Oreon-Lime-R2/selinux-policy/selinux-policy-d9f4a2b/selinux-policy-d9f4a2bbeb91fd95d0c35a90936efb9ea99d2455/policy/modules/kernel/ubac.if

198 lines
3.7 KiB
Text
Raw Permalink Normal View History

## <summary>User-based access control policy</summary>
## <required val="true">
## Contains attributes used in UBAC policy.
## </required>
########################################
## <summary>
## Constrain by user-based access control (UBAC).
## </summary>
## <desc>
## <p>
## Constrain the specified type by user-based
## access control (UBAC). Typically, these are
## user processes or user files that need to be
## differentiated by SELinux user. Normally this
## does not include administrative or privileged
## programs. For the UBAC rules to be enforced,
## both the subject (source) type and the object
## (target) types must be UBAC constrained.
## </p>
## </desc>
## <param name="type">
## <summary>
## Type to be constrained by UBAC.
## </summary>
## </param>
## <infoflow type="none"/>
#
interface(`ubac_constrained',`
gen_require(`
attribute ubac_constrained_type;
')
typeattribute $1 ubac_constrained_type;
')
########################################
## <summary>
## Exempt user-based access control for files.
## </summary>
## <param name="domain">
## <summary>
## Domain to be exempted.
## </summary>
## </param>
#
interface(`ubac_file_exempt',`
gen_require(`
attribute ubacfile;
')
typeattribute $1 ubacfile;
')
########################################
## <summary>
## Exempt user-based access control for processes.
## </summary>
## <param name="domain">
## <summary>
## Domain to be exempted.
## </summary>
## </param>
#
interface(`ubac_process_exempt',`
gen_require(`
attribute ubacproc;
')
typeattribute $1 ubacproc;
')
########################################
## <summary>
## Exempt user-based access control for file descriptors.
## </summary>
## <param name="domain">
## <summary>
## Domain to be exempted.
## </summary>
## </param>
#
interface(`ubac_fd_exempt',`
gen_require(`
attribute ubacfd;
')
typeattribute $1 ubacfd;
')
########################################
## <summary>
## Exempt user-based access control for sockets.
## </summary>
## <param name="domain">
## <summary>
## Domain to be exempted.
## </summary>
## </param>
#
interface(`ubac_socket_exempt',`
gen_require(`
attribute ubacsock;
')
typeattribute $1 ubacsock;
')
########################################
## <summary>
## Exempt user-based access control for SysV IPC.
## </summary>
## <param name="domain">
## <summary>
## Domain to be exempted.
## </summary>
## </param>
#
interface(`ubac_sysvipc_exempt',`
gen_require(`
attribute ubacipc;
')
typeattribute $1 ubacipc;
')
########################################
## <summary>
## Exempt user-based access control for X Windows.
## </summary>
## <param name="domain">
## <summary>
## Domain to be exempted.
## </summary>
## </param>
#
interface(`ubac_xwin_exempt',`
gen_require(`
attribute ubacxwin;
')
typeattribute $1 ubacxwin;
')
########################################
## <summary>
## Exempt user-based access control for dbus.
## </summary>
## <param name="domain">
## <summary>
## Domain to be exempted.
## </summary>
## </param>
#
interface(`ubac_dbus_exempt',`
gen_require(`
attribute ubacdbus;
')
typeattribute $1 ubacdbus;
')
########################################
## <summary>
## Exempt user-based access control for keys.
## </summary>
## <param name="domain">
## <summary>
## Domain to be exempted.
## </summary>
## </param>
#
interface(`ubac_key_exempt',`
gen_require(`
attribute ubackey;
')
typeattribute $1 ubackey;
')
########################################
## <summary>
## Exempt user-based access control for databases.
## </summary>
## <param name="domain">
## <summary>
## Domain to be exempted.
## </summary>
## </param>
#
interface(`ubac_db_exempt',`
gen_require(`
attribute ubacdb;
')
typeattribute $1 ubacdb;
')