`
gen_require(`
type var_t, var_lib_t;
')
getattr_dirs_pattern($1, var_t, var_lib_t)
')
########################################
##
## Search the /var/lib directory.
##
##
##
## Search the /var/lib directory. This is
## necessary to access files or directories under
## /var/lib that have a private type. For example, a
## domain accessing a private library file in the
## /var/lib directory:
##
##
## allow mydomain_t mylibfile_t:file read_file_perms;
## files_search_var_lib(mydomain_t)
##
##
##
##
## Domain allowed access.
##
##
##
#
interface(`files_search_var_lib',`
gen_require(`
type var_t, var_lib_t;
')
search_dirs_pattern($1, var_t, var_lib_t)
')
########################################
##
## Do not audit attempts to search the
## contents of /var/lib.
##
##
##
## Domain to not audit.
##
##
##
#
interface(`files_dontaudit_search_var_lib',`
gen_require(`
type var_lib_t;
')
dontaudit $1 var_lib_t:dir search_dir_perms;
')
########################################
##
## List the contents of the /var/lib directory.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_list_var_lib',`
gen_require(`
type var_t, var_lib_t;
')
list_dirs_pattern($1, var_t, var_lib_t)
')
###########################################
##
## Read-write /var/lib directories
##
##
##
## Domain allowed access.
##
##
#
interface(`files_rw_var_lib_dirs',`
gen_require(`
type var_lib_t;
')
rw_dirs_pattern($1, var_lib_t, var_lib_t)
')
########################################
##
## manage var_lib_t dirs
##
##
##
## Domain allowed access.
##
##
#
interface(`files_manage_var_lib_dirs',`
gen_require(`
type var_t, var_lib_t;
')
allow $1 var_t:dir search_dir_perms;
allow $1 var_lib_t:dir manage_dir_perms;
')
########################################
##
## relabel var_lib_t dirs
##
##
##
## Domain allowed access.
##
##
#
interface(`files_relabel_var_lib_dirs',`
gen_require(`
type var_t, var_lib_t;
')
allow $1 var_t:dir search_dir_perms;
allow $1 var_lib_t:dir relabel_dir_perms;
')
########################################
##
## Create objects in the /var/lib directory
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the object to be created
##
##
##
##
## The object class.
##
##
##
##
## The name of the object being created.
##
##
#
interface(`files_var_lib_filetrans',`
gen_require(`
type var_t, var_lib_t;
')
allow $1 var_t:dir search_dir_perms;
filetrans_pattern($1, var_lib_t, $2, $3, $4)
')
########################################
##
## Read generic files in /var/lib.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_read_var_lib_files',`
gen_require(`
type var_t, var_lib_t;
')
allow $1 var_lib_t:dir list_dir_perms;
read_files_pattern($1, { var_t var_lib_t }, var_lib_t)
')
########################################
##
## Read generic symbolic links in /var/lib
##
##
##
## Domain allowed access.
##
##
#
interface(`files_read_var_lib_symlinks',`
gen_require(`
type var_t, var_lib_t;
')
read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
')
# cjp: the next two interfaces really need to be fixed
# in some way. They really need their own types.
########################################
##
## Create, read, write, and delete the
## pseudorandom number generator seed.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_manage_urandom_seed',`
refpolicywarn(`$0($*) has been deprecated, please use init_manage_random_seed() instead.')
init_manage_random_seed($1)
')
# cjp: the next interface really needs to be fixed
# in some way. It really needs its own type.
########################################
##
## Allow domain to manage mount tables
## necessary for rpcd, nfsd, etc.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_manage_mounttab',`
gen_require(`
type var_t, var_lib_t;
')
allow $1 var_t:dir search_dir_perms;
manage_files_pattern($1, var_lib_t, var_lib_t)
')
########################################
##
## Set the attributes of the generic lock directories.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_setattr_lock_dirs',`
gen_require(`
type var_t, var_lock_t;
')
setattr_dirs_pattern($1, var_t, var_lock_t)
')
