## <summary>Policy for user executable applications.</summary>

########################################
## <summary>
##	Make the specified type usable as an application domain.
## </summary>
## <param name="type">
##	<summary>
##	Type to be used as a domain type.
##	</summary>
## </param>
#
# Adding the type to application_domain_type makes it a target of every
# attribute-wide rule in this file: signull, signal, sigkill and socket
# getattr grants, and the matching dontaudit rules.
#
interface(`application_type',`
	gen_require(`
		attribute application_domain_type;
	')

	typeattribute $1 application_domain_type;

	# start with basic domain
	domain_type($1)
')

########################################
## <summary>
##	Make the specified type usable for files
##	that are executables, such as binary programs.
##	This does not include shared libraries.
## </summary>
## <param name="type">
##	<summary>
##	Type to be used for files.
##	</summary>
## </param>
#
# Adding the type to application_exec_type exposes it to every domain
# that calls application_exec or application_executable_ioctl.
#
interface(`application_executable_file',`
	gen_require(`
		attribute application_exec_type;
	')

	typeattribute $1 application_exec_type;

	corecmd_executable_file($1)
')

#######################################
## <summary>
##	Allow the specified domain to use ioctl on
##	application executable files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# The only rule here is an allow with $1 as the source domain and the
# ioctl permission on application_exec_type files. No type is labelled
# as an executable by this interface.
#
interface(`application_executable_ioctl',`
	gen_require(`
		attribute application_exec_type;
	')

	allow $1 application_exec_type:file ioctl;
')

########################################
## <summary>
##	Execute application executables in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# can_exec is defined outside this file. Per the summary the program
# runs without a domain transition, so it keeps all permissions of the
# calling domain - confirm against the can_exec definition.
#
interface(`application_exec',`
	gen_require(`
		attribute application_exec_type;
	')

	can_exec($1, application_exec_type)
')

########################################
## <summary>
##	Execute all executable files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
# NOTE(review): the summary overstates the grant. Execution is allowed
# only through corecmd_exec_bin, corecmd_exec_shell and application_exec.
# The first call is a dontaudit, so attempts to run any other executable
# type are presumably still denied but no longer logged (the corecmd_*
# interfaces are defined outside this file - confirm there). Callers get
# silent denials, which matters when reviewing audit logs for unexpected
# exec attempts from these domains.
#
interface(`application_exec_all',`
	corecmd_dontaudit_exec_all_executables($1)
	corecmd_exec_bin($1)
	corecmd_exec_shell($1)
	application_exec($1)
')

########################################
## <summary>
##	Dontaudit execute all executable files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# The rule covers application_exec_type files only, not every executable
# type. dontaudit grants nothing: the execute attempt is still denied and
# only the AVC denial record is suppressed. Reserve it for known-benign
# noise, and rebuild policy with dontaudit rules disabled (semodule -DB)
# when investigating a domain that uses this interface.
#
interface(`application_dontaudit_exec',`
	gen_require(`
		attribute application_exec_type;
	')

	dontaudit $1 application_exec_type:file execute;
')

########################################
## <summary>
##	Create a domain for applications.
## </summary>
## <desc>
##	<p>
##	Create a domain for applications.  Typically these are
##	programs that are run interactively.
##	</p>
##	<p>
##	The types will be made usable as a domain and file, making
##	calls to domain_type() and files_type() redundant.
##	</p>
## </desc>
## <param name="type">
##	<summary>
##	Type to be used as an application domain.
##	</summary>
## </param>
## <param name="entry_point">
##	<summary>
##	Type of the program to be used as an entry point to this domain.
##	</summary>
## </param>
#
# Composes application_type on $1 and application_executable_file on $2,
# then registers $2 as an entry point of $1 through domain_entry_file.
# Both types therefore join the application attributes and inherit the
# attribute-wide rules granted elsewhere in this file.
#
interface(`application_domain',`
	application_type($1)
	application_executable_file($2)
	domain_entry_file($1, $2)
')

########################################
## <summary>
##	Send null signals to all application domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# The target is the whole application_domain_type attribute, so the
# grant also covers application domains added by other modules.
#
interface(`application_signull',`
	gen_require(`
		attribute application_domain_type;
	')

	allow $1 application_domain_type:process signull;
')

########################################
## <summary>
##	Do not audit attempts to send null signals
##	to all application domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# Suppresses the denial record only; the signull attempt is still denied.
#
interface(`application_dontaudit_signull',`
	gen_require(`
		attribute application_domain_type;
	')

	dontaudit $1 application_domain_type:process signull;
')

########################################
## <summary>
##	Send general signals to all application domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Attribute-wide grant: the caller may signal every type that carries
# application_domain_type. Prefer a per-domain signal interface when the
# caller needs to reach only specific applications.
#
interface(`application_signal',`
	gen_require(`
		attribute application_domain_type;
	')

	allow $1 application_domain_type:process signal;
')

########################################
## <summary>
##	Do not audit attempts to send general signals
##	to all application domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# Suppresses the denial record only; the signal attempt is still denied.
#
interface(`application_dontaudit_signal',`
	gen_require(`
		attribute application_domain_type;
	')

	dontaudit $1 application_domain_type:process signal;
')

########################################
## <summary>
##	Send kill signals to all application domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Attribute-wide grant: the caller may send sigkill to every type that
# carries application_domain_type, including domains added later by
# other modules. Review each caller of this interface for least privilege.
#
interface(`application_sigkill',`
	gen_require(`
		attribute application_domain_type;
	')

	allow $1 application_domain_type:process sigkill;
')

########################################
## <summary>
##	Do not audit attempts to send kill signals
##	to all application domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# Suppresses the denial record only; the sigkill attempt is still denied.
# Hidden sigkill denials can mask a domain probing other processes, so
# disable dontaudit rules (semodule -DB) when triaging such a domain.
#
interface(`application_dontaudit_sigkill',`
	gen_require(`
		attribute application_domain_type;
	')

	dontaudit $1 application_domain_type:process sigkill;
')

#######################################
## <summary>
##	Getattr all application sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# socket_class_set is defined outside this file; it presumably expands to
# the full set of socket object classes - confirm against its definition.
# Only getattr is granted, on sockets labelled with any application domain.
#
interface(`application_getattr_socket',`
	gen_require(`
		attribute application_domain_type;
	')

	allow $1 application_domain_type:socket_class_set getattr;
')