## ## Basic filesystem types and interfaces. ## ## ##

## This module contains basic filesystem types and interfaces. This ## includes: ##

##

##
## ## Contains the concept of a file. ## Comains the file initial SID. ## ##################################### ## ## files stub etc_t interface. No access allowed. ## ## ## ## Domain allowed access ## ## # interface(`files_stub_etc',` gen_require(` type etc_t; ') ') ##################################### ## ## files stub var_lock_t interface. No access allowed. ## ## ## ## Domain allowed access ## ## # interface(`files_stub_var_lock',` gen_require(` type var_lock_t; ') ') ##################################### ## ## files stub var_log_t interface. No access allowed. ## ## ## ## Domain allowed access ## ## # interface(`files_stub_var_log',` gen_require(` type var_log_t; ') ') ##################################### ## ## files stub var_lib_t interface. No access allowed. ## ## ## ## Domain allowed access ## ## # interface(`files_stub_var_lib',` gen_require(` type var_lib_t; ') ') ##################################### ## ## files stub var_run_t interface. No access allowed. ## ## ## ## Domain allowed access ## ## # interface(`files_stub_var_run',` gen_require(` type var_run_t; ') ') ##################################### ## ## files stub var_run_t interface. No access allowed. ## ## ## ## Domain allowed access ## ## # interface(`files_stub_var_spool',` gen_require(` type var_spool_t; ') ') ##################################### ## ## files stub var_run_t interface. No access allowed. ## ## ## ## Domain allowed access ## ## # interface(`files_stub_var',` gen_require(` type var_t; ') ') ##################################### ## ## files stub tmp_t interface. No access allowed. ## ## ## ## Domain allowed access ## ## # interface(`files_stub_tmp',` gen_require(` type tmp_t; ') ') ######################################## ## ## Make the specified type usable for files ## in a filesystem. ## ## ##

## Make the specified type usable for files ## in a filesystem. Types used for files that ## do not use this interface, or an interface that ## calls this one, will have unexpected behaviors ## while the system is running. If the type is used ## for device nodes (character or block files), then ## the dev_node() interface is more appropriate. ##

##

## Related interfaces: ##

## ##

## Example: ##

##

## type myfile_t; ## files_type(myfile_t) ## allow mydomain_t myfile_t:file read_file_perms; ##

##
## ## ## Type to be used for files. ## ## ## # interface(`files_type',` gen_require(` attribute file_type, non_security_file_type, non_auth_file_type; ') typeattribute $1 file_type, non_security_file_type, non_auth_file_type; ') ######################################## ## ## Mark the specified type as a file ## that is related to authentication. ## ## ## ## Type of the authentication-related ## file. ## ## # interface(`files_auth_file',` gen_require(` attribute file_type, security_file_type, auth_file_type; ') typeattribute $1 file_type, security_file_type, auth_file_type; ') ######################################## ## ## Make the specified type a file that ## should not be dontaudited from ## browsing from user domains. ## ## ## ## Type of the file to be used as a ## member directory. ## ## # interface(`files_security_file',` gen_require(` attribute file_type, security_file_type, non_auth_file_type; ') typeattribute $1 file_type, security_file_type, non_auth_file_type; ') ######################################## ## ## Make the specified type usable for ## filesystem mount points. ## ## ## ## Type to be used for mount points. ## ## # interface(`files_mountpoint',` gen_require(` attribute mountpoint; ') files_type($1) typeattribute $1 mountpoint; ') ######################################## ## ## Create a private type object in mountpoint dir ## with an automatic type transition ## ## ## ## Domain allowed access. ## ## ## ## ## The type of the object to be created. ## ## ## ## ## The object class of the object being created. ## ## ## ## ## The name of the object being created. ## ## # interface(`files_mountpoint_filetrans',` gen_require(` attribute mountpoint; ') filetrans_pattern($1, mountpoint, $2, $3, $4) ') ######################################## ## ## Make the specified type usable for ## security file filesystem mount points. ## ## ## ## Type to be used for mount points. ## ## # interface(`files_security_mountpoint',` gen_require(` attribute mountpoint; ') files_security_file($1) typeattribute $1 mountpoint; ') ######################################## ## ## Make the specified type usable for ## lock files. ## ## ## ## Type to be used for lock files. ## ## # interface(`files_lock_file',` gen_require(` attribute lockfile; ') files_type($1) typeattribute $1 lockfile; ') ######################################## ## ## Make the specified type usable for ## runtime process ID files. ## ## ##

## Make the specified type usable for runtime process ID files, ## typically found in /var/run. ## This will also make the type usable for files, making ## calls to files_type() redundant. Failure to use this interface ## for a PID file type may result in problems with starting ## or stopping services. ##

##

## Related interfaces: ##

## ##

## Example usage with a domain that can create and ## write its PID file with a private PID file type in the ## /var/run directory: ##

##

## type mypidfile_t; ## files_pid_file(mypidfile_t) ## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms }; ## files_pid_filetrans(mydomain_t, mypidfile_t, file) ##

##
## ## ## Type to be used for PID files. ## ## ## # interface(`files_pid_file',` gen_require(` attribute pidfile; ') files_type($1) typeattribute $1 pidfile; ') ######################################## ## ## Make the specified type a ## configuration file. ## ## ##

## Make the specified type usable for configuration files. ## This will also make the type usable for files, making ## calls to files_type() redundant. Failure to use this interface ## for a temporary file may result in problems with ## configuration management tools. ##

##

## Example usage with a domain that can read ## its configuration file /etc: ##

##

## type myconffile_t; ## files_config_file(myconffile_t) ## allow mydomain_t myconffile_t:file read_file_perms; ## files_search_etc(mydomain_t) ##

##
## ## ## Type to be used as a configuration file. ## ## ## # interface(`files_config_file',` gen_require(` attribute configfile; ') files_type($1) typeattribute $1 configfile; ') ######################################## ## ## Make the specified type a ## polyinstantiated directory. ## ## ## ## Type of the file to be used as a ## polyinstantiated directory. ## ## # interface(`files_poly',` gen_require(` attribute polydir; ') files_type($1) typeattribute $1 polydir; ') ######################################## ## ## Make the specified type a parent ## of a polyinstantiated directory. ## ## ## ## Type of the file to be used as a ## parent directory. ## ## # interface(`files_poly_parent',` gen_require(` attribute polyparent; ') files_type($1) typeattribute $1 polyparent; ') ######################################## ## ## Make the specified type a ## polyinstantiation member directory. ## ## ## ## Type of the file to be used as a ## member directory. ## ## # interface(`files_poly_member',` gen_require(` attribute polymember; ') files_type($1) typeattribute $1 polymember; ') ######################################## ## ## Make the domain use the specified ## type of polyinstantiated directory. ## ## ## ## Domain using the polyinstantiated ## directory. ## ## ## ## ## Type of the file to be used as a ## member directory. ## ## # interface(`files_poly_member_tmp',` gen_require(` type tmp_t; ') type_member $1 tmp_t:dir $2; ') ######################################## ## ## Make the specified type a file ## used for temporary files. ## ## ##

## Make the specified type usable for temporary files. ## This will also make the type usable for files, making ## calls to files_type() redundant. Failure to use this interface ## for a temporary file may result in problems with ## purging temporary files. ##

##

## Related interfaces: ##

##
    ##
  • files_tmp_filetrans()
  • ##
##

## Example usage with a domain that can create and ## write its temporary file in the system temporary file ## directories (/tmp or /var/tmp): ##

##

## type mytmpfile_t; ## files_tmp_file(mytmpfile_t) ## allow mydomain_t mytmpfile_t:file { create_file_perms write_file_perms }; ## files_tmp_filetrans(mydomain_t, mytmpfile_t, file) ##

##
## ## ## Type of the file to be used as a ## temporary file. ## ## ## # interface(`files_tmp_file',` gen_require(` attribute tmpfile; type tmp_t; ') files_type($1) files_poly_member($1) typeattribute $1 tmpfile; ') ######################################## ## ## Transform the type into a file, for use on a ## virtual memory filesystem (tmpfs). ## ## ## ## The type to be transformed. ## ## # interface(`files_tmpfs_file',` gen_require(` attribute tmpfsfile; ') files_type($1) typeattribute $1 tmpfsfile; ') ######################################## ## ## Get the attributes of all directories. ## ## ## ## Domain allowed access. ## ## # interface(`files_getattr_all_dirs',` gen_require(` attribute file_type; ') getattr_dirs_pattern($1, file_type, file_type) ') ######################################## ## ## Do not audit attempts to get the attributes ## of all directories. ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_getattr_all_dirs',` gen_require(` attribute file_type; ') dontaudit $1 file_type:dir getattr; ') ######################################## ## ## Get attributes of all non-security directories. ## ## ## ## Domain allowed access. ## ## # interface(`files_getattr_non_security_dirs',` gen_require(` attribute non_security_file_type; ') allow $1 non_security_file_type:dir getattr_dir_perms; ') ######################################## ## ## List all non-security directories. ## ## ## ## Domain allowed access. ## ## # interface(`files_list_non_security',` gen_require(` attribute non_security_file_type; ') list_dirs_pattern($1, non_security_file_type, non_security_file_type) ') ######################################## ## ## Watch all non-security directories. ## ## ## ## Domain allowed access. ## ## # interface(`files_watch_non_security_dirs',` gen_require(` attribute non_security_file_type; ') watch_dirs_pattern($1, non_security_file_type, non_security_file_type) ') ######################################## ## ## Watch all non-security files. ## ## ## ## Domain allowed access. ## ## # interface(`files_watch_non_security_files',` gen_require(` attribute non_security_file_type; ') watch_files_pattern($1, non_security_file_type, non_security_file_type) ') ######################################## ## ## Watch all non-security lnk_files. ## ## ## ## Domain allowed access. ## ## # interface(`files_watch_non_security_lnk_files',` gen_require(` attribute non_security_file_type; ') watch_lnk_files_pattern($1, non_security_file_type, non_security_file_type) ') ######################################## ## ## Do not audit attempts to list all ## non-security directories. ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_list_non_security',` gen_require(` attribute non_security_file_type; ') dontaudit $1 non_security_file_type:dir list_dir_perms; ') ######################################## ## ## Mount a filesystem on all non-security ## directories and files. ## ## ## ## Domain allowed access. ## ## # interface(`files_mounton_non_security',` gen_require(` attribute non_security_file_type; ') allow $1 non_security_file_type:dir { write setattr mounton }; allow $1 non_security_file_type:file mounton; ') ######################################## ## ## Allow attempts to modify any directory ## ## ## ## Domain allowed access. ## ## # interface(`files_write_non_security_dirs',` gen_require(` attribute non_security_file_type; ') allow $1 non_security_file_type:dir write; ') ######################################## ## ## Allow attempts to setattr any directory ## ## ## ## Domain allowed access. ## ## # interface(`files_setattr_non_security_dirs',` gen_require(` attribute non_security_file_type; ') allow $1 non_security_file_type:dir { read setattr }; ') ######################################## ## ## Allow attempts to create non-security directories ## ## ## ## Domain allowed access. ## ## # interface(`files_create_non_security_dirs',` gen_require(` attribute non_security_file_type; ') allow $1 non_security_file_type:dir { create_dir_perms }; ') ######################################## ## ## Allow attempts to manage non-security directories ## ## ## ## Domain allowed access. ## ## # interface(`files_manage_non_security_dirs',` gen_require(` attribute non_security_file_type; ') allow $1 non_security_file_type:dir manage_dir_perms; ') ######################################## ## ## Allow attempts to search non-security directories ## ## ## ## Domain allowed access. ## ## # interface(`files_search_non_security_dirs',` gen_require(` attribute non_security_file_type; ') allow $1 non_security_file_type:dir search_dir_perms; ') ######################################## ## ## Get the attributes of all files. ## ## ## ## Domain allowed access. ## ## # interface(`files_getattr_all_files',` gen_require(` attribute file_type; ') getattr_files_pattern($1, file_type, file_type) getattr_lnk_files_pattern($1, file_type, file_type) ') ######################################## ## ## Get the attributes of all chr files. ## ## ## ## Domain allowed access. ## ## # interface(`files_getattr_all_chr_files',` gen_require(` attribute file_type; ') getattr_chr_files_pattern($1, file_type, file_type) ') ######################################## ## ## Get the attributes of all blk files. ## ## ## ## Domain allowed access. ## ## # interface(`files_getattr_all_blk_files',` gen_require(` attribute file_type; ') getattr_blk_files_pattern($1, file_type, file_type) ') ######################################## ## ## Do not audit attempts to get the attributes ## of all files. ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_getattr_all_files',` gen_require(` attribute file_type; ') dontaudit $1 file_type:file getattr; ') ######################################## ## ## Do not audit attempts to get the attributes ## of non security files. ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_getattr_non_security_files',` gen_require(` attribute non_security_file_type; ') dontaudit $1 non_security_file_type:file getattr; ') ######################################## ## ## Do not audit attempts to get the attributes ## of proc_type files. ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_getattr_proc_type_files',` gen_require(` attribute proc_type; ') dontaudit $1 proc_type:file getattr; ') ######################################## ## ## Do not audit attempts to get the attributes ## of sysctl_type files. ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_getattr_sysctl_type_files',` gen_require(` attribute sysctl_type; ') dontaudit $1 sysctl_type:file getattr; ') ######################################## ## ## Do not audit attempts to get the attributes ## of filesystem_type files. ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_getattr_filesystem_type_files',` gen_require(` attribute filesystem_type; ') dontaudit $1 filesystem_type:file getattr; ') ######################################## ## ## Do not audit attempts to search ## non security dirs. ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_search_non_security_dirs',` gen_require(` attribute non_security_file_type; ') dontaudit $1 non_security_file_type:dir search_dir_perms; ') ######################################## ## ## Do not audit attempts to set the attributes ## of non security files. ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_setattr_non_security_files',` gen_require(` attribute non_security_file_type; ') dontaudit $1 non_security_file_type:file setattr; ') ######################################## ## ## Do not audit attempts to set the attributes ## of non security directories. ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_setattr_non_security_dirs',` gen_require(` attribute non_security_file_type; ') dontaudit $1 non_security_file_type:dir setattr; ') ######################################## ## ## Read all files. ## ## ## ## Domain allowed access. ## ## # interface(`files_read_all_files',` gen_require(` attribute file_type; ') allow $1 file_type:dir list_dir_perms; read_files_pattern($1, file_type, file_type) optional_policy(` auth_read_shadow($1) ') ') ######################################## ## ## Mmap all files. ## ## ## ## Domain allowed access. ## ## # interface(`files_mmap_all_files',` gen_require(` attribute file_type; ') allow $1 file_type:file map; ') ######################################## ## ## Allow shared library text relocations in all files. ## ## ##