########################################
##
## Search the locks directory (/var/lock).
##
##
##
## Domain allowed access.
##
##
#
interface(`files_search_locks',`
gen_require(`
type var_t, var_lock_t;
')
allow $1 var_lock_t:lnk_file read_lnk_file_perms;
search_dirs_pattern($1, var_t, var_lock_t)
')
########################################
##
## Do not audit attempts to search the
## locks directory (/var/lock).
##
##
##
## Domain to not audit.
##
##
#
interface(`files_dontaudit_search_locks',`
gen_require(`
type var_lock_t;
')
dontaudit $1 var_lock_t:lnk_file read_lnk_file_perms;
dontaudit $1 var_lock_t:dir search_dir_perms;
')
########################################
##
## List generic lock directories.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_list_locks',`
gen_require(`
type var_t, var_lock_t;
')
allow $1 var_lock_t:lnk_file read_lnk_file_perms;
list_dirs_pattern($1, var_t, var_lock_t)
')
########################################
##
## Test write access on lock directories.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_check_write_lock_dirs',`
gen_require(`
type var_lock_t;
')
allow $1 var_lock_t:lnk_file read_lnk_file_perms;
allow $1 var_lock_t:dir write;
')
########################################
##
## Add entries in the /var/lock directories.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_add_entry_lock_dirs',`
gen_require(`
type var_t, var_lock_t;
')
allow $1 var_lock_t:lnk_file read_lnk_file_perms;
add_entry_dirs_pattern($1, var_t, var_lock_t)
')
########################################
##
## Add and remove entries in the /var/lock
## directories.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_rw_lock_dirs',`
gen_require(`
type var_t, var_lock_t;
')
allow $1 var_lock_t:lnk_file read_lnk_file_perms;
rw_dirs_pattern($1, var_t, var_lock_t)
')
########################################
##
## Create lock directories
##
##
##
## Domain allowed access
##
##
#
interface(`files_create_lock_dirs',`
gen_require(`
type var_t, var_lock_t;
')
allow $1 var_t:dir search_dir_perms;
allow $1 var_lock_t:lnk_file read_lnk_file_perms;
create_dirs_pattern($1, var_lock_t, var_lock_t)
')
########################################
##
## Relabel to and from all lock directory types.
##
##
##
## Domain allowed access.
##
##
##
#
interface(`files_relabel_all_lock_dirs',`
gen_require(`
attribute lockfile;
type var_t, var_lock_t;
')
allow $1 var_t:dir search_dir_perms;
allow $1 var_lock_t:lnk_file read_lnk_file_perms;
relabel_dirs_pattern($1, lockfile, lockfile)
')
########################################
##
## Get the attributes of generic lock files.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_getattr_generic_locks',`
gen_require(`
type var_t, var_lock_t;
')
allow $1 var_t:dir search_dir_perms;
allow $1 var_lock_t:lnk_file read_lnk_file_perms;
allow $1 var_lock_t:dir list_dir_perms;
getattr_files_pattern($1, var_lock_t, var_lock_t)
')
########################################
##
## Delete generic lock files.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_delete_generic_locks',`
gen_require(`
type var_t, var_lock_t;
')
allow $1 var_t:dir search_dir_perms;
allow $1 var_lock_t:lnk_file read_lnk_file_perms;
delete_files_pattern($1, var_lock_t, var_lock_t)
')
########################################
##
## Create, read, write, and delete generic
## lock files.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_manage_generic_locks',`
gen_require(`
type var_t, var_lock_t;
')
allow $1 var_t:dir search_dir_perms;
allow $1 var_lock_t:lnk_file read_lnk_file_perms;
manage_dirs_pattern($1, var_lock_t, var_lock_t)
manage_files_pattern($1, var_lock_t, var_lock_t)
')
