## <summary>Policy for SELinux policy and userland applications.</summary>
# Each interface below is an m4 macro: $1 is the calling domain, $2 (where
# present) the role that should be allowed to reach the target domain.

########################################
## <summary>
##	Execute checkpolicy in the checkpolicy domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`seutil_domtrans_checkpolicy',`
	gen_require(`
		type checkpolicy_t, checkpolicy_exec_t;
	')

	# The caller must be able to reach the binary's directory before the
	# domain transition on exec can happen.
	files_search_usr($1)
	corecmd_search_bin($1)
	domtrans_pattern($1, checkpolicy_exec_t, checkpolicy_t)
')

########################################
## <summary>
##	Execute checkpolicy in the checkpolicy domain, and
##	allow the specified role the checkpolicy domain,
##	and use the caller's terminal.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`seutil_run_checkpolicy',`
	gen_require(`
		type checkpolicy_t;
	')

	seutil_domtrans_checkpolicy($1)
	# Without this role statement the transition above would be refused
	# for $2 even though the type transition is allowed.
	role $2 types checkpolicy_t;
')

########################################
## <summary>
##	Execute checkpolicy in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`seutil_exec_checkpolicy',`
	gen_require(`
		type checkpolicy_exec_t;
	')

	files_search_usr($1)
	corecmd_search_bin($1)
	# No domain change: the program runs with the caller's own privileges.
	can_exec($1, checkpolicy_exec_t)
')

########################################
## <summary>
##	Execute load_policy in the load_policy domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`seutil_domtrans_loadpolicy',`
	gen_require(`
		type load_policy_t, load_policy_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, load_policy_exec_t, load_policy_t)
')

########################################
## <summary>
##	Execute load_policy in the load_policy domain, and
##	allow the specified role the load_policy domain,
##	and use the caller's terminal.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`seutil_run_loadpolicy',`
	gen_require(`
		type load_policy_t;
	')

	seutil_domtrans_loadpolicy($1)
	role $2 types load_policy_t;
')

########################################
## <summary>
##	Execute load_policy in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_exec_loadpolicy',`
	gen_require(`
		type load_policy_exec_t;
	')

	corecmd_search_bin($1)
	# Runs load_policy without a domain transition.
	can_exec($1, load_policy_exec_t)
')

########################################
## <summary>
##	Allow access check on load_policy.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_access_check_load_policy',`
	gen_require(`
		type load_policy_exec_t;
	')

	# Only the execute file permission; no exec rule, so the caller can
	# probe the binary (e.g. access(2)) but not run it through this interface.
	allow $1 load_policy_exec_t:file execute;
')

########################################
## <summary>
##	Dontaudit access check on load_policy.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_dontaudit_access_check_load_policy',`
	gen_require(`
		type load_policy_exec_t;
	')

	dontaudit $1 load_policy_exec_t:file audit_access;
')

########################################
## <summary>
##	Read the load_policy program file.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_read_loadpolicy',`
	gen_require(`
		type load_policy_exec_t;
	')

	corecmd_search_bin($1)
	allow $1 load_policy_exec_t:file read_file_perms;
')

########################################
## <summary>
##	Execute newrole in the newrole domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`seutil_domtrans_newrole',`
	gen_require(`
		type newrole_t, newrole_exec_t;
	')

	files_search_usr($1)
	corecmd_search_bin($1)
	domtrans_pattern($1, newrole_exec_t, newrole_t)
')

########################################
## <summary>
##	Execute newrole in the newrole domain, and
##	allow the specified role the newrole domain,
##	and use the caller's terminal.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`seutil_run_newrole',`
	gen_require(`
		type newrole_t;
		#attribute_role newrole_roles;
	')

	# Role-attribute form kept commented out; the explicit role statement
	# below is what is in effect.
	#seutil_domtrans_newrole($1)
	#roleattribute $2 newrole_roles;
	seutil_domtrans_newrole($1)
	role $2 types newrole_t;
	# newrole itself re-authenticates the user, hence the password helper
	# is run from newrole_t on behalf of the same role.
	auth_run_upd_passwd(newrole_t, $2)

	optional_policy(`
		namespace_init_run(newrole_t, $2)
	')
')

########################################
## <summary>
##	Execute newrole in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_exec_newrole',`
	gen_require(`
		type newrole_t, newrole_exec_t;
	')

	files_search_usr($1)
	corecmd_search_bin($1)
	# No transition: newrole runs in the caller's domain.
	can_exec($1, newrole_exec_t)
')

########################################
## <summary>
##	Do not audit the caller attempts to send
##	a signal to newrole.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`seutil_dontaudit_signal_newrole',`
	gen_require(`
		type newrole_t;
	')

	dontaudit $1 newrole_t:process signal;
')

########################################
## <summary>
##	Send a SIGCHLD signal to newrole.
## </summary>
## <desc>
##	<p>
##	Allow the specified domain to send a SIGCHLD
##	signal to newrole. This signal is automatically
##	sent from a process that is terminating to
##	its parent. This may be needed by domains
##	that are executed from newrole.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`seutil_sigchld_newrole',`
	gen_require(`
		type newrole_t;
	')

	allow $1 newrole_t:process sigchld;
')

########################################
## <summary>
##	Inherit and use newrole file descriptors.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_use_newrole_fds',`
	gen_require(`
		type newrole_t;
	')

	allow $1 newrole_t:fd use;
')

########################################
## <summary>
##	Do not audit attempts to inherit and use
##	newrole file descriptors.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`seutil_dontaudit_use_newrole_fds',`
	gen_require(`
		type newrole_t;
	')

	dontaudit $1 newrole_t:fd use;
')

########################################
## <summary>
##	Execute restorecon in the restorecon domain. (Deprecated)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`seutil_domtrans_restorecon',`
	# Compatibility shim: restorecon is handled by the setfiles domain.
	refpolicywarn(`$0($*) has been deprecated, please use seutil_domtrans_setfiles() instead.')
	seutil_domtrans_setfiles($1)
')

########################################
## <summary>
##	Execute restorecon in the restorecon domain, and
##	allow the specified role the restorecon domain,
##	and use the caller's terminal. (Deprecated)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`seutil_run_restorecon',`
	refpolicywarn(`$0($*) has been deprecated, please use seutil_run_setfiles() instead.')
	seutil_run_setfiles($1,$2)
')

########################################
## <summary>
##	Execute restorecon in the caller domain. (Deprecated)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`seutil_exec_restorecon',`
	refpolicywarn(`$0($*) has been deprecated, please use seutil_exec_setfiles() instead.')
	seutil_exec_setfiles($1)
')

########################################
## <summary>
##	Execute restorecond in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`seutil_exec_restorecond',`
	gen_require(`
		type restorecond_exec_t;
	')

	files_search_usr($1)
	corecmd_search_bin($1)
	can_exec($1, restorecond_exec_t)
')

########################################
## <summary>
##	Execute run_init in the run_init domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`seutil_domtrans_runinit',`
	gen_require(`
		type run_init_t, run_init_exec_t;
	')

	files_search_usr($1)
	corecmd_search_bin($1)
	domtrans_pattern($1, run_init_exec_t, run_init_t)
')

########################################
## <summary>
##	Execute init scripts in the run_init domain.
## </summary>
## <desc>
##	<p>
##	Execute init scripts in the run_init domain.
##	This is used for the Gentoo integrated run_init.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`seutil_init_script_domtrans_runinit',`
	gen_require(`
		type run_init_t;
	')

	init_script_file_domtrans($1, run_init_t)
	# Reverse-direction rules: the new run_init_t process keeps using the
	# caller's inherited descriptors/pipes and reports back on exit.
	allow run_init_t $1:fd use;
	allow run_init_t $1:fifo_file rw_file_perms;
	allow run_init_t $1:process sigchld;
')

########################################
## <summary>
##	Execute run_init in the run_init domain, and
##	allow the specified role the run_init domain,
##	and use the caller's terminal.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`seutil_run_runinit',`
	gen_require(`
		#attribute_role run_init_roles;
		type run_init_t;
		role system_r;
	')

	#seutil_domtrans_runinit($1)
	#roleattribute $2 run_init_roles;
	auth_run_chk_passwd(run_init_t, $2)
	seutil_domtrans_runinit($1)
	role $2 types run_init_t;
	# Role allow: $2 may change into system_r. NOTE(review): presumably
	# needed because run_init switches to system_r before starting the
	# service; this widens what role $2 can reach, so only grant it to
	# administrative roles — confirm against run_init's policy.
	allow $2 system_r;
')

########################################
## <summary>
##	Execute init scripts in the run_init domain, and
##	allow the specified role the run_init domain,
##	and use the caller's terminal.
## </summary>
## <desc>
##	<p>
##	Execute init scripts in the run_init domain, and
##	allow the specified role the run_init domain,
##	and use the caller's terminal.
##	</p>
##	<p>
##	This is used for the Gentoo integrated run_init.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
#
interface(`seutil_init_script_run_runinit',`
	gen_require(`
		#attribute_role run_init_roles;
		type run_init_t;
		role system_r;
	')

	#seutil_init_script_domtrans_runinit($1)
	#roleattribute $2 run_init_roles;
	auth_run_chk_passwd(run_init_t, $2)
	seutil_init_script_domtrans_runinit($1)
	role $2 types run_init_t;
	# Same role widening as seutil_run_runinit(): $2 may reach system_r.
	allow $2 system_r;
')

########################################
## <summary>
##	Inherit and use run_init file descriptors.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_use_runinit_fds',`
	gen_require(`
		type run_init_t;
	')

	allow $1 run_init_t:fd use;
')

########################################
## <summary>
##	Execute setfiles in the setfiles domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`seutil_domtrans_setfiles',`
	gen_require(`
		type setfiles_t, setfiles_exec_t;
	')

	files_search_usr($1)
	corecmd_search_bin($1)
	domtrans_pattern($1, setfiles_exec_t, setfiles_t)
')

########################################
## <summary>
##	Execute setfiles in the setfiles domain, and
##	allow the specified role the setfiles domain,
##	and use the caller's terminal.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`seutil_run_setfiles',`
	gen_require(`
		type setfiles_t;
	')

	seutil_domtrans_setfiles($1)
	role $2 types setfiles_t;
')

########################################
## <summary>
##	Execute setfiles in the setfiles_mac domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_domtrans_setfiles_mac',`
	gen_require(`
		type setfiles_mac_t, setfiles_exec_t;
	')

	files_search_usr($1)
	corecmd_search_bin($1)
	# Same executable as seutil_domtrans_setfiles(), but the caller lands
	# in setfiles_mac_t instead of setfiles_t.
	domtrans_pattern($1, setfiles_exec_t, setfiles_mac_t)
')

########################################
## <summary>
##	Allow caller nnp_transition and nosuid_transition to setfiles_mac_t
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_nnp_domtrans_setfiles_mac',`
	gen_require(`
		type setfiles_mac_t;
	')

	# Permits the domain transition even when the caller runs with
	# no_new_privs set or from a nosuid mount, which would otherwise
	# block it.
	allow $1 setfiles_mac_t:process2 { nnp_transition nosuid_transition };
')

########################################
## <summary>
##	Execute setfiles in the setfiles_mac domain, and
##	allow the specified role the setfiles_mac domain,
##	and use the caller's terminal.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed the setfiles_mac domain.
##	</summary>
## </param>
## <rolecap/>
#
interface(`seutil_run_setfiles_mac',`
	gen_require(`
		type setfiles_mac_t;
	')

	seutil_domtrans_setfiles_mac($1)
	role $2 types setfiles_mac_t;
')

########################################
## <summary>
##	Execute setfiles in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_exec_setfiles',`
	gen_require(`
		type setfiles_exec_t;
	')

	files_search_usr($1)
	corecmd_search_bin($1)
	can_exec($1, setfiles_exec_t)
')

########################################
## <summary>
##	Allow access check on setfiles.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_access_check_setfiles',`
	gen_require(`
		type setfiles_exec_t;
	')

	# execute only, no exec rule: probing the binary, not running it.
	allow $1 setfiles_exec_t:file execute;
')

########################################
## <summary>
##	Dontaudit access check on setfiles.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_dontaudit_access_check_setfiles',`
	gen_require(`
		type setfiles_exec_t;
	')

	dontaudit $1 setfiles_exec_t:file audit_access;
')

########################################
## <summary>
##	Do not audit attempts to search the SELinux
##	configuration directory (/etc/selinux).
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`seutil_dontaudit_search_config',`
	gen_require(`
		type selinux_config_t;
	')

	dontaudit $1 selinux_config_t:dir search_dir_perms;
')

########################################
## <summary>
##	Allow attempts to search the SELinux
##	configuration directory (/etc/selinux).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_search_config',`
	gen_require(`
		type selinux_config_t;
	')

	allow $1 selinux_config_t:dir search_dir_perms;
')

########################################
## <summary>
##	Do not audit attempts to read the SELinux
##	userland configuration (/etc/selinux).
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`seutil_dontaudit_read_config',`
	gen_require(`
		type selinux_config_t;
	')

	dontaudit $1 selinux_config_t:dir search_dir_perms;
	dontaudit $1 selinux_config_t:file read_file_perms;
')

########################################
## <summary>
##	Read the general SELinux configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`seutil_read_config',`
	gen_require(`
		type selinux_config_t;
	')

	files_search_etc($1)
	allow $1 selinux_config_t:dir list_dir_perms;
	read_files_pattern($1, selinux_config_t, selinux_config_t)
	read_lnk_files_pattern($1, selinux_config_t, selinux_config_t)
')

########################################
## <summary>
##	Read and write the general SELinux configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`seutil_rw_config',`
	gen_require(`
		type selinux_config_t;
	')

	files_search_etc($1)
	allow $1 selinux_config_t:dir list_dir_perms;
	rw_files_pattern($1, selinux_config_t, selinux_config_t)
')

########################################
## <summary>
##	Create, read, write, and delete
##	the general selinux configuration files. (Deprecated)
## </summary>
## <desc>
##	<p>
##	Create, read, write, and delete
##	the general selinux configuration files.
##	</p>
##	<p>
##	This interface has been deprecated, please
##	use the seutil_manage_config() interface instead.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`seutil_manage_selinux_config',`
	refpolicywarn(`$0($*) has been deprecated. Please use seutil_manage_config() instead.')
	seutil_manage_config($1)
')

########################################
## <summary>
##	Create, read, write, and delete
##	the general selinux configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`seutil_manage_config',`
	gen_require(`
		type selinux_config_t;
	')

	files_search_etc($1)
	manage_dirs_pattern($1, selinux_config_t, selinux_config_t)
	manage_files_pattern($1, selinux_config_t, selinux_config_t)
	read_lnk_files_pattern($1, selinux_config_t, selinux_config_t)
')

########################################
## <summary>
##	Create, read, write, and delete
##	the general selinux configuration directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`seutil_manage_config_dirs',`
	gen_require(`
		type selinux_config_t;
	')

	files_search_etc($1)
	# Directory permissions only; file access is not granted here.
	allow $1 selinux_config_t:dir manage_dir_perms;
')

########################################
## <summary>
##	Do not audit attempts to search the SELinux
##	login configuration directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`seutil_dontaudit_search_login_config',`
	gen_require(`
		type selinux_login_config_t;
	')

	dontaudit $1 selinux_login_config_t:dir search_dir_perms;
')

########################################
## <summary>
##	Do not audit attempts to read the SELinux
##	login configuration.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`seutil_dontaudit_read_login_config',`
	gen_require(`
		type selinux_login_config_t;
	')

	dontaudit $1 selinux_login_config_t:dir search_dir_perms;
	dontaudit $1 selinux_login_config_t:file read_file_perms;
')

########################################
## <summary>
##	Read the SELinux login configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_read_login_config',`
	gen_require(`
		type selinux_config_t;
		type selinux_login_config_t;
	')

	files_search_etc($1)
	# Only search on the parent config dir; listing is granted on the
	# login config dir itself.
	allow $1 selinux_config_t:dir search_dir_perms;
	allow $1 selinux_login_config_t:dir list_dir_perms;
	read_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
	read_lnk_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
')

########################################
## <summary>
##	Read and write the SELinux login configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_rw_login_config',`
	gen_require(`
		type selinux_config_t;
		type selinux_login_config_t;
	')

	files_search_etc($1)
	allow $1 selinux_config_t:dir search_dir_perms;
	allow $1 selinux_login_config_t:dir list_dir_perms;
	rw_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
')

########################################
## <summary>
##	Read and write the SELinux login
##	configuration directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_rw_login_config_dirs',`
	gen_require(`
		type selinux_config_t;
		type selinux_login_config_t;
	')

	files_search_etc($1)
	allow $1 selinux_config_t:dir search_dir_perms;
	# Directory-level rw only (add/remove entries); no file permissions.
	allow $1 selinux_login_config_t:dir rw_dir_perms;
')

########################################
## <summary>
##	Create, read, write, and delete
##	the SELinux login configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_manage_login_config',`
	gen_require(`
		type selinux_config_t;
		type selinux_login_config_t;
	')

	files_search_etc($1)
	allow $1 selinux_config_t:dir search_dir_perms;
	manage_dirs_pattern($1, selinux_login_config_t, selinux_login_config_t)
	manage_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
	read_lnk_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
')

########################################
## <summary>
##	Manage the login selinux configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
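##	</summary>
## </param>
#
interface(`seutil_manage_login_config_files',`
	gen_require(`
		type selinux_config_t;
		type selinux_login_config_t;
	')

	files_search_etc($1)
	allow $1 selinux_config_t:dir search_dir_perms;
	# Files only; unlike seutil_manage_login_config() no directory
	# management is granted.
	manage_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
	read_lnk_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
')

########################################
## <summary>
##	Search the policy directory with default_context files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_search_default_contexts',`
	gen_require(`
		type selinux_config_t, default_context_t;
	')

	files_search_etc($1)
	search_dirs_pattern($1, selinux_config_t, default_context_t)
')

########################################
## <summary>
##	Read the default_contexts files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`seutil_read_default_contexts',`
	gen_require(`
		type selinux_config_t, default_context_t;
	')

	files_search_etc($1)
	allow $1 selinux_config_t:dir search_dir_perms;
	allow $1 default_context_t:dir list_dir_perms;
	read_files_pattern($1, default_context_t, default_context_t)
')

########################################
## <summary>
##	Read and write the default_contexts files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`seutil_rw_default_contexts',`
	gen_require(`
		type default_context_t;
		type selinux_config_t;
	')

	files_search_etc($1)
	# Only traversal of the parent config dir is needed to reach the
	# contexts dir; this matches seutil_read_default_contexts() and
	# seutil_manage_default_contexts(), which grant search, not list.
	allow $1 selinux_config_t:dir search_dir_perms;
	allow $1 default_context_t:dir list_dir_perms;
	rw_files_pattern($1, default_context_t, default_context_t)
')

########################################
## <summary>
##	Create, read, write, and delete the default_contexts files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_manage_default_contexts',`
	gen_require(`
		type selinux_config_t, default_context_t;
	')

	files_search_etc($1)
	allow $1 selinux_config_t:dir search_dir_perms;
	manage_files_pattern($1, default_context_t, default_context_t)
')

########################################
## <summary>
##	Read the file_contexts files.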
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`seutil_read_file_contexts',`
	gen_require(`
		type selinux_config_t, default_context_t, file_context_t;
	')

	files_search_etc($1)
	allow $1 { selinux_config_t default_context_t }:dir search_dir_perms;
	list_dirs_pattern($1, file_context_t, file_context_t)
	read_files_pattern($1, file_context_t, file_context_t)
	read_lnk_files_pattern($1, file_context_t, file_context_t)
	# NOTE(review): map is granted in addition to read; presumably the
	# compiled file_contexts database is mmap()ed by libselinux — confirm.
	allow $1 file_context_t:file map;
')

########################################
## <summary>
##	Do not audit attempts to read the file_contexts files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <rolecap/>
#
interface(`seutil_dontaudit_read_file_contexts',`
	gen_require(`
		type selinux_config_t, default_context_t, file_context_t;
	')

	dontaudit $1 { selinux_config_t default_context_t file_context_t }:dir search_dir_perms;
	dontaudit $1 file_context_t:file read_file_perms;
	dontaudit $1 file_context_t:file map;
')

########################################
## <summary>
##	Read and write the file_contexts files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_rw_file_contexts',`
	gen_require(`
		type selinux_config_t, file_context_t, default_context_t;
	')

	files_search_etc($1)
	allow $1 { selinux_config_t default_context_t }:dir search_dir_perms;
	rw_files_pattern($1, file_context_t, file_context_t)
	allow $1 file_context_t:file map;
')

########################################
## <summary>
##	Create, read, write, and delete the file_contexts files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`seutil_manage_file_contexts',`
	gen_require(`
		type selinux_config_t, file_context_t, default_context_t;
	')

	files_search_etc($1)
	allow $1 { selinux_config_t default_context_t }:dir search_dir_perms;
	manage_files_pattern($1, file_context_t, file_context_t)
	manage_dirs_pattern($1, file_context_t, file_context_t)
	allow $1 file_context_t:file map;
')

########################################
## <summary>
##	Read the SELinux binary policy.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_read_bin_policy',`
	gen_require(`
		type selinux_config_t, policy_config_t;
	')

	files_search_etc($1)
	allow $1 selinux_config_t:dir search_dir_perms;
	read_files_pattern($1, policy_config_t, policy_config_t)
	allow $1 policy_config_t:file map;
')

########################################
## <summary>
##	Create the SELinux binary policy.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_create_bin_policy',`
	gen_require(`
		# attribute can_write_binary_policy;
		type selinux_config_t, policy_config_t;
	')

	files_search_etc($1)
	allow $1 selinux_config_t:dir search_dir_perms;
	# create + write, but no unlink/rename: the caller can produce a new
	# policy file but not remove an existing one.
	create_files_pattern($1, policy_config_t, policy_config_t)
	write_files_pattern($1, policy_config_t, policy_config_t)
	# The attribute assignment is intentionally left disabled here (see
	# seutil_manage_bin_policy() for the variant that sets it).
	# typeattribute $1 can_write_binary_policy;
')

########################################
## <summary>
##	Allow the caller to relabel a file to the binary policy type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_relabelto_bin_policy',`
	gen_require(`
		attribute can_relabelto_binary_policy;
		type policy_config_t;
	')

	allow $1 policy_config_t:file relabelto;
	# NOTE(review): the attribute is presumably the exemption list used by
	# a neverallow assertion on relabelto policy_config_t — confirm in the
	# .te file before widening the set of callers.
	typeattribute $1 can_relabelto_binary_policy;
')

########################################
## <summary>
##	Create, read, write, and delete the SELinux
##	binary policy.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_manage_bin_policy',`
	gen_require(`
		attribute can_write_binary_policy;
		type selinux_config_t, policy_config_t;
	')

	files_search_etc($1)
	allow $1 selinux_config_t:dir search_dir_perms;
	manage_files_pattern($1, policy_config_t, policy_config_t)
	# Writing the binary policy is equivalent to controlling the policy
	# the kernel will load next; the attribute marks such domains so
	# assertions elsewhere can constrain them.
	typeattribute $1 can_write_binary_policy;
')

########################################
## <summary>
##	Read SELinux policy source files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_read_src_policy',`
	gen_require(`
		type selinux_config_t, policy_src_t;
	')

	files_search_etc($1)
	list_dirs_pattern($1, selinux_config_t, policy_src_t)
	read_files_pattern($1, policy_src_t, policy_src_t)
')

########################################
## <summary>
##	Create, read, write, and delete SELinux
##	policy source files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`seutil_manage_src_policy',`
	gen_require(`
		type selinux_config_t, policy_src_t;
	')

	files_search_etc($1)
	allow $1 selinux_config_t:dir search_dir_perms;
	manage_dirs_pattern($1, policy_src_t, policy_src_t)
	manage_files_pattern($1, policy_src_t, policy_src_t)
')

########################################
## <summary>
##	Execute a domain transition to run semanage.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`seutil_domtrans_semanage',`
	gen_require(`
		type semanage_t, semanage_exec_t;
	')

	files_search_usr($1)
	corecmd_search_bin($1)
	domtrans_pattern($1, semanage_exec_t, semanage_t)
')

########################################
## <summary>
##	Execute a domain transition to run setsebool.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`seutil_domtrans_setsebool',`
	gen_require(`
		type setsebool_t, setsebool_exec_t;
	')

	files_search_usr($1)
	corecmd_search_bin($1)
	domtrans_pattern($1, setsebool_exec_t, setsebool_t)
')

########################################
## <summary>
##	Execute semanage in the semanage domain, and
##	allow the specified role the semanage domain,
##	and use the caller's terminal.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
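##	</summary>
## </param>
## <rolecap/>
#
interface(`seutil_run_semanage',`
	gen_require(`
		#attribute_role semanage_roles;
		type semanage_t;
	')

	#seutil_domtrans_semanage($1)
	#roleattribute $2 semanage_roles;
	seutil_domtrans_semanage($1)
	# semanage relabels and reloads policy on commit, so the role also
	# needs the setfiles and load_policy domains reachable from semanage_t.
	seutil_run_setfiles(semanage_t, $2)
	seutil_run_loadpolicy(semanage_t, $2)
	role $2 types semanage_t;
')

########################################
## <summary>
##	Execute setsebool in the setsebool domain, and
##	allow the specified role the setsebool domain,
##	and use the caller's terminal.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed the setsebool domain.
##	</summary>
## </param>
## <rolecap/>
#
interface(`seutil_run_setsebool',`
	gen_require(`
		# The role statement below names setsebool_t, so that is the type
		# this interface must require (it previously required semanage_t,
		# which it never uses).
		type setsebool_t;
	')

	seutil_domtrans_setsebool($1)
	role $2 types setsebool_t;
')

########################################
## <summary>
##	Access check on the semanage
##	module store.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_access_check_module_store',`
	gen_require(`
		type semanage_store_t;
	')

	files_search_etc($1)
	# audit_access only: lets access(2)-style probes succeed without
	# granting any actual read/write on the store.
	allow $1 semanage_store_t:dir_file_class_set audit_access;
')

########################################
## <summary>
##	Read the semanage
##	module store.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_read_module_store',`
	gen_require(`
		type selinux_config_t, semanage_store_t;
	')

	files_search_etc($1)
	list_dirs_pattern($1, selinux_config_t, semanage_store_t)
	read_files_pattern($1, semanage_store_t, semanage_store_t)
	read_lnk_files_pattern($1, semanage_store_t, semanage_store_t)
')

########################################
## <summary>
##	Do not audit attempts to read the
##	semanage module store.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`seutil_dontaudit_read_module_store',`
	gen_require(`
		type semanage_store_t;
	')

	dontaudit $1 semanage_store_t:dir list_dir_perms;
	dontaudit $1 semanage_store_t:file read_file_perms;
')

########################################
## <summary>
##	Dontaudit access check on module store
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.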
##	</summary>
## </param>
#
interface(`seutil_dontaudit_access_check_semanage_module_store',`
	gen_require(`
		type semanage_store_t;
	')

	dontaudit $1 semanage_store_t:dir_file_class_set audit_access;
')

########################################
## <summary>
##	Full management of the semanage
##	module store.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_manage_module_store',`
	gen_require(`
		type selinux_config_t, semanage_store_t;
	')

	files_search_etc($1)
	files_search_var($1)
	manage_dirs_pattern($1, selinux_config_t, semanage_store_t)
	manage_dirs_pattern($1, semanage_store_t, semanage_store_t)
	manage_files_pattern($1, semanage_store_t, semanage_store_t)
	manage_lnk_files_pattern($1, semanage_store_t, semanage_store_t)
	# Name-based transitions so the store subdirectories created under
	# selinux_config_t get the store label rather than inheriting the
	# parent's type.
	filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "modules")
	filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "active")
	filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "previous")
	filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "tmp")
')

########################################
## <summary>
##	Get read lock on module store
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_get_semanage_read_lock',`
	gen_require(`
		type selinux_config_t, semanage_read_lock_t;
	')

	files_search_etc($1)
	# Taking the lock needs rw on the lock file, not just read.
	rw_files_pattern($1, selinux_config_t, semanage_read_lock_t)
')

########################################
## <summary>
##	Dontaudit access check on the module store read lock
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_dontaudit_access_check_semanage_read_lock',`
	gen_require(`
		type semanage_read_lock_t;
	')

	dontaudit $1 semanage_read_lock_t:dir_file_class_set audit_access;
')

########################################
## <summary>
##	Get trans lock on module store
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_get_semanage_trans_lock',`
	gen_require(`
		type selinux_config_t, semanage_trans_lock_t;
	')

	files_search_etc($1)
	rw_files_pattern($1, selinux_config_t, semanage_trans_lock_t)
')

########################################
## <summary>
##	SELinux-enabled program access for
##	libselinux-linked programs.
## </summary>
## <desc>
##	<p>
##	SELinux-enabled programs are typically
##	linked to the libselinux library. This
##	interface will allow access required for
##	the libselinux constructor to function.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_libselinux_linked',`
	# No gen_require: everything needed is pulled in by the two
	# interfaces called here.
	selinux_get_fs_mount($1)
	seutil_read_config($1)
')

########################################
## <summary>
##	Do not audit SELinux-enabled program access for
##	libselinux-linked programs.
## </summary>
## <desc>
##	<p>
##	SELinux-enabled programs are typically
##	linked to the libselinux library. This
##	interface will dontaudit access required for
##	the libselinux constructor to function.
##	</p>
##	<p>
##	Generally this should not be used on anything
##	but simple SELinux-enabled programs that do not
##	rely on data initialized by the libselinux
##	constructor.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`seutil_dontaudit_libselinux_linked',`
	selinux_dontaudit_get_fs_mount($1)
	seutil_dontaudit_read_config($1)
')

########################################
## <summary>
##	All rules necessary to run semanage command
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_semanage_policy',`
	gen_require(`
		type semanage_tmp_t;
		type policy_config_t;
		attribute policy_manager_domain;
	')

	# NOTE(review): semanage_tmp_t and policy_config_t are required but not
	# referenced in this body; presumably kept for the attribute's rules in
	# the .te file — confirm before removing.
	typeattribute $1 policy_manager_domain;

	kernel_read_system_state($1)

	# Running genhomedircon requires this for finding all users
	auth_use_nsswitch($1)

	# Policy management crosses all MLS levels, hence both directions.
	mls_file_write_all_levels($1)
	mls_file_read_all_levels($1)

	selinux_get_enforce_mode($1)

	# This is the privilege-bearing grant: $1 becomes a binary-policy writer.
	seutil_manage_bin_policy($1)

	logging_send_syslog_msg($1)
')

########################################
## <summary>
##	All rules necessary to run setfiles command
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_setfiles',`
	gen_require(`
		attribute setfiles_domain;
	')

	typeattribute $1 setfiles_domain;

	kernel_read_system_state($1)

	seutil_libselinux_linked($1)

	# Relabeling every file on the system is the whole job; this is as
	# powerful as it sounds, so keep the set of setfiles_domain members small.
	files_relabel_all_files($1)

	mls_file_read_all_levels($1)
	mls_file_write_all_levels($1)
	mls_file_upgrade($1)
	mls_file_downgrade($1)

	# this is to satisfy the assertion:
	auth_relabelto_shadow($1)

	logging_send_syslog_msg($1)
')

########################################
## <summary>
##	File name transition for selinux utility content
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_filetrans_named_content',`
	gen_require(`
		type default_context_t, semanage_store_t;
		type selinux_config_t, semanage_trans_lock_t;
		type file_context_t, selinux_login_config_t;
	')

	# Name-based type transitions under /etc/selinux so that files and
	# directories created by $1 with these names get the right label
	# without a later relabel.
	filetrans_pattern($1, selinux_config_t, default_context_t, dir, "contexts")
	filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "policy")
	filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "active")
	filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "tmp")
	filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "previous")
	# NOTE(review): both lock files transition to semanage_trans_lock_t,
	# although a separate semanage_read_lock_t exists (see
	# seutil_get_semanage_read_lock()). If the file contexts label
	# semanage.read.LOCK as semanage_read_lock_t, the first line below
	# creates a mislabelled file — confirm against the .fc file.
	filetrans_pattern($1, selinux_config_t, semanage_trans_lock_t, file, "semanage.read.LOCK")
	filetrans_pattern($1, selinux_config_t, semanage_trans_lock_t, file, "semanage.trans.LOCK")
	filetrans_pattern($1, selinux_config_t, selinux_login_config_t, dir, "logins")
	filetrans_pattern($1, default_context_t, file_context_t, dir, "files")
	userdom_admin_home_dir_filetrans($1, default_context_t, file, ".default_context")
')

########################################
## <summary>
##	Send and receive messages from
##	semanage dbus server over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_dbus_chat_semanage',`
	gen_require(`
		type semanage_t;
		class dbus send_msg;
	')

	# Bidirectional: the caller talks to semanage_t and semanage_t replies.
	ps_process_pattern(semanage_t, $1)
	allow $1 semanage_t:dbus send_msg;
	allow semanage_t $1:dbus send_msg;
')