## Allow shared library text relocations in all files. ##

##

## This is added to support WINE policy. ##

##
## ## ## Domain allowed access. ## ## # interface(`files_execmod_all_files',` gen_require(` attribute file_type; ') allow $1 file_type:file execmod; ') ######################################## ## ## Read all non-security files. ## ## ## ## Domain allowed access. ## ## ## # interface(`files_read_non_security_files',` gen_require(` attribute non_security_file_type; ') list_dirs_pattern($1, non_security_file_type, non_security_file_type) read_files_pattern($1, non_security_file_type, non_security_file_type) read_lnk_files_pattern($1, non_security_file_type, non_security_file_type) ') ######################################## ## ## Read all non-security socket files. ## ## ## ## Domain allowed access. ## ## ## # interface(`files_read_non_security_sock_files',` gen_require(` attribute non_security_file_type; ') read_sock_files_pattern($1, non_security_file_type, non_security_file_type) ') ######################################## ## ## Map all non-security files. ## ## ## ## Domain allowed access. ## ## ## # interface(`files_map_non_security_files',` gen_require(` attribute non_security_file_type; ') allow $1 non_security_file_type:file map; ') ######################################## ## ## Read/Write all inherited non-security files. ## ## ## ## Domain allowed access. ## ## ## # interface(`files_rw_inherited_non_security_files',` gen_require(` attribute non_security_file_type; ') allow $1 non_security_file_type:file { read write }; ') ######################################## ## ## Allow Append to non-security files. ## ## ## ## Domain allowed access. ## ## ## # interface(`files_append_non_security_files',` gen_require(` attribute non_security_file_type; ') allow $1 non_security_file_type:file append_file_perms; ') ######################################## ## ## Manage all non-security files. ## ## ## ## Domain allowed access. ## ## ## # interface(`files_manage_non_security_files',` gen_require(` attribute non_security_file_type; ') manage_files_pattern($1, non_security_file_type, non_security_file_type) manage_lnk_files_pattern($1, non_security_file_type, non_security_file_type) ') ######################################## ## ## Relabel all non-security files. ## ## ## ## Domain allowed access. ## ## ## # interface(`files_relabel_non_security_files',` gen_require(` attribute non_security_file_type; ') relabel_files_pattern($1, non_security_file_type, non_security_file_type) allow $1 { non_security_file_type }:dir list_dir_perms; relabel_dirs_pattern($1, { non_security_file_type }, { non_security_file_type }) relabel_files_pattern($1, { non_security_file_type }, { non_security_file_type }) relabel_lnk_files_pattern($1, { non_security_file_type }, { non_security_file_type }) relabel_fifo_files_pattern($1, { non_security_file_type }, { non_security_file_type }) relabel_sock_files_pattern($1, { non_security_file_type }, { non_security_file_type }) relabel_blk_files_pattern($1, { non_security_file_type }, { non_security_file_type }) relabel_chr_files_pattern($1, { non_security_file_type }, { non_security_file_type }) # satisfy the assertions: seutil_relabelto_bin_policy($1) ') ######################################## ## ## Search all base file dirs. ## ## ## ## Domain allowed access. ## ## # interface(`files_search_base_file_types',` gen_require(` attribute base_file_type; ') allow $1 base_file_type:dir search_dir_perms; ') ######################################## ## ## Relabel all base file types. ## ## ## ## Domain allowed access. ## ## # interface(`files_relabel_base_file_types',` gen_require(` attribute base_file_type; ') allow $1 base_file_type:dir list_dir_perms; relabel_dirs_pattern($1, base_file_type , base_file_type ) relabel_files_pattern($1, base_file_type , base_file_type ) relabel_lnk_files_pattern($1, base_file_type , base_file_type ) relabel_fifo_files_pattern($1, base_file_type , base_file_type ) relabel_sock_files_pattern($1, base_file_type , base_file_type ) relabel_blk_files_pattern($1, base_file_type , base_file_type ) relabel_chr_files_pattern($1, base_file_type , base_file_type ) ') ######################################## ## ## Read all directories on the filesystem, except ## the listed exceptions. ## ## ## ## Domain allowed access. ## ## ## ## ## The types to be excluded. Each type or attribute ## must be negated by the caller. ## ## # interface(`files_read_all_dirs_except',` gen_require(` attribute file_type; ') allow $1 { file_type $2 }:dir list_dir_perms; ') ######################################## ## ## Read all files on the filesystem, except ## the listed exceptions. ## ## ## ## Domain allowed access. ## ## ## ## ## The types to be excluded. Each type or attribute ## must be negated by the caller. ## ## # interface(`files_read_all_files_except',` gen_require(` attribute file_type; ') read_files_pattern($1, { file_type $2 }, { file_type $2 }) ') ######################################## ## ## Read all symbolic links on the filesystem, except ## the listed exceptions. ## ## ## ## Domain allowed access. ## ## ## ## ## The types to be excluded. Each type or attribute ## must be negated by the caller. ## ## # interface(`files_read_all_symlinks_except',` gen_require(` attribute file_type; ') read_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) ') ######################################## ## ## Get the attributes of all symbolic links. ## ## ## ## Domain allowed access. ## ## # interface(`files_getattr_all_symlinks',` gen_require(` attribute file_type; ') getattr_lnk_files_pattern($1, file_type, file_type) ') ######################################## ## ## Do not audit attempts to get the attributes ## of all symbolic links. ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_getattr_all_symlinks',` gen_require(` attribute file_type; ') dontaudit $1 file_type:lnk_file getattr; ') ######################################## ## ## Do not audit attempts to read all symbolic links. ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_read_all_symlinks',` gen_require(` attribute file_type; ') dontaudit $1 file_type:lnk_file read; ') ######################################## ## ## Do not audit attempts to get the attributes ## of non security symbolic links. ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_getattr_non_security_symlinks',` gen_require(` attribute non_security_file_type; ') dontaudit $1 non_security_file_type:lnk_file getattr; ') ######################################## ## ## Do not audit attempts to get the attributes ## of non security block devices. ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_getattr_non_security_blk_files',` gen_require(` attribute non_security_file_type; ') dontaudit $1 non_security_file_type:blk_file getattr; ') ######################################## ## ## Do not audit attempts to get the attributes ## of non security character devices. ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_getattr_non_security_chr_files',` gen_require(` attribute non_security_file_type; ') dontaudit $1 non_security_file_type:chr_file getattr; ') ######################################## ## ## Read all symbolic links. ## ## ## ## Domain allowed access. ## ## ## # interface(`files_read_all_symlinks',` gen_require(` attribute file_type; ') allow $1 file_type:dir list_dir_perms; read_lnk_files_pattern($1, file_type, file_type) ') ######################################## ## ## Get the attributes of all named pipes. ## ## ## ## Domain allowed access. ## ## # interface(`files_getattr_all_pipes',` gen_require(` attribute file_type; ') allow $1 file_type:dir list_dir_perms; getattr_fifo_files_pattern($1, file_type, file_type) ') ######################################## ## ## Do not audit attempts to get the attributes ## of all named pipes. ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_getattr_all_pipes',` gen_require(` attribute file_type; ') dontaudit $1 file_type:fifo_file getattr; ') ######################################## ## ## Do not audit attempts to get the attributes ## of non security named pipes. ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_getattr_non_security_pipes',` gen_require(` attribute non_security_file_type; ') dontaudit $1 non_security_file_type:fifo_file getattr; ') ######################################## ## ## Do not audit attempts to read/write ## of non security named pipes. ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_rw_inherited_pipes',` gen_require(` attribute non_security_file_type; ') dontaudit $1 non_security_file_type:fifo_file rw_inherited_fifo_file_perms; ') ######################################## ## ## Get the attributes of all named sockets. ## ## ## ## Domain allowed access. ## ## # interface(`files_getattr_all_sockets',` gen_require(` attribute file_type; ') allow $1 file_type:dir list_dir_perms; getattr_sock_files_pattern($1, file_type, file_type) ') ######################################## ## ## Do not audit attempts to get the attributes ## of all named sockets. ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_getattr_all_sockets',` gen_require(` attribute file_type; ') dontaudit $1 file_type:sock_file getattr; ') ######################################## ## ## Do not audit attempts to read ## of all named sockets. ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_read_all_sockets',` gen_require(` attribute file_type; ') dontaudit $1 file_type:sock_file read; ') ######################################## ## ## Do not audit attempts to execute ## any named socket. ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_execute_all_sockets',` gen_require(` attribute file_type; ') dontaudit $1 file_type:sock_file execute; ') ######################################## ## ## Do not audit attempts to read ## of all security file types. ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_read_all_non_security_files',` gen_require(` attribute non_security_file_type; ') dontaudit $1 non_security_file_type:file read_file_perms; ') ######################################## ## ## Do not audit attempts to get the attributes ## of non security named sockets. ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_getattr_non_security_sockets',` gen_require(` attribute non_security_file_type; ') dontaudit $1 non_security_file_type:sock_file getattr; ') ######################################## ## ## Read all block nodes with file types. ## ## ## ## Domain allowed access. ## ## # interface(`files_read_all_blk_files',` gen_require(` attribute file_type; ') read_blk_files_pattern($1, file_type, file_type) ') ######################################## ## ## Read all character nodes with file types. ## ## ## ## Domain allowed access. ## ## # interface(`files_read_all_chr_files',` gen_require(` attribute file_type; ') read_chr_files_pattern($1, file_type, file_type) ') ######################################## ## ## Relabel all files on the filesystem, except ## the listed exceptions. ## ## ## ## Domain allowed access. ## ## ## ## ## The types to be excluded. Each type or attribute ## must be negated by the caller. ## ## ## # interface(`files_relabel_all_files',` gen_require(` attribute file_type; ') allow $1 { file_type $2 }:dir list_dir_perms; relabel_dirs_pattern($1, { file_type $2 }, { file_type $2 }) relabel_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_blk_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_chr_files_pattern($1, { file_type $2 }, { file_type $2 }) # satisfy the assertions: optional_policy(` seutil_relabelto_bin_policy($1) ') optional_policy(` auth_relabelto_shadow($1) ') ') ######################################## ## ## rw all files on the filesystem, except ## the listed exceptions. ## ## ## ## Domain allowed access. ## ## ## ## ## The types to be excluded. Each type or attribute ## must be negated by the caller. ## ## ## # interface(`files_rw_all_files',` gen_require(` attribute file_type; ') rw_files_pattern($1, { file_type $2 }, { file_type $2 }) ') ######################################## ## ## Manage all files on the filesystem, except ## the listed exceptions. ## ## ## ## Domain allowed access. ## ## ## ## ## The types to be excluded. Each type or attribute ## must be negated by the caller. ## ## ## # interface(`files_manage_all_files',` gen_require(` attribute file_type; ') manage_dirs_pattern($1, { file_type $2 }, { file_type $2 }) manage_files_pattern($1, { file_type $2 }, { file_type $2 }) manage_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) manage_fifo_files_pattern($1, { file_type $2 }, { file_type $2 }) manage_sock_files_pattern($1, { file_type $2 }, { file_type $2 }) # satisfy the assertions: files_manage_kernel_modules($1) optional_policy(` seutil_create_bin_policy($1) ') optional_policy(` auth_reader_shadow($1) auth_writer_shadow($1) ') ') ######################################## ## ## Manage all block device files on the filesystem. ## ## ## ## Domain allowed access. ## ## ## # interface(`files_manage_all_blk_files',` gen_require(` attribute file_type; ') manage_blk_files_pattern($1, file_type, file_type) ') ######################################## ## ## Manage all character device files on the filesystem. ## ## ## ## Domain allowed access. ## ## ## # interface(`files_manage_all_chr_files',` gen_require(` attribute file_type; ') manage_chr_files_pattern($1, file_type, file_type) ') ######################################## ## ## Grant execute access to all files on the filesystem, ## except the listed exceptions. ## ## ## ## Domain allowed access. ## ## ## ## ## The types to be excluded. Each type or attribute ## must be negated by the caller. ## ## ## # interface(`files_mmap_exec_all_files',` gen_require(` attribute file_type; ') mmap_exec_files_pattern($1, { file_type $2 }, { file_type $2 }) ') ######################################## ## ## Search the contents of all directories on ## extended attribute filesystems. ## ## ## ## Domain allowed access. ## ## # interface(`files_search_all',` gen_require(` attribute file_type; ') allow $1 file_type:dir search_dir_perms; ') ######################################## ## ## List the contents of all directories on ## extended attribute filesystems. ## ## ## ## Domain allowed access. ## ## # interface(`files_list_all',` gen_require(` attribute file_type; ') allow $1 file_type:dir list_dir_perms; ') ######################################## ## ## Do not audit attempts to search the ## contents of any directories on extended ## attribute filesystems. ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_search_all_dirs',` gen_require(` attribute file_type; ') dontaudit $1 file_type:dir search_dir_perms; ') ######################################## ## ## Do not audit attempts to map ## file_type directories. ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_map_all_dirs',` gen_require(` attribute file_type; ') dontaudit $1 file_type:dir map; ') ######################################## ## ## Read all lnk_files. ## ## ## ## Domain allowed access. ## ## # interface(`files_read_all_lnk_files',` gen_require(` attribute file_type; ') allow $1 file_type:lnk_file read_lnk_file_perms; ') ######################################## ## ## Get the attributes of all filesystems ## with the type of a file. ## ## ## ## Domain allowed access. ## ## # # dwalsh: This interface is to allow quotacheck to work on a # a filesystem mounted with the --context switch # https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=212957 # interface(`files_getattr_all_file_type_fs',` gen_require(` attribute file_type; ') allow $1 file_type:filesystem getattr; ') ######################################## ## ## Relabel a filesystem to the type of a file. ## ## ## ## Domain allowed access. ## ## # interface(`files_relabelto_all_file_type_fs',` gen_require(` attribute file_type; ') allow $1 file_type:filesystem relabelto; ') ######################################## ## ## Relabel a filesystem to the type of a file. ## ## ## ## Domain allowed access. ## ## # interface(`files_relabel_all_file_type_fs',` gen_require(` attribute file_type; ') allow $1 file_type:filesystem { relabelfrom relabelto }; ') ######################################## ## ## Mount all filesystems with the type of a file. ## ## ## ## Domain allowed access. ## ## # interface(`files_mount_all_file_type_fs',` gen_require(` attribute file_type; ') allow $1 file_type:filesystem mount; ') ######################################## ## ## Unmount all filesystems with the type of a file. ## ## ## ## Domain allowed access. ## ## # interface(`files_unmount_all_file_type_fs',` gen_require(` attribute file_type; ') allow $1 file_type:filesystem unmount; ') ######################################## ## ## Remount all filesystems with the type of a file. ## ## ## ## Domain allowed access. ## ## # interface(`files_remount_all_file_type_fs',` gen_require(` attribute file_type; ') allow $1 file_type:filesystem remount; ') ######################################## ## ## Get attributes of all non-authentication related ## directories. ## ## ## ## Domain allowed access. ## ## # interface(`files_getattr_non_auth_dirs',` gen_require(` attribute non_auth_file_type; ') allow $1 non_auth_file_type:dir getattr_dir_perms; ') ######################################## ## ## Read all non-authentication related ## directories. ## ## ## ## Domain allowed access. ## ## # interface(`files_list_non_auth_dirs',` gen_require(` attribute non_auth_file_type; ') allow $1 non_auth_file_type:dir list_dir_perms; ') ######################################## ## ## Watch non-authentication related directories. ## ## ## ## Domain allowed access. ## ## # interface(`files_watch_non_auth_dirs',` gen_require(` attribute non_auth_file_type; ') watch_dirs_pattern($1, non_auth_file_type, non_auth_file_type) ') ######################################## ## ## Read all non-authentication related ## files. ## ## ## ## Domain allowed access. ## ## # interface(`files_read_non_auth_files',` gen_require(` attribute non_auth_file_type; ') read_files_pattern($1, non_auth_file_type, non_auth_file_type) ') ######################################## ## ## Read all non-authentication related ## symbolic links. ## ## ## ## Domain allowed access. ## ## # interface(`files_read_non_auth_symlinks',` gen_require(` attribute non_auth_file_type; ') read_lnk_files_pattern($1, non_auth_file_type, non_auth_file_type) ') ######################################## ## ## rw non-authentication related files. ## ## ## ## Domain allowed access. ## ## # interface(`files_rw_non_auth_files',` gen_require(` attribute non_auth_file_type; ') rw_files_pattern($1, non_auth_file_type, non_auth_file_type) ') ######################################## ## ## Manage non-authentication related ## files. ## ## ## ## Domain allowed access. ## ## ## # interface(`files_manage_non_auth_files',` gen_require(` attribute non_auth_file_type; ') manage_dirs_pattern($1, non_auth_file_type, non_auth_file_type) manage_files_pattern($1, non_auth_file_type, non_auth_file_type) manage_lnk_files_pattern($1, non_auth_file_type, non_auth_file_type) manage_fifo_files_pattern($1, non_auth_file_type, non_auth_file_type) manage_sock_files_pattern($1, non_auth_file_type, non_auth_file_type) # satisfy the assertions: seutil_create_bin_policy($1) files_manage_kernel_modules($1) ') ######################################## ## ## Relabel all non-authentication related ## files. ## ## ## ## Domain allowed access. ## ## ## # interface(`files_relabel_non_auth_files',` gen_require(` attribute non_auth_file_type; ') allow $1 non_auth_file_type:dir list_dir_perms; relabel_dirs_pattern($1, non_auth_file_type, non_auth_file_type) relabel_files_pattern($1, non_auth_file_type, non_auth_file_type) relabel_lnk_files_pattern($1, non_auth_file_type, non_auth_file_type) relabel_fifo_files_pattern($1, non_auth_file_type, non_auth_file_type) relabel_sock_files_pattern($1, non_auth_file_type, non_auth_file_type) # this is only relabelfrom since there should be no # device nodes with file types. relabelfrom_blk_files_pattern($1, non_auth_file_type, non_auth_file_type) relabelfrom_chr_files_pattern($1, non_auth_file_type, non_auth_file_type) # satisfy the assertions: seutil_relabelto_bin_policy($1) ') ############################################# ## ## Manage all configuration directories on filesystem ## ## ## ## Domain allowed access. ## ## ## # interface(`files_manage_config_dirs',` gen_require(` attribute configfile; ') manage_dirs_pattern($1, configfile, configfile) ') ######################################### ## ## Relabel configuration directories ## ## ## ## Domain allowed access. ## ## ## # interface(`files_relabel_config_dirs',` gen_require(` attribute configfile; ') relabel_dirs_pattern($1, configfile, configfile) ') ######################################## ## ## Read config files in /etc. ## ## ## ## Domain allowed access. ## ## # interface(`files_read_config_files',` gen_require(` attribute configfile; ') allow $1 configfile:dir list_dir_perms; read_files_pattern($1, configfile, configfile) read_lnk_files_pattern($1, configfile, configfile) ') ########################################### ## ## Manage all configuration files on filesystem ## ## ## ## Domain allowed access. ## ## ## # interface(`files_manage_config_files',` gen_require(` attribute configfile; ') manage_files_pattern($1, configfile, configfile) ') ####################################### ## ## Relabel configuration files ## ## ## ## Domain allowed access. ## ## ## # interface(`files_relabel_config_files',` gen_require(` attribute configfile; ') relabel_files_pattern($1, configfile, configfile) ') ######################################## ## ## Mount a filesystem on all mount points. ## ## ## ## Domain allowed access. ## ## # interface(`files_mounton_all_mountpoints',` gen_require(` attribute mountpoint; ') allow $1 mountpoint:dir { search_dir_perms mounton }; allow $1 mountpoint:file { getattr mounton }; ') ######################################## ## ## Get the attributes of all mount points. ## ## ## ## Domain allowed access. ## ## # interface(`files_getattr_all_mountpoints',` gen_require(` attribute mountpoint; ') allow $1 mountpoint:dir getattr; ') ######################################## ## ## Set the attributes of all mount points. ## ## ## ## Domain allowed access. ## ## # interface(`files_setattr_all_mountpoints',` gen_require(` attribute mountpoint; ') allow $1 mountpoint:dir setattr; ') ######################################## ## ## Set the attributes of all mount points. ## ## ## ## Domain allowed access. ## ## # interface(`files_relabelto_all_mountpoints',` gen_require(` attribute mountpoint; ') allow $1 mountpoint:dir relabelto; ') ######################################## ## ## Do not audit attempts to set the attributes on all mount points. ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_setattr_all_mountpoints',` gen_require(` attribute mountpoint; ') dontaudit $1 mountpoint:dir setattr; ') ######################################## ## ## Search all mount points. ## ## ## ## Domain allowed access. ## ## # interface(`files_search_all_mountpoints',` gen_require(` attribute mountpoint; ') allow $1 mountpoint:dir search_dir_perms; ') ######################################## ## ## Do not audit searching of all mount points. ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_search_all_mountpoints',` gen_require(` attribute mountpoint; ') dontaudit $1 mountpoint:dir search_dir_perms; ') ######################################## ## ## List all mount points. ## ## ## ## Domain allowed access. ## ## # interface(`files_list_all_mountpoints',` gen_require(` attribute mountpoint; ') allow $1 mountpoint:dir list_dir_perms; ') ######################################## ## ## Do not audit listing of all mount points. ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_list_all_mountpoints',` gen_require(` attribute mountpoint; ') dontaudit $1 mountpoint:dir list_dir_perms; ') ######################################## ## ## Write all mount points. ## ## ## ## Domain allowed access. ## ## # interface(`files_write_all_mountpoints',` gen_require(` attribute mountpoint; ') allow $1 mountpoint:dir write; ') ######################################## ## ## Do not audit attempts to write to mount points. ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_write_all_mountpoints',` gen_require(` attribute mountpoint; ') dontaudit $1 self:capability { dac_read_search }; dontaudit $1 mountpoint:dir write; ') ######################################## ## ## Watch_sb all mount points ## ## ## ## Domain allowed access. ## ## # interface(`files_watch_sb_all_mountpoints', ` gen_require(` attribute mountpoint; ') watch_sb_dirs_pattern($1, mountpoint, mountpoint) ') ######################################## ## ## Do not audit attempts to unmount all mount points. ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_unmount_all_mountpoints',` gen_require(` attribute mountpoint; ') dontaudit $1 mountpoint:filesystem unmount; ') ######################################## ## ## Read all mountpoint symbolic links. ## ## ## ## Domain allowed access. ## ## # interface(`files_read_all_mountpoint_symlinks',` gen_require(` attribute mountpoint; ') allow $1 mountpoint:lnk_file read_lnk_file_perms; ') ######################################## ## ## Make all mountpoint as entrypoint. ## ## ## ## Domain allowed access. ## ## # interface(`files_entrypoint_all_mountpoint',` gen_require(` attribute mountpoint; ') allow $1 mountpoint:file entrypoint; ') ######################################## ## ## Remove all file type directories. ## ## ## ## Domain allowed access. ## ## # interface(`files_rmdir_all_dirs',` gen_require(` attribute file_type; ') allow $1 file_type:dir rmdir; ') ######################################## ## ## Watch_sb all file type directories. ## ## ## ## Domain allowed access. ## ## # interface(`files_watch_sb_all_dirs', ` gen_require(` attribute file_type; ') watch_sb_dirs_pattern($1, file_type, file_type) ') ######################################## ## ## Write all file type directories. ## ## ## ## Domain allowed access. ## ## # interface(`files_write_all_dirs',` gen_require(` attribute file_type; ') allow $1 file_type:dir write; ') ######################################## ## ## List the contents of the root directory. ## ## ## ## Domain allowed access. ## ## # interface(`files_list_root',` gen_require(` type root_t; ') allow $1 root_t:dir list_dir_perms; allow $1 root_t:lnk_file { read_lnk_file_perms ioctl lock }; ') ######################################## ## ## Do not audit attempts to write to / dirs. ## ## ## ## Domain to not audit. ## ## # interface(`files_write_root_dirs',` gen_require(` type root_t; ') allow $1 root_t:dir write; ') ######################################## ## ## Watch_sb root directories. ## ## ## ## Domain allowed access. ## ## # interface(`files_watch_sb_root_dirs', ` gen_require(` type root_t; ') watch_sb_dirs_pattern($1, root_t, root_t) ') ######################################## ## ## Do not audit attempts to write to / dirs. ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_write_root_dirs',` gen_require(` type root_t; ') dontaudit $1 root_t:dir write; ') ################### ## ## Do not audit attempts to write ## files in the root directory. ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_rw_root_dir',` gen_require(` type root_t; ') dontaudit $1 root_t:dir rw_dir_perms; ') ######################################## ## ## Do not audit attempts to check the ## access on root directory. ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_access_check_root',` gen_require(` type root_t; ') dontaudit $1 root_t:dir_file_class_set audit_access; ') ######################################## ## ## Create an object in the root directory, with a private ## type using a type transition. ## ## ## ## Domain allowed access. ## ## ## ## ## The type of the object to be created. ## ## ## ## ## The object class of the object being created. ## ## ## ## ## The name of the object being created. ## ## # interface(`files_root_filetrans',` gen_require(` type root_t; ') filetrans_pattern($1, root_t, $2, $3, $4) ') ######################################## ## ## Do not audit attempts to read files in ## the root directory. ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_read_root_files',` gen_require(` type root_t; ') dontaudit $1 root_t:file { getattr read }; ') ######################################## ## ## Do not audit attempts to read or write ## files in the root directory. ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_rw_root_files',` gen_require(` type root_t; ') dontaudit $1 root_t:file { read write }; ') ######################################## ## ## Do not audit attempts to read or write ## character device nodes in the root directory. ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_rw_root_chr_files',` gen_require(` type root_t; ') dontaudit $1 root_t:chr_file { read write }; ') ######################################## ## ## Delete files in the root directory. ## ## ## ## Domain allowed access. ## ## # interface(`files_delete_root_files',` gen_require(` type root_t; ') allow $1 root_t:file unlink; ') ######################################## ## ## Remove entries from the root directory. ## ## ## ## Domain allowed access. ## ## # interface(`files_delete_root_dir_entry',` gen_require(` type root_t; ') allow $1 root_t:dir rw_dir_perms; ') ######################################## ## ## Set attributes of the root directory. ## ## ## ## Domain allowed access. ## ## # interface(`files_setattr_root_dirs',` gen_require(` type root_t; ') allow $1 root_t:dir setattr_dir_perms; ') ########################################## ## ## Watch the root directory. ## ## ## ## Domain allowed access ## ## # interface(`files_watch_root_dirs',` gen_require(` type root_t; ') allow $1 root_t:dir watch_dir_perms; ') ########################################## ## ## Watch_mount the root directory. ## ## ## ## Domain allowed access ## ## # interface(`files_watch_mount_root_dirs',` gen_require(` type root_t; ') allow $1 root_t:dir watch_mount_dir_perms; ') ########################################## ## ## Watch_with_perm the root directory. ## ## ## ## Domain allowed access ## ## # interface(`files_watch_with_perm_root_dirs',` gen_require(` type root_t; ') allow $1 root_t:dir watch_with_perm_dir_perms; ') ######################################## ## ## Relabel a rootfs filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`files_relabel_rootfs',` gen_require(` type root_t; ') allow $1 root_t:filesystem relabel_file_perms; ') ######################################## ## ## Unmount a rootfs filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`files_unmount_rootfs',` gen_require(` type root_t; ') allow $1 root_t:filesystem unmount; ') ######################################## ## ## Mount a filesystem on the root file system ## ## ## ## Domain allowed access. ## ## # interface(`files_mounton_rootfs',` gen_require(` type root_t; ') allow $1 root_t:dir { search_dir_perms mounton }; ') ######################################## ## ## Remount a filesystem on the root file system ## ## ## ## Domain allowed access. ## ## # interface(`files_remount_rootfs',` gen_require(` type root_t; ') allow $1 root_t:filesystem { remount }; ') ######################################## ## ## Mount a filesystem on the root file system ## ## ## ## Domain allowed access. ## ## # interface(`files_dontaudit_mounton_rootfs',` gen_require(` type root_t; ') dontaudit $1 root_t:dir mounton; ') ######################################## ## ## Get attributes of the /boot directory. ## ## ## ## Domain allowed access. ## ## # interface(`files_getattr_boot_dirs',` gen_require(` type boot_t; ') allow $1 boot_t:dir getattr; ') ######################################## ## ## Do not audit attempts to get attributes ## of the /boot directory. ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_getattr_boot_dirs',` gen_require(` type boot_t; ') dontaudit $1 boot_t:dir getattr; ') ######################################## ## ## Search the /boot directory. ## ## ## ## Domain allowed access. ## ## # interface(`files_search_boot',` gen_require(` type boot_t; ') allow $1 boot_t:dir search_dir_perms; ') ######################################## ## ## Do not audit attempts to search the /boot directory. ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_search_boot',` gen_require(` type boot_t; ') dontaudit $1 boot_t:dir search_dir_perms; ') ######################################## ## ## List the /boot directory. ## ## ## ## Domain allowed access. ## ## # interface(`files_list_boot',` gen_require(` type boot_t; ') allow $1 boot_t:dir list_dir_perms; ') ####################################### ## ## Do not audit attempts to list the /boot directory. ## ## ## ## Domain allowed access. ## ## # interface(`files_dontaudit_list_boot',` gen_require(` type boot_t; ') dontaudit $1 boot_t:dir list_dir_perms; ') ######################################## ## ## Create directories in /boot ## ## ## ## Domain allowed access. ## ## # interface(`files_create_boot_dirs',` gen_require(` type boot_t; ') allow $1 boot_t:dir { create rw_dir_perms }; ') ######################################## ## ## Create, read, write, and delete ## directories in /boot. ## ## ## ## Domain allowed access. ## ## # interface(`files_manage_boot_dirs',` gen_require(` type boot_t; ') allow $1 boot_t:dir manage_dir_perms; ') ######################################## ## ## Do not audit attempts to manage entries ## in the /boot directory. ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_manage_boot_dirs',` gen_require(` type boot_t; ') dontaudit $1 boot_t:dir manage_dir_perms; ') ######################################## ## ## Watch directories in /boot. ## ## ## ## Domain allowed access. ## ## # interface(`files_watch_boot_dirs',` gen_require(` type boot_t; ') allow $1 boot_t:dir watch_dir_perms; ') ######################################## ## ## Watch_sb boot directories. ## ## ## ## Domain allowed access. ## ## # interface(`files_watch_sb_boot_dirs', ` gen_require(` type boot_t; ') watch_sb_dirs_pattern($1, boot_t, boot_t) ') ######################################## ## ## Watch_mount directories in /boot. ## ## ## ## Domain allowed access. ## ## # interface(`files_watch_mount_boot_dirs',` gen_require(` type boot_t; ') allow $1 boot_t:dir watch_mount_dir_perms; ') ######################################## ## ## Watch_with_perm directories in /boot. ## ## ## ## Domain allowed access. ## ## # interface(`files_watch_with_perm_boot_dirs',` gen_require(` type boot_t; ') allow $1 boot_t:dir watch_with_perm_dir_perms; ') ######################################## ## ## Create a private type object in boot ## with an automatic type transition ## ## ## ## Domain allowed access. ## ## ## ## ## The type of the object to be created. ## ## ## ## ## The object class of the object being created. ## ## ## ## ## The name of the object being created. ## ## # interface(`files_boot_filetrans',` gen_require(` type boot_t; ') filetrans_pattern($1, boot_t, $2, $3, $4) ') ######################################## ## ## read files in the /boot directory. ## ## ## ## Domain allowed access. ## ## ## # interface(`files_read_boot_files',` gen_require(` type boot_t; ') read_files_pattern($1, boot_t, boot_t) ') ###################################### ## ## Map files in the /boot. ## ## ## ## Domain allowed access. ## ## # interface(`files_map_boot_files',` gen_require(` type boot_t; ') allow $1 boot_t:file map; ') ######################################## ## ## Create, read, write, and delete files ## in the /boot directory. ## ## ## ## Domain allowed access. ## ## ## # interface(`files_manage_boot_files',` gen_require(` type boot_t; ') manage_files_pattern($1, boot_t, boot_t) ') ######################################## ## ## Dontaudit Create, read, write, and delete files ## in the boot files. ## ## ## ## Domain allowed access. ## ## ## # interface(`files_dontaudit_manage_boot_files',` gen_require(` type boot_t; ') dontaudit $1 boot_t:file manage_file_perms; ') ######################################## ## ## Relabel from files in the /boot directory. ## ## ## ## Domain allowed access. ## ## # interface(`files_relabelfrom_boot_files',` gen_require(` type boot_t; ') relabelfrom_files_pattern($1, boot_t, boot_t) ') ######################################## ## ## Relabel to files in the /boot directory. ## ## ## ## Domain allowed access. ## ## # interface(`files_relabelto_boot_files',` gen_require(` type boot_t; ') relabelto_files_pattern($1, boot_t, boot_t) ') ###################################### ## ## Read symbolic links in the /boot directory. ## ## ## ## Domain allowed access. ## ## # interface(`files_read_boot_symlinks',` gen_require(` type boot_t; ') read_lnk_files_pattern($1, boot_t, boot_t) ') ######################################## ## ## Read and write symbolic links ## in the /boot directory. ## ## ## ## Domain allowed access. ## ## # interface(`files_rw_boot_symlinks',` gen_require(` type boot_t; ') allow $1 boot_t:dir list_dir_perms; rw_lnk_files_pattern($1, boot_t, boot_t) ') ######################################## ## ## Create, read, write, and delete symbolic links ## in the /boot directory. ## ## ## ## Domain allowed access. ## ## # interface(`files_manage_boot_symlinks',` gen_require(` type boot_t; ') manage_lnk_files_pattern($1, boot_t, boot_t) ') ######################################## ## ## Read kernel files in the /boot directory. ## ## ## ## Domain allowed access. ## ## # interface(`files_read_kernel_img',` gen_require(` type boot_t; ') allow $1 boot_t:dir list_dir_perms; read_files_pattern($1, boot_t, boot_t) read_lnk_files_pattern($1, boot_t, boot_t) ') ######################################## ## ## Install a kernel into the /boot directory. ## ## ## ## Domain allowed access. ## ## ## # interface(`files_create_kernel_img',` gen_require(` type boot_t; ') allow $1 boot_t:file { create_file_perms rw_file_perms }; manage_lnk_files_pattern($1, boot_t, boot_t) ') ######################################## ## ## Delete a kernel from /boot. ## ## ## ## Domain allowed access. ## ## ## # interface(`files_delete_kernel',` gen_require(` type boot_t; ') delete_files_pattern($1, boot_t, boot_t) ') ######################################## ## ## Getattr of directories with the default file type. ## ## ## ## Domain allowed access. ## ## # interface(`files_getattr_default_dirs',` gen_require(` type default_t; ') allow $1 default_t:dir getattr; ') ######################################## ## ## Do not audit attempts to get the attributes of ## directories with the default file type. ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_getattr_default_dirs',` gen_require(` type default_t; ') dontaudit $1 default_t:dir getattr; ') ######################################## ## ## Search the contents of directories with the default file type. ## ## ## ## Domain allowed access. ## ## # interface(`files_search_default',` gen_require(` type default_t; ') allow $1 default_t:dir search_dir_perms; ') ######################################## ## ## List contents of directories with the default file type. ## ## ## ## Domain allowed access. ## ## # interface(`files_list_default',` gen_require(` type default_t; ') allow $1 default_t:dir list_dir_perms; ') ######################################## ## ## Do not audit attempts to list contents of ## directories with the default file type. ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_list_default',` gen_require(` type default_t; ') dontaudit $1 default_t:dir list_dir_perms; ') ######################################## ## ## Create, read, write, and delete directories with ## the default file type. ## ## ## ## Domain allowed access. ## ## # interface(`files_manage_default_dirs',` gen_require(` type default_t; ') manage_dirs_pattern($1, default_t, default_t) ') ######################################## ## ## Mount a filesystem on a directory with the default file type. ## ## ## ## Domain allowed access. ## ## # interface(`files_mounton_default',` gen_require(` type default_t; ') allow $1 default_t:dir { search_dir_perms mounton }; ') ######################################## ## ## Do not audit attempts to get the attributes of ## files with the default file type. ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_getattr_default_files',` gen_require(` type default_t; ') dontaudit $1 default_t:file getattr; ') ######################################## ## ## Read files with the default file type. ## ## ## ## Domain allowed access. ## ## # interface(`files_read_default_files',` gen_require(` type default_t; ') allow $1 default_t:file read_file_perms; ') ######################################## ## ## Do not audit attempts to read files ## with the default file type. ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_read_default_files',` gen_require(` type default_t; ') dontaudit $1 default_t:file read_file_perms; ') ######################################## ## ## Create, read, write, and delete files with ## the default file type. ## ## ## ## Domain allowed access. ## ## # interface(`files_manage_default_files',` gen_require(` type default_t; ') manage_files_pattern($1, default_t, default_t) ') ######################################## ## ## Read symbolic links with the default file type. ## ## ## ## Domain allowed access. ## ## # interface(`files_read_default_symlinks',` gen_require(` type default_t; ') allow $1 default_t:lnk_file read_lnk_file_perms; ') ######################################## ## ## Read sockets with the default file type. ## ## ## ## Domain allowed access. ## ## # interface(`files_read_default_sockets',` gen_require(` type default_t; ') allow $1 default_t:sock_file read_sock_file_perms; ') ######################################## ## ## Read named pipes with the default file type. ## ## ## ## Domain allowed access. ## ## # interface(`files_read_default_pipes',` gen_require(` type default_t; ') allow $1 default_t:fifo_file read_fifo_file_perms; ') ######################################## ## ## Mounton directories on filesystem /etc. ## ## ## ## Domain allowed access. ## ## # interface(`files_mounton_etc',` gen_require(` type etc_t; ') allow $1 etc_t:dir mounton; ') ######################################## ## ## Mounton directories on the /usr filesystem ## ## ## ## Domain allowed access. ## ## # interface(`files_mounton_usr',` gen_require(` type usr_t; ') allow $1 usr_t:dir mounton; ') ######################################## ## ## Search the contents of /etc directories. ## ## ## ## Domain allowed access. ## ## # interface(`files_search_etc',` gen_require(` type etc_t; ') allow $1 etc_t:dir search_dir_perms; ') ######################################## ## ## Set the attributes of the /etc directories. ## ## ## ## Domain allowed access. ## ## # interface(`files_setattr_etc_dirs',` gen_require(` type etc_t; ') allow $1 etc_t:dir setattr; ') ######################################## ## ## List the contents of /etc directories. ## ## ## ## Domain allowed access. ## ## # interface(`files_list_etc',` gen_require(` type etc_t; ') allow $1 etc_t:dir list_dir_perms; ') ######################################## ## ## Do not audit attempts to write to /etc dirs. ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_write_etc_dirs',` gen_require(` type etc_t; ') dontaudit $1 etc_t:dir write; ') ######################################## ## ## Add and remove entries from /etc directories. ## ## ## ## Domain allowed access. ## ## # interface(`files_rw_etc_dirs',` gen_require(` type etc_t; ') allow $1 etc_t:dir rw_dir_perms; ') ####################################### ## ## Dontaudit remove dir /etc directories. ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_remove_etc_dir',` gen_require(` type etc_t; ') dontaudit $1 etc_t:dir rmdir; ') ########################################## ## ## Manage generic directories in /etc ## ## ## ## Domain allowed access ## ## ## # interface(`files_manage_etc_dirs',` gen_require(` type etc_t; ') manage_dirs_pattern($1, etc_t, etc_t) ') ######################################## ## ## Read generic files in /etc. ## ## ##