########################################
##
## Delete all lock files.
##
##
##
## Domain allowed access.
##
##
##
#
interface(`files_delete_all_locks',`
gen_require(`
attribute lockfile;
type var_t, var_lock_t;
')
allow $1 var_t:dir search_dir_perms;
allow $1 var_lock_t:lnk_file read_lnk_file_perms;
delete_files_pattern($1, lockfile, lockfile)
')
########################################
##
## Read all lock files.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_read_all_locks',`
gen_require(`
attribute lockfile;
type var_t, var_lock_t;
')
allow $1 var_lock_t:lnk_file read_lnk_file_perms;
allow $1 { var_t var_lock_t }:dir search_dir_perms;
allow $1 lockfile:dir list_dir_perms;
read_files_pattern($1, lockfile, lockfile)
read_lnk_files_pattern($1, lockfile, lockfile)
')
########################################
##
## manage all lock files.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_manage_all_locks',`
gen_require(`
attribute lockfile;
type var_t, var_lock_t;
')
allow $1 var_lock_t:lnk_file read_lnk_file_perms;
allow $1 { var_t var_lock_t }:dir search_dir_perms;
manage_dirs_pattern($1, lockfile, lockfile)
manage_files_pattern($1, lockfile, lockfile)
manage_lnk_files_pattern($1, lockfile, lockfile)
')
########################################
##
## Relabel from/to all lock files.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_relabel_all_locks',`
gen_require(`
attribute lockfile;
type var_t, var_lock_t;
')
allow $1 var_lock_t:lnk_file read_lnk_file_perms;
allow $1 { var_t var_lock_t }:dir search_dir_perms;
relabel_dirs_pattern($1, lockfile, lockfile)
relabel_files_pattern($1, lockfile, lockfile)
relabel_lnk_files_pattern($1, lockfile, lockfile)
')
########################################
##
## Create an object in the locks directory, with a private
## type using a type transition.
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the object to be created.
##
##
##
##
## The object class of the object being created.
##
##
##
##
## The name of the object being created.
##
##
#
interface(`files_lock_filetrans',`
gen_require(`
type var_t, var_lock_t;
')
allow $1 var_t:dir search_dir_perms;
allow $1 var_lock_t:lnk_file read_lnk_file_perms;
filetrans_pattern($1, var_lock_t, $2, $3, $4)
')
########################################
##
## Do not audit attempts to get the attributes
## of the /var/run directory.
##
##
##
## Domain to not audit.
##
##
#
interface(`files_dontaudit_getattr_runtime_dirs',`
gen_require(`
type var_run_t;
')
dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
dontaudit $1 var_run_t:dir getattr;
')
########################################
##
## mounton a /var/run directory.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_mounton_runtime_dirs',`
gen_require(`
type var_run_t;
')
allow $1 var_run_t:dir mounton;
')
########################################
##
## Set the attributes of the /var/run directory.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_setattr_runtime_dirs',`
gen_require(`
type var_run_t;
')
allow $1 var_run_t:lnk_file read_lnk_file_perms;
allow $1 var_run_t:dir setattr;
')
########################################
##
## Search the contents of runtime process
## ID directories (/var/run).
##
##
##
## Domain allowed access.
##
##
#
interface(`files_search_runtime',`
gen_require(`
type var_t, var_run_t;
')
allow $1 var_run_t:lnk_file read_lnk_file_perms;
search_dirs_pattern($1, var_t, var_run_t)
')
########################################
##
## Do not audit attempts to search
## the /var/run directory.
##
##
##
## Domain to not audit.
##
##
#
interface(`files_dontaudit_search_runtime',`
gen_require(`
type var_run_t;
')
dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
dontaudit $1 var_run_t:dir search_dir_perms;
')
