Oreon-Lime-R2/selinux-policy/selinux-policy-bc228bd/selinux-policy-bc228bd0c249a9e4aa3dcf238c2b1bb138943b07/policy/modules/system/application.if

281 lines
5.8 KiB
Text

## <summary>Policy for user executable applications.</summary>
########################################
## <summary>
## Make the specified type usable as an application domain.
## </summary>
## <param name="type">
## <summary>
## Type to be used as a domain type.
## </summary>
## </param>
#
interface(`application_type',`
gen_require(`
attribute application_domain_type;
')
typeattribute $1 application_domain_type;
# start with basic domain
domain_type($1)
')
########################################
## <summary>
## Make the specified type usable for files
## that are exectuables, such as binary programs.
## This does not include shared libraries.
## </summary>
## <param name="type">
## <summary>
## Type to be used for files.
## </summary>
## </param>
#
interface(`application_executable_file',`
gen_require(`
attribute application_exec_type;
')
typeattribute $1 application_exec_type;
corecmd_executable_file($1)
')
#######################################
## <summary>
## Make the specified type usable for files
## that are exectuables, such as binary programs.
## This does not include shared libraries.
## </summary>
## <param name="type">
## <summary>
## Type to be used for files.
## </summary>
## </param>
#
interface(`application_executable_ioctl',`
gen_require(`
attribute application_exec_type;
')
allow $1 application_exec_type:file ioctl;
')
########################################
## <summary>
## Execute application executables in the caller domain.
## </summary>
## <param name="type">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`application_exec',`
gen_require(`
attribute application_exec_type;
')
can_exec($1, application_exec_type)
')
########################################
## <summary>
## Execute all executable files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`application_exec_all',`
corecmd_dontaudit_exec_all_executables($1)
corecmd_exec_bin($1)
corecmd_exec_shell($1)
application_exec($1)
')
########################################
## <summary>
## Dontaudit execute all executable files.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`application_dontaudit_exec',`
gen_require(`
attribute application_exec_type;
')
dontaudit $1 application_exec_type:file execute;
')
########################################
## <summary>
## Create a domain for applications.
## </summary>
## <desc>
## <p>
## Create a domain for applications. Typically these are
## programs that are run interactively.
## </p>
## <p>
## The types will be made usable as a domain and file, making
## calls to domain_type() and files_type() redundant.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Type to be used as an application domain.
## </summary>
## </param>
## <param name="entry_point">
## <summary>
## Type of the program to be used as an entry point to this domain.
## </summary>
## </param>
## <infoflow type="none"/>
#
interface(`application_domain',`
application_type($1)
application_executable_file($2)
domain_entry_file($1, $2)
')
########################################
## <summary>
## Send null signals to all application domains.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`application_signull',`
gen_require(`
attribute application_domain_type;
')
allow $1 application_domain_type:process signull;
')
########################################
## <summary>
## Do not audit attempts to send null signals
## to all application domains.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`application_dontaudit_signull',`
gen_require(`
attribute application_domain_type;
')
dontaudit $1 application_domain_type:process signull;
')
########################################
## <summary>
## Send general signals to all application domains.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`application_signal',`
gen_require(`
attribute application_domain_type;
')
allow $1 application_domain_type:process signal;
')
########################################
## <summary>
## Do not audit attempts to send general signals
## to all application domains.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`application_dontaudit_signal',`
gen_require(`
attribute application_domain_type;
')
dontaudit $1 application_domain_type:process signal;
')
########################################
## <summary>
## Send kill signals to all application domains.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`application_sigkill',`
gen_require(`
attribute application_domain_type;
')
allow $1 application_domain_type:process sigkill;
')
########################################
## <summary>
## Do not audit attempts to send kill signals
## to all application domains.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`application_dontaudit_sigkill',`
gen_require(`
attribute application_domain_type;
')
dontaudit $1 application_domain_type:process sigkill;
')
#######################################
## <summary>
## Getattr all application sockets.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`application_getattr_socket',`
gen_require(`
attribute application_domain_type;
')
allow $1 application_domain_type:socket_class_set getattr;
')