## Allow the specified domain to read generic ## files in /etc. These files are typically ## general system configuration files that do ## not have more specific SELinux types. Some ## examples of these files are: ##

##
    ##
  • /etc/fstab
  • ##
  • /etc/passwd
  • ##
  • /etc/services
  • ##
  • /etc/shells
  • ##
##

## This interface does not include access to /etc/shadow. ##

##

## Generally, it is safe for many domains to have ## this access. However, since this interface provides ## access to the /etc/passwd file, caution must be ## exercised, as user account names can be leaked ## through this access. ##

##

## Related interfaces: ##

##
    ##
  • auth_read_shadow()
  • ##
  • files_read_etc_runtime_files()
  • ##
  • seutil_read_config()
  • ##
##
## ## ## Domain allowed access. ## ## ## # interface(`files_read_etc_files',` gen_require(` type etc_t; ') allow $1 etc_t:dir list_dir_perms; read_files_pattern($1, etc_t, etc_t) read_lnk_files_pattern($1, etc_t, etc_t) files_read_etc_runtime_files($1) ') ######################################## ## ## Map generic files in /etc. ## ## ## ## Domain allowed access ## ## # interface(`files_map_etc_files',` gen_require(` type etc_t; ') allow $1 etc_t:file map; ') ######################################## ## ## Do not audit attempts to write generic files in /etc. ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_write_etc_files',` gen_require(` type etc_t; ') dontaudit $1 etc_t:file write; ') ######################################## ## ## Read and write generic files in /etc. ## ## ## ## Domain allowed access. ## ## ## # interface(`files_rw_etc_files',` gen_require(` type etc_t; ') allow $1 etc_t:dir list_dir_perms; rw_files_pattern($1, etc_t, etc_t) read_lnk_files_pattern($1, etc_t, etc_t) ') ######################################## ## ## Create generic files in /etc. ## ## ## ## Domain allowed access. ## ## # interface(`files_create_etc_files',` gen_require(` type etc_t; ') create_files_pattern($1, etc_t, etc_t) ') ######################################## ## ## Map and read generic files in /etc. ## ## ## ## Domain allowed access. ## ## # interface(`files_map_read_etc_files',` gen_require(` type etc_t; ') mmap_read_files_pattern($1, etc_t, etc_t) ') ######################################## ## ## Create, read, write, and delete generic ## files in /etc. ## ## ## ## Domain allowed access. ## ## ## # interface(`files_manage_etc_files',` gen_require(` type etc_t; ') manage_files_pattern($1, etc_t, etc_t) read_lnk_files_pattern($1, etc_t, etc_t) ') ######################################## ## ## Do not audit attempts to check the ## access on etc files ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_access_check_etc',` gen_require(` type etc_t; ') dontaudit $1 etc_t:dir_file_class_set audit_access; ') ######################################## ## ## Delete system configuration files in /etc. ## ## ## ## Domain allowed access. ## ## # interface(`files_delete_etc_files',` gen_require(` type etc_t; ') delete_files_pattern($1, etc_t, etc_t) ') ######################################## ## ## Remove entries from the etc directory. ## ## ## ## Domain allowed access. ## ## # interface(`files_delete_etc_dir_entry',` gen_require(` type etc_t; ') allow $1 etc_t:dir del_entry_dir_perms; ') ######################################## ## ## Execute generic files in /etc. ## ## ## ## Domain allowed access. ## ## # interface(`files_exec_etc_files',` gen_require(` type etc_t; ') allow $1 etc_t:dir list_dir_perms; read_lnk_files_pattern($1, etc_t, etc_t) exec_files_pattern($1, etc_t, etc_t) ') ####################################### ## ## Relabel from and to generic files in /etc. ## ## ## ## Domain allowed access. ## ## # interface(`files_relabel_etc_files',` gen_require(` type etc_t; ') allow $1 etc_t:dir list_dir_perms; relabel_files_pattern($1, etc_t, etc_t) ') ######################################## ## ## Read symbolic links in /etc. ## ## ## ## Domain allowed access. ## ## # interface(`files_read_etc_symlinks',` gen_require(` type etc_t; ') read_lnk_files_pattern($1, etc_t, etc_t) ') ######################################## ## ## Create, read, write, and delete symbolic links in /etc. ## ## ## ## Domain allowed access. ## ## # interface(`files_manage_etc_symlinks',` gen_require(` type etc_t; ') manage_lnk_files_pattern($1, etc_t, etc_t) ') ######################################## ## ## Create objects in /etc with a private ## type using a type_transition. ## ## ## ## Domain allowed access. ## ## ## ## ## Private file type. ## ## ## ## ## Object classes to be created. ## ## ## ## ## The name of the object being created. ## ## # interface(`files_etc_filetrans',` gen_require(` type etc_t; ') filetrans_pattern($1, etc_t, $2, $3, $4) ') ########################################## ## ## Watch generic directories in /etc. ## ## ## ## Domain allowed access ## ## # interface(`files_watch_etc_dirs',` gen_require(` type etc_t; ') allow $1 etc_t:dir watch_dir_perms; ') ########################################## ## ## Watch generic files in /etc. ## ## ## ## Domain allowed access ## ## # interface(`files_watch_etc_files',` gen_require(` type etc_t; ') allow $1 etc_t:file watch_file_perms; ') ######################################## ## ## Create a boot flag. ## ## ##

## Create a boot flag, such as ## /.autorelabel and /.autofsck. ##

##
## ## ## Domain allowed access. ## ## ## ## ## The name of the object being created. ## ## ## # interface(`files_create_boot_flag',` gen_require(` type root_t, etc_runtime_t; ') allow $1 etc_runtime_t:file manage_file_perms; filetrans_pattern($1, root_t, etc_runtime_t, file, $2) ') ######################################## ## ## Delete a boot flag. ## ## ##

## Delete a boot flag, such as ## /.autorelabel and /.autofsck. ##

##
## ## ## Domain allowed access. ## ## ## # interface(`files_delete_boot_flag',` gen_require(` type root_t, etc_runtime_t; ') delete_files_pattern($1, root_t, etc_runtime_t) ') ######################################## ## ## Read files in /etc that are dynamically ## created on boot, such as mtab. ## ## ##

## Allow the specified domain to read dynamically created ## configuration files in /etc. These files are typically ## general system configuration files that do ## not have more specific SELinux types. Some ## examples of these files are: ##