########################################
##
## List the contents of the runtime process
## ID directories (/var/run).
##
##
##
## Domain allowed access.
##
##
#
interface(`files_list_runtime',`
gen_require(`
type var_t, var_run_t;
')
allow $1 var_run_t:lnk_file read_lnk_file_perms;
list_dirs_pattern($1, var_t, var_run_t)
')
########################################
##
## Check write access on /var/run directories.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_check_write_runtime_dirs',`
gen_require(`
type var_run_t;
')
allow $1 var_run_t:dir write;
')
########################################
##
## Create a /var/run directory.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_create_runtime_dirs',`
gen_require(`
type var_run_t;
')
allow $1 var_run_t:dir create_dir_perms;
')
########################################
##
## Read and write a /var/run directory.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_rw_runtime_dirs',`
gen_require(`
type var_run_t;
')
rw_dirs_pattern($1, var_run_t, var_run_t)
')
########################################
##
## Watch /var/lib directories.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_watch_var_lib_dirs',`
gen_require(`
type var_lib_t;
')
allow $1 var_lib_t:dir watch;
')
########################################
##
## Watch /var/run directories.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_watch_runtime_dirs',`
gen_require(`
type var_run_t;
')
allow $1 var_run_t:dir watch;
')
########################################
##
## Watch /var directories.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_watch_var_dirs',`
gen_require(`
type var_t;
')
allow $1 var_t:dir watch;
')
########################################
##
## Read generic runtime files.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_read_runtime_files',`
gen_require(`
type var_t, var_run_t;
')
allow $1 var_run_t:lnk_file read_lnk_file_perms;
list_dirs_pattern($1, var_t, var_run_t)
read_files_pattern($1, var_run_t, var_run_t)
')
########################################
##
## Execute generic programs in /var/run in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_exec_runtime',`
gen_require(`
type var_run_t;
')
exec_files_pattern($1, var_run_t, var_run_t)
')
########################################
##
## Dontaudit attempt to execute generic programs in /var/run in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_dontaudit_exec_runtime',`
gen_require(`
type var_run_t;
')
dontaudit $1 var_run_t:file execute;
')
########################################
##
## Read and write generic runtime files.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_rw_runtime_files',`
gen_require(`
type var_t, var_run_t;
')
allow $1 var_run_t:lnk_file read_lnk_file_perms;
list_dirs_pattern($1, var_t, var_run_t)
rw_files_pattern($1, var_run_t, var_run_t)
')
########################################
##
## Delete generic runtime symlinks.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_delete_runtime_symlinks',`
gen_require(`
type var_run_t;
')
delete_lnk_files_pattern($1, var_run_t, var_run_t)
')
########################################
##
## Write named generic runtime pipes.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_write_runtime_pipes',`
gen_require(`
type var_run_t;
')
allow $1 var_run_t:lnk_file read_lnk_file_perms;
allow $1 var_run_t:fifo_file write;
')
########################################
##
## Delete all runtime dirs.
##
##
##
## Domain allowed access.
##
##
##
#
interface(`files_delete_all_runtime_dirs',`
gen_require(`
attribute pidfile;
')
delete_dirs_pattern($1, pidfile, pidfile)
')
########################################
##
## Create, read, write, and delete all runtime directories.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_manage_all_runtime_dirs',`
gen_require(`
attribute pidfile;
')
manage_dirs_pattern($1, pidfile, pidfile)
')
########################################
##
## Relabel all runtime directories.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_relabel_all_runtime_dirs',`
gen_require(`
attribute pidfile;
')
relabel_dirs_pattern($1, pidfile, pidfile)
')
########################################
##
## Do not audit attempts to get the attributes of
## all runtime data files.
##
##
##
## Domain to not audit.
##
##
#
interface(`files_dontaudit_getattr_all_runtime_files',`
gen_require(`
attribute pidfile;
type var_run_t;
')
dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
dontaudit $1 pidfile:file getattr;
')
########################################
##
## Read all runtime files.
##
##
##
## Domain allowed access.
##
##
##
#
interface(`files_read_all_runtime_files',`
gen_require(`
attribute pidfile;
type var_t, var_run_t;
')
allow $1 var_run_t:lnk_file read_lnk_file_perms;
list_dirs_pattern($1, var_t, pidfile)
read_files_pattern($1, pidfile, pidfile)
')
########################################
##
## Do not audit attempts to ioctl all runtime files.
##
##
##
## Domain to not audit.
##
##
#
interface(`files_dontaudit_ioctl_all_runtime_files',`
gen_require(`
attribute pidfile;
type var_run_t;
')
dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
dontaudit $1 pidfile:file ioctl;
')
########################################
##
## Do not audit attempts to write to all runtime files.
##
##
##
## Domain to not audit.
##
##
#
interface(`files_dontaudit_write_all_runtime_files',`
gen_require(`
attribute pidfile;
type var_run_t;
')
dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
dontaudit $1 pidfile:file write;
')
