## Miscellaneous files. ######################################## ## ## Make the specified type usable as a cert file. ## ## ##

## Make the specified type usable for cert files. ## This will also make the type usable for files, making ## calls to files_type() redundant. Failure to use this interface ## for a temporary file may result in problems with ## cert management tools. ##

##

## Related interfaces: ##

## ##

## Example: ##

##

## type mycertfile_t; ## cert_type(mycertfile_t) ## allow mydomain_t mycertfile_t:file read_file_perms; ## files_search_etc(mydomain_t) ##

##
## <param name="type">
##	<summary>
##	Type to be used for files.
##	</summary>
## </param>
#
interface(`miscfiles_cert_type',`
	gen_require(`
		attribute cert_type;
	')

	# Tag the type with cert_type so the *_all_certs interfaces cover it,
	# then register it as an ordinary file type.
	typeattribute $1 cert_type;
	files_type($1)
')

########################################
## <summary>
##	Read all SSL certificates.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_read_all_certs',`
	gen_require(`
		attribute cert_type;
	')

	# Applies to every type carrying the cert_type attribute, not only cert_t.
	allow $1 cert_type:dir list_dir_perms;
	read_files_pattern($1, cert_type, cert_type)
	read_lnk_files_pattern($1, cert_type, cert_type)
')

########################################
## <summary>
##	Manage all SSL certificates.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_manage_all_certs',`
	gen_require(`
		attribute cert_type;
	')

	# Manage access over directories, files and symlinks of every type
	# carrying the cert_type attribute. Prefer the read or generic
	# variants wherever they are sufficient.
	manage_dirs_pattern($1, cert_type, cert_type)
	manage_files_pattern($1, cert_type, cert_type)
	manage_lnk_files_pattern($1, cert_type, cert_type)
')

########################################
## <summary>
##	Read generic SSL certificates.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_read_generic_certs',`
	gen_require(`
		type cert_t;
	')

	allow $1 cert_t:dir list_dir_perms;
	read_files_pattern($1, cert_t, cert_t)
	read_lnk_files_pattern($1, cert_t, cert_t)
')

########################################
## <summary>
##	mmap generic SSL certificates.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_map_generic_certs',`
	gen_require(`
		type cert_t;
	')

	# Grants only the map permission; read access comes from
	# miscfiles_read_generic_certs().
	allow $1 cert_t:file map;
')

########################################
## <summary>
##	Do not audit attempts to mmap generic SSL certificates.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`miscfiles_dontaudit_map_generic_certs',`
	gen_require(`
		type cert_t;
	')

	dontaudit $1 cert_t:file map;
')

########################################
## <summary>
##	Manage generic SSL certificate directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_manage_generic_cert_dirs',`
	gen_require(`
		type cert_t;
	')

	# Directories only; files are covered by
	# miscfiles_manage_generic_cert_files().
	manage_dirs_pattern($1, cert_t, cert_t)
')

########################################
## <summary>
##	Watch generic SSL certificate dirs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_watch_generic_cert_dirs',`
	gen_require(`
		type cert_t;
	')

	allow $1 cert_t:dir watch_dir_perms;
')

########################################
## <summary>
##	Allow process to relabel generic SSL certificate
##	files and directories (cert_t).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_relabel_generic_cert',`
	gen_require(`
		type cert_t;
	')

	# NOTE(review): this searches /usr, whereas
	# miscfiles_search_generic_cert_dirs() searches /etc. Confirm which
	# parent directories the callers actually need.
	files_search_usr($1)
	relabel_files_pattern($1, cert_t, cert_t)
	relabel_dirs_pattern($1, cert_t, cert_t)
')

########################################
## <summary>
##	Dontaudit attempts to write generic SSL certificates.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`miscfiles_dontaudit_write_generic_cert_files',`
	gen_require(`
		type cert_t;
	')

	# The write stays denied. Only the audit record is suppressed, so
	# write attempts on certificates by this domain will not show up
	# in the audit log.
	dontaudit $1 cert_t:file write;
')

########################################
## <summary>
##	Manage generic SSL certificate files and symlinks.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_manage_generic_cert_files',`
	gen_require(`
		type cert_t;
	')

	manage_files_pattern($1, cert_t, cert_t)
	manage_lnk_files_pattern($1, cert_t, cert_t)
')

########################################
## <summary>
##	Read SSL certificates. (Deprecated)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_read_certs',`
	# Compatibility wrapper: forwards to the renamed interface and warns
	# at policy build time.
	miscfiles_read_generic_certs($1)
	refpolicywarn(`$0() has been deprecated, please use miscfiles_read_generic_certs() instead.')
')

########################################
## <summary>
##	Manage SSL certificate directories. (Deprecated)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_manage_cert_dirs',`
	# Compatibility wrapper: forwards to the renamed interface and warns
	# at policy build time.
	miscfiles_manage_generic_cert_dirs($1)
	refpolicywarn(`$0() has been deprecated, please use miscfiles_manage_generic_cert_dirs() instead.')
')

########################################
## <summary>
##	Do not audit attempts to access check cert dirs/files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`miscfiles_dontaudit_access_check_cert',`
	gen_require(`
		type cert_t;
	')

	dontaudit $1 cert_t:file audit_access;
	dontaudit $1 cert_t:dir audit_access;
')

########################################
## <summary>
##	Manage SSL certificates.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_manage_cert_files',`
	# Deprecated compatibility wrapper: forwards to the renamed interface
	# and warns at policy build time.
	miscfiles_manage_generic_cert_files($1)
	refpolicywarn(`$0() has been deprecated, please use miscfiles_manage_generic_cert_files() instead.')
')

########################################
## <summary>
##	Search generic SSL certificates dirs
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_search_generic_cert_dirs',`
	gen_require(`
		type cert_t;
	')

	files_search_etc($1)
	allow $1 cert_t:dir search_dir_perms;
')

########################################
## <summary>
##	Read fonts.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_read_fonts',`
	gen_require(`
		type fonts_t, fonts_cache_t;
	')

	# cjp: fonts can be in either of these dirs
	files_search_usr($1)
	libs_search_lib($1)

	# Font files: list, read and map.
	allow $1 fonts_t:dir list_dir_perms;
	read_files_pattern($1, fonts_t, fonts_t)
	allow $1 fonts_t:file map;
	read_lnk_files_pattern($1, fonts_t, fonts_t)

	# Font cache: same read-only access, including map.
	allow $1 fonts_cache_t:dir list_dir_perms;
	read_files_pattern($1, fonts_cache_t, fonts_cache_t)
	read_lnk_files_pattern($1, fonts_cache_t, fonts_cache_t)
	allow $1 fonts_cache_t:file map;
')

########################################
## <summary>
##	Set the attributes on a fonts directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_setattr_fonts_dirs',`
	gen_require(`
		type fonts_t;
	')

	allow $1 fonts_t:dir setattr;
')

########################################
## <summary>
##	Do not audit attempts to set the attributes
##	on a fonts directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`miscfiles_dontaudit_setattr_fonts_dirs',`
	gen_require(`
		type fonts_t;
	')

	dontaudit $1 fonts_t:dir setattr;
')

########################################
## <summary>
##	Do not audit attempts to write fonts.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`miscfiles_dontaudit_write_fonts',`
	gen_require(`
		type fonts_t;
	')

	# Silences both directory write/setattr and file write denials.
	dontaudit $1 fonts_t:dir { write setattr };
	dontaudit $1 fonts_t:file write;
')

########################################
## <summary>
##	Watch fonts directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_watch_fonts_dirs',`
	gen_require(`
		type fonts_t;
	')

	allow $1 fonts_t:dir watch_dir_perms;
')

########################################
## <summary>
##	Create, read, write, and delete fonts.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_manage_fonts',`
	gen_require(`
		type fonts_t;
	')

	# cjp: fonts can be in either of these dirs
	files_search_usr($1)
	libs_search_lib($1)

	manage_dirs_pattern($1, fonts_t, fonts_t)
	manage_files_pattern($1, fonts_t, fonts_t)
	manage_lnk_files_pattern($1, fonts_t, fonts_t)
')

########################################
## <summary>
##	Set the attributes on a fonts cache directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_setattr_fonts_cache_dirs',`
	gen_require(`
		type fonts_cache_t;
	')

	allow $1 fonts_cache_t:dir setattr;
')

########################################
## <summary>
##	Do not audit attempts to set the attributes
##	on a fonts cache directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`miscfiles_dontaudit_setattr_fonts_cache_dirs',`
	gen_require(`
		type fonts_cache_t;
	')

	dontaudit $1 fonts_cache_t:dir setattr;
')

########################################
## <summary>
##	Create, read, write, and delete fonts cache.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_manage_fonts_cache',`
	gen_require(`
		type fonts_cache_t;
	')

	files_search_var($1)

	manage_dirs_pattern($1, fonts_cache_t, fonts_cache_t)
	manage_files_pattern($1, fonts_cache_t, fonts_cache_t)
	manage_lnk_files_pattern($1, fonts_cache_t, fonts_cache_t)
')

########################################
## <summary>
##	Read hardware identification data.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_read_hwdata',`
	gen_require(`
		type hwdata_t;
	')

	allow $1 hwdata_t:dir list_dir_perms;
	read_files_pattern($1, hwdata_t, hwdata_t)
	read_lnk_files_pattern($1, hwdata_t, hwdata_t)
')

########################################
## <summary>
##	Allow process to setattr localization info
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_setattr_localization',`
	gen_require(`
		type locale_t;
	')

	files_search_usr($1)
	allow $1 locale_t:dir list_dir_perms;
	# setattr is granted on files only; directories are list-only here.
	allow $1 locale_t:file setattr;
')

########################################
## <summary>
##	Allow process to read localization information.
## </summary>
## <desc>
##	<p>
##	Allow the specified domain to read the localization files.
##	This is typically for time zone configuration files, such as
##	/etc/localtime and files in /usr/share/zoneinfo.
##	Typically, any domain which needs to know the GMT/UTC
##	offset of the current timezone will need access
##	to these files. Generally, it should be safe for any
##	domain to read these files.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_read_localization',`
	gen_require(`
		type locale_t;
	')

	files_read_etc_symlinks($1)
	files_search_usr($1)
	allow $1 locale_t:dir list_dir_perms;
	read_files_pattern($1, locale_t, locale_t)
	read_lnk_files_pattern($1, locale_t, locale_t)
	allow $1 locale_t:file map;
')

########################################
## <summary>
##	Allow process to watch localization directories.
## </summary>
## <desc>
##	<p>
##	Allow the specified domain to watch localization directories
##	(e.g. /usr/share/zoneinfo/) for changes.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_watch_localization_dirs',`
	gen_require(`
		type locale_t;
	')

	watch_dirs_pattern($1, locale_t, locale_t)
')

########################################
## <summary>
##	Allow process to watch localization files.
## </summary>
## <desc>
##	<p>
##	Allow the specified domain to watch localization files
##	(e.g. /usr/share/zoneinfo/UTC) for changes.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_watch_localization_files',`
	gen_require(`
		type locale_t;
	')

	watch_files_pattern($1, locale_t, locale_t)
')

########################################
## <summary>
##	Allow process to watch localization symlinks.
## </summary>
## <desc>
##	<p>
##	Allow the specified domain to watch localization symlinks
##	(e.g. /etc/localtime) for changes.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_watch_localization_symlinks',`
	gen_require(`
		type locale_t;
	')

	watch_lnk_files_pattern($1, locale_t, locale_t)
')

########################################
## <summary>
##	Allow process to read and write localization files
##	and to manage localization symlinks.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_rw_localization',`
	gen_require(`
		type locale_t;
	')

	files_search_usr($1)
	allow $1 locale_t:dir list_dir_perms;
	# Regular files get read/write only, while symlinks get the full
	# manage pattern.
	rw_files_pattern($1, locale_t, locale_t)
	manage_lnk_files_pattern($1, locale_t, locale_t)
')

########################################
## <summary>
##	Allow process to relabel localization info
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_relabel_localization',`
	gen_require(`
		type locale_t;
	')

	files_search_usr($1)
	relabel_files_pattern($1, locale_t, locale_t)
	relabel_lnk_files_pattern($1, locale_t, locale_t)
')

########################################
## <summary>
##	Allow process to execute localization files
##	(legacy time localization support).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_legacy_read_localization',`
	gen_require(`
		type locale_t;
	')

	# Despite the interface name, the only permission granted is
	# execute on locale_t files. Read access comes from
	# miscfiles_read_localization().
	# NOTE(review): confirm each caller really needs execute here.
	allow $1 locale_t:file execute;
')

########################################
## <summary>
##	Search man pages.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_search_man_pages',`
	gen_require(`
		type man_t, man_cache_t;
	')

	allow $1 { man_cache_t man_t }:dir search_dir_perms;
	files_search_usr($1)
')

########################################
## <summary>
##	Do not audit attempts to search man pages.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`miscfiles_dontaudit_search_man_pages',`
	gen_require(`
		type man_t, man_cache_t;
	')

	dontaudit $1 { man_cache_t man_t }:dir search_dir_perms;
')

########################################
## <summary>
##	Read man pages
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_read_man_pages',`
	gen_require(`
		type man_t, man_cache_t;
	')

	files_search_usr($1)
	allow $1 { man_cache_t man_t }:dir list_dir_perms;
	read_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
	read_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })

	# Only takes effect when the mandb module is part of the policy.
	optional_policy(`
		mandb_read_cache_files($1)
	')
')

########################################
## <summary>
##	Delete man pages
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
# cjp: added for tmpreaper
#
interface(`miscfiles_delete_man_pages',`
	gen_require(`
		type man_t, man_cache_t;
	')

	files_search_usr($1)

	allow $1 { man_cache_t man_t }:dir { setattr_dir_perms list_dir_perms };
	delete_dirs_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
	delete_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
	delete_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })

	# Only takes effect when the mandb module is part of the policy.
	optional_policy(`
		mandb_setattr_cache_dirs($1)
		mandb_delete_cache($1)
	')
')

########################################
## <summary>
##	Set the attributes on man page directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_setattr_man_pages',`
	gen_require(`
		type man_t;
	')

	files_search_usr($1)

	# Directory setattr on man_t only; man_cache_t is not covered.
	allow $1 man_t:dir setattr;
')

########################################
## <summary>
##	Create, read, write, and delete man pages
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_manage_man_pages',`
	gen_require(`
		type man_t, man_cache_t;
	')

	files_search_usr($1)

	manage_dirs_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
	manage_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
	# Symlinks are read-only here, unlike directories and files.
	read_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
')

########################################
## <summary>
##	Read man cache content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_read_man_cache',`
	gen_require(`
		type man_cache_t;
	')

	files_search_var($1)
	allow $1 man_cache_t:dir list_dir_perms;
	allow $1 man_cache_t:file read_file_perms;
	allow $1 man_cache_t:lnk_file read_lnk_file_perms;
')

########################################
## <summary>
##	Create, read, write, and delete
##	man cache content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_manage_man_cache',`
	gen_require(`
		type man_cache_t;
	')

	files_search_var($1)
	allow $1 man_cache_t:dir manage_dir_perms;
	allow $1 man_cache_t:file manage_file_perms;
	allow $1 man_cache_t:lnk_file manage_lnk_file_perms;
')

########################################
## <summary>
##	Allow process to relabel man_pages info
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_relabel_man_pages',`
	gen_require(`
		type man_t;
	')

	files_search_usr($1)
	relabel_dirs_pattern($1, man_t, man_t)
	relabel_files_pattern($1, man_t, man_t)

	# Only takes effect when the mandb module is part of the policy.
	optional_policy(`
		mandb_relabel_cache($1)
	')
')

########################################
## <summary>
##	Read public files used for file
##	transfer services.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_read_public_files',`
	gen_require(`
		type public_content_t, public_content_rw_t;
	')

	# Read access covers both the read-only and the read-write
	# public content types.
	allow $1 { public_content_t public_content_rw_t }:dir list_dir_perms;
	allow $1 { public_content_t public_content_rw_t }:file map;
	read_files_pattern($1, { public_content_t public_content_rw_t }, { public_content_t public_content_rw_t })
	read_lnk_files_pattern($1, { public_content_t public_content_rw_t }, { public_content_t public_content_rw_t })
')

########################################
## <summary>
##	Create, read, write, and delete public files
##	and directories used for file transfer services.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
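##	</summary>
## </param>
#
interface(`miscfiles_manage_public_files',`
	gen_require(`
		type public_content_rw_t;
	')

	# Only the read-write public content type is manageable;
	# public_content_t is not touched here.
	manage_dirs_pattern($1, public_content_rw_t, public_content_rw_t)
	manage_files_pattern($1, public_content_rw_t, public_content_rw_t)
	manage_lnk_files_pattern($1, public_content_rw_t, public_content_rw_t)
')

########################################
## <summary>
##	Append to public files used for file transfer services
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_append_public_files',`
	gen_require(`
		type public_content_rw_t;
	')

	append_files_pattern($1, public_content_rw_t, public_content_rw_t)
')

########################################
## <summary>
##	Read TeX data
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_read_tetex_data',`
	gen_require(`
		type tetex_data_t;
	')

	files_search_var($1)
	files_search_var_lib($1)

	# cjp: TeX data can be in either of the above dirs
	allow $1 tetex_data_t:dir list_dir_perms;
	read_files_pattern($1, tetex_data_t, tetex_data_t)
	read_lnk_files_pattern($1, tetex_data_t, tetex_data_t)
')

########################################
## <summary>
##	Execute TeX data programs in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_exec_tetex_data',`
	# The unused fonts_t requirement was dropped: no rule in this
	# interface references it.
	gen_require(`
		type tetex_data_t;
	')

	files_search_var($1)
	files_search_var_lib($1)

	# cjp: TeX data can be in either of the above dirs
	allow $1 tetex_data_t:dir list_dir_perms;
	exec_files_pattern($1, tetex_data_t, tetex_data_t)
')

########################################
## <summary>
##	Let test files be an entry point for
##	a specified domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_domain_entry_test_files',`
	gen_require(`
		type test_file_t;
	')

	domain_entry_file($1, test_file_t)
')

########################################
## <summary>
##	Read test files and directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.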
##	</summary>
## </param>
#
interface(`miscfiles_read_test_files',`
	gen_require(`
		type test_file_t;
	')

	read_files_pattern($1, test_file_t, test_file_t)
	read_lnk_files_pattern($1, test_file_t, test_file_t)
')

########################################
## <summary>
##	Execute test files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_exec_test_files',`
	gen_require(`
		type test_file_t;
	')

	exec_files_pattern($1, test_file_t, test_file_t)
	read_lnk_files_pattern($1, test_file_t, test_file_t)
')

########################################
## <summary>
##	Type transition to locale_t for localization
##	files and symlinks created in etc directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_etc_filetrans_localization',`
	gen_require(`
		type locale_t;
	')

	# The first rule carries no object name, so it applies to any file or
	# symlink that the domain creates there. The named rules below are
	# subsets of it.
	files_etc_filetrans($1, locale_t, { file lnk_file })
	files_etc_filetrans($1, locale_t, {lnk_file file}, "localtime" )
	files_etc_filetrans($1, locale_t, file, "locale.conf" )
	files_etc_filetrans($1, locale_t, file, "timezone" )
	files_etc_filetrans($1, locale_t, file, "vconsole.conf" )
')

########################################
## <summary>
##	Create, read, write, and delete localization
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_manage_localization',`
	gen_require(`
		type locale_t;
	')

	manage_dirs_pattern($1, locale_t, locale_t)
	manage_files_pattern($1, locale_t, locale_t)
	manage_lnk_files_pattern($1, locale_t, locale_t)
')

########################################
## <summary>
##	Transition to miscfiles locale named content
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_filetrans_locale_named_content',`
	gen_require(`
		type locale_t;
	')

	# Name-based transitions only: each rule applies to one specific
	# object name.
	files_etc_filetrans($1, locale_t, { lnk_file file }, "localtime")
	files_etc_filetrans($1, locale_t, file, "locale.conf")
	files_etc_filetrans($1, locale_t, file, "vconsole.conf")
	files_etc_filetrans($1, locale_t, file, "locale.conf.new")
	files_etc_filetrans($1, locale_t, file, "timezone")
	files_etc_filetrans($1, locale_t, file, "clock")
	files_usr_filetrans($1, locale_t, dir, "locale")
	files_usr_filetrans($1, locale_t, dir, "zoneinfo")
')

########################################
## <summary>
##	Transition to miscfiles named content
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_filetrans_named_content',`
	gen_require(`
		type man_t;
		type cert_t;
		type fonts_t;
		type fonts_cache_t;
		type hwdata_t;
		type tetex_data_t;
		type public_content_t;
	')

	# Locale names are handled by the dedicated interface.
	miscfiles_filetrans_locale_named_content($1)

	files_var_filetrans($1, man_t, dir, "man")
	# Certificate directories, including the letsencrypt state directory.
	files_etc_filetrans($1, cert_t, dir, "pki")
	files_usr_filetrans($1, cert_t, dir, "certs")
	files_var_lib_filetrans($1, cert_t, dir, "letsencrypt")
	files_usr_filetrans($1, fonts_t, dir, "fonts")
	files_usr_filetrans($1, hwdata_t, dir, "hwdata")
	files_var_filetrans($1, fonts_cache_t, dir, "fontconfig")
	files_var_filetrans($1, tetex_data_t, dir, "fonts")
	files_spool_filetrans($1, tetex_data_t, dir, "texmf")
	files_var_lib_filetrans($1, tetex_data_t, dir, "texmf")
	files_var_filetrans($1, public_content_t, dir, "ftp")
')

########################################
## <summary>
##	Transition to cert_t for the letsencrypt
##	directory created in var lib.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_filetrans_named_content_letsencrypt',`
	gen_require(`
		type cert_t;
	')

	# Same rule that miscfiles_filetrans_named_content() carries, offered
	# on its own for domains that need nothing else from that interface.
	files_var_lib_filetrans($1, cert_t, dir, "letsencrypt")
')

########################################
## <summary>
##	Read all pkcs11 modules configurations.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_read_pkcs11_modules',`
	gen_require(`
		type pkcs11_modules_conf_t;
	')

	# Read-only access: list the directory, read the files and map them.
	# No symlink rule is included here.
	allow $1 pkcs11_modules_conf_t:dir list_dir_perms;
	read_files_pattern($1, pkcs11_modules_conf_t, pkcs11_modules_conf_t)
	allow $1 pkcs11_modules_conf_t:file map;
')