##
    ##
  • /etc/motd
  • ##
  • /etc/mtab
  • ##
  • /etc/nologin
  • ##
##

## This interface does not include access to /etc/shadow. ##

##
## ## ## Domain allowed access. ## ## ## ## # interface(`files_read_etc_runtime_files',` gen_require(` type etc_t, etc_runtime_t; ') allow $1 etc_t:dir list_dir_perms; read_files_pattern($1, etc_t, etc_runtime_t) read_lnk_files_pattern($1, etc_t, etc_runtime_t) ') ######################################## ## ## Do not audit attempts to set the attributes of the etc_runtime files ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_setattr_etc_runtime_files',` gen_require(` type etc_runtime_t; ') dontaudit $1 etc_runtime_t:file setattr; ') ######################################## ## ## Do not audit attempts to write etc_runtime files ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_write_etc_runtime_files',` gen_require(` type etc_runtime_t; ') dontaudit $1 etc_runtime_t:file write; ') ######################################## ## ## Do not audit attempts to read files ## in /etc that are dynamically ## created on boot, such as mtab. ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_read_etc_runtime_files',` gen_require(` type etc_runtime_t; ') dontaudit $1 etc_runtime_t:file { getattr read }; ') ######################################## ## ## Read and write files in /etc that are dynamically ## created on boot, such as mtab. ## ## ## ## Domain allowed access. ## ## ## # interface(`files_rw_etc_runtime_files',` gen_require(` type etc_t, etc_runtime_t; ') allow $1 etc_t:dir list_dir_perms; rw_files_pattern($1, etc_t, etc_runtime_t) read_lnk_files_pattern($1, etc_t, etc_t) ') ######################################## ## ## Create, read, write, and delete files in ## /etc that are dynamically created on boot, ## such as mtab. ## ## ## ## Domain allowed access. ## ## ## # interface(`files_manage_etc_runtime_files',` gen_require(` type etc_t, etc_runtime_t; ') manage_dirs_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t) manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t) read_lnk_files_pattern($1, etc_t, etc_runtime_t) ') ######################################## ## ## Create, etc runtime objects with an automatic ## type transition. ## ## ## ## Domain allowed access. ## ## ## ## ## The class of the object being created. ## ## ## ## ## The name of the object being created. ## ## # interface(`files_etc_filetrans_etc_runtime',` gen_require(` type etc_t, etc_runtime_t; ') filetrans_pattern($1, etc_t, etc_runtime_t, $2, $3) ') ######################################## ## ## Getattr of directories on new filesystems ## that have not yet been labeled. ## ## ## ## Domain allowed access. ## ## # interface(`files_getattr_isid_type_dirs',` gen_require(` type unlabeled_t; ') allow $1 unlabeled_t:dir getattr; ') ######################################## ## ## Getattr all file opbjects on new filesystems ## that have not yet been labeled. ## ## ## ## Domain allowed access. ## ## # interface(`files_getattr_isid_type',` gen_require(` type unlabeled_t; ') allow $1 unlabeled_t:dir_file_class_set getattr; ') ######################################## ## ## Setattr of directories on new filesystems ## that have not yet been labeled. ## ## ## ## Domain allowed access. ## ## # interface(`files_setattr_isid_type_dirs',` gen_require(` type unlabeled_t; ') allow $1 unlabeled_t:dir setattr; ') ######################################## ## ## Do not audit attempts to search directories on new filesystems ## that have not yet been labeled. ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_search_isid_type_dirs',` gen_require(` type unlabeled_t; ') dontaudit $1 unlabeled_t:dir search_dir_perms; ') ######################################## ## ## List the contents of directories on new filesystems ## that have not yet been labeled. ## ## ## ## Domain allowed access. ## ## # interface(`files_list_isid_type_dirs',` gen_require(` type unlabeled_t; ') allow $1 unlabeled_t:dir list_dir_perms; ') ######################################## ## ## Read and write directories on new filesystems ## that have not yet been labeled. ## ## ## ## Domain allowed access. ## ## # interface(`files_rw_isid_type_dirs',` gen_require(` type unlabeled_t; ') allow $1 unlabeled_t:dir rw_dir_perms; ') ######################################## ## ## Delete directories on new filesystems ## that have not yet been labeled. ## ## ## ## Domain allowed access. ## ## # interface(`files_delete_isid_type_dirs',` gen_require(` type unlabeled_t; ') delete_dirs_pattern($1, unlabeled_t, unlabeled_t) ') ######################################## ## ## Execute files on new filesystems ## that have not yet been labeled. ## ## ## ## Domain allowed access. ## ## # interface(`files_exec_isid_files',` gen_require(` type unlabeled_t; ') can_exec($1, unlabeled_t) ') ######################################## ## ## Moundon directories on new filesystems ## that have not yet been labeled. ## ## ## ## Domain allowed access. ## ## # interface(`files_mounton_isid',` gen_require(` type unlabeled_t; ') allow $1 unlabeled_t:dir mounton; ') ######################################## ## ## Relabelfrom all file opbjects on new filesystems ## that have not yet been labeled. ## ## ## ## Domain allowed access. ## ## # interface(`files_relabelfrom_isid_type',` gen_require(` type unlabeled_t; ') dontaudit $1 unlabeled_t:dir_file_class_set relabelfrom; ') ######################################## ## ## Create, read, write, and delete directories ## on new filesystems that have not yet been labeled. ## ## ## ## Domain allowed access. ## ## # interface(`files_manage_isid_type_dirs',` gen_require(` type unlabeled_t; ') allow $1 unlabeled_t:dir manage_dir_perms; ') ######################################## ## ## Mount a filesystem on a directory on new filesystems ## that has not yet been labeled. ## ## ## ## Domain allowed access. ## ## # interface(`files_mounton_isid_type_dirs',` gen_require(` type unlabeled_t; ') allow $1 unlabeled_t:dir { search_dir_perms mounton }; ') ######################################## ## ## Mount a filesystem on a new chr_file ## that has not yet been labeled. ## ## ## ## Domain allowed access. ## ## # interface(`files_mounton_isid_type_chr_file',` gen_require(` type unlabeled_t; ') allow $1 unlabeled_t:chr_file mounton; ') ######################################## ## ## Read files on new filesystems ## that have not yet been labeled. ## ## ## ## Domain allowed access. ## ## # interface(`files_read_isid_type_files',` gen_require(` type unlabeled_t; ') allow $1 unlabeled_t:file read_file_perms; ') ######################################## ## ## Delete files on new filesystems ## that have not yet been labeled. ## ## ## ## Domain allowed access. ## ## # interface(`files_delete_isid_type_files',` gen_require(` type unlabeled_t; ') delete_files_pattern($1, unlabeled_t, unlabeled_t) ') ######################################## ## ## Delete symbolic links on new filesystems ## that have not yet been labeled. ## ## ## ## Domain allowed access. ## ## # interface(`files_delete_isid_type_symlinks',` gen_require(` type unlabeled_t; ') delete_lnk_files_pattern($1, unlabeled_t, unlabeled_t) ') ######################################## ## ## Delete named pipes on new filesystems ## that have not yet been labeled. ## ## ## ## Domain allowed access. ## ## # interface(`files_delete_isid_type_fifo_files',` gen_require(` type unlabeled_t; ') delete_fifo_files_pattern($1, unlabeled_t, unlabeled_t) ') ######################################## ## ## Delete named sockets on new filesystems ## that have not yet been labeled. ## ## ## ## Domain allowed access. ## ## # interface(`files_delete_isid_type_sock_files',` gen_require(` type unlabeled_t; ') delete_sock_files_pattern($1, unlabeled_t, unlabeled_t) ') ######################################## ## ## Delete block files on new filesystems ## that have not yet been labeled. ## ## ## ## Domain allowed access. ## ## # interface(`files_delete_isid_type_blk_files',` gen_require(` type unlabeled_t; ') delete_blk_files_pattern($1, unlabeled_t, unlabeled_t) ') ######################################## ## ## Do not audit attempts to write to character ## files that have not yet been labeled. ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_write_isid_chr_files',` gen_require(` type unlabeled_t; ') dontaudit $1 unlabeled_t:chr_file write; ') ######################################## ## ## Delete chr files on new filesystems ## that have not yet been labeled. ## ## ## ## Domain allowed access. ## ## # interface(`files_delete_isid_type_chr_files',` gen_require(` type unlabeled_t; ') delete_chr_files_pattern($1, unlabeled_t, unlabeled_t) ') ######################################## ## ## Create, read, write, and delete files ## on new filesystems that have not yet been labeled. ## ## ## ## Domain allowed access. ## ## # interface(`files_manage_isid_type_files',` gen_require(` type unlabeled_t; ') allow $1 unlabeled_t:file manage_file_perms; ') ######################################## ## ## Create, read, write, and delete symbolic links ## on new filesystems that have not yet been labeled. ## ## ## ## Domain allowed access. ## ## # interface(`files_manage_isid_type_symlinks',` gen_require(` type unlabeled_t; ') allow $1 unlabeled_t:lnk_file manage_lnk_file_perms; ') ######################################## ## ## Read and write block device nodes on new filesystems ## that have not yet been labeled. ## ## ## ## Domain allowed access. ## ## # interface(`files_rw_isid_type_blk_files',` gen_require(` type unlabeled_t; ') allow $1 unlabeled_t:blk_file rw_blk_file_perms; ') ######################################## ## ## rw any files inherited from another process ## on new filesystems that have not yet been labeled. ## ## ## ## Domain allowed access. ## ## # interface(`files_rw_inherited_isid_type_files',` gen_require(` type unlabeled_t; ') allow $1 unlabeled_t:file rw_inherited_file_perms; ') ######################################## ## ## Create, read, write, and delete block device nodes ## on new filesystems that have not yet been labeled. ## ## ## ## Domain allowed access. ## ## # interface(`files_manage_isid_type_blk_files',` gen_require(` type unlabeled_t; ') allow $1 unlabeled_t:blk_file manage_blk_file_perms; ') ######################################## ## ## Create, read, write, and delete character device nodes ## on new filesystems that have not yet been labeled. ## ## ## ## Domain allowed access. ## ## # interface(`files_manage_isid_type_chr_files',` gen_require(` type unlabeled_t; ') allow $1 unlabeled_t:chr_file manage_chr_file_perms; ') ######################################## ## ## Dontaudit Moundon directories on new filesystems ## that have not yet been labeled. ## ## ## ## Domain allowed access. ## ## # interface(`files_dontaudit_mounton_isid',` gen_require(` type unlabeled_t; ') dontaudit $1 unlabeled_t:dir mounton; ') ######################################## ## ## Get the attributes of the home directories root ## (/home). ## ## ## ## Domain allowed access. ## ## # interface(`files_getattr_home_dir',` gen_require(` type home_root_t; ') allow $1 home_root_t:dir getattr; allow $1 home_root_t:lnk_file getattr; ') ######################################## ## ## Do not audit attempts to get the ## attributes of the home directories root ## (/home). ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_getattr_home_dir',` gen_require(` type home_root_t; ') dontaudit $1 home_root_t:dir getattr; dontaudit $1 home_root_t:lnk_file getattr; ') ######################################## ## ## Do not audit attempts to check the ## access on home root directory. ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_access_check_home_dir',` gen_require(` type home_root_t; ') dontaudit $1 home_root_t:dir_file_class_set audit_access; ') ######################################## ## ## Create /home directories ## ## ## ## Domain allowed access ## ## # interface(`files_create_home_dir',` gen_require(` type home_root_t; ') create_dirs_pattern($1, home_root_t, home_root_t) ') ######################################## ## ## Search home directories root (/home). ## ## ## ## Domain allowed access. ## ## # interface(`files_search_home',` gen_require(` type home_root_t; ') allow $1 home_root_t:dir search_dir_perms; allow $1 home_root_t:lnk_file read_lnk_file_perms; ') ######################################## ## ## Do not audit attempts to search ## home directories root (/home). ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_search_home',` gen_require(` type home_root_t; ') dontaudit $1 home_root_t:dir search_dir_perms; dontaudit $1 home_root_t:lnk_file read_lnk_file_perms; ') ######################################## ## ## Do not audit attempts to list ## home directories root (/home). ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_list_home',` gen_require(` type home_root_t; ') dontaudit $1 home_root_t:dir list_dir_perms; dontaudit $1 home_root_t:lnk_file read_lnk_file_perms; ') ######################################## ## ## Get listing of home directories. ## ## ## ## Domain allowed access. ## ## # interface(`files_list_home',` gen_require(` type home_root_t; ') allow $1 home_root_t:dir list_dir_perms; allow $1 home_root_t:lnk_file read_lnk_file_perms; ') ######################################## ## ## Watch home directories. ## ## ## ## Domain allowed access. ## ## # interface(`files_watch_home',` gen_require(` type home_root_t; ') allow $1 home_root_t:dir watch_dir_perms; ') ######################################## ## ## Watch_mount home directories. ## ## ## ## Domain allowed access. ## ## # interface(`files_watch_mount_home',` gen_require(` type home_root_t; ') allow $1 home_root_t:dir watch_mount_dir_perms; ') ######################################## ## ## Watch_with_perm home directories. ## ## ## ## Domain allowed access. ## ## # interface(`files_watch_with_perm_home',` gen_require(` type home_root_t; ') allow $1 home_root_t:dir watch_with_perm_dir_perms; ') ######################################## ## ## Relabel to user home root (/home). ## ## ## ## Domain allowed access. ## ## # interface(`files_relabelto_home',` gen_require(` type home_root_t; ') allow $1 home_root_t:dir relabelto; ') ######################################## ## ## Create objects in /home. ## ## ## ## Domain allowed access. ## ## ## ## ## The private type. ## ## ## ## ## The class of the object being created. ## ## ## ## ## The name of the object being created. ## ## # interface(`files_home_filetrans',` gen_require(` type home_root_t; ') filetrans_pattern($1, home_root_t, $2, $3, $4) ') ######################################## ## ## Get the attributes of lost+found directories. ## ## ## ## Domain allowed access. ## ## # interface(`files_getattr_lost_found_dirs',` gen_require(` type lost_found_t; ') allow $1 lost_found_t:dir getattr; ') ######################################## ## ## Do not audit attempts to get the attributes of ## lost+found directories. ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_getattr_lost_found_dirs',` gen_require(` type lost_found_t; ') dontaudit $1 lost_found_t:dir getattr; ') ####################################### ## ## List the contents of lost+found directories. ## ## ## ## Domain allowed access. ## ## # interface(`files_list_lost_found',` gen_require(` type lost_found_t; ') allow $1 lost_found_t:dir list_dir_perms; ') ######################################## ## ## Create, read, write, and delete objects in ## lost+found directories. ## ## ## ## Domain allowed access. ## ## ## # interface(`files_manage_lost_found',` gen_require(` type lost_found_t; ') manage_dirs_pattern($1, lost_found_t, lost_found_t) manage_files_pattern($1, lost_found_t, lost_found_t) manage_lnk_files_pattern($1, lost_found_t, lost_found_t) manage_fifo_files_pattern($1, lost_found_t, lost_found_t) manage_sock_files_pattern($1, lost_found_t, lost_found_t) ') ######################################## ## ## Search the contents of /mnt. ## ## ## ## Domain allowed access. ## ## # interface(`files_search_mnt',` gen_require(` type mnt_t; ') allow $1 mnt_t:dir search_dir_perms; ') ######################################## ## ## Do not audit attempts to search /mnt. ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_search_mnt',` gen_require(` type mnt_t; ') dontaudit $1 mnt_t:dir search_dir_perms; ') ######################################## ## ## List the contents of /mnt. ## ## ## ## Domain allowed access. ## ## # interface(`files_list_mnt',` gen_require(` type mnt_t; ') allow $1 mnt_t:dir list_dir_perms; ') ###################################### ## ## dontaudit List the contents of /mnt. ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_list_mnt',` gen_require(` type mnt_t; ') dontaudit $1 mnt_t:dir list_dir_perms; ') ######################################## ## ## Do not audit attempts to check the ## write access on mnt files ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_access_check_mnt',` gen_require(` type mnt_t; ') dontaudit $1 mnt_t:dir_file_class_set audit_access; ') ######################################## ## ## Mount a filesystem on /mnt. ## ## ## ## Domain allowed access. ## ## # interface(`files_mounton_mnt',` gen_require(` type mnt_t; ') allow $1 mnt_t:dir { search_dir_perms mounton }; ') ######################################## ## ## Create, read, write, and delete directories in /mnt. ## ## ## ## Domain allowed access. ## ## ## # interface(`files_manage_mnt_dirs',` gen_require(` type mnt_t; ') allow $1 mnt_t:dir manage_dir_perms; ') ######################################## ## ## Create, read, write, and delete files in /mnt. ## ## ## ## Domain allowed access. ## ## # interface(`files_manage_mnt_files',` gen_require(` type mnt_t; ') manage_files_pattern($1, mnt_t, mnt_t) ') ######################################## ## ## read files in /mnt. ## ## ## ## Domain allowed access. ## ## # interface(`files_read_mnt_files',` gen_require(` type mnt_t; ') read_files_pattern($1, mnt_t, mnt_t) ') ###################################### ## ## Read symbolic links in /mnt. ## ## ## ## Domain allowed access. ## ## # interface(`files_read_mnt_symlinks',` gen_require(` type mnt_t; ') read_lnk_files_pattern($1, mnt_t, mnt_t) ') ######################################## ## ## Load kernel module files. ## ## ## ## Domain allowed access. ## ## # interface(`files_load_kernel_modules',` gen_require(` type modules_object_t; ') files_read_kernel_modules($1) allow $1 modules_object_t:system module_load; ') ######################################## ## ## Mmap kernel module files. ## ## ## ## Domain allowed access. ## ## # interface(`files_map_kernel_modules',` gen_require(` type modules_object_t; ') allow $1 modules_object_t:file map; ') ######################################## ## ## Create, read, write, and delete symbolic links in /mnt. ## ## ## ## Domain allowed access. ## ## # interface(`files_manage_mnt_symlinks',` gen_require(` type mnt_t; ') manage_lnk_files_pattern($1, mnt_t, mnt_t) ') ######################################## ## ## Search the contents of the kernel module directories. ## ## ## ## Domain allowed access. ## ## # interface(`files_search_kernel_modules',` gen_require(` type modules_object_t; ') allow $1 modules_object_t:dir search_dir_perms; read_lnk_files_pattern($1, modules_object_t, modules_object_t) ') ######################################## ## ## List the contents of the kernel module directories. ## ## ## ## Domain allowed access. ## ## # interface(`files_list_kernel_modules',` gen_require(` type modules_object_t; ') allow $1 modules_object_t:dir list_dir_perms; ') ######################################## ## ## Get the attributes of kernel module files. ## ## ## ## Domain allowed access. ## ## # interface(`files_getattr_kernel_modules',` gen_require(` type modules_object_t; ') getattr_files_pattern($1, modules_object_t, modules_object_t) ') ######################################## ## ## Read kernel module files. ## ## ## ## Domain allowed access. ## ## # interface(`files_read_kernel_modules',` gen_require(` type modules_object_t; ') allow $1 modules_object_t:dir list_dir_perms; read_files_pattern($1, modules_object_t, modules_object_t) read_lnk_files_pattern($1, modules_object_t, modules_object_t) ') ######################################## ## ## Write kernel module files. ## ## ## ## Domain allowed access. ## ## # interface(`files_write_kernel_modules',` gen_require(` type modules_object_t; ') allow $1 modules_object_t:dir list_dir_perms; write_files_pattern($1, modules_object_t, modules_object_t) ') ######################################## ## ## Delete kernel module files. ## ## ## ## Domain allowed access. ## ## # interface(`files_delete_kernel_modules',` gen_require(` type modules_object_t; ') delete_files_pattern($1, modules_object_t, modules_object_t) ') ######################################## ## ## Create, read, write, and delete ## kernel module files. ## ## ## ## Domain allowed access. ## ## ## # interface(`files_manage_kernel_modules',` gen_require(` type modules_object_t; ') manage_files_pattern($1, modules_object_t, modules_object_t) ') ######################################## ## ## Relabel from and to kernel module files. ## ## ## ## Domain allowed access. ## ## # interface(`files_relabel_kernel_modules',` gen_require(` type modules_object_t; ') relabel_files_pattern($1, modules_object_t, modules_object_t) allow $1 modules_object_t:dir list_dir_perms; ') ######################################## ## ## Create objects in the kernel module directories ## with a private type via an automatic type transition. ## ## ## ## Domain allowed access. ## ## ## ## ## The type of the object to be created. ## ## ## ## ## The object class of the object being created. ## ## ## ## ## The name of the object being created. ## ## # interface(`files_kernel_modules_filetrans',` gen_require(` type modules_object_t; ') filetrans_pattern($1, modules_object_t, $2, $3, $4) ') ######################################## ## ## List world-readable directories. ## ## ## ## Domain allowed access. ## ## ## # interface(`files_list_world_readable',` gen_require(` type readable_t; ') allow $1 readable_t:dir list_dir_perms; ') ######################################## ## ## Read world-readable files. ## ## ## ## Domain allowed access. ## ## ## # interface(`files_read_world_readable_files',` gen_require(` type readable_t; ') allow $1 readable_t:file read_file_perms; ') ######################################## ## ## Read world-readable symbolic links. ## ## ## ## Domain allowed access. ## ## ## # interface(`files_read_world_readable_symlinks',` gen_require(` type readable_t; ') allow $1 readable_t:lnk_file read_lnk_file_perms; ') ######################################## ## ## Read world-readable named pipes. ## ## ## ## Domain allowed access. ## ## # interface(`files_read_world_readable_pipes',` gen_require(` type readable_t; ') allow $1 readable_t:fifo_file read_fifo_file_perms; ') ######################################## ## ## Read world-readable sockets. ## ## ## ## Domain allowed access. ## ## # interface(`files_read_world_readable_sockets',` gen_require(` type readable_t; ') allow $1 readable_t:sock_file read_sock_file_perms; ') ####################################### ## ## Read manageable system configuration files in /etc ## ## ## ## Domain allowed access. ## ## # interface(`files_read_system_conf_files',` gen_require(` type etc_t, system_conf_t; ') allow $1 etc_t:dir list_dir_perms; read_files_pattern($1, etc_t, system_conf_t) read_lnk_files_pattern($1, etc_t, system_conf_t) ') ####################################### ## ## Watch manageable system configuration dirs in /etc ## ## ## ## Domain allowed access. ## ## # interface(`files_watch_system_conf_dirs',` gen_require(` type etc_t, system_conf_t; ') files_search_etc($1) watch_dirs_pattern($1, system_conf_t, system_conf_t) ') ###################################### ## ## Manage manageable system configuration files in /etc. ## ## ## ## Domain allowed access. ## ## # interface(`files_manage_system_conf_files',` gen_require(` type etc_t, system_conf_t; ') manage_files_pattern($1, { etc_t system_conf_t }, system_conf_t) files_filetrans_system_conf_named_files($1) ') ##################################### ## ## File name transition for system configuration files in /etc. ## ## ## ## Domain allowed access. ## ## # interface(`files_filetrans_system_conf_named_files',` gen_require(` type etc_t, system_conf_t, usr_t; ') filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf") filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf.old") filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables") filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables.old") filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables-config") filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables-config.old") filetrans_pattern($1, etc_t, system_conf_t, file, "iptables") filetrans_pattern($1, etc_t, system_conf_t, file, "iptables.old") filetrans_pattern($1, etc_t, system_conf_t, file, "iptables.save") filetrans_pattern($1, etc_t, system_conf_t, file, "iptables-config") filetrans_pattern($1, etc_t, system_conf_t, file, "iptables-config.old") filetrans_pattern($1, etc_t, system_conf_t, file, "ip6tables") filetrans_pattern($1, etc_t, system_conf_t, file, "ip6tables.old") filetrans_pattern($1, etc_t, system_conf_t, file, "ip6tables-config") filetrans_pattern($1, etc_t, system_conf_t, file, "ip6tables-config.old") filetrans_pattern($1, etc_t, system_conf_t, file, "redhat.repo") filetrans_pattern($1, etc_t, system_conf_t, file, "system-config-firewall") filetrans_pattern($1, etc_t, system_conf_t, file, "system-config-firewall.old") filetrans_pattern($1, etc_t, system_conf_t, dir, "yum.repos.d") filetrans_pattern($1, etc_t, system_conf_t, dir, "remotes.d") filetrans_pattern($1, usr_t, system_conf_t, dir, "repo") ') ###################################### ## ## Relabel manageable system configuration files in /etc. ## ## ## ## Domain allowed access. ## ## # interface(`files_relabelto_system_conf_files',` gen_require(` type usr_t; ') relabelto_files_pattern($1, system_conf_t, system_conf_t) ') ###################################### ## ## Relabel manageable system configuration files in /etc. ## ## ## ## Domain allowed access. ## ## # interface(`files_relabelfrom_system_conf_files',` gen_require(` type usr_t; ') relabelfrom_files_pattern($1, system_conf_t, system_conf_t) ') ################################### ## ## Create files in /etc with the type used for ## the manageable system config files. ## ## ## ## The type of the process performing this action. ## ## # interface(`files_etc_filetrans_system_conf',` gen_require(` type etc_t, system_conf_t; ') filetrans_pattern($1, etc_t, system_conf_t, file) ') ###################################### ## ## Manage manageable system db files in /var/lib. ## ## ## ## Domain allowed access. ## ## # interface(`files_manage_system_db_files',` gen_require(` type var_lib_t, system_db_t; ') manage_files_pattern($1, { var_lib_t system_db_t }, system_db_t) files_filetrans_system_db_named_files($1) ') ###################################### ## ## Watch manageable system db dirs. ## ## ## ## Domain allowed access. ## ## # interface(`files_watch_system_db_dirs',` gen_require(` type system_db_t; ') allow $1 system_db_t:dir watch_dir_perms; ') ###################################### ## ## Watch manageable system db files in /var/db. ## ## ## ## Domain allowed access. ## ## # interface(`files_watch_system_db_files',` gen_require(` type system_db_t; ') allow $1 system_db_t:file watch_file_perms; ') ###################################### ## ## Map manageable system db files in /var/lib. ## ## ## ## Domain allowed access. ## ## # interface(`files_map_system_db_files',` gen_require(` type system_db_t; ') allow $1 system_db_t:file map; ') ##################################### ## ## File name transition for system db files in /var/lib. ## ## ## ## Domain allowed access. ## ## # interface(`files_filetrans_system_db_named_files',` gen_require(` type var_lib_t, system_db_t; ') filetrans_pattern($1, var_lib_t, system_db_t, file, "servicelog.db") filetrans_pattern($1, var_lib_t, system_db_t, file, "servicelog.db-journal") ') ##################################### ## ## File name transition for tmp files in /. ## ## ## ## Domain allowed access. ## ## # interface(`files_filetrans_tmp_named_files',` gen_require(` type tmp_t; ') files_root_filetrans($1, tmp_t, dir, "tmp-inst") ') ######################################## ## ## Allow the specified type to associate ## to a filesystem with the type of the ## temporary directory (/tmp). ## ## ## ## Type of the file to associate. ## ## # interface(`files_associate_tmp',` gen_require(` type tmp_t; ') allow $1 tmp_t:filesystem associate; ') ######################################## ## ## Allow the specified type to associate ## to a filesystem with the type of the ## / file system ## ## ## ## Type of the file to associate. ## ## # interface(`files_associate_rootfs',` gen_require(` type root_t; ') allow $1 root_t:filesystem associate; ') ######################################## ## ## Get the attributes of the tmp directory (/tmp). ## ## ## ## Domain allowed access. ## ## # interface(`files_getattr_tmp_dirs',` gen_require(` type tmp_t; ') read_lnk_files_pattern($1, tmp_t, tmp_t) allow $1 tmp_t:dir getattr; ') ######################################## ## ## Do not audit attempts to check the ## access on tmp files ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_access_check_tmp',` gen_require(` type etc_t; ') dontaudit $1 tmp_t:dir_file_class_set audit_access; ') ######################################## ## ## Do not audit attempts to get the ## attributes of the tmp directory (/tmp). ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_getattr_tmp_dirs',` gen_require(` type tmp_t; ') dontaudit $1 tmp_t:dir getattr; ') ######################################## ## ## Search the tmp directory (/tmp). ## ## ## ## Domain allowed access. ## ## # interface(`files_search_tmp',` gen_require(` type tmp_t; ') fs_search_tmpfs($1) read_lnk_files_pattern($1, tmp_t, tmp_t) allow $1 tmp_t:dir search_dir_perms; ') ######################################## ## ## Do not audit attempts to search the tmp directory (/tmp). ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_search_tmp',` gen_require(` type tmp_t; ') dontaudit $1 tmp_t:dir search_dir_perms; ') ######################################## ## ## Read the tmp directory (/tmp). ## ## ## ## Domain allowed access. ## ## # interface(`files_list_tmp',` gen_require(` type tmp_t; ') read_lnk_files_pattern($1, tmp_t, tmp_t) allow $1 tmp_t:dir list_dir_perms; ') ######################################## ## ## Do not audit listing of the tmp directory (/tmp). ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_list_tmp',` gen_require(` type tmp_t; ') dontaudit $1 tmp_t:dir list_dir_perms; ') ####################################### ## ## Allow read and write to the tmp directory (/tmp). ## ## ## ## Domain not to audit. ## ## # interface(`files_rw_generic_tmp_dir',` gen_require(` type tmp_t; ') files_search_tmp($1) allow $1 tmp_t:dir rw_dir_perms; ') ######################################## ## ## Delete generic tmp files. ## ## ## ## Domain allowed access. ## ## # interface(`files_delete_tmp_files',` gen_require(` type tmp_t; ') delete_files_pattern($1, tmp_t, tmp_t) ') ######################################## ## ## Delete generic tmp sock files. ## ## ## ## Domain allowed access. ## ## # interface(`files_delete_tmp_sockets',` gen_require(` type tmp_t; ') delete_sock_files_pattern($1, tmp_t, tmp_t) ') ######################################## ## ## Delete generic tmp named pipes ## ## ## ## Domain allowed access. ## ## # interface(`files_delete_tmp_pipes',` gen_require(` type tmp_t; ') delete_fifo_files_pattern($1, tmp_t, tmp_t) ') ######################################## ## ## Remove entries from the tmp directory. ## ## ## ## Domain allowed access. ## ## # interface(`files_delete_tmp_dir_entry',` gen_require(` type tmp_t; ') files_search_tmp($1) allow $1 tmp_t:dir del_entry_dir_perms; ') ######################################## ## ## Read files in the tmp directory (/tmp). ## ## ## ## Domain allowed access. ## ## # interface(`files_read_generic_tmp_files',` gen_require(` type tmp_t; ') read_files_pattern($1, tmp_t, tmp_t) ') ######################################## ## ## Write socket files in the tmp directory (/tmp). ## ## ## ## Domain allowed access. ## ## # interface(`files_write_generic_tmp_sock_files',` gen_require(` type tmp_t; ') write_sock_files_pattern($1, tmp_t, tmp_t) ') ######################################## ## ## Manage temporary directories in /tmp. ## ## ## ## Domain allowed access. ## ## # interface(`files_manage_generic_tmp_dirs',` gen_require(` type tmp_t; ') manage_dirs_pattern($1, tmp_t, tmp_t) ') ########################################## ## ## Watch generic directories in /tmp ## ## ## ## Domain allowed access ## ## # interface(`files_watch_generic_tmp_dirs',` gen_require(` type tmp_t; ') allow $1 tmp_t:dir watch_dir_perms; ') ########################################## ## ## Watch_mount generic directories in /tmp ## ## ## ## Domain allowed access ## ## # interface(`files_watch_mount_generic_tmp_dirs',` gen_require(` type tmp_t; ') allow $1 tmp_t:dir watch_mount_dir_perms; ') ########################################## ## ## Watch_with_perm generic directories in /tmp ## ## ## ## Domain allowed access ## ## # interface(`files_watch_with_perm_generic_tmp_dirs',` gen_require(` type tmp_t; ') allow $1 tmp_t:dir watch_with_perm_dir_perms; ') ######################################## ## ## Allow shared library text relocations in tmp files. ## ## ##