########################################
##
## Delete all runtime files.
##
##
##
## Domain allowed access.
##
##
##
#
interface(`files_delete_all_runtime_files',`
gen_require(`
attribute pidfile;
')
delete_files_pattern($1, pidfile, pidfile)
')
########################################
##
## Create, read, write and delete all
## var_run (pid) files
##
##
##
## Domain allowed access.
##
##
#
interface(`files_manage_all_runtime_files',`
gen_require(`
attribute pidfile;
')
manage_files_pattern($1, pidfile, pidfile)
')
########################################
##
## Relabel all runtime files.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_relabel_all_runtime_files',`
gen_require(`
attribute pidfile;
')
relabel_files_pattern($1, pidfile, pidfile)
')
########################################
##
## Delete all runtime symlinks.
##
##
##
## Domain allowed access.
##
##
##
#
interface(`files_delete_all_runtime_symlinks',`
gen_require(`
attribute pidfile;
')
delete_lnk_files_pattern($1, pidfile, pidfile)
')
########################################
##
## Create, read, write and delete all
## var_run (pid) symbolic links.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_manage_all_runtime_symlinks',`
gen_require(`
attribute pidfile;
')
manage_lnk_files_pattern($1, pidfile, pidfile)
')
########################################
##
## Relabel all runtime symbolic links.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_relabel_all_runtime_symlinks',`
gen_require(`
attribute pidfile;
')
relabel_lnk_files_pattern($1, pidfile, pidfile)
')
########################################
##
## Create all runtime named pipes
##
##
##
## Domain allowed access.
##
##
#
interface(`files_create_all_runtime_pipes',`
gen_require(`
attribute pidfile;
')
allow $1 pidfile:fifo_file create_fifo_file_perms;
')
########################################
##
## Delete all runtime named pipes
##
##
##
## Domain allowed access.
##
##
#
interface(`files_delete_all_runtime_pipes',`
gen_require(`
attribute pidfile;
')
allow $1 pidfile:fifo_file delete_fifo_file_perms;
')
########################################
##
## Create all runtime sockets.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_create_all_runtime_sockets',`
gen_require(`
attribute pidfile;
')
allow $1 pidfile:sock_file create_sock_file_perms;
')
########################################
##
## Delete all runtime sockets.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_delete_all_runtime_sockets',`
gen_require(`
attribute pidfile;
')
allow $1 pidfile:sock_file delete_sock_file_perms;
')
########################################
##
## Relabel all runtime named sockets.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_relabel_all_runtime_sockets',`
gen_require(`
attribute pidfile;
')
relabel_sock_files_pattern($1, pidfile, pidfile)
')
########################################
##
## Create an object in the /run directory, with a private type.
##
##
##
## Create an object in the process ID directory (e.g., /var/run)
## with a private type. Typically this is used for creating
## private PID files in /var/run with the private type instead
## of the general PID file type. To accomplish this goal,
## either the program must be SELinux-aware, or use this interface.
##
##
## Related interfaces:
##
##
## - files_runtime_file()
##
##
## Example usage with a domain that can create and
## write its PID file with a private PID file type in the
## /var/run directory:
##
##
## type mypidfile_t;
## files_runtime_file(mypidfile_t)
## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms };
## files_runtime_filetrans(mydomain_t, mypidfile_t, file)
##
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the object to be created.
##
##
##
##
## The object class of the object being created.
##
##
##
##
## The name of the object being created.
##
##
##
#
interface(`files_runtime_filetrans',`
gen_require(`
type var_t, var_run_t;
')
allow $1 var_t:dir search_dir_perms;
allow $1 var_run_t:lnk_file read_lnk_file_perms;
filetrans_pattern($1, var_run_t, $2, $3, $4)
')
########################################
##
## Create a generic lock directory within the run directories.
##
##
##
## Domain allowed access
##
##
##
##
## The name of the object being created.
##
##
#
interface(`files_runtime_filetrans_lock_dir',`
gen_require(`
type var_lock_t;
')
files_runtime_filetrans($1, var_lock_t, dir, $2)
')
########################################
##
## Create all spool sockets
##
##
##
## Domain allowed access.
##
##
#
interface(`files_create_all_spool_sockets',`
gen_require(`
attribute spoolfile;
')
allow $1 spoolfile:sock_file create_sock_file_perms;
')