## Allow shared library text relocations in tmp files. ##

##

## This is added to support java policy. ##

##
## ## ## Domain allowed access. ## ## # interface(`files_execmod_tmp',` gen_require(` attribute tmpfile; ') allow $1 tmpfile:file execmod; ') ######################################## ## ## Manage temporary files and directories in /tmp. ## ## ## ## Domain allowed access. ## ## # interface(`files_manage_generic_tmp_files',` gen_require(` type tmp_t; ') manage_files_pattern($1, tmp_t, tmp_t) ') ####################################### ## ## Mmap temporary files ## ## ## ## Domain allowed access. ## ## ## # interface(`files_map_generic_tmp_files',` gen_require(` type tmp_t; ') allow $1 tmp_t:file map; ') ######################################## ## ## Read symbolic links in the tmp directory (/tmp). ## ## ## ## Domain allowed access. ## ## # interface(`files_read_generic_tmp_symlinks',` gen_require(` type tmp_t; ') read_lnk_files_pattern($1, tmp_t, tmp_t) ') ######################################## ## ## Read and write generic named sockets in the tmp directory (/tmp). ## ## ## ## Domain allowed access. ## ## # interface(`files_rw_generic_tmp_sockets',` gen_require(` type tmp_t; ') rw_sock_files_pattern($1, tmp_t, tmp_t) ') ######################################## ## ## Relabel a dir from the type used in /tmp. ## ## ## ## Domain allowed access. ## ## # interface(`files_relabelfrom_tmp_dirs',` gen_require(` type tmp_t; ') relabelfrom_dirs_pattern($1, tmp_t, tmp_t) ') ######################################## ## ## Relabel a file from the type used in /tmp. ## ## ## ## Domain allowed access. ## ## # interface(`files_relabelfrom_tmp_files',` gen_require(` type tmp_t; ') relabelfrom_files_pattern($1, tmp_t, tmp_t) ') ######################################## ## ## Set the attributes of all tmp directories. ## ## ## ## Domain allowed access. ## ## # interface(`files_setattr_all_tmp_dirs',` gen_require(` attribute tmpfile; ') allow $1 tmpfile:dir { search_dir_perms setattr }; ') ######################################## ## ## Allow caller to read inherited tmp files. ## ## ## ## Domain allowed access. ## ## # interface(`files_read_inherited_tmp_files',` gen_require(` attribute tmpfile; ') allow $1 tmpfile:file { append read_inherited_file_perms }; ') ######################################## ## ## Allow caller to append inherited tmp files. ## ## ## ## Domain allowed access. ## ## # interface(`files_append_inherited_tmp_files',` gen_require(` attribute tmpfile; ') allow $1 tmpfile:file append_inherited_file_perms; ') ######################################## ## ## Allow caller to read and write inherited tmp files. ## ## ## ## Domain allowed access. ## ## # interface(`files_rw_inherited_tmp_file',` gen_require(` attribute tmpfile; ') allow $1 tmpfile:file rw_inherited_file_perms; ') ######################################## ## ## List all tmp directories. ## ## ## ## Domain allowed access. ## ## # interface(`files_list_all_tmp',` gen_require(` attribute tmpfile; ') allow $1 tmpfile:dir list_dir_perms; ') ######################################## ## ## Relabel to and from all temporary ## directory types. ## ## ## ## Domain allowed access. ## ## ## # interface(`files_relabel_all_tmp_dirs',` gen_require(` attribute tmpfile; type var_t; ') allow $1 var_t:dir search_dir_perms; relabel_dirs_pattern($1, tmpfile, tmpfile) ') ######################################## ## ## Do not audit attempts to get the attributes ## of all tmp files. ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_getattr_all_tmp_files',` gen_require(` attribute tmpfile; ') dontaudit $1 tmpfile:file getattr; ') ######################################## ## ## Allow attempts to get the attributes ## of all tmp files. ## ## ## ## Domain allowed access. ## ## # interface(`files_getattr_all_tmp_files',` gen_require(` attribute tmpfile; ') allow $1 tmpfile:file getattr; ') ######################################## ## ## Relabel to and from all temporary ## file types. ## ## ## ## Domain allowed access. ## ## ## # interface(`files_relabel_all_tmp_files',` gen_require(` attribute tmpfile; type var_t; ') allow $1 var_t:dir search_dir_perms; relabel_files_pattern($1, tmpfile, tmpfile) ') ######################################## ## ## Do not audit attempts to get the attributes ## of all tmp sock_file. ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_getattr_all_tmp_sockets',` gen_require(` attribute tmpfile; ') dontaudit $1 tmpfile:sock_file getattr; ') ######################################## ## ## Read all tmp files. ## ## ## ## Domain allowed access. ## ## # interface(`files_read_all_tmp_files',` gen_require(` attribute tmpfile; ') read_files_pattern($1, tmpfile, tmpfile) ') ######################################## ## ## Do not audit attempts to read or write ## all leaked tmpfiles files. ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_tmp_file_leaks',` gen_require(` attribute tmpfile; ') dontaudit $1 tmpfile:file rw_inherited_file_perms; ') ######################################## ## ## Do allow attempts to read or write ## all leaked tmpfiles files. ## ## ## ## Domain to not audit. ## ## # interface(`files_rw_tmp_file_leaks',` gen_require(` attribute tmpfile; ') allow $1 tmpfile:file rw_inherited_file_perms; ') ######################################## ## ## Create an object in the tmp directories, with a private ## type using a type transition. ## ## ## ## Domain allowed access. ## ## ## ## ## The type of the object to be created. ## ## ## ## ## The object class of the object being created. ## ## ## ## ## The name of the object being created. ## ## # interface(`files_tmp_filetrans',` gen_require(` type tmp_t; ') filetrans_pattern($1, tmp_t, $2, $3, $4) ') ######################################## ## ## Delete the contents of /tmp. ## ## ## ## Domain allowed access. ## ## # interface(`files_purge_tmp',` gen_require(` attribute tmpfile; ') allow $1 tmpfile:dir list_dir_perms; delete_dirs_pattern($1, tmpfile, tmpfile) delete_files_pattern($1, tmpfile, tmpfile) delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) delete_chr_files_pattern($1, tmpfile, tmpfile) delete_blk_files_pattern($1, tmpfile, tmpfile) files_list_isid_type_dirs($1) files_delete_isid_type_dirs($1) files_delete_isid_type_files($1) files_delete_isid_type_symlinks($1) files_delete_isid_type_fifo_files($1) files_delete_isid_type_sock_files($1) files_delete_isid_type_blk_files($1) files_delete_isid_type_chr_files($1) ') ######################################## ## ## Set the attributes of the /usr directory. ## ## ## ## Domain allowed access. ## ## # interface(`files_setattr_usr_dirs',` gen_require(` type usr_t; ') allow $1 usr_t:dir setattr; ') ######################################## ## ## Search the content of /usr. ## ## ## ## Domain allowed access. ## ## # interface(`files_search_usr',` gen_require(` type usr_t; ') allow $1 usr_t:dir search_dir_perms; ') ######################################## ## ## List the contents of generic ## directories in /usr. ## ## ## ## Domain allowed access. ## ## # interface(`files_list_usr',` gen_require(` type usr_t; ') allow $1 usr_t:dir list_dir_perms; ') ######################################## ## ## Do not audit write of /usr dirs ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_write_usr_dirs',` gen_require(` type usr_t; ') dontaudit $1 usr_t:dir write; ') ######################################## ## ## Add and remove entries from /usr directories. ## ## ## ## Domain allowed access. ## ## # interface(`files_rw_usr_dirs',` gen_require(` type usr_t; ') allow $1 usr_t:dir rw_dir_perms; ') ######################################## ## ## Do not audit attempts to add and remove ## entries from /usr directories. ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_rw_usr_dirs',` gen_require(` type usr_t; ') dontaudit $1 usr_t:dir rw_dir_perms; ') ######################################## ## ## Delete generic directories in /usr in the caller domain. ## ## ## ## Domain allowed access. ## ## # interface(`files_delete_usr_dirs',` gen_require(` type usr_t; ') delete_dirs_pattern($1, usr_t, usr_t) ') ######################################## ## ## Manage generic directories in /usr in the caller domain. ## ## ## ## Domain allowed access. ## ## # interface(`files_manage_usr_dirs',` gen_require(` type usr_t; ') manage_dirs_pattern($1, usr_t, usr_t) ') ######################################## ## ## Delete generic files in /usr in the caller domain. ## ## ## ## Domain allowed access. ## ## # interface(`files_delete_usr_files',` gen_require(` type usr_t; ') delete_files_pattern($1, usr_t, usr_t) ') ######################################## ## ## Map files in /usr in the caller domain. ## ## ## ## Domain allowed access. ## ## # interface(`files_mmap_usr_files',` gen_require(` type usr_t; ') allow $1 usr_t:file map; ') ######################################## ## ## Get the attributes of files in /usr. ## ## ## ## Domain allowed access. ## ## # interface(`files_getattr_usr_files',` gen_require(` type usr_t; ') getattr_files_pattern($1, usr_t, usr_t) ') ######################################## ## ## Read generic files in /usr. ## ## ##

## Allow the specified domain to read generic ## files in /usr. These files are various program ## files that do not have more specific SELinux types. ## Some examples of these files are: ##

##
    ##
  • /usr/include/*
  • ##
  • /usr/share/doc/*
  • ##
  • /usr/share/info/*
  • ##
##

## Generally, it is safe for many domains to have ## this access. ##

##
## ## ## Domain allowed access. ## ## ## # interface(`files_read_usr_files',` gen_require(` type usr_t; ') allow $1 usr_t:dir list_dir_perms; read_files_pattern($1, usr_t, usr_t) read_lnk_files_pattern($1, usr_t, usr_t) ') ######################################## ## ## Execute generic programs in /usr in the caller domain. ## ## ## ## Domain allowed access. ## ## # interface(`files_exec_usr_files',` gen_require(` type usr_t; ') allow $1 usr_t:dir list_dir_perms; exec_files_pattern($1, usr_t, usr_t) read_lnk_files_pattern($1, usr_t, usr_t) ') ######################################## ## ## dontaudit write of /usr files ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_write_usr_files',` gen_require(` type usr_t; ') dontaudit $1 usr_t:file write; ') ######################################## ## ## Create, read, write, and delete files in the /usr directory. ## ## ## ## Domain allowed access. ## ## # interface(`files_manage_usr_files',` gen_require(` type usr_t; ') manage_files_pattern($1, usr_t, usr_t) ') ######################################## ## ## Relabel a file to the type used in /usr. ## ## ## ## Domain allowed access. ## ## # interface(`files_relabelto_usr_files',` gen_require(` type usr_t; ') relabelto_files_pattern($1, usr_t, usr_t) ') ######################################## ## ## Relabel a file from the type used in /usr. ## ## ## ## Domain allowed access. ## ## # interface(`files_relabelfrom_usr_files',` gen_require(` type usr_t; ') relabelfrom_files_pattern($1, usr_t, usr_t) ') ######################################## ## ## Read symbolic links in /usr. ## ## ## ## Domain allowed access. ## ## # interface(`files_read_usr_symlinks',` gen_require(` type usr_t; ') read_lnk_files_pattern($1, usr_t, usr_t) ') ######################################## ## ## Create objects in the /usr directory ## ## ## ## Domain allowed access. ## ## ## ## ## The type of the object to be created ## ## ## ## ## The object class. ## ## ## ## ## The name of the object being created. ## ## # interface(`files_usr_filetrans',` gen_require(` type usr_t; ') filetrans_pattern($1, usr_t, $2, $3, $4) ') ######################################## ## ## Do not audit attempts to search /usr/src. ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_search_src',` gen_require(` type src_t; ') dontaudit $1 src_t:dir search_dir_perms; ') ######################################## ## ## Get the attributes of files in /usr/src. ## ## ## ## Domain allowed access. ## ## # interface(`files_getattr_usr_src_files',` gen_require(` type usr_t, src_t; ') getattr_files_pattern($1, src_t, src_t) # /usr/src/linux symlink: read_lnk_files_pattern($1, usr_t, src_t) ') ######################################## ## ## Read files in /usr/src. ## ## ## ## Domain allowed access. ## ## # interface(`files_read_usr_src_files',` gen_require(` type usr_t, src_t; ') allow $1 usr_t:dir search_dir_perms; read_files_pattern($1, { usr_t src_t }, src_t) read_lnk_files_pattern($1, { usr_t src_t }, src_t) allow $1 src_t:dir list_dir_perms; ') ######################################## ## ## Execute programs in /usr/src in the caller domain. ## ## ## ## Domain allowed access. ## ## # interface(`files_exec_usr_src_files',` gen_require(` type usr_t, src_t; ') list_dirs_pattern($1, usr_t, src_t) exec_files_pattern($1, src_t, src_t) read_lnk_files_pattern($1, src_t, src_t) ') ######################################## ## ## Watch generic directories in /usr. ## ## ## ## Domain allowed access. ## ## # interface(`files_watch_usr_dirs',` gen_require(` type usr_t; ') allow $1 usr_t:dir watch_dir_perms; ') ######################################## ## ## Watch generic files in /usr. ## ## ## ## Domain allowed access. ## ## # interface(`files_watch_usr_files',` gen_require(` type usr_t; ') allow $1 usr_t:file watch_file_perms; ') ######################################## ## ## Watch generic lnk_files in /usr. ## ## ## ## Domain allowed access. ## ## # interface(`files_watch_usr_lnk_files',` gen_require(` type usr_t; ') allow $1 usr_t:lnk_file watch_lnk_file_perms; ') ######################################## ## ## Install a system.map into the /boot directory. ## ## ## ## Domain allowed access. ## ## # interface(`files_create_kernel_symbol_table',` gen_require(` type boot_t, system_map_t; ') allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms }; allow $1 system_map_t:file { create_file_perms rw_file_perms }; ') ######################################## ## ## Dontaudit getattr attempts on the system.map file ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_getattr_kernel_symbol_table',` gen_require(` type system_map_t; ') dontaudit $1 system_map_t:file getattr; ') ######################################## ## ## Read system.map in the /boot directory. ## ## ## ## Domain allowed access. ## ## # interface(`files_read_kernel_symbol_table',` gen_require(` type boot_t, system_map_t; ') allow $1 boot_t:dir list_dir_perms; read_files_pattern($1, boot_t, system_map_t) ') ######################################## ## ## Delete a system.map in the /boot directory. ## ## ## ## Domain allowed access. ## ## # interface(`files_delete_kernel_symbol_table',` gen_require(` type boot_t, system_map_t; ') allow $1 boot_t:dir list_dir_perms; delete_files_pattern($1, boot_t, system_map_t) ') ######################################## ## ## Mounton system_map directory. ## ## ## ## Domain allowed access. ## ## # interface(`files_mounton_kernel_symbol_table',` gen_require(` type system_map_t; ') allow $1 system_map_t:dir { mounton getattr }; allow $1 system_map_t:file { mounton getattr }; ') ######################################## ## ## Search the contents of /var. ## ## ## ## Domain allowed access. ## ## # interface(`files_search_var',` gen_require(` type var_t; ') allow $1 var_t:dir search_dir_perms; ') ######################################## ## ## Do not audit attempts to write to /var. ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_write_var_dirs',` gen_require(` type var_t; ') dontaudit $1 var_t:dir write; ') ######################################## ## ## Allow attempts to write to /var.dirs ## ## ## ## Domain allowed access. ## ## # interface(`files_write_var_dirs',` gen_require(` type var_t; ') allow $1 var_t:dir write; ') ######################################## ## ## Set the attributes of the /var directory. ## ## ## ## Domain allowed access. ## ## # interface(`files_setattr_var_dirs',` gen_require(` type usr_t; ') allow $1 var_t:dir setattr; ') ######################################## ## ## Do not audit attempts to search ## the contents of /var. ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_search_var',` gen_require(` type var_t; ') dontaudit $1 var_t:dir search_dir_perms; ') ######################################## ## ## List the contents of /var. ## ## ## ## Domain allowed access. ## ## # interface(`files_list_var',` gen_require(` type var_t; ') allow $1 var_t:dir list_dir_perms; ') ######################################## ## ## Do not audit listing of the var directory (/var). ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_list_var',` gen_require(` type var_t; ') dontaudit $1 var_t:dir list_dir_perms; ') ######################################## ## ## Create directories ## in the /var directory. ## ## ## ## Domain allowed access. ## ## # interface(`files_create_var_dirs',` gen_require(` type var_t; ') allow $1 var_t:dir create_dir_perms; ') ######################################## ## ## Create, read, write, and delete directories ## in the /var directory. ## ## ## ## Domain allowed access. ## ## # interface(`files_manage_var_dirs',` gen_require(` type var_t; ') allow $1 var_t:dir manage_dir_perms; ') ######################################## ## ## Watch generic directories in /var. ## ## ## ## Domain allowed access. ## ## # interface(`files_watch_var_dirs',` gen_require(` type var_t; ') watch_dirs_pattern($1, var_t, var_t) ') ######################################## ## ## Read files in the /var directory. ## ## ## ## Domain allowed access. ## ## # interface(`files_read_var_files',` gen_require(` type var_t; ') read_files_pattern($1, var_t, var_t) ') ######################################## ## ## Append files in the /var directory. ## ## ## ## Domain allowed access. ## ## # interface(`files_append_var_files',` gen_require(` type var_t; ') append_files_pattern($1, var_t, var_t) ') ######################################## ## ## Read and write files in the /var directory. ## ## ## ## Domain allowed access. ## ## # interface(`files_rw_var_files',` gen_require(` type var_t; ') rw_files_pattern($1, var_t, var_t) ') ######################################## ## ## Do not audit attempts to read and write ## files in the /var directory. ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_rw_var_files',` gen_require(` type var_t; ') dontaudit $1 var_t:file rw_inherited_file_perms; ') ######################################## ## ## Create, read, write, and delete files in the /var directory. ## ## ## ## Domain allowed access. ## ## # interface(`files_manage_var_files',` gen_require(` type var_t; ') manage_files_pattern($1, var_t, var_t) ') ######################################## ## ## Read symbolic links in the /var directory. ## ## ## ## Domain allowed access. ## ## # interface(`files_read_var_symlinks',` gen_require(` type var_t; ') read_lnk_files_pattern($1, var_t, var_t) ') ######################################## ## ## Create, read, write, and delete symbolic ## links in the /var directory. ## ## ## ## Domain allowed access. ## ## # interface(`files_manage_var_symlinks',` gen_require(` type var_t; ') manage_lnk_files_pattern($1, var_t, var_t) ') ######################################## ## ## Create objects in the /var directory ## ## ## ## Domain allowed access. ## ## ## ## ## The type of the object to be created ## ## ## ## ## The object class. ## ## ## ## ## The name of the object being created. ## ## # interface(`files_var_filetrans',` gen_require(` type var_t; ') filetrans_pattern($1, var_t, $2, $3, $4) ') ######################################## ## ## Relabel dirs in the /var directory. ## ## ## ## Domain allowed access. ## ## # interface(`files_relabel_var_dirs',` gen_require(` type var_t; ') allow $1 var_t:dir relabel_dir_perms; ') ######################################## ## ## Get the attributes of the /var/lib directory. ## ## ## ## Domain allowed access. ## ## # interface(`files_getattr_var_lib_dirs',` gen_require(` type var_t, var_lib_t; ') getattr_dirs_pattern($1, var_t, var_lib_t) ') ######################################## ## ## Search the /var/lib directory. ## ## ##

## Search the /var/lib directory. This is ## necessary to access files or directories under ## /var/lib that have a private type. For example, a ## domain accessing a private library file in the ## /var/lib directory: ##

##

## allow mydomain_t mylibfile_t:file read_file_perms; ## files_search_var_lib(mydomain_t) ##

##
## ## ## Domain allowed access. ## ## ## # interface(`files_search_var_lib',` gen_require(` type var_t, var_lib_t; ') search_dirs_pattern($1, var_t, var_lib_t) ') ######################################## ## ## Do not audit attempts to search the ## contents of /var/lib. ## ## ## ## Domain to not audit. ## ## ## # interface(`files_dontaudit_search_var_lib',` gen_require(` type var_lib_t; ') dontaudit $1 var_lib_t:dir search_dir_perms; ') ######################################## ## ## List the contents of the /var/lib directory. ## ## ## ## Domain allowed access. ## ## # interface(`files_list_var_lib',` gen_require(` type var_t, var_lib_t; ') list_dirs_pattern($1, var_t, var_lib_t) ') ########################################### ## ## Read-write /var/lib directories ## ## ## ## Domain allowed access. ## ## # interface(`files_rw_var_lib_dirs',` gen_require(` type var_lib_t; ') rw_dirs_pattern($1, var_lib_t, var_lib_t) ') ########################################### ## ## Map /var/lib directories ## ## ## ## Domain allowed access. ## ## # interface(`files_map_var_lib_files',` gen_require(` type var_lib_t; ') allow $1 var_lib_t:file map; ') ######################################## ## ## Create directories in /var/lib ## ## ## ## Domain allowed access. ## ## # interface(`files_create_var_lib_dirs',` gen_require(` type var_lib_t; ') allow $1 var_lib_t:dir { create rw_dir_perms setattr }; ') ######################################## ## ## Create symlinks in /var/lib ## ## ## ## Domain allowed access. ## ## # interface(`files_create_var_lib_symlinks',` gen_require(` type var_lib_t; ') allow $1 var_lib_t:lnk_file { create write }; ') ######################################## ## ## Create objects in the /var/lib directory ## ## ## ## Domain allowed access. ## ## ## ## ## The type of the object to be created ## ## ## ## ## The object class. ## ## ## ## ## The name of the object being created. ## ## # interface(`files_var_lib_filetrans',` gen_require(` type var_t, var_lib_t; ') allow $1 var_t:dir search_dir_perms; filetrans_pattern($1, var_lib_t, $2, $3, $4) ') ######################################## ## ## Read generic files in /var/lib. ## ## ## ## Domain allowed access. ## ## # interface(`files_read_var_lib_files',` gen_require(` type var_t, var_lib_t; ') allow $1 var_lib_t:dir list_dir_perms; read_files_pattern($1, { var_t var_lib_t }, var_lib_t) ') ######################################## ## ## Manage generic files in /var/lib. ## ## ## ## Domain allowed access. ## ## # interface(`files_manage_var_lib_files',` gen_require(` type var_lib_t; ') manage_files_pattern($1, var_lib_t, var_lib_t) ') ######################################## ## ## Read generic symbolic links in /var/lib ## ## ## ## Domain allowed access. ## ## # interface(`files_read_var_lib_symlinks',` gen_require(` type var_t, var_lib_t; ') read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) ') ######################################## ## ## manage generic symbolic links ## in the /var/lib directory. ## ## ## ## Domain allowed access. ## ## # interface(`files_manage_var_lib_symlinks',` gen_require(` type var_lib_t; ') manage_lnk_files_pattern($1,var_lib_t,var_lib_t) ') ######################################## ## ## Manage generic directories in /var/lib. ## ## ## ## Domain allowed access. ## ## # interface(`files_manage_var_lib_dirs',` gen_require(` type var_lib_t; ') manage_dirs_pattern($1, var_lib_t, var_lib_t) ') ######################################## ## ## Watch generic directories in /var/lib. ## ## ## ## Domain allowed access. ## ## # interface(`files_watch_var_lib_dirs',` gen_require(` type var_lib_t; ') watch_dirs_pattern($1, var_lib_t, var_lib_t) ') # cjp: the next two interfaces really need to be fixed # in some way. They really neeed their own types. ######################################## ## ## Create, read, write, and delete the ## pseudorandom number generator seed. ## ## ## ## Domain allowed access. ## ## # interface(`files_manage_urandom_seed',` gen_require(` type var_t, var_lib_t; ') allow $1 var_t:dir search_dir_perms; manage_files_pattern($1, var_lib_t, var_lib_t) ') ######################################## ## ## Relabel to dirs in the /var/lib directory. ## ## ## ## Domain allowed access. ## ## # interface(`files_relabelto_var_lib_dirs',` gen_require(` type var_lib_t; ') allow $1 var_lib_t:dir relabelto; ') ######################################## ## ## Relabel dirs in the /var/lib directory. ## ## ## ## Domain allowed access. ## ## # interface(`files_relabel_var_lib_dirs',` gen_require(` type var_lib_t; ') allow $1 var_lib_t:dir relabel_dir_perms; ') ######################################## ## ## Allow domain to manage mount tables ## necessary for rpcd, nfsd, etc. ## ## ## ## Domain allowed access. ## ## # interface(`files_manage_mounttab',` gen_require(` type var_t, var_lib_t; ') allow $1 var_t:dir search_dir_perms; manage_files_pattern($1, var_lib_t, var_lib_t) ') ######################################## ## ## List generic lock directories. ## ## ## ## Domain allowed access. ## ## # interface(`files_list_locks',` gen_require(` type var_t, var_lock_t; ') files_search_locks($1) list_dirs_pattern($1, var_t, var_lock_t) ') ######################################## ## ## Search the locks directory (/var/lock). ## ## ## ## Domain allowed access. ## ## # interface(`files_search_locks',` gen_require(` type var_t, var_lock_t; ') files_search_pids($1) allow $1 var_lock_t:lnk_file read_lnk_file_perms; search_dirs_pattern($1, var_t, var_lock_t) ') ######################################## ## ## Do not audit attempts to search the ## locks directory (/var/lock). ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_search_locks',` gen_require(` type var_lock_t; ') dontaudit $1 var_lock_t:lnk_file read_lnk_file_perms; dontaudit $1 var_lock_t:dir search_dir_perms; ') ######################################## ## ## Do not audit attempts to read/write inherited ## locks (/var/lock). ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_rw_inherited_locks',` gen_require(` type var_lock_t; ') dontaudit $1 var_lock_t:file rw_inherited_file_perms; ') ######################################## ## ## Set the attributes of the /var/lock directory. ## ## ## ## Domain allowed access. ## ## # interface(`files_setattr_lock_dirs',` gen_require(` type var_lock_t; ') allow $1 var_lock_t:dir setattr; ') ######################################## ## ## Add and remove entries in the /var/lock ## directories. ## ## ## ## Domain allowed access. ## ## # interface(`files_rw_lock_dirs',` gen_require(` type var_t, var_lock_t; ') files_search_locks($1) rw_dirs_pattern($1, var_t, var_lock_t) ') ######################################## ## ## Create lock directories ## ## ## ## Domain allowed access ## ## # interface(`files_create_lock_dirs',` gen_require(` type var_t, var_lock_t; ') allow $1 var_t:dir search_dir_perms; allow $1 var_lock_t:lnk_file read_lnk_file_perms; create_dirs_pattern($1, var_lock_t, var_lock_t) ') ######################################## ## ## Relabel to and from all lock directory types. ## ## ## ## Domain allowed access. ## ## # interface(`files_relabel_all_lock_dirs',` gen_require(` attribute lockfile; type var_t, var_lock_t; ') allow $1 var_t:dir search_dir_perms; allow $1 var_lock_t:lnk_file read_lnk_file_perms; relabel_dirs_pattern($1, lockfile, lockfile) ') ######################################## ## ## Relabel to and from all lock file types. ## ## ## ## Domain allowed access. ## ## # interface(`files_relabel_all_lock_files',` gen_require(` attribute lockfile; type var_t, var_lock_t; ') allow $1 var_t:dir search_dir_perms; allow $1 var_lock_t:lnk_file read_lnk_file_perms; relabel_files_pattern($1, lockfile, lockfile) ') ######################################## ## ## Get the attributes of generic lock files. ## ## ## ## Domain allowed access. ## ## # interface(`files_getattr_generic_locks',` gen_require(` type var_t, var_lock_t; ') files_search_locks($1) allow $1 var_lock_t:dir list_dir_perms; getattr_files_pattern($1, var_lock_t, var_lock_t) ') ######################################## ## ## Delete generic lock files. ## ## ## ## Domain allowed access. ## ## # interface(`files_delete_generic_locks',` gen_require(` type var_t, var_lock_t; ') files_search_locks($1) delete_files_pattern($1, var_lock_t, var_lock_t) ') ######################################## ## ## Create, read, write, and delete generic ## lock files. ## ## ## ## Domain allowed access. ## ## # interface(`files_manage_generic_locks',` gen_require(` type var_t, var_lock_t; ') files_search_locks($1) manage_files_pattern($1, var_lock_t, var_lock_t) ') ######################################## ## ## Delete all lock files. ## ## ## ## Domain allowed access. ## ## ## # interface(`files_delete_all_locks',` gen_require(` attribute lockfile; type var_t, var_lock_t; ') allow $1 var_t:dir search_dir_perms; allow $1 var_lock_t:lnk_file read_lnk_file_perms; delete_files_pattern($1, lockfile, lockfile) ') ######################################## ## ## Read all lock files. ## ## ## ## Domain allowed access. ## ## # interface(`files_read_all_locks',` gen_require(` attribute lockfile; type var_t, var_lock_t; ') files_search_locks($1) allow $1 lockfile:dir list_dir_perms; read_files_pattern($1, lockfile, lockfile) read_lnk_files_pattern($1, lockfile, lockfile) ') ######################################## ## ## manage all lock files. ## ## ## ## Domain allowed access. ## ## # interface(`files_manage_all_locks',` gen_require(` attribute lockfile; type var_t, var_lock_t; ') files_search_locks($1) manage_dirs_pattern($1, lockfile, lockfile) manage_files_pattern($1, lockfile, lockfile) manage_lnk_files_pattern($1, lockfile, lockfile) ') ######################################## ## ## Create an object in the locks directory, with a private ## type using a type transition. ## ## ## ## Domain allowed access. ## ## ## ## ## The type of the object to be created. ## ## ## ## ## The object class of the object being created. ## ## ## ## ## The name of the object being created. ## ## # interface(`files_lock_filetrans',` gen_require(` type var_t, var_lock_t; ') files_search_locks($1) filetrans_pattern($1, var_lock_t, $2, $3, $4) ') ######################################## ## ## Do not audit attempts to get the attributes ## of the /var/run directory. ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_getattr_pid_dirs',` gen_require(` type var_run_t; ') dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; dontaudit $1 var_run_t:dir getattr; ') ######################################## ## ## Set the attributes of the /var/run directory. ## ## ## ## Domain allowed access. ## ## # interface(`files_setattr_pid_dirs',` gen_require(` type var_run_t; ') files_search_pids($1) allow $1 var_run_t:dir setattr; ') ######################################## ## ## Search the contents of runtime process ## ID directories (/var/run). ## ## ## ## Domain allowed access. ## ## # interface(`files_search_pids',` gen_require(` type var_t, var_run_t; ') allow $1 var_t:lnk_file read_lnk_file_perms; allow $1 var_run_t:lnk_file read_lnk_file_perms; search_dirs_pattern($1, var_t, var_run_t) ') ###################################### ## ## Add and remove entries from pid directories. ## ## ## ## Domain allowed access. ## ## # interface(`files_rw_pid_dirs',` gen_require(` type var_run_t; ') allow $1 var_run_t:dir rw_dir_perms; ') ####################################### ## ## Create generic pid directory. ## ## ## ## Domain allowed access. ## ## # interface(`files_create_var_run_dirs',` gen_require(` type var_t, var_run_t; ') allow $1 var_t:dir search_dir_perms; allow $1 var_run_t:dir create_dir_perms; ') ######################################## ## ## Do not audit attempts to search ## the /var/run directory. ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_search_pids',` gen_require(` type var_run_t; ') dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; dontaudit $1 var_run_t:dir search_dir_perms; ') ######################################## ## ## Do not audit attempts to search ## the all /var/run directory. ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_search_all_pids',` gen_require(` attribute pidfile; ') dontaudit $1 pidfile:dir search_dir_perms; ') ######################################## ## ## Allow search the all /var/run directory. ## ## ## ## Domain to not audit. ## ## # interface(`files_search_all_pids',` gen_require(` attribute pidfile; ') allow $1 pidfile:dir search_dir_perms; ') ####################################### ## ## Watch generic pid directory. ## ## ## ## Domain allowed access. ## ## # interface(`files_watch_var_run_dirs',` gen_require(` type var_run_t; ') allow $1 var_run_t:dir watch_dir_perms; ') ####################################### ## ## Watch generic pid directory and its parents. ## ## ## ## Domain allowed access. ## ## # interface(`files_watch_var_run_path',` gen_require(` type var_run_t; ') files_watch_root_dirs($1) files_watch_var_run_dirs($1) ') ######################################## ## ## List the contents of the runtime process ## ID directories (/var/run). ## ## ## ## Domain allowed access. ## ## # interface(`files_list_pids',` gen_require(` type var_t, var_run_t; ') files_search_pids($1) list_dirs_pattern($1, var_t, var_run_t) ') ######################################## ## ## Read generic process ID files. ## ## ## ## Domain allowed access. ## ## # interface(`files_read_generic_pids',` gen_require(` type var_t, var_run_t; ') files_search_pids($1) list_dirs_pattern($1, var_t, var_run_t) read_files_pattern($1, var_run_t, var_run_t) ') ######################################## ## ## Write named generic process ID pipes ## ## ## ## Domain allowed access. ## ## # interface(`files_write_generic_pid_pipes',` gen_require(` type var_run_t; ') files_search_pids($1) allow $1 var_run_t:fifo_file write; ') ######################################## ## ## Write named generic process ID sockets ## ## ## ## Domain allowed access. ## ## # interface(`files_write_generic_pid_sockets',` gen_require(` type var_run_t; ') files_search_pids($1) allow $1 var_run_t:sock_file write; ') ######################################## ## ## Create an object in the process ID directory, with a private type. ## ## ##

## Create an object in the process ID directory (e.g., /var/run) ## with a private type. Typically this is used for creating ## private PID files in /var/run with the private type instead ## of the general PID file type. To accomplish this goal, ## either the program must be SELinux-aware, or use this interface. ##

##

## Related interfaces: ##

##
    ##
  • files_pid_file()
  • ##
##

## Example usage with a domain that can create and ## write its PID file with a private PID file type in the ## /var/run directory: ##

##

## type mypidfile_t; ## files_pid_file(mypidfile_t) ## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms }; ## files_pid_filetrans(mydomain_t, mypidfile_t, file) ##

##
## ## ## Domain allowed access. ## ## ## ## ## The type of the object to be created. ## ## ## ## ## The object class of the object being created. ## ## ## ## ## The name of the object being created. ## ## ## # interface(`files_pid_filetrans',` gen_require(` type var_t, var_run_t; ') allow $1 var_t:dir search_dir_perms; filetrans_pattern($1, var_run_t, $2, $3, $4) ') ######################################## ## ## Create a generic lock directory within the run directories ## ## ## ## Domain allowed access ## ## ## ## ## The name of the object being created. ## ## # interface(`files_pid_filetrans_lock_dir',` gen_require(` type var_lock_t; ') files_pid_filetrans($1, var_lock_t, dir, $2) ') ######################################## ## ## rw generic pid files inherited from another process ## ## ## ## Domain allowed access. ## ## # interface(`files_rw_inherited_generic_pid_files',` gen_require(` type var_run_t; ') allow $1 var_run_t:file rw_inherited_file_perms; ') ######################################## ## ## Read and write generic process ID files. ## ## ## ## Domain allowed access. ## ## # interface(`files_rw_generic_pids',` gen_require(` type var_t, var_run_t; ') files_search_pids($1) list_dirs_pattern($1, var_t, var_run_t) rw_files_pattern($1, var_run_t, var_run_t) ') ######################################## ## ## Do not audit attempts to get the attributes of ## daemon runtime data files. ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_getattr_all_pids',` gen_require(` attribute pidfile; type var_run_t; ') dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; dontaudit $1 pidfile:file getattr; ') ######################################## ## ## Do not audit attempts to write to daemon runtime data files. ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_write_all_pids',` gen_require(` attribute pidfile; ') dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; dontaudit $1 pidfile:file write; ') ######################################## ## ## Do not audit attempts to ioctl daemon runtime data files. ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_ioctl_all_pids',` gen_require(` attribute pidfile; type var_run_t; ') dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; dontaudit $1 pidfile:file ioctl; ') ######################################## ## ## Relable all pid directories ## ## ## ## Domain allowed access. ## ## # interface(`files_relabel_all_pid_dirs',` gen_require(` attribute pidfile; ') relabel_dirs_pattern($1, pidfile, pidfile) ') ######################################## ## ## Delete all pid sockets ## ## ## ## Domain allowed access. ## ## # interface(`files_delete_all_pid_sockets',` gen_require(` attribute pidfile; ') allow $1 pidfile:sock_file delete_sock_file_perms; ') ######################################## ## ## Create all pid sockets ## ## ## ## Domain allowed access. ## ## # interface(`files_create_all_pid_sockets',` gen_require(` attribute pidfile; ') allow $1 pidfile:sock_file create_sock_file_perms; ') ######################################## ## ## Create all pid named pipes ## ## ## ## Domain allowed access. ## ## # interface(`files_create_all_pid_pipes',` gen_require(` attribute pidfile; ') allow $1 pidfile:fifo_file create_fifo_file_perms; ') ######################################## ## ## Delete all pid named pipes ## ## ## ## Domain allowed access. ## ## # interface(`files_delete_all_pid_pipes',` gen_require(` attribute pidfile; ') allow $1 pidfile:fifo_file delete_fifo_file_perms; ') ######################################## ## ## manage all pidfile directories ## in the /var/run directory. ## ## ## ## Domain allowed access. ## ## # interface(`files_manage_all_pid_dirs',` gen_require(` attribute pidfile; ') manage_dirs_pattern($1,pidfile,pidfile) ') ######################################## ## ## Read all process ID files. ## ## ## ## Domain allowed access. ## ## ## # interface(`files_read_all_pids',` gen_require(` attribute pidfile; type var_t; ') list_dirs_pattern($1, var_t, pidfile) read_files_pattern($1, pidfile, pidfile) read_lnk_files_pattern($1, pidfile, pidfile) ') ######################################## ## ## mmap all process ID files. ## ## ## ## Domain allowed access. ## ## ## # interface(`files_map_all_pids',` gen_require(` attribute pidfile; type var_t; ') allow $1 pidfile:file map; ') ######################################## ## ## Relable all pid files ## ## ## ## Domain allowed access. ## ## # interface(`files_relabel_all_pid_files',` gen_require(` attribute pidfile; ') relabel_files_pattern($1, pidfile, pidfile) ') ######################################## ## ## Execute generic programs in /var/run in the caller domain. ## ## ## ## Domain allowed access. ## ## # interface(`files_exec_generic_pid_files',` gen_require(` type var_run_t; ') exec_files_pattern($1, var_run_t, var_run_t) ') ######################################## ## ## Write all sockets ## in the /var/run directory. ## ## ## ## Domain allowed access. ## ## # interface(`files_write_all_pid_sockets',` gen_require(` attribute pidfile; ') allow $1 pidfile:sock_file write_sock_file_perms; ') ######################################## ## ## manage all pidfiles ## in the /var/run directory. ## ## ## ## Domain allowed access. ## ## # interface(`files_manage_all_pids',` gen_require(` attribute pidfile; ') manage_files_pattern($1,pidfile,pidfile) ') ######################################## ## ## Mount filesystems on all polyinstantiation ## member directories. ## ## ## ## Domain allowed access. ## ## # interface(`files_mounton_all_poly_members',` gen_require(` attribute polymember; ') allow $1 polymember:dir mounton; ') ######################################## ## ## Delete all process IDs. ## ## ## ## Domain allowed access. ## ## ## # interface(`files_delete_all_pids',` gen_require(` attribute pidfile; type var_t, var_run_t; ') files_search_pids($1) allow $1 var_t:dir search_dir_perms; allow $1 var_run_t:dir rmdir; allow $1 var_run_t:lnk_file delete_lnk_file_perms; delete_files_pattern($1, pidfile, pidfile) delete_fifo_files_pattern($1, pidfile, pidfile) delete_sock_files_pattern($1, pidfile, { pidfile var_run_t }) ') ######################################## ## ## Delete all process ID directories. ## ## ## ## Domain allowed access. ## ## # interface(`files_delete_all_pid_dirs',` gen_require(` attribute pidfile; type var_t, var_run_t; ') files_search_pids($1) allow $1 var_t:dir search_dir_perms; delete_dirs_pattern($1, pidfile, pidfile) ') ######################################## ## ## Make the specified type a file ## used for spool files. ## ## ##