########################################
##
## Delete all spool sockets
##
##
##
## Domain allowed access.
##
##
#
interface(`files_delete_all_spool_sockets',`
gen_require(`
attribute spoolfile;
')
allow $1 spoolfile:sock_file delete_sock_file_perms;
')
########################################
##
## Mount filesystems on all polyinstantiation
## member directories.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_mounton_all_poly_members',`
gen_require(`
attribute polymember;
')
allow $1 polymember:dir mounton;
')
########################################
##
## Search the contents of generic spool
## directories (/var/spool).
##
##
##
## Domain allowed access.
##
##
#
interface(`files_search_spool',`
gen_require(`
type var_t, var_spool_t;
')
search_dirs_pattern($1, var_t, var_spool_t)
')
########################################
##
## Do not audit attempts to search generic
## spool directories.
##
##
##
## Domain to not audit.
##
##
#
interface(`files_dontaudit_search_spool',`
gen_require(`
type var_spool_t;
')
dontaudit $1 var_spool_t:dir search_dir_perms;
')
########################################
##
## List the contents of generic spool
## (/var/spool) directories.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_list_spool',`
gen_require(`
type var_t, var_spool_t;
')
list_dirs_pattern($1, var_t, var_spool_t)
')
########################################
##
## Create, read, write, and delete generic
## spool directories (/var/spool).
##
##
##
## Domain allowed access.
##
##
#
interface(`files_manage_generic_spool_dirs',`
gen_require(`
type var_t, var_spool_t;
')
allow $1 var_t:dir search_dir_perms;
manage_dirs_pattern($1, var_spool_t, var_spool_t)
')
########################################
##
## Read generic spool files.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_read_generic_spool',`
gen_require(`
type var_t, var_spool_t;
')
list_dirs_pattern($1, var_t, var_spool_t)
read_files_pattern($1, var_spool_t, var_spool_t)
')
########################################
##
## Create, read, write, and delete generic
## spool files.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_manage_generic_spool',`
gen_require(`
type var_t, var_spool_t;
')
allow $1 var_t:dir search_dir_perms;
manage_files_pattern($1, var_spool_t, var_spool_t)
')
########################################
##
## Create objects in the spool directory
## with a private type with a type transition.
##
##
##
## Domain allowed access.
##
##
##
##
## Type to which the created node will be transitioned.
##
##
##
##
## Object class(es) (single or set including {}) for which this
## the transition will occur.
##
##
##
##
## The name of the object being created.
##
##
#
interface(`files_spool_filetrans',`
gen_require(`
type var_t, var_spool_t;
')
allow $1 var_t:dir search_dir_perms;
filetrans_pattern($1, var_spool_t, $2, $3, $4)
')
########################################
##
## Allow access to manage all polyinstantiated
## directories on the system.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_polyinstantiate_all',`
gen_require(`
attribute polydir, polymember, polyparent;
type poly_t;
')
# Need to give access to /selinux/member
selinux_compute_member($1)
# Need sys_admin capability for mounting
allow $1 self:capability { chown fowner fsetid sys_admin };
# Need to give access to the directories to be polyinstantiated
allow $1 polydir:dir { add_entry_dir_perms create mounton rmdir setattr };
# Need to give access to the polyinstantiated subdirectories
allow $1 polymember:dir search_dir_perms;
# Need to give access to parent directories where original
# is remounted for polyinstantiation aware programs (like gdm)
allow $1 polyparent:dir mounton_dir_perms;
# Need to give permission to create directories where applicable
allow $1 self:process setfscreate;
allow $1 polymember: dir { create relabelto setattr };
allow $1 polydir: dir { add_name open write };
allow $1 polyparent:dir { relabel_dir_perms rw_dir_perms };
# Default type for mountpoints
allow $1 poly_t:dir { create mounton };
fs_unmount_xattr_fs($1)
fs_mount_tmpfs($1)
fs_unmount_tmpfs($1)
ifdef(`distro_redhat',`
# namespace.init
files_search_tmp($1)
files_search_home($1)
corecmd_exec_bin($1)
seutil_domtrans_setfiles($1)
')
')