## Make the specified type usable for spool files. ## This will also make the type usable for files, making ## calls to files_type() redundant. Failure to use this interface ## for a spool file may result in problems with ## purging spool files. ##

##

## Related interfaces: ##

##
    ##
  • files_spool_filetrans()
  • ##
##

## Example usage with a domain that can create and ## write its spool file in the system spool file ## directories (/var/spool): ##

##

## type myspoolfile_t; ## files_spool_file(myfile_spool_t) ## allow mydomain_t myfile_spool_t:file { create_file_perms write_file_perms }; ## files_spool_filetrans(mydomain_t, myfile_spool_t, file) ##

##
## ## ## Type of the file to be used as a ## spool file. ## ## ## # interface(`files_spool_file',` gen_require(` attribute spoolfile; ') files_type($1) typeattribute $1 spoolfile; ') ######################################## ## ## Create all spool sockets ## ## ## ## Domain allowed access. ## ## # interface(`files_create_all_spool_sockets',` gen_require(` attribute spoolfile; ') allow $1 spoolfile:sock_file create_sock_file_perms; ') ######################################## ## ## Delete all spool sockets ## ## ## ## Domain allowed access. ## ## # interface(`files_delete_all_spool_sockets',` gen_require(` attribute spoolfile; ') allow $1 spoolfile:sock_file delete_sock_file_perms; ') ######################################## ## ## Relabel to and from all spool ## directory types. ## ## ## ## Domain allowed access. ## ## ## # interface(`files_relabel_all_spool_dirs',` gen_require(` attribute spoolfile; type var_t; ') relabel_dirs_pattern($1, spoolfile, spoolfile) ') ######################################## ## ## Search the contents of generic spool ## directories (/var/spool). ## ## ## ## Domain allowed access. ## ## # interface(`files_search_spool',` gen_require(` type var_t, var_spool_t; ') search_dirs_pattern($1, var_t, var_spool_t) ') ######################################## ## ## Do not audit attempts to search generic ## spool directories. ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_search_spool',` gen_require(` type var_spool_t; ') dontaudit $1 var_spool_t:dir search_dir_perms; ') ######################################## ## ## List the contents of generic spool ## (/var/spool) directories. ## ## ## ## Domain allowed access. ## ## # interface(`files_list_spool',` gen_require(` type var_t, var_spool_t; ') list_dirs_pattern($1, var_t, var_spool_t) ') ######################################## ## ## Create, read, write, and delete generic ## spool directories (/var/spool). ## ## ## ## Domain allowed access. ## ## # interface(`files_manage_generic_spool_dirs',` gen_require(` type var_t, var_spool_t; ') allow $1 var_t:dir search_dir_perms; manage_dirs_pattern($1, var_spool_t, var_spool_t) ') ######################################## ## ## Read generic spool files. ## ## ## ## Domain allowed access. ## ## # interface(`files_read_generic_spool',` gen_require(` type var_t, var_spool_t; ') list_dirs_pattern($1, var_t, var_spool_t) read_files_pattern($1, var_spool_t, var_spool_t) ') ######################################## ## ## Create, read, write, and delete generic ## spool files. ## ## ## ## Domain allowed access. ## ## # interface(`files_manage_generic_spool',` gen_require(` type var_t, var_spool_t; ') allow $1 var_t:dir search_dir_perms; manage_files_pattern($1, var_spool_t, var_spool_t) ') ######################################## ## ## Create objects in the spool directory ## with a private type with a type transition. ## ## ## ## Domain allowed access. ## ## ## ## ## Type to which the created node will be transitioned. ## ## ## ## ## Object class(es) (single or set including {}) for which this ## the transition will occur. ## ## ## ## ## The name of the object being created. ## ## # interface(`files_spool_filetrans',` gen_require(` type var_t, var_spool_t; ') allow $1 var_t:dir search_dir_perms; filetrans_pattern($1, var_spool_t, $2, $3, $4) ') ######################################## ## ## Allow access to manage all polyinstantiated ## directories on the system. ## ## ## ## Domain allowed access. ## ## # interface(`files_polyinstantiate_all',` gen_require(` attribute polydir, polymember, polyparent; type poly_t; ') # Need to give access to /selinux/member selinux_compute_member($1) # Need sys_admin capability for mounting allow $1 self:capability { chown fsetid sys_admin fowner }; # Need to give access to the directories to be polyinstantiated allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; # Need to give access to the polyinstantiated subdirectories allow $1 polymember:dir search_dir_perms; # Need to give access to parent directories where original # is remounted for polyinstantiation aware programs (like gdm) allow $1 polyparent:dir { getattr mounton }; # Need to give permission to create directories where applicable allow $1 self:process setfscreate; allow $1 polymember: dir { create setattr relabelto }; allow $1 polydir: dir { write add_name open }; allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto }; # Default type for mountpoints allow $1 poly_t:dir { create mounton }; fs_unmount_xattr_fs($1) fs_mount_tmpfs($1) fs_unmount_tmpfs($1) ifdef(`distro_redhat',` # namespace.init files_search_tmp($1) files_search_home($1) corecmd_exec_bin($1) seutil_domtrans_setfiles($1) ') ') ######################################## ## ## Unconfined access to files. ## ## ## ## Domain allowed access. ## ## # interface(`files_unconfined',` gen_require(` attribute files_unconfined_type; ') typeattribute $1 files_unconfined_type; ') ######################################## ## ## Create a core files in / ## ## ##

## Create a core file in /, ##

##
## ## ## Domain allowed access. ## ## ## # interface(`files_manage_root_files',` gen_require(` type root_t; ') manage_files_pattern($1, root_t, root_t) ') ######################################## ## ## Create a default directory ## ## ##

## Create a default_t direcrory ##

##
## ## ## Domain allowed access. ## ## ## # interface(`files_create_default_dir',` gen_require(` type default_t; ') allow $1 default_t:dir create; ') ######################################## ## ## Create, default_t objects with an automatic ## type transition. ## ## ## ## Domain allowed access. ## ## ## ## ## The class of the object being created. ## ## # interface(`files_root_filetrans_default',` gen_require(` type root_t, default_t; ') filetrans_pattern($1, root_t, default_t, $2) ') ######################################## ## ## Create, lib_t objects with an automatic ## type transition. ## ## ## ## Domain allowed access. ## ## ## ## ## Type of the directory to be transitioned from ## ## ## ## ## The class of the object being created. ## ## ## ## ## The name of the object being created. ## ## # interface(`files_filetrans_lib',` gen_require(` type lib_t, lib_t; ') filetrans_pattern($1, $2, lib_t, $3, $4) ') ######################################## ## ## Watch generic directories in /lib. ## ## ## ## Domain allowed access. ## ## # interface(`files_watch_lib_dirs',` gen_require(` type lib_t; ') allow $1 lib_t:dir watch_dir_perms; ') ######################################## ## ## manage generic symbolic links ## in the /var/run directory. ## ## ## ## Domain allowed access. ## ## # interface(`files_manage_generic_pids_symlinks',` gen_require(` type var_run_t; ') manage_lnk_files_pattern($1,var_run_t,var_run_t) ') ########################################## ## ## Watch the pidfile files and directories ## ## ## ## Domain allowed access ## ## # interface(`files_watch_all_pid',` gen_require(` attribute pidfile; ') allow $1 pidfile:dir watch_dir_perms; allow $1 pidfile:file watch_file_perms; ') ######################################## ## ## Do not audit attempts to getattr ## all tmpfs files. ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_getattr_tmpfs_files',` gen_require(` attribute tmpfsfile; ') allow $1 tmpfsfile:file getattr; ') ######################################## ## ## Allow delete all tmpfs files. ## ## ## ## Domain to not audit. ## ## # interface(`files_delete_tmpfs_files',` gen_require(` attribute tmpfsfile; ') allow $1 tmpfsfile:file delete_file_perms; ') ######################################## ## ## Allow read write all tmpfs files ## ## ## ## Domain to not audit. ## ## # interface(`files_rw_tmpfs_files',` gen_require(` attribute tmpfsfile; ') allow $1 tmpfsfile:file { read write }; ') ########################################## ## ## Watch a tmpfs directory. ## ## ## ## Domain allowed access ## ## # interface(`files_watch_tmpfs_dirs',` gen_require(` type root_t; ') allow $1 tmpfs_t:dir watch_dir_perms; ') ######################################## ## ## Do not audit attempts to read security files ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_read_security_files',` gen_require(` attribute security_file_type; ') dontaudit $1 security_file_type:file read_file_perms; ') ######################################## ## ## Do not audit attempts to search security files ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_search_security_files',` gen_require(` attribute security_file_type; ') dontaudit $1 security_file_type:dir search_dir_perms; ') ######################################## ## ## Do not audit attempts to read security dirs ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_list_security_dirs',` gen_require(` attribute security_file_type; ') dontaudit $1 security_file_type:dir list_dir_perms; ') ######################################## ## ## rw any files inherited from another process ## ## ## ## Domain allowed access. ## ## ## ## ## Object type. ## ## # interface(`files_rw_all_inherited_files',` gen_require(` attribute file_type; ') allow $1 { file_type $2 }:file rw_inherited_file_perms; allow $1 { file_type $2 }:fifo_file rw_inherited_fifo_file_perms; allow $1 { file_type $2 }:sock_file rw_inherited_sock_file_perms; allow $1 { file_type $2 }:chr_file rw_inherited_chr_file_perms; ') ######################################## ## ## Allow any file point to be the entrypoint of this domain ## ## ## ## Domain allowed access. ## ## ## # interface(`files_entrypoint_all_files',` gen_require(` attribute file_type; type unlabeled_t; ') allow $1 {file_type -unlabeled_t} :file entrypoint; ') ######################################## ## ## Do not audit attempts to rw inherited file perms ## of non security files. ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_all_non_security_leaks',` gen_require(` attribute non_security_file_type; ') dontaudit $1 non_security_file_type:file_class_set rw_inherited_file_perms; ') ######################################## ## ## Do not audit attempts to read or write ## all leaked files. ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_leaks',` gen_require(` attribute file_type; ') dontaudit $1 file_type:file rw_inherited_file_perms; dontaudit $1 file_type:lnk_file { read }; ') ######################################## ## ## Allow domain to create_file_ass all types ## ## ## ## Domain allowed access. ## ## # interface(`files_create_as_is_all_files',` gen_require(` attribute file_type; class kernel_service create_files_as; ') allow $1 file_type:kernel_service create_files_as; ') ######################################## ## ## Do not audit attempts to check the ## access on all files ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_all_access_check',` gen_require(` attribute file_type; ') dontaudit $1 file_type:dir_file_class_set audit_access; ') ######################################## ## ## Do not audit attempts to write to all files ## ## ## ## Domain to not audit. ## ## # interface(`files_dontaudit_write_all_files',` gen_require(` attribute file_type; ') dontaudit $1 file_type:dir_file_class_set write; ') ######################################## ## ## Allow domain to delete to all files ## ## ## ## Domain to not audit. ## ## # interface(`files_delete_all_non_security_files',` gen_require(` attribute non_security_file_type; ') allow $1 non_security_file_type:dir del_entry_dir_perms; allow $1 non_security_file_type:file_class_set delete_file_perms; ') ######################################## ## ## Allow domain to delete to all dirs ## ## ## ## Domain to not audit. ## ## # interface(`files_delete_all_non_security_dirs',` gen_require(` attribute non_security_file_type; ') allow $1 non_security_file_type:dir { del_entry_dir_perms delete_dir_perms }; ') ######################################## ## ## Transition named content in the var_run_t directory ## ## ## ## Domain allowed access. ## ## # interface(`files_filetrans_named_content',` gen_require(` type etc_t; type mnt_t; type usr_t; type tmp_t; type var_t; type var_run_t; type var_lock_t; type tmp_t; type system_conf_t; ') files_pid_filetrans($1, mnt_t, dir, "media") files_root_filetrans($1, etc_runtime_t, file, ".readahead") files_root_filetrans($1, etc_runtime_t, file, ".autorelabel") files_root_filetrans($1, etc_runtime_t, dir, "oldroot") files_root_filetrans($1, etc_runtime_t, file, ".profile") files_root_filetrans($1, mnt_t, dir, "afs") files_root_filetrans($1, mnt_t, dir, "misc") files_root_filetrans($1, mnt_t, dir, "net") files_root_filetrans($1, usr_t, dir, "export") files_root_filetrans($1, usr_t, dir, "opt") files_root_filetrans($1, usr_t, dir, "ostree") files_root_filetrans($1, usr_t, dir, "emul") files_root_filetrans($1, var_t, dir, "srv") files_root_filetrans($1, var_run_t, dir, "run") files_root_filetrans($1, var_run_t, lnk_file, "run") files_root_filetrans($1, var_lock_t, lnk_file, "lock") files_root_filetrans($1, tmp_t, dir, "sandbox") files_root_filetrans($1, tmp_t, dir, "tmp") files_root_filetrans($1, var_t, dir, "nsr") files_etc_filetrans($1, etc_t, file, "system-auth-ac") files_etc_filetrans($1, etc_t, file, "postlogin-ac") files_etc_filetrans($1, etc_t, file, "password-auth-ac") files_etc_filetrans($1, etc_t, file, "fingerprint-auth-ac") files_etc_filetrans($1, etc_t, file, "smartcard-auth-ac") files_etc_filetrans($1, etc_t, file, "hwdb.bin") files_etc_filetrans_etc_runtime($1, file, ".updated") files_etc_filetrans_etc_runtime($1, file, "runtime") files_etc_filetrans_etc_runtime($1, dir, "blkid") files_etc_filetrans_etc_runtime($1, dir, "cmtab") files_etc_filetrans_etc_runtime($1, file, "fstab.REVOKE") files_etc_filetrans_etc_runtime($1, file, "ioctl.save") files_etc_filetrans_etc_runtime($1, file, "nologin") files_etc_filetrans_etc_runtime($1, file, "securetty") files_etc_filetrans_etc_runtime($1, file, "ifstate") files_etc_filetrans_etc_runtime($1, file, "ptal-printd-like") files_etc_filetrans_etc_runtime($1, file, "hwconf") filetrans_pattern($1, etc_t, system_conf_t, file, "iptables.save") files_tmp_filetrans($1, tmp_t, dir, "tmp-inst") files_var_filetrans($1, tmp_t, dir, "tmp") files_var_filetrans($1, var_run_t, dir, "run") files_var_filetrans($1, etc_runtime_t, file, ".updated") ') ######################################## ## ## Make the specified type a ## base file. ## ## ##

## Identify file type as base file type. Tools will use this attribute, ## to help users diagnose problems. ##

##
## ## ## Type to be used as a base files. ## ## ## # interface(`files_base_file',` gen_require(` attribute base_file_type; ') files_type($1) typeattribute $1 base_file_type; ') ######################################## ## ## Make the specified type a ## base read only file. ## ## ##

## Make the specified type readable for all domains. ##

##
## ## ## Type to be used as a base read only files. ## ## ## # interface(`files_ro_base_file',` gen_require(` attribute base_ro_file_type; ') files_base_file($1) typeattribute $1 base_ro_file_type; ') ######################################## ## ## Read all ro base files. ## ## ## ## Domain allowed access. ## ## ## # interface(`files_read_all_base_ro_files',` gen_require(` attribute base_ro_file_type; ') list_dirs_pattern($1, base_ro_file_type, base_ro_file_type) read_files_pattern($1, base_ro_file_type, base_ro_file_type) read_lnk_files_pattern($1, base_ro_file_type, base_ro_file_type) ') ######################################## ## ## Execute all base ro files. ## ## ## ## Domain allowed access. ## ## ## # interface(`files_exec_all_base_ro_files',` gen_require(` attribute base_ro_file_type; ') can_exec($1, base_ro_file_type) ') ######################################## ## ## Allow the specified domain to modify the systemd configuration of ## any file. ## ## ## ## Domain allowed access. ## ## # interface(`files_config_all_files',` gen_require(` attribute file_type; ') allow $1 file_type:service all_service_perms; ') ######################################## ## ## Get the status of etc_t files ## ## ## ## Domain allowed access. ## ## # interface(`files_status_etc',` gen_require(` type etc_t; ') allow $1 etc_t:service status; ') ######################################## ## ## Dontaudit Mount a modules_object_t ## ## ## ## Domain allowed access. ## ## # interface(`files_dontaudit_mounton_modules_object',` gen_require(` type modules_object_t; ') allow $1 modules_object_t:dir mounton; ') ######################################## ## ## Allow the domain to use IORING_OP_URING_CMD on all files. ## ## ## ## Domain allowed access. ## ## # interface(`files_io_uring_cmd_on_all_files',` gen_require(` attribute file_type; ') allow $1 file_type:io_uring cmd; ')