########################################
##
## Unconfined access to files.
##
##
##
## Domain allowed access.
##
##
#
interface(`files_unconfined',`
gen_require(`
attribute files_unconfined_type;
')
typeattribute $1 files_unconfined_type;
')
# should be in an ifdef distro_gentoo but cannot do so for interfaces
########################################
##
## Create, read, write, and delete symbolic links in
## /etc that are dynamically created on boot.
##
##
##
## Domain allowed access.
##
##
##
#
interface(`files_manage_etc_runtime_lnk_files',`
gen_require(`
type etc_t, etc_runtime_t;
')
manage_lnk_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
')
########################################
##
## Do not audit attempts to read etc_runtime resources
##
##
##
## Domain allowed access.
##
##
#
interface(`files_dontaudit_read_etc_runtime',`
gen_require(`
type etc_runtime_t;
')
dontaudit $1 etc_runtime_t:file read_file_perms;
')
#########################################
##
## List usr/src files
##
##
##
## Domain allowed access
##
##
#
interface(`files_list_src',`
gen_require(`
type src_t;
')
list_dirs_pattern($1, src_t, src_t)
')
#########################################
##
## Read usr/src files
##
##
##
## Domain allowed access
##
##
#
interface(`files_read_src_files',`
gen_require(`
type src_t;
')
read_files_pattern($1, src_t, src_t)
')
#########################################
##
## Manage /usr/src files
##
##
##
## Domain allowed access
##
##
#
interface(`files_manage_src_files',`
gen_require(`
type src_t;
')
manage_files_pattern($1, src_t, src_t)
')
##########################################
##
## Create a resource in the generic lib location
## with an automatic type transition towards the kernel modules
## type
##
##
##
## Domain allowed access
##
##
##
##
## Class of the created resource for which a type transition should occur
##
##
##
##
## Optional name of the resource
##
##
#
interface(`files_lib_filetrans_kernel_modules',`
gen_require(`
type modules_object_t;
')
libs_lib_filetrans($1, modules_object_t, $2, $3)
')
#########################################
##
## Read etc runtime resources
##
##
##
## Domain allowed access
##
##
#
interface(`files_read_etc_runtime',`
gen_require(`
type etc_runtime_t;
type etc_t;
')
list_dirs_pattern($1, etc_t, etc_runtime_t)
read_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
read_lnk_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
')
########################################
##
## Allow relabel from and to non-security types
##
##
##
## Domain allowed access.
##
##
##
#
interface(`files_relabel_all_non_security_file_types',`
gen_require(`
attribute non_security_file_type;
')
allow $1 non_security_file_type:dir list_dir_perms;
relabel_dirs_pattern($1, non_security_file_type, non_security_file_type)
relabel_files_pattern($1, non_security_file_type, non_security_file_type)
relabel_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
relabel_fifo_files_pattern($1, non_security_file_type, non_security_file_type)
relabel_sock_files_pattern($1, non_security_file_type, non_security_file_type)
# this is only relabelfrom since there should be no
# device nodes with file types.
relabelfrom_blk_files_pattern($1, non_security_file_type, non_security_file_type)
relabelfrom_chr_files_pattern($1, non_security_file_type, non_security_file_type)
')
########################################
##
## Manage non-security-sensitive resource types
##
##
##
## Domain allowed access.
##
##
##
#
interface(`files_manage_all_non_security_file_types',`
gen_require(`
attribute non_security_file_type;
')
manage_dirs_pattern($1, non_security_file_type, non_security_file_type)
manage_files_pattern($1, non_security_file_type, non_security_file_type)
manage_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
manage_fifo_files_pattern($1, non_security_file_type, non_security_file_type)
manage_sock_files_pattern($1, non_security_file_type, non_security_file_type)
')
#########################################
##
## Allow relabeling from and to any pidfile associated type
##
##
##
## Domain allowed access.
##
##
#
interface(`files_relabel_all_pidfiles',`
gen_require(`
attribute pidfile;
')
allow $1 pidfile:dir list_dir_perms;
relabel_dirs_pattern($1, pidfile, pidfile)
relabel_files_pattern($1, pidfile, pidfile)
relabel_lnk_files_pattern($1, pidfile, pidfile)
')